Integrate and export diagnostic logs into SIEM

Implementation Effort: Medium

User Impact: Low

Overview

After enabling diagnostic logging for Azure DDoS Protection, Azure Firewall, and Azure WAF stream these logs into your SIEM—such as Microsoft Sentinel via its built-in data connectors.

When ingesting your network security logs into a SIEM via a Log Analytics workspace, include the key diagnostic categories from each service to ensure full visibility and actionable insights:

• Azure DDoS Protection: DDoSProtectionNotifications, DDoSMitigationReports, and DDoSMitigationFlowLogs to track attack detections, mitigation actions, and traffic details
• Azure Firewall: AzureFirewallNetworkRule, AzureFirewallApplicationRule, AzureFirewallThreatIntel, and AzureFirewallIdpsSignature logs to capture all rule matches, threat-intel blocks, and intrusion detections
• Azure WAF (Front Door & App Gateway): WebApplicationFirewallLog, FrontdoorAccessLog, and FrontdoorHealthProbeLog for Front Door; ApplicationGatewayFirewallLog, ApplicationGatewayAccessLog, and ApplicationGatewayPerformanceLog for Application Gateway—so you can monitor blocked requests, traffic patterns, and gateway health

These logs, once collected in Log Analytics and routed into your SIEM, provide the foundation for automated alerts, playbook-driven responses, dashboards, and advanced threat hunting—ensuring you maintain a robust Zero Trust network security posture.

Reference

• Azure DDoS Solution for Microsoft Sentinel
• Azure Firewall with Microsoft Sentinel
• Using Microsoft Sentinel with Azure Web Application Firewall
• Onboard Microsoft Sentinel
• Diagnostic settings in Azure Monitor