Organising Azure Firewall Logs for ingestion
If you are ingesting Azure Firewall logs into your Sentinel workspace, ensure that the destination table in the diagnostic settings is set to “Resource Specific”.
Benefits of choosing Resource Specific logs
When you choose this setting, an individual table is created in the Sentinel workspace for each firewall log category, for example AZFWNetworkRule and AZFWDnsQuery, rather than a single table, AzureDiagnostics, holding all logs under their various categories.
From a search and query perspective, this is how a query looks if you leave the setting unchanged at AzureDiagnostics:
AzureDiagnostics
| where Category=="AZFWNetworkRule"
| take 10
Once changed to Resource Specific, you can query the table directly, which makes for a cleaner and more efficient search experience:
AZFWNetworkRule
| take 10
As a result, this:
- Makes it easier to work with the data in log queries.
- Provides better discoverability of schemas and their structure.
- Improves performance across ingestion latency and query times.
- Provides the ability to grant Azure role-based access control rights on a specific table, and
- Allows you to create data transformation rules that help you normalise data and optimise ingestion. (More on that in a later post.)
How to change this setting
Here is how to do it in a few easy steps:
- Navigate to your Azure Firewall instance in the Azure portal
- In the left pane, click “Diagnostic Settings” under the “Monitoring” section
- Click “Edit Settings” to change the existing log stream settings
- Under Destination table, choose “Resource Specific”
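The same change made repeatable with the Azure CLI, as an added example that is not part of the original post: it builds the log-category list, creates the diagnostic setting with resource-specific export, and then checks that the setting really landed as “Dedicated” (resource-specific) rather than AzureDiagnostics. The resource IDs, the setting name and the APPLY switch are placeholders and assumptions, not values from the post.

```shell
#!/usr/bin/env sh
# Added example: the portal steps above, done with the Azure CLI.
# The resource IDs and setting name are placeholders (assumptions, not from the post).
FIREWALL_ID="${FIREWALL_ID:-/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/azureFirewalls/<fw-name>}"
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<ws-name>}"
SETTING_NAME="${SETTING_NAME:-fw-to-sentinel}"

# Build the --logs JSON: one entry per log category. With resource-specific
# export each category lands in its own table (AZFWNetworkRule, AZFWDnsQuery, ...).
logs_json() {
  sep=""
  printf '['
  for category in "$@"; do
    printf '%s{"category":"%s","enabled":true}' "$sep" "$category"
    sep=","
  done
  printf ']'
}

# Create (or overwrite) the diagnostic setting. --export-to-resource-specific true
# is the CLI equivalent of choosing "Resource Specific" under Destination table.
apply_setting() {
  az monitor diagnostic-settings create \
    --name "$SETTING_NAME" \
    --resource "$FIREWALL_ID" \
    --workspace "$WORKSPACE_ID" \
    --export-to-resource-specific true \
    --logs "$(logs_json "$@")"
}

# Check: the destination type should read "Dedicated" (resource-specific tables),
# not "AzureDiagnostics". Returns non-zero otherwise, so it can gate automation.
verify_setting() {
  dest=$(az monitor diagnostic-settings show \
    --name "$SETTING_NAME" --resource "$FIREWALL_ID" \
    --query logAnalyticsDestinationType -o tsv)
  [ "$dest" = "Dedicated" ]
}

# Dry run by default so the script is safe to read and test; set APPLY=1 to run it.
if [ "${APPLY:-0}" = "1" ]; then
  apply_setting AZFWNetworkRule AZFWDnsQuery && verify_setting && echo "resource-specific export confirmed"
else
  echo "dry run; --logs would be: $(logs_json AZFWNetworkRule AZFWDnsQuery)"
fi
```

Add further categories to the `apply_setting` call (or pass a `categoryGroup` entry instead) when you want more of the firewall's log streams in their own tables.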
