Unable to retrieve azure firewall log from portal

Ananya Sarkar
2020-11-24T16:07:21.627+00:00

Hi,

I was trying to generate logs for Azure threat intelligence, but I am facing an issue.

I am inside the Azure FW -> Logs and clicked "Run" for the Threat Intelligence rule log data.
However, it is showing the error message below:
'where' operator: Failed to resolve table or column expression named 'AzureDiagnostics'
If issue persists, please open a support ticket. Request id: 12490ba5-154b-415a-8e11-2152535e64ba

Can anybody please help me to run the query and get the log for threat intelligence, or let me know how to retrieve this log?

Azure Firewall

Accepted answer
SaiKishor-MSFT
2020-11-24T19:26:14.237+00:00

@Ananya Sarkar

Can you try adding Log Analytics in Diagnostic Settings and then try to run the query? Please let me know if that helps, and if not I can investigate further. Thank you!


5 additional answers

SaiKishor-MSFT
2020-12-12T01:42:54.527+00:00

@Ananya Sarkar
The “brute force credential” is what is generated from Microsoft’s Threat Intel feed. Typically, there are a few scenarios where you may get this in logs:

1. If you enabled DNAT to one of the VMs behind the FW, there might be real brute force attacks from one of those IPs.
2. Otherwise, it is possible that you have some malicious app that is trying to get access to one of those IPs.
3. You are accessing something “legit” (or what they believe is legit) on one of those IPs, and this traffic gets flagged.

We’ve also seen two false positive cases:

1. The Threat Intel database contains private IPs that only make sense in internal networks.
2. Azure sometimes allows customers to use any IP range, including public IP ranges that the customer does not own, as VNET address space. In other words, a customer’s VM can have an IP that looks like a public IP and may match a real public malicious IP from the Threat Intel database.

If you would like, we can get the exact IPs from you, then we can reach out to our Threat Intel team to specifically determine what is happening. Thank you!

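Added example, not code from the thread or from Microsoft: once diagnostic logs are flowing into Log Analytics, a small Python triage script that sorts exported threat-intel rows into the scenarios and false-positive cases SaiKishor-MSFT lists above. The row shape, the OperationName value and the msg_s layout are assumptions about the legacy AzureDiagnostics format, and the sample rows and VNET ranges are constructed.

```python
import ipaddress
import re

# Constructed sample rows in the shape of the legacy AzureDiagnostics table for
# Azure Firewall. The OperationName value and the msg_s layout are assumptions
# about that legacy format, not data taken from the thread.
SAMPLE_RECORDS = [
    {"OperationName": "AzureFirewallThreatIntelLog",
     "msg_s": "TCP request from 203.0.113.7:51234 to 10.0.1.4:3389. Action: Deny. ThreatIntel: Brute force credential"},
    {"OperationName": "AzureFirewallThreatIntelLog",
     "msg_s": "TCP request from 10.0.2.5:41000 to 192.168.10.9:22. Action: Alert. ThreatIntel: Brute force credential"},
    {"OperationName": "AzureFirewallThreatIntelLog",
     "msg_s": "TCP request from 10.0.1.4:44000 to 198.51.100.20:443. Action: Alert. ThreatIntel: Brute force credential"},
    {"OperationName": "AzureFirewallNetworkRuleLog",
     "msg_s": "TCP request from 10.0.1.4:50000 to 10.0.1.5:80. Action: Allow"},
]
MSG_RE = re.compile(r"^\w+ request from (?P<src>[^\s:]+):\d+ to (?P<dst>[^\s:]+):(?P<dport>\d+)"
                    r"\. Action: (?P<action>\w+)\. ThreatIntel: (?P<ti>.+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Address space this tenant assigned to its VNETs (constructed). The second block is a
# public range deliberately included to mimic the "public IPs used as VNET space" case.
VNET_SPACE = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "198.51.100.0/24")]

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def in_vnet(ip):
    return any(ip in net for net in VNET_SPACE)

def triage(record):
    """Classify one row; returns (category, details) or None if it is not a threat-intel hit."""
    if record.get("OperationName") != "AzureFirewallThreatIntelLog":
        return None
    m = MSG_RE.match(record.get("msg_s", ""))
    if not m:
        return ("unparsed", {"msg_s": record.get("msg_s", "")})
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    if is_rfc1918(src) and is_rfc1918(dst):
        cat = "feed-contains-private-ip"      # false positive 1: feed lists private addresses
    elif (not is_rfc1918(src) and in_vnet(src)) or (not is_rfc1918(dst) and in_vnet(dst)):
        cat = "own-vnet-uses-public-range"    # false positive 2: your VNET overlaps a public block
    elif is_rfc1918(dst):
        cat = "inbound-to-dnat-target"        # scenario 1: Internet source hitting a DNAT'd VM
    else:
        cat = "outbound-from-internal-host"   # scenarios 2/3: internal host reaching a flagged IP
    return (cat, {"src": str(src), "dst": str(dst), "dport": int(m["dport"]),
                  "action": m["action"], "threat": m["ti"]})

def triage_all(records):
    return [hit for hit in map(triage, records) if hit is not None]
```

Inbound hits against a DNAT target are the ones worth following up as real attempts; the two false-positive categories are what to send to the Threat Intel team with the exact IPs, as the answer suggests.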
