Hello @Ravichandran, Gopi Krishna,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you have a hub VNet enabled with an Azure DDoS protection plan and were trying to create an Azure DDoS Protection workbook by enabling the diagnostic settings for the Public IP address within the hub VNet, but when executing the DDoS mitigation reports query in Log Analytics, you got the error "'extend' operator: Failed to resolve scalar expression named 'TrafficOverview_s'".
The DDoS logs are available only when a resource is actually under attack.
DDoSProtectionNotifications: Notifications will notify you anytime a public IP resource is under attack, and when attack mitigation is over.
DDoSMitigationReports: Attack mitigation reports use the Netflow protocol data, which is aggregated to provide detailed information about the attack on your resource. Anytime a public IP resource is under attack, the report generation will start as soon as the mitigation starts.
Refer: https://video2.skills-academy.com/en-us/azure/ddos-protection/diagnostic-logging?tabs=DDoSProtectionNotifications
If there was no real attack, I would request you to simulate a DDoS attack and then query the logs to validate the parameters.
Refer: https://video2.skills-academy.com/en-us/azure/ddos-protection/test-through-simulations
Azure has the below approved testing partners:
- BreakingPoint Cloud: a self-service traffic generator where your customers can generate traffic against DDoS Protection-enabled public endpoints for simulations.
- Red Button: work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.
You can create an account for BreakingPoint Cloud and then follow the steps mentioned in the above doc to simulate a DDoS attack against Azure-hosted public IP addresses that belong to an Azure subscription of your own, which will be validated by Azure Active Directory (Azure AD) before testing.
After simulating a DDoS attack, try the below query to check if you get the data and then you can apply the required filters to your query:
AzureDiagnostics
| where Category == "DDoSProtectionNotifications" or Category == "DDoSMitigationReports"
Kindly let us know if the above helps or you need further assistance on this issue.
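An added example, not part of the original answer: two Log Analytics queries that tolerate the case described above, where no attack has been logged yet and the `TrafficOverview_s` column therefore does not exist. The 30-day window and the output column names (`Records`, `LastSeen`, `TrafficOverview`) are assumptions chosen for illustration.

```kusto
// Added example: run each query separately in Log Analytics.

// Query 1: check whether either DDoS log category has produced records yet.
// An empty result means no attack (real or simulated) has been logged,
// so attack-specific columns such as TrafficOverview_s are not yet present.
AzureDiagnostics
| where TimeGenerated > ago(30d)   // assumed look-back window
| where Category in ("DDoSProtectionNotifications", "DDoSMitigationReports")
| summarize Records = count(), LastSeen = max(TimeGenerated) by Category, Resource

// Query 2: mitigation report query that does not fail when the column is missing.
// column_ifexists() returns the default value ("") instead of raising
// "Failed to resolve scalar expression named 'TrafficOverview_s'".
AzureDiagnostics
| where TimeGenerated > ago(30d)   // assumed look-back window
| where Category == "DDoSMitigationReports"
| extend TrafficOverview = column_ifexists("TrafficOverview_s", "")
| where isnotempty(TrafficOverview)
| project TimeGenerated, Resource, TrafficOverview
| order by TimeGenerated desc
```

If Query 1 returns rows for `DDoSMitigationReports` but Query 2 is still empty, check the diagnostic setting on the Public IP before assuming the mitigation pipeline failed.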