AZURE HEROES

Identifying Top FQDN Traffic Flows in Azure Firewall Logs

5/8/2024

Monitoring and analyzing network traffic is crucial for maintaining a secure and efficient Azure environment. Azure Firewall provides robust logging capabilities that allow you to scrutinize traffic flows, particularly focusing on Fully Qualified Domain Names (FQDNs). By leveraging Azure Firewall's logs and employing Kusto Query Language (KQL), you can identify the top FQDNs contributing to your network traffic.
Understanding Azure Firewall Logs
Azure Firewall generates various logs that offer insights into its operations:
  • Application Rule Logs: Detail traffic allowed or denied based on application rules, including information about FQDNs accessed.
  • Network Rule Logs: Capture data on traffic filtered through network rules, focusing on IP addresses and ports.
  • Top Flows Logs: Highlight the top connections contributing to the highest throughput, aiding in identifying significant traffic patterns.

Identifying Top FQDN Traffic Flows


To pinpoint the top FQDNs in your network traffic, you can utilize the following KQL approach:


// Allowed application-rule hits for FQDNs containing "blob.", counted per source and FQDN
let ApplicationRuleData = AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| where Fqdn contains "blob." and action_s == "Allow"
| summarize RuleHits = count() by SourceIp, Fqdn;
// Top (fat) flow throughput per source/destination pair; FlowRate divided by 1024 as in the original query
let FlowData = AzureDiagnostics
| where Category == "AzureFirewallFatFlowLog"
| summarize FlowRateKbps = sum(FlowRate / 1024) by SourceIp, DestinationIp;
// Join on SourceIp and total the flow rate per FQDN; the named column replaces the auto-generated sum_ column
ApplicationRuleData
| join kind=inner (FlowData) on SourceIp
| summarize TotalFlowRate = sum(FlowRateKbps) by Fqdn
| order by TotalFlowRate desc

Explanation of the Query

  1. ApplicationRuleData: This segment filters the application rule logs to include only entries where the FQDN contains "blob." and the action is "Allow". It then summarizes the count by SourceIp and Fqdn.
  2. FlowData: This part processes the fat flow logs, summarizing the flow rate (converted to kilobits per second) by SourceIp and DestinationIp, and sorts the results in descending order.
  3. Joining Data: The final step performs an inner join between ApplicationRuleData and FlowData on SourceIp, then summarizes the total flow rate by Fqdn and orders the results to highlight the top FQDNs.
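The three stages above can be reproduced offline to see exactly what the join does. The following Python is an added example, not code from the original post or from Azure: it re-implements the filter, the per-pair flow summation and the inner join on SourceIp over a handful of constructed log records whose column names mirror the query (SourceIp, Fqdn, action_s, DestinationIp, FlowRate). It also includes a check function, overcount, that measures how much throughput the SourceIp-only join attributes more than once when one source reached several matching FQDNs.

```python
"""Offline re-implementation of the KQL above on constructed sample records (added example)."""
from collections import defaultdict

# Constructed application-rule log rows; the shape is an assumption that mirrors the KQL column names.
APP_RULE_LOGS = [
    {"Category": "AzureFirewallApplicationRule", "SourceIp": "10.0.1.4", "Fqdn": "contoso.blob.core.windows.net", "action_s": "Allow"},
    {"Category": "AzureFirewallApplicationRule", "SourceIp": "10.0.1.4", "Fqdn": "backup.blob.core.windows.net", "action_s": "Allow"},
    {"Category": "AzureFirewallApplicationRule", "SourceIp": "10.0.1.4", "Fqdn": "contoso.blob.core.windows.net", "action_s": "Allow"},
    {"Category": "AzureFirewallApplicationRule", "SourceIp": "10.0.2.7", "Fqdn": "logs.blob.core.windows.net", "action_s": "Allow"},
    {"Category": "AzureFirewallApplicationRule", "SourceIp": "10.0.2.7", "Fqdn": "evil.blob.core.windows.net", "action_s": "Deny"},
    {"Category": "AzureFirewallApplicationRule", "SourceIp": "10.0.3.9", "Fqdn": "www.example.com", "action_s": "Allow"},
]

# Constructed fat-flow log rows; FlowRate is in whatever unit the query divides by 1024.
FAT_FLOW_LOGS = [
    {"Category": "AzureFirewallFatFlowLog", "SourceIp": "10.0.1.4", "DestinationIp": "20.60.0.10", "FlowRate": 2048},
    {"Category": "AzureFirewallFatFlowLog", "SourceIp": "10.0.1.4", "DestinationIp": "20.60.0.11", "FlowRate": 1024},
    {"Category": "AzureFirewallFatFlowLog", "SourceIp": "10.0.2.7", "DestinationIp": "20.60.0.12", "FlowRate": 4096},
    {"Category": "AzureFirewallFatFlowLog", "SourceIp": "10.0.3.9", "DestinationIp": "93.184.216.34", "FlowRate": 8192},
]


def application_rule_data(rows, fqdn_fragment="blob."):
    """Stage 1: keep allowed application-rule rows whose FQDN contains the fragment, count by (SourceIp, Fqdn)."""
    counts = defaultdict(int)
    for r in rows:
        if r["Category"] != "AzureFirewallApplicationRule":
            continue
        if fqdn_fragment in r["Fqdn"] and r["action_s"] == "Allow":
            counts[(r["SourceIp"], r["Fqdn"])] += 1
    return dict(counts)


def flow_data(rows):
    """Stage 2: sum FlowRate / 1024 per (SourceIp, DestinationIp) over the fat-flow rows."""
    rates = defaultdict(float)
    for r in rows:
        if r["Category"] == "AzureFirewallFatFlowLog":
            rates[(r["SourceIp"], r["DestinationIp"])] += r["FlowRate"] / 1024
    return dict(rates)


def top_fqdn_flows(app_rows, flow_rows):
    """Stage 3: inner join on SourceIp (every matching pair, like Kusto's kind=inner),
    then total the flow rate per Fqdn and sort descending."""
    app = application_rule_data(app_rows)
    flows = flow_data(flow_rows)
    totals = defaultdict(float)
    for (src, fqdn) in app:
        for (fsrc, _dst), kbps in flows.items():
            if fsrc == src:
                totals[fqdn] += kbps
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def overcount(app_rows, flow_rows):
    """Attributed total minus the real flow total of the joined sources.
    Non-zero means a source reached more than one matching FQDN, so its
    flows were credited to each of them (the join has no destination key)."""
    app = application_rule_data(app_rows)
    flows = flow_data(flow_rows)
    joined_sources = {src for (src, _fqdn) in app}
    real = sum(kbps for (src, _dst), kbps in flows.items() if src in joined_sources)
    attributed = sum(kbps for _fqdn, kbps in top_fqdn_flows(app_rows, flow_rows))
    return attributed - real


if __name__ == "__main__":
    for fqdn, kbps in top_fqdn_flows(APP_RULE_LOGS, FAT_FLOW_LOGS):
        print(f"{fqdn:40s} {kbps:8.1f}")
    print("overcounted:", overcount(APP_RULE_LOGS, FAT_FLOW_LOGS))
```

On the constructed rows the denied entry and the non-"blob." FQDN drop out in stage 1, and 10.0.2.7 is credited its 4.0 correctly. Source 10.0.1.4, however, reached two matching FQDNs, so its 3.0 of throughput appears under both contoso and backup, and overcount reports 3.0. When you need per-FQDN accuracy rather than a rough ranking, join on the destination as well (for example by resolving each Fqdn to the DestinationIp seen in the flow logs) or treat the result as an upper bound per FQDN.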
Considerations
  • Performance Impact: Activating Top Flows logs can increase CPU usage. Enable these logs primarily during specific troubleshooting scenarios to avoid potential performance degradation.
  • Data Retention: Ensure that your Log Analytics workspace is configured with an appropriate data retention policy to maintain historical logs for trend analysis.
Conclusion
By effectively analyzing Azure Firewall logs with KQL, you can identify the top FQDNs impacting your network traffic. This insight allows for informed decisions on traffic management, security policy adjustments, and resource allocation, ultimately enhancing the performance and security of your Azure environment.

    Author

    Mohammad Al Rousan is a Microsoft MVP (Azure), Microsoft Certified Solution Expert (MCSE) in Cloud Platform & Azure DevOps & Infrastructure, and an active community blogger and speaker. Al Rousan has over 11 years of professional experience in IT Infrastructure and is very passionate about Microsoft technologies and products.