Loading...

Utilizing Azure DDoS Protection Workbook for DDoS attack traffic Analysis

Utilizing Azure DDoS Protection Workbook for DDoS attack traffic Analysis

In today's digital age, the security of applications, servers, and networks is paramount. One of the most significant threats to this security is Distributed Denial of Service (DDoS) attacks. These attacks can cripple your infrastructure, leading to downtime, loss of revenue, and damage to your reputation. Therefore, it is crucial to implement robust protection mechanisms to safeguard your digital assets.

 

Azure DDoS Protection offers a comprehensive solution to defend against these malicious attacks. It provides automatic attack detection and mitigation, ensuring that your applications and services remain available even during an attack. Azure DDoS Protection is seamlessly integrated with Azure's native services, making it an ideal choice for businesses already leveraging the Azure ecosystem. Some of the salient features of Azure DDoS Protection include Adaptive Tuning, Attack Analytics and Metrics, DDoS Rapid Response etc. By leveraging Azure DDoS Protection, businesses can ensure the resilience and availability of their digital infrastructure, providing peace of mind in an increasingly hostile cyber environment.

 

In this blog we will be focusing on how to understand the current DDoS attacks landscape within our environment using Azure DDoS Workbook.

 

Investigating DDoS Attacks Landscape with Azure DDoS Workbook

When a DDoS attack occurs, it's crucial to have the right tools to investigate and understand the attack's impact. The Azure DDoS Workbook is an invaluable resource for this purpose. It provides detailed insights into DDoS attack traffic over a given period of time in a single dashboard. For more information on a deep dive investigation of a DDoS Attack, check the detailed steps mentioned here.

 

Setting up the DDoS Workbook: Outlined below are the necessary steps to set up and effectively utilize the DDoS workbook.

 

  • Configure Diagnostic Logging and Metrics: Ensure that diagnostic settings are enabled for the public IP addresses you want to monitor. This will allow you to collect the required DDoS mitigation flow logs, reports and Metrics as shown below.

ShabazShaik_0-1726657626814.png

 

  • Access the Azure DDoS Workbook: The Azure DDoS Workbook can be deployed from either installing the Sentinel Solution for Azure DDoS Protection or using the deployment template in the Azure Network Security GitHub repository as shown below. It provides a comprehensive view of DDoS attack metrics and logs in a single dashboard.

 

1. Sentinel Solution: Navigate to the Sentinel Blade’s Content Hub tab and install the Azure DDoS Protection Solution.

 

ShabazShaik_1-1726657626821.png

 

2. Net Sec GitHub Repository: Navigate to the Net Sec GitHub Repository and deploy the workbook using Azure Deploy button as shown below:

 

ShabazShaik_2-1726657626832.png

 

  • Configuring the Azure DDoS Workbook: The Azure DDoS Workbook needs to be provided with the Log Analytic Workspace, TimeRange and Public IP resource details as shown below:

ShabazShaik_3-1726657626835.png

 

Analyzing the Workbook Details:

 

    • Traffic Overview: This section offers comprehensive details on the total number of packets and the various categories of dropped packets during the DDoS attacks for the timeline defined in the above step.

ShabazShaik_4-1726657626837.png

 

    • Last Ten DDoS Attack Reports: This section provides the details of Attack reports, resources affected, attack vectors and packet information as we can see below.

ShabazShaik_5-1726657626841.png

 

    • Location and Protocol details: This section provides categorized details on the protocols involved in the DDoS attacks, the origins of these attacks, and the protocol violations that occurred during past DDoS incidents.

ShabazShaik_6-1726657626847.png

 

    • Raw DDoS Mitigation and Flow Logs: Furthermore, if we would like to take a look at the Raw DDoS Logs those are also available as part of the workbook so that we do not have to separately look for them in the log analytic workspace. DDoS mitigation flow logs listed here are based on the sampled data.

ShabazShaik_7-1726657626860.png

 

    • DDoS Metrics Tab: The DDoS Metrics Tab provides graphical representation of all the important metrics like Packet count, Syn packets threshold to trigger DDoS mitigation, inbound DDoS TCP/UDP packets and Under DDoS attack or not as shown below. For detailed information on these metrics, check the blog referenced here. Most of the metrics here are based on number of Packets Per Second and Packets/Byte Counts.

ShabazShaik_8-1726657626866.png

 

    • Investigation Tab: The Investigation Tab in the workbook offers specific details on the number of packets that were dropped or allowed during past DDoS attacks, including the ports involved. Additionally, this tab provides information on the top attacking IPs and the timeline of the mitigation activities, as illustrated below.

ShabazShaik_9-1726657626878.png

 

 

Conclusion:

Azure DDoS Protection is a powerful service that helps protect your Azure resources from DDoS attacks. By leveraging the Azure DDoS Workbook, you can gain valuable insights into attack traffic and mitigation actions, enabling you to respond effectively and maintain the availability of your applications. Stay vigilant and proactive in defending against DDoS attacks to ensure the resilience of your online services.

Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)

We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...

2 hours ago

See our new Azure Cosmos DB Design Patterns

Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...

16 hours ago

Need a different partition key in Azure Cosmos DB? Pick the right approach

Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...

23 hours ago

Azure SDK Release (June 2026)

Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...

1 day ago

Fundamentals of Azure DevOps with SQL projects

Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...

4 days ago

Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers

Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...

5 days ago

What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)

We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...

6 days ago

Power Automate Flow — HTTP Trigger to Azure OpenAI

Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...

8 days ago

Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB

The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...

8 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy