July 3, 2025

In today’s digital world, Distributed Denial of Service (DDoS) attacks have become one of the most common and disruptive threats facing online applications and services. These attacks aim to overwhelm a target, typically a website, API, or server, by flooding it with massive volumes of traffic, rendering it slow or completely inaccessible.
Azure DDoS Protection is Microsoft’s cloud-native defense that helps safeguard public-facing endpoints hosted in Azure. It works by continuously monitoring traffic patterns at the network layer (L3 and L4) and applying mitigation techniques in real time when suspicious or anomalous activity is detected. Azure DDoS Protection is tightly integrated with the Azure platform and provides always-on traffic scrubbing without requiring any manual intervention.
While Azure mitigates these attacks in the background, understanding who is attacking, which resources are targeted, and how often these events occur is helpful. This is where Azure Logic Apps shines. Azure Logic Apps is a powerful platform to simplify the integration and automation of multiple services that help you run your business workflows. You can run your custom code or use no code at all to get your workflows running. When combined with Log Analytics & KQL queries, Logic Apps can help you extract critical insights from DDoS logs, including:
- Attack starts and end times
- Affected public IPs
- Top attacking IPs, countries, and ASNs
- Volume of traffic and packets dropped
- Attack patterns and frequency
- Application availability
The result of the process is an email alert with the details listed above about the resource associated with the Public IP. The owner of the resource is added as a recipient of the email, along with the security team, so both are alerted when the attack occurs. Whether you’re a security engineer, a product owner, or part of a cloud operations team, this solution can help you improve visibility and enhance coordination during DDoS incidents. Let’s dive into how this automation works.
Here is the link to this template.
Note: This template is an updated version of the one discussed in the blog post “Enriching DDoS Protection Alerts with Logic Apps”.
What this template contains:
- Log Search Alert rule
- Action Group
- Logic App
- Office 365 API Connector
- Azure Monitor Logs API Connector
Parameters to Input when deploying:
- Security team’s Email Address
- Company Domain (In the form of abc@domain.com)
- Workspace name (Name of the Log Analytics workspace being used)
Prerequisites:
- A Public IP Address with DDoS Protection enabled either via IP Protection or Network Protection
- A Log Analytics Workspace to which the above Public IP Address sends diagnostic logs, specifically all of the following categories:
  - DDoS protection notifications
  - Flow logs of DDoS mitigation decisions
  - Reports of DDoS mitigations
- 🔐Authentication Prerequisites:
  - Azure Resource Graph
    - The Logic App uses a Managed Identity to authenticate with Azure Resource Graph and query metadata about Azure resources
    - Required Role: the Logic App’s Managed Identity needs Reader or higher on the subscription (or resource group) that contains the Public IP address under DDoS protection
  - Log Analytics Workspace
    - To run Kusto queries and retrieve DDoS mitigation logs, the Logic App connects to the Log Analytics Workspace using the same Managed Identity
    - Required Role: the Logic App’s Managed Identity needs Log Analytics Reader on the target workspace
  - Office 365 (Email Notifications) API Connection
    - For sending enriched alert emails, the Logic App uses an API connection to Office 365. This connection must be authorized to send emails on behalf of the configured account, specifically with the Mail.Send and User.Read permissions
    - You must sign in and authorize this connection once during setup, using the Outlook account that should send the emails
    - If your tenant has admin consent policies, a Global Admin might need to approve use of the connectors (especially Office 365) for the Logic App
  - Azure Monitor Logs API Connection
    - The Logic App queries the Flow logs of DDoS mitigation decisions and the Reports of DDoS mitigations through this connection
    - It therefore needs an authorized AzureMonitorLogs API Connection to work as expected
    - You must sign in and authorize this connection once during setup
  - Firewall & Network Rules
    - Ensure that no IP restrictions block access from the Logic App to the target services or to the public test URL used in the HTTP step. You can find the Logic App’s outgoing IP addresses as follows:
      - Go to your Logic App
      - Select Properties
      - Look for the “Runtime outgoing IP addresses” section; these are your runtime IPs
Now, let’s look at what each of the items in the Template does and their workings below in detail:
- Log Search Alert rule
- Monitors log data: It continuously scans the Azure Diagnostics logs, specifically targeting entries where the Category is DDoSProtectionNotifications and the type_s field indicates a Mitigation started event
- Runs on a schedule: The rule runs every 5 minutes and looks back at the last 30 minutes of logs. This ensures near-real-time detection of mitigation activity. (The look-back window can be increased if needed)
- Triggers on the first sign of mitigation: If even one matching log entry is found (i.e., one mitigation event has started), the alert fires. This makes it extremely responsive
- Alerts through an Action Group: Once triggered, the rule calls a pre-defined Action Group, which invokes a webhook to notify a Logic App
Why It’s Useful:
While Azure DDoS Protection automatically mitigates volumetric and protocol attacks at the network edge, getting alerted when an event occurs requires your own configuration. This rule provides that by:
- Notifying your team the moment mitigation begins
- Adding observability, so you can correlate mitigation with service behavior or performance dips
- Action Group: Enrich-DDoSAlert — Connecting detection to automation
When a DDoS attack is detected through an Azure Monitor alert, the response needs to be fast and efficient. That’s where Action Groups come in. In this case, the Enrich-DDoSAlert action group acts as the automation trigger for our DDoS response pipeline.
This action group is configured to call a webhook tied to an Azure Logic App with a secure HTTP POST request as soon as the alert fires. The Logic App then carries out a series of enrichment and response steps based on the DDoS alert.
Why This Matters:
The action group acts as a real-time bridge between detection and automation, triggering the Logic App instantly when an alert fires. The Action Group ensures that:
- The alert is captured
- Automation is triggered
- The investigation process starts without delay
- Logic App: Enrich-DDoSAlert
Step-by-Step Breakdown
- Triggered via HTTP request
Accepts a payload containing alert metadata such as:
o Target resource ID
o DDoS alert details
o Search links and interval data
- Extracts impacted public IP and performs enrichment
Using Azure Resource Graph, it queries the target IP to determine:
o Associated Azure resource (VM, App Gateway, etc.)
o DNS name, tags, region, resource group, and owner (from tags)
- Connectivity Check (Optional Validation)
It performs an HTTP GET request to the DNS name/IP of the attacked resource, checking whether it is still up and responding
- Generates an HTML-formatted email
Using all this context, it builds a clean, readable email body that includes:
o Top source IPs
o IP under attack
o Resource name/type
o DNS name
o Region
o Tag info (owner, environment, etc.)
o Link to Log Analytics search results
o Status of connectivity test (code, headers, body)
- Queries Azure Monitor logs again (this time to build a thorough DDoS Post Mitigation Report)
After a 50-minute delay, it runs a query on the DDoS mitigation logs to extract:
o Top source IPs
o Top countries, ASNs, and continents
o Time of mitigation
o Traffic overview
Note: This delay is required, though it can be adjusted slightly. During this time the post-mitigation reports accumulate so they can be sent as an email in the next steps. Without the delay the reports will not populate correctly.
- Send a second email, titled “Post Mitigation DDoS Report”, containing the above data.
Post Mitigation Report plays a vital role in strengthening your defense strategy. By reviewing patterns in traffic origin, volume, and behavior, teams can:
o Identify recurring attack sources or suspicious geographies
o Correlate DDoS activity with other system anomalies
o Fine-tune firewall and WAF rules based on attacker fingerprints
In short, this enriched reporting not only enhances visibility but also enables teams to proactively adapt their security posture and reduce the impact of future attacks.
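To make the trigger and enrichment steps concrete, here is an added Python example (not code from the template or from Microsoft) that parses a constructed common-alert-schema payload as the Logic App’s HTTP trigger would receive it, validates the Public IP resource ID before using it, and builds the Resource Graph query the enrichment step runs; the subscription, resource names and search link are made up.

```python
import json
import re

# Constructed sample of the common alert schema payload the Action Group POSTs to the
# Logic App's HTTP trigger; the subscription, resource names and link are made up.
SAMPLE_ALERT = json.dumps({
    "schemaId": "azureMonitorCommonAlertSchema",
    "data": {
        "essentials": {
            "alertRule": "DDoS-MitigationStarted", "severity": "Sev1",
            "monitorCondition": "Fired", "firedDateTime": "2025-07-03T10:15:00Z",
            "alertTargetIDs": ["/subscriptions/00000000-0000-0000-0000-000000000000"
                               "/resourceGroups/rg-web/providers/Microsoft.Network"
                               "/publicIPAddresses/pip-web-01"]},
        "alertContext": {"condition": {
            "windowStartTime": "2025-07-03T09:45:00Z",
            "windowEndTime": "2025-07-03T10:15:00Z",
            "allOf": [{"linkToSearchResultsUI": "https://portal.azure.com/#example"}]}},
    },
})

# Only a well-formed Public IP resource ID is accepted; anything else is rejected
# instead of being interpolated into the Resource Graph query below.
PIP_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[\w.()-]+)"
    r"/providers/Microsoft\.Network/publicIPAddresses/(?P<name>[\w.-]+)$", re.I)

def is_public_ip_id(rid: str) -> bool:
    return PIP_ID_RE.match(rid) is not None

def parse_public_ip_target(payload: str) -> dict:
    """Pull the attacked Public IP and the alert's search window out of the payload."""
    data = json.loads(payload)["data"]
    hits = [t for t in data["essentials"]["alertTargetIDs"] if is_public_ip_id(t)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one Public IP target, got {hits}")
    m, cond = PIP_ID_RE.match(hits[0]), data["alertContext"]["condition"]
    return {"resource_id": hits[0], "subscription": m["sub"].lower(),
            "resource_group": m["rg"], "name": m["name"],
            "window_start": cond["windowStartTime"], "window_end": cond["windowEndTime"],
            "search_link": cond["allOf"][0]["linkToSearchResultsUI"]}

def build_resource_graph_query(target: dict) -> str:
    """KQL the enrichment step runs against Azure Resource Graph with the Managed Identity."""
    return ("resources\n| where type =~ 'microsoft.network/publicipaddresses'\n"
            f"| where id =~ '{target['resource_id']}'\n"
            "| project name, location, resourceGroup, ipAddress = properties.ipAddress,\n"
            "  dnsName = properties.dnsSettings.fqdn, attachedTo = properties.ipConfiguration.id,\n"
            "  owner = tags.owner, tags")
```

The query’s owner column is what feeds the owner recipient of the email, which is why the Managed Identity needs Reader on the scope holding the Public IP.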
- Who gets notified? Office 365 API connector
Both emails are sent using an authenticated Office 365 connector and delivered to the security team and to the owner taken from the resource’s tags (the security team address and company domain are entered during deployment). The high-priority first email ensures visibility, while the second report gives retrospective clarity.
Why this is useful:
- Reduces manual effort: No more pivoting across multiple tools to gather context
- Speeds up response: Teams get instant details
- Bridges Alert to Action: Combines signal (alert) with enrichment (resource graph + logs) and delivery (email)
- Customizable: You can adjust queries, recipients, or even trigger conditions
- Azure Monitor Logs API Connector
The Azure Monitor Logs API Connector allows Logic Apps to query data from Log Analytics using Kusto Query Language (KQL). In this solution, it’s essential for extracting DDoS-specific insights—such as top attacking IPs, countries, ASNs, and traffic volume—from diagnostic logs.
What It Does in This Template:
- Executes KQL queries against your Log Analytics Workspace
- Retrieves:
- Flow logs from DDoSMitigationFlowLogs
- Mitigation reports from DDoSMitigationReports
- Delivers summarized data such as:
- Top attacker IPs
- Source ASNs and countries
- Mitigation start/end time
- Traffic patterns
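As an added example (not the template’s own code), the following Python reduces a constructed Log Analytics query result into the summary fields the post-mitigation email carries; the flow-log column names are assumed for the demo and should be checked against your workspace.

```python
from collections import Counter

# Constructed sample in the shape the Log Analytics query REST API returns (tables ->
# columns -> rows). The column names are an assumption for this demo, not a verified
# DDoSMitigationFlowLogs schema; check them against your workspace before reuse.
SAMPLE_RESULT = {"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated", "type": "datetime"},
                {"name": "SourcePublicIpAddress", "type": "string"},
                {"name": "Protocol", "type": "string"},
                {"name": "TrafficAction", "type": "string"}],
    "rows": [
        ["2025-07-03T10:16:02Z", "203.0.113.10", "UDP", "Dropped"],
        ["2025-07-03T10:16:03Z", "203.0.113.10", "UDP", "Dropped"],
        ["2025-07-03T10:16:03Z", "203.0.113.77", "UDP", "Dropped"],
        ["2025-07-03T10:16:05Z", "198.51.100.8", "TCP", "Allowed"],
        ["2025-07-03T10:16:09Z", "203.0.113.10", "UDP", "Dropped"],
        ["2025-07-03T10:16:11Z", "203.0.113.77", "TCP", "Dropped"],
        ["2025-07-03T10:16:15Z", "192.0.2.200", "TCP", "Allowed"],
    ]}]}

def rows_as_dicts(result: dict, table: str = "PrimaryResult") -> list:
    """Zip the column descriptors with each row (the connector's list action does the same)."""
    for t in result.get("tables", []):
        if t["name"] == table:
            names = [c["name"] for c in t["columns"]]
            return [dict(zip(names, r)) for r in t["rows"]]
    raise ValueError(f"table {table!r} missing from query result")

def summarize_mitigation(result: dict, top_n: int = 3) -> dict:
    """Reduce flow rows to the fields the post-mitigation email reports."""
    rows = rows_as_dicts(result)
    if not rows:  # before the delay has elapsed the table is empty; say so explicitly
        return {"total_flows": 0, "note": "no mitigation flow rows in the query window"}
    dropped = [r for r in rows if r["TrafficAction"] == "Dropped"]
    times = sorted(r["TimeGenerated"] for r in rows)
    return {
        "mitigation_start": times[0], "mitigation_end": times[-1],
        "total_flows": len(rows), "dropped": len(dropped), "allowed": len(rows) - len(dropped),
        "top_source_ips": Counter(r["SourcePublicIpAddress"] for r in dropped).most_common(top_n),
        "top_protocols": Counter(r["Protocol"] for r in dropped).most_common(top_n),
    }
```

Ranking only dropped flows keeps legitimate clients that were allowed through out of the “top attacker” list.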
Here are some examples of the Automated & Enriched DDoS E-Mails:
Potential Attack, First Email, as soon as an attack event is identified:
Post Mitigation Summary Email:
Conclusion:
This Logic App doesn’t just automate alerting—it empowers your team with actionable context. By stitching together signals from Azure Monitor and Resource Graph, and packaging them into enriched, structured emails, it transforms raw alerts into informed decisions. Whether you’re triaging incidents or conducting post-attack analysis, this setup ensures you’re not starting from scratch each time. As attacks grow more complex, automation like this isn’t just nice to have—it’s essential. Start simple, adapt to your needs, and let your defenses work smarter.