Has anyone figured out how to extract the useful fields from Azure Firewall Logs? We are logging our Azure Firewall logs to a storage account and Splunk is pulling those with the Splunk Microsoft Cloud Services app. The app doesn't appear to include the field extractions for these types of logs. I am not well versed in regex, so I tried using the Splunk field extractor in the GUI, but I ran into issues. I mainly need the protocol, src_ip, src_port, dest_ip, dest_port, action. I was able to get this working for TCP and UDP traffic, but the problems started with ICMP traffic. My field extractions wouldn't match the ICMP traffic. I think this was due to no port field in those. Then I noticed a few other logs that would not be the same as the TCP/UDP logs either. Here are some sample scrubbed logs in case someone is willing to help here. Or if anyone has already solved this with some app that I am not aware of, I would appreciate some help! Thanks in advance.
Here are all the sample log examples I am seeing coming from the Azure Firewalls:
{ "category": "AzureFirewallNetworkRule", "time": "2019-07-30T17:43:59.9812590Z", "resourceId": "/SUBSCRIPTIONS/XXXX1111-XX11-XX11-XX11-XXXXXX111111/RESOURCEGROUPS/NET-XXX1-XXX1-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/NET-XXX1-XXX1-FW01", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"TCP request from XXX.X.178.18:42132 to XXX.X.242.12:51113. Action: Allow"}}
{ "category": "AzureFirewallNetworkRule", "time": "2019-07-30T17:44:59.4538600Z", "resourceId": "/SUBSCRIPTIONS/XXXX1111-XX11-XX11-XX11-XXXXXX111111/RESOURCEGROUPS/NET-XXX1-XXX1-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/NET-XXX1-XXX1-FW02", "operationName": "AzureFirewallNetworkRuleLog", "properties": {"msg":"ICMP request from XXX.X.10.1 to XXX.X.69.5. Action: Allow"}}
{ "category": "AzureFirewallNetworkRule", "time": "2019-07-30T16:13:54.9901410Z", "resourceId": "/SUBSCRIPTIONS/XXXX1111-XX11-XX11-XX11-XXXXXX111111/RESOURCEGROUPS/DMZ-XXX1-XXX1-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/DMZ-XXX1-XXX1-FW01", "operationName": "AzureFirewallNatRuleLog", "properties": {"msg":"TCP request from XXX.X.131.34:3318 to XXX.X.224.170:3299 was DNAT'ed to XXX.X.80.5:3299"}}
{ "category": "AzureFirewallNetworkRule", "time": "2019-07-30T16:39:45.5354460Z", "resourceId": "/SUBSCRIPTIONS/XXXX1111-XX11-XX11-XX11-XXXXXX111111/RESOURCEGROUPS/DMZ-XXX1-XXX1-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/DMZ-XXX1-XXX1-FW01", "operationName": "AzureFirewallThreatIntelLog", "properties": {"msg":"TCP request from XXX.X.231.199:33348 to XXX.X.224.170:443. Action: Alert. ThreatIntel: Port Scan"}}
{ "category": "AzureFirewallApplicationRule", "time": "2019-07-30T17:19:00.1880780Z", "resourceId": "/SUBSCRIPTIONS/XXXX1111-XX11-XX11-XX11-XXXXXX111111/RESOURCEGROUPS/DMZ-XXX1-XXX1-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/DMZ-XXX1-XXX1-FW01", "operationName": "AzureFirewallApplicationRuleLog", "properties": {"msg":"HTTPS request from XXX.X.110.8:65486 to abcd.efghijk.com:443. Action: Deny. No rule matched. Proceeding with default action"}}
{ "category": "AzureFirewallApplicationRule", "time": "2019-07-30T12:00:04.0868100Z", "resourceId": "/SUBSCRIPTIONS/XXXX1111-XX11-XX11-XX11-XXXXXX111111/RESOURCEGROUPS/DMZ-XXX1-XXX1-RG/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/DMZ-XXX1-XXX1-FW01", "operationName": "AzureFirewallApplicationRuleLog", "properties": {"msg":"HTTPS request from XXX.X.66.64:30476. Action: Deny. Reason: SNI TLS extension was missing."}}
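As an added example (not from the original post, and not Splunk's or Microsoft's own extraction), here is one regex that covers all six message shapes shown above: TCP/UDP with ports, ICMP without ports, NAT rule logs with a DNAT target, threat-intel alerts, application rule logs with an FQDN destination, and the "SNI missing" case that has no destination at all. Every optional piece is wrapped in its own optional group, so the extraction does not fail when a field is absent. It is run here in Python over constructed events modelled on the samples (IP addresses, the subscription ID and the resource names are made up); the `make_event`, `parse_event` and `parse_all` helpers and the `DNAT` action label are my own.

```python
import json
import re

RESOURCE_ID = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/NET-RG"
               "/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/NET-FW01")  # constructed


def make_event(category, operation, msg):
    """Build a constructed Azure Firewall diagnostic event in the JSON shape the post shows."""
    return json.dumps({
        "category": category,
        "time": "2019-07-30T17:43:59.9812590Z",
        "resourceId": RESOURCE_ID,
        "operationName": operation,
        "properties": {"msg": msg},
    })


# Constructed sample events, one per message shape seen in the post.
SAMPLE_EVENTS = [
    make_event("AzureFirewallNetworkRule", "AzureFirewallNetworkRuleLog",
               "TCP request from 10.1.178.18:42132 to 10.2.242.12:51113. Action: Allow"),
    make_event("AzureFirewallNetworkRule", "AzureFirewallNetworkRuleLog",
               "ICMP request from 10.1.10.1 to 10.2.69.5. Action: Allow"),
    make_event("AzureFirewallNetworkRule", "AzureFirewallNatRuleLog",
               "TCP request from 198.51.100.34:3318 to 203.0.113.170:3299 was DNAT'ed to 10.3.80.5:3299"),
    make_event("AzureFirewallNetworkRule", "AzureFirewallThreatIntelLog",
               "TCP request from 198.51.100.199:33348 to 203.0.113.170:443. Action: Alert. ThreatIntel: Port Scan"),
    make_event("AzureFirewallApplicationRule", "AzureFirewallApplicationRuleLog",
               "HTTPS request from 10.1.110.8:65486 to abcd.efghijk.com:443. Action: Deny. "
               "No rule matched. Proceeding with default action"),
    make_event("AzureFirewallApplicationRule", "AzureFirewallApplicationRuleLog",
               "HTTPS request from 10.1.66.64:30476. Action: Deny. Reason: SNI TLS extension was missing."),
]

# A host is an IP or FQDN; it is terminated by ":port", by ". " (end of the clause),
# by whitespace, or by the end of the message. The lazy quantifier plus lookahead keeps
# the trailing "." of "10.2.69.5." out of the ICMP destination field.
HOST = r"[^\s:]+?(?=:|\. |\s|$)"

# PCRE-compatible: the same pattern text works in Splunk's rex command or transforms.conf.
MSG_RE = re.compile(
    r"^(?P<protocol>\S+) request from (?P<src_ip>" + HOST + r")(?::(?P<src_port>\d+))?"
    r"(?: to (?P<dest_ip>" + HOST + r")(?::(?P<dest_port>\d+))?)?"      # absent for "SNI missing"
    r"(?: was DNAT'ed to (?P<dnat_ip>" + HOST + r")(?::(?P<dnat_port>\d+))?)?"  # NAT rule logs only
    r"(?:\. Action: (?P<action>\w+))?"                                  # absent for NAT rule logs
    r"(?:\. ThreatIntel: (?P<threat_intel>[^.]+))?"
    r"(?:\. Reason: (?P<reason>[^.]+))?"
)


def parse_event(raw):
    """Parse one raw JSON event into the normalised fields a SIEM search wants."""
    event = json.loads(raw)
    msg = event["properties"]["msg"]
    match = MSG_RE.match(msg)
    if match is None:
        # Fail loudly on a new message shape instead of silently half-extracting it.
        raise ValueError(f"unrecognised Azure Firewall message: {msg!r}")
    fields = match.groupdict()
    fields["category"] = event["category"]
    fields["operationName"] = event["operationName"]
    # Normalisation choices of this example, not Azure's: NAT rule logs carry no
    # "Action:" token, so label them DNAT; port-less protocols keep port fields as None.
    if fields["action"] is None and fields["dnat_ip"]:
        fields["action"] = "DNAT"
    for port in ("src_port", "dest_port", "dnat_port"):
        if fields[port] is not None:
            fields[port] = int(fields[port])
    return fields


def parse_all(raw_events):
    """Parse a list of raw events; raises on the first event the regex does not recognise."""
    return [parse_event(e) for e in raw_events]


if __name__ == "__main__":
    for f in parse_all(SAMPLE_EVENTS):
        print(f"{f['operationName']:32} {f['protocol']:5} {f['src_ip']}:{f['src_port']} -> "
              f"{f['dest_ip']}:{f['dest_port']} action={f['action']} dnat={f['dnat_ip']} "
              f"ti={f['threat_intel']} reason={f['reason']}")
```

In Splunk the same pattern can be applied with `| rex field=properties.msg "<pattern>"` once the JSON has been auto-extracted (or after `| spath`), or placed as the REGEX in a transforms.conf stanza keyed on `properties.msg`; the named groups become the fields directly. The point that matters for a SIEM is that the port, destination, DNAT, ThreatIntel and Reason groups are all optional, so ICMP, NAT and "SNI missing" events get the fields they do have instead of failing the extraction entirely, and an event whose message shape is genuinely new is flagged rather than quietly dropped from searches.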