Self Service Ingestion
Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Azure Network Firewall logs | ✅ | ✅ | ✅ | azure_network_firewall_logs | NDJSON | TYPE_AZURE_BLOCK_BLOB |
Overview
Azure Network Firewall logs, commonly seen in Azure Monitor as categories such as AZFWNetworkRule, provide structured visibility into traffic decisions made by Azure Firewall. They record details such as source and destination IPs and ports, protocol, the action taken (Allow or Deny), and the exact policy, rule collection group, rule collection, and rule that matched the traffic. Microsoft documents these logs using the Azure resource log schema and the AZFWNetworkRule table reference, which describes both common envelope fields and firewall-specific fields.
Send data to Hunters
Hunters supports ingestion of these logs through the Azure Block Storage List collection method, which delivers the data to Hunters.
To connect Azure Network Firewall logs:
Azure Block Storage List
Follow this guide to route Network Firewall logs from Azure to Hunters using Azure Block Storage.
Supported data types
Azure Network Firewall logs
Table name: azure_network_firewall_logs
These logs are valuable for security monitoring, troubleshooting, and audit use cases. They help analysts confirm whether traffic was explicitly allowed or denied, trace which firewall rule was responsible, investigate outbound and inbound connection activity, and detect suspicious or unexpected rule usage. Because Azure Firewall monitoring data is integrated with Azure Monitor and Log Analytics, these logs can also support alerting, dashboards, and Hunters SIEM detections when forwarded into Microsoft Sentinel or external platforms.
Expected format
Logs are expected in NDJSON format.
{ "time": "2024-01-01T00:00:00.000000+00:00", "resourceId": "/SUBSCRIPTIONS/<SUBSCRIPTION_ID>/RESOURCEGROUPS/<RESOURCE_GROUP>/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/<FIREWALL_NAME>", "properties": {"Protocol":"TCP","SourceIp":"10.0.0.1","SourcePort":12345,"DestinationIp":"20.0.0.2","DestinationPort":443,"Action":"Allow","Policy":"<POLICY_NAME>","RuleCollectionGroup":"<RULE_COLLECTION_GROUP>","RuleCollection":"<RULE_COLLECTION>","Rule":"<RULE_NAME>","ActionReason":""}, "category": "AZFWNetworkRule"}
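The following is an added example, not Hunters' own ingestion code, showing how an analyst might parse the NDJSON format above and use it for the monitoring cases described under Supported data types: flattening the envelope and properties fields of AZFWNetworkRule records, counting Deny decisions per policy/rule path, and listing sources denied on several destination ports. The placeholder names (<POLICY_NAME>, <RULE_NAME>, and so on) are the page's; the log lines, the <DENY_RULE> and <APP_RULE> values, the two-port threshold, and the function names are constructed for this example.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

NETWORK_RULE_CATEGORY = "AZFWNetworkRule"

# Envelope fields plus the firewall-specific properties named on the page.
ENVELOPE_FIELDS = ("time", "resourceId", "category")
PROPERTY_FIELDS = ("Protocol", "SourceIp", "SourcePort", "DestinationIp", "DestinationPort",
                   "Action", "Policy", "RuleCollectionGroup", "RuleCollection", "Rule", "ActionReason")


def _record(time, src, sport, dst, dport, action, rule, category=NETWORK_RULE_CATEGORY, proto="TCP"):
    """Build one constructed log line in the shape of the page's NDJSON example."""
    return json.dumps({
        "time": time,
        "resourceId": "/SUBSCRIPTIONS/<SUBSCRIPTION_ID>/RESOURCEGROUPS/<RESOURCE_GROUP>"
                      "/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/<FIREWALL_NAME>",
        "properties": {"Protocol": proto, "SourceIp": src, "SourcePort": sport,
                       "DestinationIp": dst, "DestinationPort": dport, "Action": action,
                       "Policy": "<POLICY_NAME>", "RuleCollectionGroup": "<RULE_COLLECTION_GROUP>",
                       "RuleCollection": "<RULE_COLLECTION>", "Rule": rule, "ActionReason": ""},
        "category": category,
    })


# Constructed sample input: four network-rule records, one application-rule record
# (a different category, to be ignored), a blank line, and one malformed line.
SAMPLE_NDJSON = "\n".join([
    _record("2024-01-01T00:00:00.000000+00:00", "10.0.0.1", 12345, "20.0.0.2", 443, "Allow", "<RULE_NAME>"),
    _record("2024-01-01T00:00:01.000000+00:00", "10.0.0.5", 40001, "20.0.0.9", 22, "Deny", "<DENY_RULE>"),
    _record("2024-01-01T00:00:02.000000+00:00", "10.0.0.5", 40002, "20.0.0.9", 3389, "Deny", "<DENY_RULE>"),
    _record("2024-01-01T00:00:03.000000+00:00", "10.0.0.7", 40003, "20.0.0.9", 22, "Deny", "<DENY_RULE>"),
    _record("2024-01-01T00:00:04.000000+00:00", "10.0.0.1", 40004, "20.0.0.2", 80, "Allow", "<APP_RULE>",
            category="AZFWApplicationRule"),
    "",
    "{not valid json",
])


def parse_network_rule_logs(text: str) -> Tuple[List[Dict], int]:
    """Parse NDJSON text: one JSON object per line, envelope fields at the top level
    and firewall fields under "properties". Keeps only AZFWNetworkRule records and
    returns (records, skipped_line_count) so a pipeline can alert on dropped lines."""
    records: List[Dict] = []
    skipped = 0
    for line in text.splitlines():
        if not line.strip():
            continue  # blank lines carry no record
        try:
            raw = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # malformed line, e.g. a chunk cut off mid-write
            continue
        if raw.get("category") != NETWORK_RULE_CATEGORY:
            continue
        props = raw.get("properties") or {}
        flat = {k: raw.get(k) for k in ENVELOPE_FIELDS}
        flat.update({k: props.get(k) for k in PROPERTY_FIELDS})
        records.append(flat)
    return records, skipped


def deny_counts_by_rule(records: List[Dict]) -> Counter:
    """Count Deny decisions per (Policy, RuleCollectionGroup, RuleCollection, Rule),
    i.e. which rule path was responsible for each block."""
    return Counter((r["Policy"], r["RuleCollectionGroup"], r["RuleCollection"], r["Rule"])
                   for r in records if r["Action"] == "Deny")


def sources_denied_on_many_ports(records: List[Dict], min_ports: int = 2) -> List[str]:
    """Source IPs denied against at least min_ports distinct destination ports: a simple
    triage signal for unexpected rule usage. The threshold is a constructed default."""
    ports_by_source: Dict[str, set] = {}
    for r in records:
        if r["Action"] == "Deny":
            ports_by_source.setdefault(r["SourceIp"], set()).add(r["DestinationPort"])
    return sorted(ip for ip, ports in ports_by_source.items() if len(ports) >= min_ports)


if __name__ == "__main__":
    recs, dropped = parse_network_rule_logs(SAMPLE_NDJSON)
    print(f"parsed {len(recs)} network-rule records, skipped {dropped} malformed line(s)")
    for path, n in deny_counts_by_rule(recs).items():
        print("Deny", n, "->", " / ".join(path))
    print("sources denied on multiple ports:", sources_denied_on_many_ports(recs))
```

The parser deliberately reports skipped lines instead of silently dropping them; a rising skip count after a blob-storage fetch is itself something to alert on, since it usually means partial or concatenated objects rather than a firewall problem.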