Andrew Posted on 7:10 am

Part 2: Visualizing DDoS Defense—Workbooks, Mitigation Reports & GitHub Tooling

Today we start the second phase of our DDoS protection journey—where visibility becomes your superpower, and raw telemetry transforms into strategic insight.

You’ve done the hard work: diagnostic logging is enabled, your DDoS protection plan is active, and telemetry is flowing into Log Analytics.  Now it’s time to elevate your defense posture from reactive to predictive.  Because in cloud security, knowing what happened isn’t enough—you need to know what’s happening now, and what’s likely to happen next.

In this second installment, we’ll unlock the full analytical potential of your Azure setup. You’ll learn how to:

  • Deploy and customize the DDoS Protection Workbook from Azure’s Content Hub
  • Interpret mitigation reports to understand Azure’s automated response
  • Extend visibility across Azure Front Door and WAF using Microsoft’s GitHub tooling
  • Correlate DDoS events with application performance to quantify impact and guide response

This phase is about operational maturity.  It’s about giving your team the dashboards, queries, and context they need to make informed decisions—whether that’s tuning firewall rules, scaling resources, or briefing leadership.

💡 AzureTracks Tip: Visibility isn’t just about pretty charts—it’s about empowering your team to act faster, smarter, and with greater confidence.

Let’s turn your telemetry into tactical advantage—and make your cloud defense posture not just resilient, but intelligent.

To understand traffic trends in the data, we can dive deeper using KQL once our data sources are configured (see Part 1).

You will be able to see the start and end of attack traffic flows, and you can tune the queries to meet your own requirements.

📘 Step 1: Add the DDoS Workbook from Azure Content Hub

Why it matters: Workbooks offer a visual, interactive way to explore DDoS telemetry—no Kusto queries required.

How to do it:

  1. In the Azure Portal, search for Workbooks.
  2. Click + New → From Gallery.
  3. In the gallery, search for DDoS Protection Workbook.
  4. Select the workbook titled DDoS Protection (published by Microsoft).
  5. Click Save and choose your Log Analytics workspace (the one you configured in Part 1).
  6. Open the workbook and explore the tabs:
    • Attack Summary
    • Mitigation Flow Logs
    • Notifications
    • Top Attacked Resources

Explore metrics from attacks using the DDoS Workbook:

Explore details within an attack cycle or event:

💡 AzureTracks Tip: Customize the workbook filters to focus on specific time ranges, IPs, or resource groups. This helps isolate patterns and anomalies.

📄 Step 2: Understand Mitigation Reports

Why it matters: Mitigation reports reveal how Azure responded to an attack—what was blocked, how long it lasted, and what resources were targeted.

Where to find them:

  1. Go to your Log Analytics workspace.
  2. Open the Logs blade.
  3. Use the following Kusto query to surface mitigation reports:

KQL:

AzureDiagnostics
| where Category == "DDoSMitigationReports"   // category name must match exactly (straight quotes)
| project TimeGenerated, ResourceId, AttackType_s, AttackVector_s, MitigationReason_s, Duration_s

Key fields to watch:

  • AttackType_s: Type of DDoS attack (e.g., SYN flood, UDP)
  • AttackVector_s: Protocol or method used
  • MitigationReason_s: Why Azure initiated mitigation
  • Duration_s: How long the attack lasted

🧠 AzureTracks Insight: If you see frequent mitigations on the same resource, consider reviewing your exposure—are you publishing unnecessary public IPs?
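As an added example (not code from the AzureTracks post), the following Python applies the insight above to rows exported from the mitigation report query: it counts reports per ResourceId over a lookback window, flags resources that were mitigated repeatedly, and breaks the attack vectors down per resource so you can see which protocols a public IP is actually drawing. The sample rows, the `<sub-id>` placeholder in the resource IDs, the MitigationReason_s values, and the seven-day window with a three-report threshold are all constructed assumptions; the column names are the ones the post's query projects.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps Log Analytics exports (e.g. 2025-05-01T08:05:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def rid(name: str) -> str:
    """Build a public IP ARM resource ID; <sub-id> is a placeholder, not a real subscription."""
    return ("/subscriptions/<sub-id>/resourceGroups/rg-web/providers/"
            f"Microsoft.Network/publicIPAddresses/{name}")


# Constructed sample rows shaped like the projection in the mitigation report query.
# Column names follow the post; every value here is made up for the example.
SAMPLE_REPORTS = [
    {"TimeGenerated": "2025-04-10T02:15:00Z", "ResourceId": rid("pip-web-01"),
     "AttackType_s": "UDP flood", "AttackVector_s": "UDP", "MitigationReason_s": "Threshold exceeded"},
    {"TimeGenerated": "2025-04-28T09:40:00Z", "ResourceId": rid("pip-web-01"),
     "AttackType_s": "SYN flood", "AttackVector_s": "TCP", "MitigationReason_s": "Threshold exceeded"},
    {"TimeGenerated": "2025-04-29T14:05:00Z", "ResourceId": rid("pip-api-01"),
     "AttackType_s": "SYN flood", "AttackVector_s": "TCP", "MitigationReason_s": "Threshold exceeded"},
    {"TimeGenerated": "2025-04-30T22:50:00Z", "ResourceId": rid("pip-web-01"),
     "AttackType_s": "SYN flood", "AttackVector_s": "TCP", "MitigationReason_s": "Threshold exceeded"},
    {"TimeGenerated": "2025-05-01T08:05:00Z", "ResourceId": rid("pip-web-01"),
     "AttackType_s": "SYN flood", "AttackVector_s": "TCP", "MitigationReason_s": "Threshold exceeded"},
]

# Constructed "current time" so the example is deterministic.
NOW = parse_time("2025-05-02T00:00:00Z")


def mitigations_per_resource(reports, since, until):
    """Count mitigation reports per ResourceId with since <= TimeGenerated < until."""
    counts = Counter()
    for row in reports:
        if since <= parse_time(row["TimeGenerated"]) < until:
            counts[row["ResourceId"]] += 1
    return counts


def repeat_mitigated(reports, now=NOW, lookback=timedelta(days=7), threshold=3):
    """Resources mitigated at least `threshold` times in the lookback window:
    the 'frequent mitigations on the same resource' case that warrants an exposure review."""
    counts = mitigations_per_resource(reports, now - lookback, now)
    return sorted((res, n) for res, n in counts.items() if n >= threshold)


def vectors_by_resource(reports):
    """Per-resource breakdown of AttackVector_s, useful when deciding which
    protocols a public endpoint really needs to expose."""
    breakdown = defaultdict(Counter)
    for row in reports:
        breakdown[row["ResourceId"]][row["AttackVector_s"]] += 1
    return breakdown


if __name__ == "__main__":
    for res, n in repeat_mitigated(SAMPLE_REPORTS):
        print(f"review exposure: {res} mitigated {n} times in the last 7 days")
    for res, vectors in vectors_by_resource(SAMPLE_REPORTS).items():
        print(res.rsplit("/", 1)[-1], dict(vectors))
```

Feed it the rows from the query above (exported as JSON from the Logs blade) and it lists every resource that crossed the threshold, which is the list to check against your inventory of public IPs that still need to be published.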

🧪 Step 3: Explore Microsoft’s GitHub Repo for Azure Front Door & WAF

Why it matters: Azure Front Door and WAF offer additional layers of protection, especially for web-facing applications.  Microsoft’s GitHub repo includes templates, dashboards, and queries to extend your visibility.

How to use it:

  1. Visit Microsoft’s Azure WAF GitHub Repo.
  2. Browse the Workbooks folder for:
    • WAF Logs Workbook
    • Front Door Insights Workbook
  3. Download the .json workbook file.
  4. In Azure Portal:
    • Go to Workbooks → + New → Advanced Editor.
    • Paste the JSON content.
    • Save and connect to your Log Analytics workspace.

🔍 AzureTracks Tip: These workbooks help correlate WAF rule matches with DDoS events—especially useful for layered defense strategies.

🧩 Step 4: Correlate DDoS Events with Application Impact

Why it matters: Not all DDoS events cause downtime—but some do. Correlating attack telemetry with application metrics helps quantify impact.

How to do it:

  1. In your Log Analytics workspace, query both DDoS logs and App Insights metrics.
  2. Use time-based joins to correlate spikes in latency, failed requests, or CPU usage with DDoS mitigation timestamps.

KQL:

// Bucket both sides to the same 5-minute bin; an exact-timestamp equality join
// between raw report times and 5-minute request bins would almost never match.
let ddos = AzureDiagnostics
| where Category == "DDoSMitigationReports"
| project TimeGenerated = bin(TimeGenerated, 5m), ResourceId, AttackType_s;
// Workspace-based Application Insights tables use TimeGenerated and Name
// (timestamp and name are the classic App Insights column names).
let app = AppRequests
| summarize RequestCount = count(), FailedRequests = countif(Success == false)
    by TimeGenerated = bin(TimeGenerated, 5m), Name;
ddos
| join kind=inner (app) on TimeGenerated
| project TimeGenerated, ResourceId, AttackType_s, Name, RequestCount, FailedRequests

📌 Pro Tip: This kind of correlation is gold for incident postmortems and executive reporting.
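The same time-bin correlation as an added Python example (not code from the AzureTracks post), so the join logic can be exercised offline and the impact actually quantified: mitigation reports and request telemetry are bucketed into the same 5-minute bins, inner-joined on the bin, and the failure rate and median latency in mitigated bins are compared against the other bins. The mitigation rows, the generated request rows (shaped like AppRequests with TimeGenerated, Name, Success and DurationMs), and the resource names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

BIN_SECONDS = 300  # 5-minute bins, matching bin(TimeGenerated, 5m) in the KQL


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def bin_start(ts: datetime) -> int:
    """Epoch seconds of the 5-minute bucket containing ts."""
    return int(ts.timestamp() // BIN_SECONDS) * BIN_SECONDS


# Constructed DDoS mitigation report rows: (TimeGenerated, ResourceId, AttackType_s).
DDOS_REPORTS = [
    ("2025-05-01T08:07:30Z", "pip-web-01", "SYN flood"),
    ("2025-05-01T08:12:10Z", "pip-web-01", "SYN flood"),
]


def make_requests(start: str, ok: int, failed: int, latency_ms: float):
    """Constructed AppRequests-like rows spread evenly across one 5-minute window."""
    base = parse_time(start).timestamp()
    total = ok + failed
    return [{"TimeGenerated": datetime.fromtimestamp(base + i * BIN_SECONDS / total, tz=timezone.utc),
             "Name": "GET /api/orders", "Success": i >= failed, "DurationMs": latency_ms}
            for i in range(total)]


# Two quiet bins around two bins that overlap the mitigation reports above.
APP_REQUESTS = (
    make_requests("2025-05-01T08:00:00Z", ok=200, failed=2, latency_ms=120)
    + make_requests("2025-05-01T08:05:00Z", ok=150, failed=50, latency_ms=900)
    + make_requests("2025-05-01T08:10:00Z", ok=120, failed=80, latency_ms=1500)
    + make_requests("2025-05-01T08:15:00Z", ok=200, failed=3, latency_ms=130)
)


def summarize_requests(requests):
    """Per-bin request count, failure rate and median latency (the 'app' side of the join)."""
    bins = defaultdict(lambda: {"count": 0, "failed": 0, "latencies": []})
    for row in requests:
        b = bins[bin_start(row["TimeGenerated"])]
        b["count"] += 1
        b["failed"] += 0 if row["Success"] else 1
        b["latencies"].append(row["DurationMs"])
    return {key: {"count": v["count"], "failure_rate": v["failed"] / v["count"],
                  "median_ms": median(v["latencies"])} for key, v in bins.items()}


def correlate(reports, requests):
    """Inner join of mitigation reports and app metrics on the 5-minute bin."""
    app = summarize_requests(requests)
    joined = []
    for time_generated, resource_id, attack_type in reports:
        key = bin_start(parse_time(time_generated))
        if key in app:
            joined.append({"bin": datetime.fromtimestamp(key, tz=timezone.utc),
                           "resource": resource_id, "attack_type": attack_type, **app[key]})
    return joined


def impact(reports, requests):
    """Mean failure rate in bins with an active mitigation versus all other bins."""
    app = summarize_requests(requests)
    attacked = {bin_start(parse_time(t)) for t, _, _ in reports}
    during = [m["failure_rate"] for k, m in app.items() if k in attacked]
    baseline = [m["failure_rate"] for k, m in app.items() if k not in attacked]
    return {"during_attack": sum(during) / len(during) if during else 0.0,
            "baseline": sum(baseline) / len(baseline) if baseline else 0.0}


if __name__ == "__main__":
    for row in correlate(DDOS_REPORTS, APP_REQUESTS):
        print(row["bin"].isoformat(), row["resource"], row["attack_type"],
              f"failure_rate={row['failure_rate']:.2f} median_ms={row['median_ms']}")
    print(impact(DDOS_REPORTS, APP_REQUESTS))
```

The `impact` figure is the number to carry into a postmortem: a failure rate that jumps from about 1% to over 30% during mitigated bins is a measurable outage, while a rate that stays flat tells you the mitigation absorbed the attack without user-visible effect.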

Understanding different types of information within an attack is a key step to building effective protections against these attacks.  As a quick way to group results, we can again use some quick KQL to help us understand this:

🧠 Summary: From Configuration to Clarity—Your Azure DDoS Defense, Fully Realized

With Part 2 complete, you’ve now crossed the threshold from setup to strategy.  You’ve gone beyond enabling protection—you’ve built a system that sees, understands, and responds to threats in real time.  This is what operational maturity looks like in the cloud.

Let’s recap what you’ve accomplished:

  • You deployed the DDoS Protection Workbook, giving your team a visual dashboard of attack telemetry, mitigation actions, and resource impact.
  • You learned how to query and interpret mitigation reports, surfacing key details like attack type, duration, and Azure’s automated response.
  • You extended your visibility across Azure Front Door and WAF, using Microsoft’s GitHub tooling to correlate web-layer threats with infrastructure-level events.
  • You built the capability to correlate DDoS activity with application performance, helping you quantify impact and guide response strategies with precision.

This isn’t just a technical win—it’s a strategic one.

You’ve equipped your environment with the tools to not only withstand attacks, but to learn from them.  You’ve created a feedback loop between telemetry and action, between visibility and resilience.

💡 AzureTracks Tip: The best defense isn’t just reactive—it’s adaptive.  The more you observe, the smarter your architecture becomes.

Whether you’re briefing leadership, conducting postmortems, or refining firewall rules, the insights you’ve unlocked will serve as a foundation for smarter decisions and faster responses. As DDoS threats continue to evolve, your Azure environment is now positioned to evolve with them.

This two-part series has taken you from the nuts and bolts of configuration to the high-level strategy of observability... but wait!  The journey doesn’t end here.

Azure’s security ecosystem is vast, and there are always new layers to explore—from Sentinel integrations to automated playbooks and beyond.

So stay curious. Stay vigilant. And keep building with intention.

🧠 Final AzureTracks Insight: Security isn’t a destination—it’s a discipline.  Today, you’ve taken a major step forward.