Azure Firewall Selective Logging: Finally Logging Smart, Not Everything

Hi. Actually i dont know if my blog interested at all to any one, but any way 🙂 

if your SIEM is drowning in firewall logs—allowed traffic, denied traffic, heartbeats, DNS pings, internal chatter—you’re paying big just to listen to crickets. that’s old school. Microsoft just flipped the switch with selective logging, and now your logs actually mean something.

🚧 The Problem: Log Overload & Performance Hell

Azure Firewall used to log everything:

  • Application rules, network rules, NAT

  • DNS proxy events

  • IDPS alerts, threat intelligence hits

  • Even fat top-flows and heartbeat events

It’s searchable, sure—but it also costs money, slows down Log Analytics, and buries your SOC in noise. Microsoft knew this sucked.

✅ What Changed? Meet Selective Logging

As announced recently selective logging lets you configure exactly which rule collections generate logs—and which types of rules in each group get logged.

Now you can:

  • Enable logging for specific NetworkRule Collections only

  • Disable logging for Allow rules that aren’t security-critical

  • Keep NAT logging quiet unless it matters

  • Skip noisy DNS proxy logs

All controlled per Rule Collection Group or via ARM/Bicep/CLI using structured configuration.

⚙️ Under the Hood: How Logging Is Structured

Azure Firewall exposes structured diagnostic tables (learn.microsoft.com):

Log Category Table Name Details
Network Rule AZFWNetworkRule individual packets matching a network rule
Network Aggregation AZFWNetworkRuleAggregation policy analytics rollups
Threat Intel AZFWThreatIntel TI hits and blocks
Application / DNS (legacy) AzureDiagnostics application rule & DNS proxy events

With resource-specific logging, the logs go into specific tables rather than spamming AzureDiagnostics, enabling cleaner schema, faster queries, and RBAC controls per table

🧪 Best Practices: Lean Logging = Leaner Ops

Microsoft’s engineering and field teams suggest:

  • Only log Deny rules by default — trusted Allow → skip logs

  • Create rule collection groups specifically for audit-worthy traffic

  • Use Resource-specific mode for faster ingestion and slicing of logs Microsoft Learn

  • Use Azure Firewall Workbooks to visualize traffic, hits, throughput, SNAT consumption—without ingesting unnecessary logs

⚙️ Performance Side—Logging vs CPU/Throughput

Azure Firewall can scale out when CPU or throughput hits thresholds (~60% CPU or 80% connections) and adds new nodes over ~5–7 minutes. Too much logging adds load and slows scale resets Azure Docs. Selective Logging lightens load—resulting in fewer scale events, lower latency, and reduced cost.

Plus, heavy logs like Top Flows and Flow Trace should only be used peri‑incident—they’re CPU intensive and should be turned off otherwise.

📌 CLI & Infrastructure-as-Code Control

You configure Selective Logging per rule collection in rule collection group objects. Using Azure CLI (az network firewall policy rule-collection-group collection add-filter-collection) or ARM templates, you set loggingConfiguration.enableLogging = true/false per rule collection.

That means:

  • dynamic, version-controlled logging via IaC

  • consistent environments across subscriptions

  • audits and RBAC on structured log tables

🧠 Security & Compliance Gains

  • GDPR, HIPAA, PCI: no need to store excessive metadata

  • Only store Deny and ThreatIntel logs required by compliance

  • Faster queries by targeting structured tables

  • Legal wins: prove to auditors you only record relevant security events

💡 Real-World Use Cases

  • A financial services org reduced daily Log Analytics ingestion by 70% while improving triage speed via Sentinel.

  • A healthcare provider anonymized logs and only forwarded Deny events, cutting costs and meeting HIPAA audit needs.

  • A SOC red team found selective logging reduced false positives in ML-based anomaly detection by focusing noise on bad flows only.

📊 Modern Policy Backup + Drift Detection

Combine selective logging with:

  • Resource Graph queries to track rule collection changes across subscriptions 

  • Structured logs in actual tables for dashboards and workbooks

That gives you holistic visibility, versioning, and signal clarity—no more alarm fatigue.

TL;DR: Don’t log everything. Log what matters.

Selective Logging is live.
Use structured logs.
Log only Deny, ThreatIntel, or critical policy hits.
Export to Sentinel, query smarter, save $$$.
Praise Microsoft for finally giving us control over logging.

Logging clarity + signal fidelity + cost savings = 💥