
Detecting Suspicious Traffic Patterns Using Azure Network Flow Logs


In today’s cloud-driven world, network security is as much about visibility as it is about prevention. You can’t protect what you can’t see. In Microsoft Azure, Network Watcher Flow Logs offer a powerful way to monitor and analyse network traffic for unusual patterns that could indicate a potential security threat.

Whether it’s unexpected traffic from unknown IP addresses, sudden spikes in data transfer, or repeated failed connection attempts, analysing flow logs can help detect and respond to suspicious activity before it escalates.

In this blog, we’ll walk through what Azure Network Flow Logs are, why they matter for security, and step-by-step instructions for detecting suspicious traffic patterns.


1. What Are Azure Network Flow Logs?

Azure Network Flow Logs are part of Azure Network Watcher, a network performance monitoring and diagnostic service. Network Security Group (NSG) flow logs record, for every flow an NSG evaluates, the five-tuple together with the rule that matched and what that rule decided:

  • Source IP address and port
  • Destination IP address and port
  • Transport protocol (TCP/UDP)
  • Traffic direction (inbound/outbound)
  • Traffic status (allowed or denied) and the NSG rule that produced it
  • Timestamp of the flow (Unix epoch seconds)
  • Version 2 only: flow state (begin/continuing/end) and packet and byte counts in each direction

They are a record of what the NSG saw, not a packet capture: there is no payload, and a tuple is emitted when a flow starts and then at intervals while it continues (version 2), not once per packet. Flow logs are written only to a storage account. To query them with Azure Monitor Logs you enable Traffic Analytics on the flow log, which aggregates the tuples into a Log Analytics workspace; from there security teams can spot unusual activity patterns.

One caveat before you build on them: Microsoft has announced the retirement of NSG flow logs in favour of virtual network flow logs (new NSG flow logs cannot be created after 30 June 2025, and the feature retires on 30 September 2027). VNet flow logs carry the same tuple fields plus encryption status, feed the same Traffic Analytics pipeline (table NTANetAnalytics instead of AzureNetworkAnalytics_CL), and are the right choice for a new deployment; everything in this post transfers directly.

2. Why Flow Logs Are Critical for Threat Detection

Flow logs enable detection of:

  • Port scanning attempts – Multiple connection requests across different ports from the same IP.
  • DDoS indicators – Large volumes of inbound traffic from many different IPs.
  • Data exfiltration attempts – Sudden spikes in outbound traffic to unknown destinations.
  • Unusual geographic access – Access from countries where you have no users.
  • Malware C2 communications – Repeated connections to known malicious IPs.

Without flow logs you have no per-flow record on the network path at all: NSG rule counters tell you a rule fired, not who hit it or how often. Note, though, that flow logs are not real time. Tuples are batched into hourly storage blobs and Traffic Analytics aggregates them on a 10- or 60-minute interval, so they suit detection and investigation on a minutes-to-hours horizon, not inline blocking.

3. Setting Up Azure Network Flow Logs

Before you can detect suspicious activity, you need to enable and configure flow logging.

Step 1: Enable Network Watcher

  1. Go to Azure Portal → Search for Network Watcher.
  2. Ensure Network Watcher is enabled for your subscription in every region that holds the NSGs you want to log. It is enabled automatically in a region when you create or update a virtual network there, unless the subscription has opted out.

Step 2: Enable Flow Logs for an NSG

  1. Navigate to the Network Security Group protecting your resources.
  2. Select Flow logs under Monitoring in the left-hand menu.
  3. Click Create (or Enable, depending on portal version).
  4. Choose a Storage account for logs; it must be in the same region as the NSG.
  5. Set Retention (days) according to your compliance/security policy. A value of 0 keeps the blobs until you delete them.
  6. Choose Flow log version 2 so that each tuple carries flow state and byte/packet counters; version 1 records only the tuple and the decision.
  7. Click Save.

The same configuration can be scripted with the Azure CLI (az network watcher flow-log create) or Azure PowerShell, which is the sensible route when you need it on every NSG in a subscription rather than one at a time.

Step 3: Send Logs to Log Analytics with Traffic Analytics

NSG diagnostic settings do not carry flow logs; their categories (NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter) are rule-hit counters. To query flows in Log Analytics, enable Traffic Analytics on the flow log (on the same page as Step 2): pick a Log Analytics workspace and a processing interval of 10 or 60 minutes. Traffic Analytics aggregates the raw tuples and writes them to the AzureNetworkAnalytics_CL table, which is what the KQL in section 4 queries.

4. Analysing Flow Logs for Suspicious Traffic Patterns

Once logs are generated, here’s how to analyse them effectively.

Step 1: Retrieve Flow Logs

Flow logs are written as JSON to one block blob per NSG, MAC address and hour (PT1H.json) in the storage account's insights-logs-networksecuritygroupflowevent container, under a path that encodes the NSG resource ID and the date. Each record names the NSG rule that matched and carries a list of flowTuples: comma-separated strings of the form timestamp,srcIp,dstIp,srcPort,dstPort,protocol,direction,decision in version 1, with flow state and packet/byte counters appended in version 2. You can access them via:

  • Azure Storage Explorer or any blob client (for raw logs)
  • Log Analytics, once Traffic Analytics is enabled (for query-based searches)
  • Azure Data Explorer (ADX) for large datasets
  • Power BI for visualization
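To make the raw storage format concrete, here is a parser for that layout, added for this post; it is not code from the original article or from Azure Network Watcher. It assumes the documented NSG flow log JSON structure; the sample blob, including the subscription ID, resource names, MAC address, RFC 5737 addresses and timestamps, is constructed for the example. It accepts both 8-field version 1 and 13-field version 2 tuples, which goes slightly beyond the version 2 layout described above.

```python
"""Parse raw NSG flow log blobs (PT1H.json) into flat records.

Added example, not part of the original post or of any Microsoft tooling.
SAMPLE_BLOB is constructed to follow the documented NSG flow log JSON layout;
subscription ID, resource names, MAC, RFC 5737 addresses and timestamps are
made up. Flow tuples are comma-separated strings: version 1 has 8 fields,
version 2 appends flow state and packet/byte counters (13 fields).
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2024-05-01T12:00:35.389Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"
                  "/RESOURCEGROUPS/DEMO-RG/PROVIDERS/MICROSOFT.NETWORK"
                  "/NETWORKSECURITYGROUPS/DEMO-NSG",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856",
         "flowTuples": [
             "1714564800,203.0.113.10,10.0.0.4,51234,22,T,I,D,B,,,,",
             "1714564801,203.0.113.10,10.0.0.4,51235,23,T,I,D,B,,,,"]}]},
        {"rule": "AllowHTTPSInBound", "flows": [{"mac": "000D3AF87856",
         "flowTuples": [
             "1714564802,198.51.100.7,10.0.0.4,40000,443,T,I,A,E,12,3456,10,2048"]}]},
    ]},
}]})

PROTOCOL = {"T": "TCP", "U": "UDP"}
DIRECTION = {"I": "inbound", "O": "outbound"}
DECISION = {"A": "allowed", "D": "denied"}
STATE = {"B": "begin", "C": "continuing", "E": "end"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str
    decision: str
    nsg: str
    rule: str
    state: str = ""        # version 2 only
    packets_s2d: int = 0   # version 2 only: source -> destination
    bytes_s2d: int = 0
    packets_d2s: int = 0   # destination -> source
    bytes_d2s: int = 0


def parse_tuple(tup: str, nsg: str, rule: str) -> Flow:
    """Split one flowTuple string; rejects anything that is not v1 or v2 shaped."""
    f = tup.split(",")
    if len(f) not in (8, 13):
        raise ValueError(f"unexpected flow tuple with {len(f)} fields: {tup!r}")
    fields = dict(
        ts=datetime.fromtimestamp(int(f[0]), tz=timezone.utc),
        src_ip=f[1], dst_ip=f[2], src_port=int(f[3]), dst_port=int(f[4]),
        protocol=PROTOCOL[f[5]], direction=DIRECTION[f[6]], decision=DECISION[f[7]],
        nsg=nsg, rule=rule,
    )
    if len(f) == 13:
        # Counters are empty strings on "B" (begin) records and on denied flows.
        cnt = [int(x) if x else 0 for x in f[9:13]]
        fields.update(state=STATE[f[8]], packets_s2d=cnt[0], bytes_s2d=cnt[1],
                      packets_d2s=cnt[2], bytes_d2s=cnt[3])
    return Flow(**fields)


def parse_blob(text: str) -> list[Flow]:
    """Flatten the record -> rule -> mac -> flowTuples nesting of one blob."""
    flows = []
    for rec in json.loads(text)["records"]:
        if rec.get("category") != "NetworkSecurityGroupFlowEvent":
            continue
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule_block in rec["properties"]["flows"]:
            for mac_block in rule_block["flows"]:
                for tup in mac_block["flowTuples"]:
                    flows.append(parse_tuple(tup, nsg, rule_block["rule"]))
    return flows


def denied_inbound_by_source(flows: list[Flow]) -> Counter:
    """Quick triage: which sources hit deny rules, and how often."""
    return Counter(f.src_ip for f in flows
                   if f.direction == "inbound" and f.decision == "denied")


if __name__ == "__main__":
    parsed = parse_blob(SAMPLE_BLOB)
    for fl in parsed:
        print(fl.ts.isoformat(), fl.src_ip, fl.dst_port, fl.decision, fl.rule, fl.bytes_s2d)
    print(denied_inbound_by_source(parsed))
```

The nesting is the part people get wrong: one record holds several rule blocks, each rule block several MAC blocks, each MAC block a list of tuples, so a query that only reads flows[0].flowTuples[0] sees a single tuple per hour and misses everything else. Pointing parse_blob at every PT1H.json under a NSG's path gives the full hour-by-hour picture.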


Step 2: Define “Suspicious” in Your Context

Suspicious patterns vary depending on your workloads, and every rule below needs a baseline of what normal looks like for the NSG in question or it will bury you in false positives. Examples include:

  • Multiple denied inbound connections from the same IP within a short time
  • Outbound traffic to IP addresses on a threat-intelligence deny list
  • Access from unexpected geolocations
  • Unusual protocols or ports in use
  • High-volume traffic at unusual hours

Two caveats apply to all of them. The source IP in a flow log is the address that reached the NSG, which behind a proxy or application gateway may be shared by many clients. And UDP source addresses can be spoofed, so a burst of denied UDP does not by itself identify the attacker.

Step 3: Use Kusto Queries in Log Analytics

Flow logs reach Log Analytics through Traffic Analytics, which writes them to the AzureNetworkAnalytics_CL table (SubType_s == "FlowLog"), one row per aggregated tuple with flow counts and byte counters. They do not appear in AzureDiagnostics: the NSG diagnostic-setting categories that land there are rule-hit counters, so a query on Category == "NetworkSecurityGroupFlowEvent" returns nothing. Column names vary between Traffic Analytics schema versions (FASchemaVersion_s); check them in your workspace before relying on the queries below.

  • Example 1 – Detect Port Scanning Attempts

AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowDirection_s == "I"
| where TimeGenerated > ago(1h)
| summarize DistinctPorts = dcount(DestPort_d),
            DeniedFlows = sum(DeniedInFlows_d),
            AllowedFlows = sum(AllowedInFlows_d)
    by SrcIP_s, DestIP_s, bin(TimeGenerated, 10m)
| where DistinctPorts > 20
| order by DistinctPorts desc

This finds sources that touched more than 20 distinct destination ports on a single host within a ten-minute bucket. Counting distinct ports rather than raw flows keeps a busy legitimate client (thousands of flows to port 443) from tripping the rule while a scanner still does. Tune the threshold and the bucket to your traffic; a slow scan spread over hours needs a wider bin or a daily roll-up.

  • Example 2 – Detect Outbound Traffic to Unusual Locations

let KnownTrustedIPs = dynamic(["203.0.113.10", "198.51.100.7"]);
AzureNetworkAnalytics_CL
| where SubType_s == "FlowLog" and FlowDirection_s == "O" and FlowStatus_s == "A"
| where TimeGenerated > ago(24h)
| where not(ipv4_is_private(DestIP_s)) and DestIP_s !in (KnownTrustedIPs)
| summarize Connections = sum(AllowedOutFlows_d), BytesOut = sum(OutboundBytes_d)
    by DestIP_s, DestPort_d
| order by BytesOut desc

This lists allowed outbound flows to public addresses that are not on your allow-list, ordered by bytes sent, which is the shape a data-exfiltration spike takes. The allow-list is a dynamic array here for illustration; in practice keep it in a Sentinel watchlist or an external table so analysts can maintain it without editing the query. Note that `!in ("KnownTrustedIPs")` with a quoted string, a common mistake, compares against the literal text "KnownTrustedIPs" and excludes nothing.


Step 4: Identify Geographic Anomalies

Traffic Analytics already tags public-IP flows with Country_s, and marks flows to or from addresses on Microsoft's threat-intelligence feed as FlowType_s == "MaliciousFlow", so the cheapest geo check is a summarize by Country_s on AzureNetworkAnalytics_CL. For raw logs or other tables, enrich with the KQL geo_info_from_ip_address() function in Log Analytics or Microsoft Sentinel, or with a custom lookup table, then compare against the countries where you actually have users and partners. Treat geography as a weak signal on its own: cloud providers and VPN exits put legitimate users everywhere.


Step 5: Automate Detection

Instead of manually checking logs:

  • Create Azure Monitor log search alerts from the KQL queries above, with the look-back matched to the Traffic Analytics processing interval so each run sees fresh data.
  • Use Microsoft Sentinel analytics rules over the same queries to raise incidents, and trigger playbooks in Logic Apps for automated response (enrichment, ticketing, notification).
  • Integrate threat intelligence (Sentinel TI indicators, or the MaliciousFlow tag Traffic Analytics adds) to flag connections to known-bad IPs. Automatic blocking, for example a playbook that adds a deny rule to the NSG, should be gated on confidence and scoped to the single offending address, because a false positive against a shared or spoofed source cuts off legitimate users.

5. Practical Example – Catching a Port Scan

Scenario:

A malicious actor is scanning your Azure VM for open ports.

Detection Steps:

  • Enable NSG Flow Logs (version 2, with Traffic Analytics) on the NSG protecting the VM.
  • After logs are collected, run a KQL query that counts, per source and destination IP, the distinct destination ports touched within a short window. Denied flows against the default DenyAllInBound rule are the clearest signal, but allowed probes count too: a probe that lands on an open port is still reconnaissance.
  • If one IP attempts to connect to many distinct ports in a short time, flag it. A single port hammered many times is a different signal (brute force, or a chatty client), not a scan.
  • Automatically send an email alert via an Azure Monitor action group when the threshold is exceeded.
  • Block the offending IP with an NSG deny rule at a priority above your allow rules, or with Azure Firewall if it fronts the VM, and review the block before making it permanent.
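The detection logic of the steps above, run over constructed sample records rather than a live workspace, as an added example that is not part of the original post. It assumes flows have already been flattened from the flowTuple fields to (timestamp, source IP, destination IP, destination port, direction, decision); the addresses are RFC 5737 test ranges, the timestamps and thresholds are illustrative, and the sliding window is the hypothetical _max_in_window helper defined here, not an Azure API.

```python
"""Windowed port-scan and denied-burst detection over flattened NSG flow tuples.

Added example, not part of the original post. SAMPLE_FLOWS is constructed
(RFC 5737 test addresses, made-up timestamps) in the flat shape you get after
splitting a flowTuple: unix time, source IP, destination IP, destination port,
direction (I/O) and decision (A/D). Window sizes and thresholds are
illustrative defaults to tune per workload.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: int
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str  # "I" inbound, "O" outbound
    decision: str   # "A" allowed, "D" denied


def _build_sample() -> list[Flow]:
    base = 1714564800  # 2024-05-01T12:00:00Z
    flows = []
    # Fast scanner: 21 distinct ports on one host, one probe per second, all denied.
    for i, port in enumerate(range(20, 41)):
        flows.append(Flow(base + i, "203.0.113.10", "10.0.0.4", port, "I", "D"))
    # Busy legitimate client: 200 allowed hits on 443 inside one minute.
    for i in range(200):
        flows.append(Flow(base + i % 60, "198.51.100.7", "10.0.0.4", 443, "I", "A"))
    # Slow scanner: 12 ports, one probe every ten minutes, all denied.
    for i, port in enumerate((22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3306, 3389)):
        flows.append(Flow(base + 600 * i, "192.0.2.5", "10.0.0.4", port, "I", "D"))
    return flows


SAMPLE_FLOWS = _build_sample()


def _max_in_window(events, window_s: int, distinct: bool) -> int:
    """events: (ts, value) pairs. Largest number of events (distinct=False) or
    of distinct values (distinct=True) inside any [t - window_s, t] span."""
    events = sorted(events)
    in_window: Counter = Counter()
    best = left = 0
    for right, (ts, value) in enumerate(events):
        in_window[value if distinct else right] += 1
        while events[left][0] < ts - window_s:   # expire events that fell out
            old = events[left][1] if distinct else left
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


def detect_port_scans(flows, window_s=60, min_ports=10) -> dict:
    """(src_ip, dst_ip) -> distinct destination ports probed inside one window.
    Inbound only; allowed and denied probes both count, because a probe that
    hits an open port is still reconnaissance."""
    probes = defaultdict(list)
    for f in flows:
        if f.direction == "I":
            probes[(f.src_ip, f.dst_ip)].append((f.ts, f.dst_port))
    hits = {}
    for pair, ev in probes.items():
        n = _max_in_window(ev, window_s, distinct=True)
        if n >= min_ports:
            hits[pair] = n
    return hits


def detect_denied_bursts(flows, window_s=60, min_denied=20) -> dict:
    """src_ip -> denied inbound flows inside one window: the 'repeated failed
    connection attempts' signal. Unlike a raw flows-per-source count it does
    not fire for a busy but allowed client."""
    denied = defaultdict(list)
    for f in flows:
        if f.direction == "I" and f.decision == "D":
            denied[f.src_ip].append((f.ts, f.dst_port))
    hits = {}
    for src, ev in denied.items():
        n = _max_in_window(ev, window_s, distinct=False)
        if n >= min_denied:
            hits[src] = n
    return hits


if __name__ == "__main__":
    print("port scans, 60 s window:", detect_port_scans(SAMPLE_FLOWS))
    print("port scans, 2 h window: ", detect_port_scans(SAMPLE_FLOWS, window_s=7200))
    print("denied bursts:", detect_denied_bursts(SAMPLE_FLOWS))
```

With the defaults only the fast scanner is reported; the busy client never trips either detector because it touches one port and is allowed, and the slow scanner only appears when the window is widened to two hours. That last case is the trade-off to keep in mind when you set the bin in the KQL version: a narrow window gives fast, specific alerts, a wide one catches patient scanners at the cost of latency and more false positives.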


6. Best Practices for Suspicious Traffic Detection

  • Enable Flow Logs on all critical NSGs – Not just internet-facing ones.
  • Integrate with Microsoft Sentinel for advanced analytics and threat hunting.
  • Retain logs for at least 90 days for forensic analysis.
  • Regularly update your “trusted IPs” list to reduce false positives.
  • Correlate flow logs with other data sources (VM logs, app logs, threat intelligence feeds).
  • Automate responses to reduce mean time to respond (MTTR).

Conclusion:

Azure Network Flow Logs are not just a compliance checkbox — they’re a powerful detection tool in your cloud security arsenal. By enabling and properly analysing these logs, you can uncover hidden threats, detect suspicious traffic patterns, and take proactive action before damage occurs.

Whether you use them for manual threat hunting or automated incident response, flow logs give you the visibility needed to secure your Azure environment against modern cyberattacks.



WRITTEN BY Kunal Khadke
