The Azure Firewall Product Team has recently announced support for the new Log Analytics Basic table plan for all resource-specific logging tables, offering a potential reduction in logging costs by up to 80%. This new mode complements the existing 80% cost reduction achieved through structured/resource-specific logging, providing even greater savings. To learn more about the cost optimization introduced by resource-specific logs, check out the blog post Optimizing Azure Firewall logging costs | Microsoft Community Hub.
While the new Basic table plan is beneficial for cost-conscious customers, it's important to note that Policy Analytics and Security Copilot integrations are not compatible with the Basic table plan. For more information on Basic tables, refer to the Azure Monitor Logs documentation.
Customers have long expressed concerns about high logging costs, so we listened and have developed a new Basic table plan to meet those needs. The Basic table plan provides a more economical solution without sacrificing essential functionalities. This initiative highlights Azure Firewall's commitment to delivering value and efficiency, making it easier for customers to manage their logging needs affordably.
When querying Basic tables, the cost is determined by the volume of data scanned, which depends on both the size of the table and the query's specified time range. Essentially, the data scanned refers to the amount of data ingested within the time frame set by the query for the targeted table. For example, if a query scans data over a three-day period in a table that ingests 100 GB daily, the charge would be based on 300 GB of data.
Enabling the basic table plan
The basic table plan is enhanced by resource-specific tables. To learn more about using structured/resource-specific logs, review the following documentation: Monitor Azure Firewall | Microsoft Learn. To enable the basic table plan, locate the tables under your Log Analytics Workspace, click on “Manage table,” and adjust the configuration as shown below.
Note: The table plan can be updated only once every 7 days.
Security Copilot and Policy Analytics
To use the Security Copilot integration with Azure Firewall, ensure your IDPS log table (AZFWIdpsSignature) is configured in Analytics mode. The same applies to Policy Analytics on the following tables:
- AZFWApplicationRuleAggregation
- AZFWIdpsSignature
- AZFWNatRuleAggregation
- AZFWNetworkRuleAggregation
- AZFWThreatIntel
If you are using both features, your configuration will look like this:
In summary, the new Log Analytics Basic table plan offers significant cost savings for Azure Firewall users, while maintaining essential functionality. By configuring your tables correctly, you can take full advantage of these savings and optimize your logging strategy. Explore the documentation and start saving today!
Microsoft