@Shramik Ghadigaonkar Thank you for reaching out.
To determine the top talkers from Azure Firewall, activating the top flows log will be the way to go.
https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference#top-flows
The top flows log is known in the industry as fat flow log and in the preceding table as Azure Firewall Fat Flow Log. The top flows log shows the top connections that are contributing to the highest throughput through the firewall.
Make sure you have enabled structured firewall logs in this case:
https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall#enable-structured-logs
Enable the Top flows log using the following Azure PowerShell commands:
Set-AzContext -SubscriptionName <SubscriptionName>
$firewall = Get-AzFirewall -ResourceGroupName <ResourceGroupName> -Name <FirewallName>
$firewall.EnableFatFlowLogging = $true
Set-AzFirewall -AzureFirewall $firewall
Note: Activate Top flows logs only when troubleshooting a specific issue to avoid excessive CPU usage of Azure Firewall.
Please follow the documentation above for disabling the logs.
You can find the sample query here
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/queries/azfwfatflow
// Get the fat flows from past 1000 samples with rate at least 5 Mbps
AZFWFatFlow
| take 1000
| order by TimeGenerated desc
| where FlowRate > 5
This is the list of columns available for this log:
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwfatflow#columns
Currently this log does not contain the SentBytes and received bytes details. If top flow logs do not satisfy your requirements, it will help if you could file a feedback item for this request along with your business requirement. You can file this request here
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
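Added example (not part of the answer above or of Microsoft's sample queries): a query that ranks source/destination pairs from the top flows log, so the heaviest talkers appear first. The column names SourceIp, DestinationIp, DestinationPort and Protocol are assumed from the AZFWFatFlow column reference linked above; the one-hour window and the 20-row limit are arbitrary choices.

```kusto
// Added example: rank source/destination pairs seen in the top flows log.
// Column names are assumed from the AZFWFatFlow column reference.
let lookback = 1h;        // assumption: the troubleshooting window
let minRateMbps = 5;      // same threshold as the sample query above
AZFWFatFlow
| where TimeGenerated > ago(lookback)
| where FlowRate > minRateMbps
| summarize
    Samples   = count(),                  // how often the flow was reported
    PeakMbps  = max(FlowRate),
    AvgMbps   = round(avg(FlowRate), 2),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by SourceIp, DestinationIp, DestinationPort, Protocol
| order by PeakMbps desc
| take 20
```

A pair with a high Samples count and a long FirstSeen to LastSeen span is a sustained talker; a single high PeakMbps sample is a burst.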