Those who have followed my blog will know that I’ve used Logic Apps extensively for many of my explorations of automating tasks so I’ve been very excited earlier this year when Microsoft released the capability to use AI agents in Azure Logic Apps workflows. I know I’m a bit late since this was released 6 months ago, it was not until this month that I finally set aside some time to create a workflow that would aid in analyzing firewall logs.
Let’s begin with the scenario:
- The Azure environment in this example has an Azure Firewall that serves as the main gateway in the hub for all the spoke network traffic that need to traverse through VNets, subnets, and internet
- The Azure Firewall only allow specific destinations for these networks to reach
- Internet access is limited to allowed FQDNs in the Application rules and IPs in the Network rules
- To allow for proactive remediation, a KQL query will be used to retrieve all denied traffic captured in the AZFWApplicationRule logs
- The purpose of this autonomous agent workflow is to take the results of these and generate a report
- The agent will add additional columns to the data to provide additional insight
- A report will be created and sent to the desired email address
**Note that this was still in preview early November 2025 and as I write this blog on November 23, 2025, the preview label is now gone when I attempt to create an Autonomous Agent:
A quick search show that it GA-ed on November 18th, 2025: 🎉Announcing General Availability of Agent Loop in Azure Logic Apps | Microsoft Community Hub
With that out of the way, let’s begin with an overview of the Workflow design layout:
The workflow begins with a Recurrence trigger that runs every day at 9AM EST:
Next, the Log Analytics Workspace is queried for the Azure Firewall AZFWApplication logs are queried for FQDNs and their hit count where the traffic is denied:
AZFWApplicationRule
| where Action == “Deny”
| summarize AttemptCount = count(),
SourceIPs = make_set(SourceIp),
DestinationPorts = make_set(DestinationPort) by Fqdn
| order by AttemptCount desc
The next step is to configure the agent and it is arguably one of the most important step to ensure that the information processed and returned by the LLM is exactly what is desired. I’ve played around with the Instructions for agent and have had to tweak it many times, use expressions, add compose steps to the tools, and yet it still produces some undesired results which I will go into shortly. For now, the following is the instructions I provided:
You are an AI assistant that is a cybersecurity expert with Azure Firewall, Azure Firewall Policy, Log Analytics Workspace, KQL, and analyzing Azure Firewall logs. Your goal is to review data returned from a KQL query that provide Azure Firewall traffic history. You do not need to ask any questions to complete your task.
Available Tools:
Send an email – used to send an email
Create CSV Report – takes JSON file and convert to CSV
Number of records – counts a JSON file for the amount of records
Workflow:
1. Review all the records returned and generate a report for each record and do not stop before processing the last record with the following details:
a) Attempt Count followed by the record value
b) Source IPs followed by the record value. The IP address format will be a list like the following example: [“10.224.4.6″] so exclude the [” and “], if there are more than 1 IP addresses like this sample: [“10.224.4.6″,”10.224.2.4″,”10.224.0.7″], just put the IP addresses without the [” and “] with each IP address on its own line.
c) Domain followed by the FQDN for the record
d) Destination Port followed by the port for the record
e) Domain Assessment followed by your knowledge of what it is used for and assessment of whether this domain is a threat or safe
f) Risk Level followed by your knowledge and assessment of whether this is low, medium or high risk
g) Remediation Action followed by your knowledge and assessment of how this can be remediated
h) Business Impact followed by your knowledge and assessment of what the impact is
2. Investigation Steps followed by:
List the steps as to how this can be investigated.
Response:
1. Retrieve the numeric value Number of records tool and use that number as the total number of records found.
2. Provide the full report of every record with the total count from the Number of records tool in an email formatted in HTML table with header coloured in light blue and all border that will be used with the Send an email tool to send an email.
In the email, the address is already set.
The Subject should be <concat(‘Firewall Analysis Report on ‘, formatDateTime(utcNow(), ‘MMMM dd, yyyy’), ‘.csv’)>.
The Body should be all the records along with the analysis content. If there is a token limit on the response, repeat the generation of the HTML content so you can add all the records into the report.
For the email Attachments of the email with the report, enter the Attachment Name as <concat(‘Firewall-Denied-Traffic-Results-‘, formatDateTime(utcNow(), ‘yyyy-MM-dd’), ‘.csv’)>.
Retrieve the output data of the Create CSV Report tool, add the Domain Assessment, Risk Level, Remediation Action, Business Impact, Investigation Steps columns with data from the analysis for each record and do not stop until the last record is processed then use that as the Attachment Content in the Send an email.
During testing when the feature was still in preview, there were runs where the LLM would ask for review so I added the following into the User instructions item:
No specific content or adjustment is needed before sending out the email report.
I’ve also gone ahead to max out the Advanced parameters for Max tokens and Maximum token count:
With the agent configured, the next are the tools. I originally placed the Run query and list results into the tool for the agent but I would get inconsistent results so I decided to remove the query from the tool and then create a separate tools for the reporting.
Create CSV Report – Leaving the creation of the CSV report returned either incomplete or inaccurate records.
Number of records – This may seem trivial but leaving the LLM to count the amount of records returned inconsistent results.
Send an email – This is fairly standard if we want to have the agent send an email.
Successful Reporting
The following is an example of the run history when the expected results are delivered through the workflow:
The following is the email received:
The following is the Excel:
Unsuccessful Reporting
I’ve noticed that out of 10 runs, there would be 20% or more reports that are incomplete and attempting to tweak the prompt has not allowed me to get consistent results. The following are examples of unsuccessful report run histories:
Note in the screenshot of how the unsuccessful run attempts to immediately convert the analysis into HTML where the successful run only contained the data. What I consistently noticed when the report is inaccurate is that the output of the analysis would have something similar to:
<!– Further rows for each record would follow the same pattern –>
Another attempt to run would result in the following message:
[… and so on for each record …]
Here is another example:
<!– Repeat for other records following the same format –>
Seeing these types of messages were frustrating:
analysis continues for the remaining records
I did some tests in the Chat Playground in AI Foundry and found that the output would also periodically truncate the output as such. Maxing the token configuration in the Advanced Parameters did not appear to affect this and grabbing the full output of the Log Analytics query, putting it into OpenAI’s token count tool https://platform.openai.com/tokenizer confirmed that I only had approximately 6000 tokens and should not exceed the Max tokens configuration.
The output from this run looks as such (note the missing records):
Oddly, at least for this run, the Excel appeared to be correct even thought I have seen attachments with missing records:
In summary, the results have been mixed and in terms of reliability, I don’t think I’d put this in production. My thoughts are there would be ways to adjust the workflow to achieve near 100% accurate results so I’ll be doing more tests in the following months.
Hope this provides a good demonstration of creating an autonomous workflow with AI Agents in Logic Apps.
