Matt Douhan

Reputation: 733

How can I filter out custom rules from Azure WAF logs?

I am using the following query to monitor Azure WAF. It works fine, but I want to filter out custom rule hits from the query and only show blocks by the MSFT default rule sets, and I cannot find how to do that.

The following query shows blocks from custom rules AND MSFT default rules; I want to only show MSFT default rule set blocks.

I understand I can exclude the names of all my custom rules, but that will be difficult to maintain.

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
// "xxx" are placeholders for the URI fragments of interest
| where requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx" or requestUri_s contains "xxx"
| extend ParsedUrl = parseurl(requestUri_s)
// one row per 3-hour bucket, client, rule, host and path
| summarize BlockCount = count() by TimeStamp = bin(TimeGenerated, 3h), ClientIP = clientIP_s, RuleName = ruleName_s, Host = host_s, PATH = tostring(ParsedUrl.Path)
| order by TimeStamp desc

Upvotes: 0

Views: 604

Answers (1)

bodfox

Reputation: 21

Are you using Azure Front Door Premium WAF? If yes, according to the Azure Front Door documentation, the Category is "FrontDoorWebApplicationFirewallLog" and not "FrontdoorWebApplicationFirewallLog" (note the uppercase 'D' in FrontDoor).

That said, you can exclude custom rules by looking only for the Default Rule Set:

AzureDiagnostics
| where ResourceType == "PROFILES" or ResourceType == "FRONTDOORS"
| where action_s == "Block"
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s contains "Microsoft_DefaultRuleSet"

Upvotes: 0
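Combining the question's grouping with the answer's rule-name filter, here is a complete query that keeps only managed-rule blocks without maintaining a list of custom rule names. This is an added example, not code from either poster. It assumes the field names used in the thread (ruleName_s, action_s, clientIP_s, host_s, requestUri_s) and that managed rule names begin with the rule set name (for example Microsoft_DefaultRuleSet-2.1-SQLI-942100), while custom rules carry whatever name you assigned. Two details matter in practice: the Category value differs in casing between Front Door classic ("Frontdoor...", ResourceType FRONTDOORS) and Standard/Premium ("FrontDoor...", ResourceType PROFILES), so a case-insensitive comparison (=~) covers both; and `startswith` anchors the match at the beginning of the name, so a custom rule whose name merely contains the string elsewhere is not picked up. If you also want Bot Manager blocks, add a second prefix as shown in the comment.

```kusto
// Added example (not from the question or the answer).
// Assumed: ruleName_s for managed rules starts with the rule set name,
// e.g. "Microsoft_DefaultRuleSet-2.1-SQLI-942100".
AzureDiagnostics
// classic Front Door logs under FRONTDOORS, Standard/Premium under PROFILES
| where ResourceType in ("FRONTDOORS", "PROFILES")
// =~ is case-insensitive, so both "Frontdoor..." and "FrontDoor..." match
| where Category =~ "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
// keep managed-rule hits only; custom rules are excluded by not matching the prefix.
// To include Bot Manager blocks as well:
//   | where ruleName_s startswith "Microsoft_DefaultRuleSet"
//        or ruleName_s startswith "Microsoft_BotManagerRuleSet"
| where ruleName_s startswith "Microsoft_DefaultRuleSet"
// expose the rule set and version as their own columns for grouping/alerting
| extend RuleParts = split(ruleName_s, "-")
| extend RuleSet = tostring(RuleParts[0]), RuleSetVersion = tostring(RuleParts[1])
| extend ParsedUrl = parse_url(requestUri_s)
| summarize BlockCount = count()
    by TimeStamp = bin(TimeGenerated, 3h),
       ClientIP = clientIP_s,
       RuleSet,
       RuleSetVersion,
       RuleName = ruleName_s,
       Host = host_s,
       PATH = tostring(ParsedUrl.Path)
| order by TimeStamp desc
```

The split on "-" is only a convenience for grouping by rule set and version; the filtering itself relies solely on the `startswith` prefix, so it still works if you drop the two `extend` lines. Add back the `requestUri_s contains` conditions from the question where you need to scope to particular paths.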
