| Action |
string |
The terminating action taken by AWS WAF (ALLOW, BLOCK, CAPTCHA, or Challenge). |
| Args |
string |
The query string parameters of the request. |
| _BilledSize |
real |
The record size in bytes |
| CaptchaResponse |
dynamic |
Status of the CAPTCHA action for the request. |
| ChallengeResponse |
dynamic |
Status of the security challenge for the request. |
| ClientIp |
string |
IP address of the client making the request. |
| Country |
string |
Country of origin for the request. |
| ExcludedRules |
dynamic |
Rules excluded from evaluation in the rule group. |
| FormatVersion |
string |
Version of the AWS WAF log format. |
| Headers |
dynamic |
Headers included in the HTTP request. |
| HttpMethod |
string |
The HTTP method (GET, POST, etc.) of the request. |
| HttpRequest |
dynamic |
Metadata about the HTTP request. |
| HttpSourceId |
string |
ID of the associated resource (e.g., CloudFront distribution, Load Balancer). |
| HttpSourceName |
string |
Source of the request (e.g., CF, APIGW, ALB). |
| HttpVersion |
string |
HTTP version used in the request. |
| _IsBillable |
string |
Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| Ja3Fingerprint |
string |
JA3 fingerprint of the TLS Client Hello. |
| Labels |
dynamic |
Labels applied to the request by rules. |
| NonTerminatingMatchingRules |
dynamic |
List of rules that matched but didn't terminate the request. |
| OversizeFields |
dynamic |
Fields in the request that exceeded AWS WAF inspection limits. |
| RateBasedRuleList |
dynamic |
List of rate-based rules applied to the request. |
| RequestHeadersInserted |
dynamic |
Headers inserted for custom request handling. |
| RequestId |
string |
Request ID for the network request. |
| ResponseCodeSent |
int |
HTTP response code sent to the client. |
| RuleGroupId |
string |
ID of the rule group that matched. |
| RuleGroupList |
dynamic |
List of rule groups that acted on the request. |
| SourceSystem |
string |
The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId |
string |
The Log Analytics workspace ID |
| TerminatingRule |
dynamic |
The rule that terminated the request. If this is present, it contains action, ruleId, ruleMatchDetails, and any additional information provided for each rule varies according factors such as the rule configuration, rule match type, and details of the match. |
| TerminatingRuleId |
string |
ID of the network rule that matched. |
| TerminatingRuleMatchDetails |
dynamic |
Details of the rule that terminated the request. |
| TerminatingRuleType |
string |
Type of rule that terminated the request. |
| TimeGenerated |
datetime |
Timestamp when the log was processed. |
| Type |
string |
The name of the table |
| Uri |
string |
The URI of the request. |
| WebAclId |
string |
The GUID of the web ACL applied to the request. |