Web Application Firewall - Log on blocked IPs

Nibbler 636 Reputation points
2021-01-17T13:15:54.71+00:00

I want to see the number of blocked IPs and how many requests each has made from the logs on the Application Gateway + Web Application Firewall.

I have custom rules in use, geo-blocking and IP blocking. But I would expect the IPs being blocked by the custom rules to be in the logs.

So, I am using the query below, but getting an error message:

“Failed to parse the query, no additional information is available. If issue persists,”

AzureDiagnostics
| where ResourceProvider == “MICROSOFT.NETWORK” and Category == “ApplicationGatewayFirewallLog”
| where action_s == “Blocked”
| summarize count(details_message_s) by details_message_s, bin(TimeGenerated, 5m)
| render barchart

Any ideas to get this to work, or to pull the data?

Azure Web Application Firewall

1 answer

  1. suvasara-MSFT 10,036 Reputation points
    2021-01-18T10:37:08.087+00:00

    @KE1980, Try listing all the actions blocked by WAF,

    search * | where (action_s == "Blocked")
    

    For matched/blocked requests by IP.

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
    | summarize count() by clientIp_s, bin(TimeGenerated, 1m)
    | render timechart
    

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
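
An added example, not part of the original question or answer: one query that returns a row per blocked client IP with its request count, alongside the total number of distinct blocked IPs. It uses straight double quotes, which KQL string literals require; the 24-hour window, the output column names and the use of the `ruleId_s` column are assumptions not taken from the thread.

```kusto
// Blocked WAF requests on Application Gateway, scoped to the last 24 hours (assumed window).
let blocked =
    AzureDiagnostics
    | where TimeGenerated > ago(24h)
    | where ResourceProvider == "MICROSOFT.NETWORK"
        and Category == "ApplicationGatewayFirewallLog"
    | where action_s == "Blocked";
// One row per client IP: how many requests were blocked, by which rules, and when.
blocked
| summarize
    BlockedRequests = count(),
    Rules = make_set(ruleId_s, 10),       // assumed column; caps the set at 10 rule ids per IP
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by clientIp_s
// Repeat the overall number of distinct blocked IPs on every row for quick reference.
| extend TotalBlockedIPs = toscalar(blocked | summarize dcount(clientIp_s))
| order by BlockedRequests desc
```

If the result is empty while custom rules are known to be firing, check that the gateway's diagnostic settings send the firewall log category to this workspace.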