Query Azure Front Door WAF Logs

Nibbler 656 Reputation points
2023-10-26T11:34:58.7466667+00:00

Hello MS Q&A

I have a Front Door Premium with WAF, and experiencing number of "blocks" on rule "942340" I have no issues in query the logs, but unable to query what exactly the specific rule is blocking.

I have tried with many different queries combination, but no luck in getting the details on what is root for this rule to be blocking requests.

Example on a approach, that didn't give me any luck.

Step 1

zureDiagnostics

| where ResourceType == "PROFILES" or ResourceType == "FRONTDOORS"

| where action_s == "Block"

| where Category == "FrontDoorWebApplicationFirewallLog"

| where ruleName_s contains "Microsoft_DefaultRuleSet"

| summarize count() by ruleName_s, requestUri_s, policyMode_s, action_s, trackingReference_s, details_msg_s

Step 2
AzureDiagnostics

| where trackingReference_s == 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

| project TimeGenerated, Category, ruleName_s, action_s, trackingReference_s

| order by TimeGenerated desc

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
676 questions
Azure Web Application Firewall
{count} votes

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.