Query Azure Front Door WAF Logs
Hello MS Q&A
I have a Front Door Premium with WAF, and I am experiencing a number of "blocks" on rule "942340". I have no issues querying the logs, but I am unable to query what exactly the specific rule is blocking.
I have tried many different query combinations, but had no luck getting details on the root cause of this rule blocking requests.
Example of an approach that didn't give me any luck:
Step 1
AzureDiagnostics
| where ResourceType == "PROFILES" or ResourceType == "FRONTDOORS"
| where action_s == "Block"
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s contains "Microsoft_DefaultRuleSet"
| summarize count() by ruleName_s, requestUri_s, policyMode_s, action_s, trackingReference_s, details_msg_s
Step 2
AzureDiagnostics
| where trackingReference_s == 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
| project TimeGenerated, Category, ruleName_s, action_s, trackingReference_s
| order by TimeGenerated desc
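
One way to surface what rule 942340 matched, as an added example that is not part of the original post: the query expands the match details logged with each WAF entry and groups them by the request field that triggered the rule. It assumes the AzureDiagnostics column details_matches_s (a JSON array of matchVariableName/matchVariableValue pairs); the SampleWafLog rows, rule name, URIs and tracking references are constructed.

```kusto
// Constructed sample rows standing in for AzureDiagnostics so the query runs anywhere.
// Assumption: details_matches_s holds a JSON array of
// {"matchVariableName": ..., "matchVariableValue": ...} objects.
let SampleWafLog = datatable(
    TimeGenerated:datetime, Category:string, ruleName_s:string, action_s:string,
    requestUri_s:string, trackingReference_s:string, details_msg_s:string,
    details_matches_s:string)
[
    datetime(2024-01-01 10:00:00), "FrontDoorWebApplicationFirewallLog",
    "Microsoft_DefaultRuleSet-2.1-SQLI-942340", "Block",
    "https://app.example.com/login", "CONSTRUCTED-REF-1", "constructed message",
    '[{"matchVariableName":"CookieValue:prefs","matchVariableValue":"constructed-value-1"}]',
    datetime(2024-01-01 10:05:00), "FrontDoorWebApplicationFirewallLog",
    "Microsoft_DefaultRuleSet-2.1-SQLI-942340", "Block",
    "https://app.example.com/profile", "CONSTRUCTED-REF-2", "constructed message",
    '[{"matchVariableName":"CookieValue:prefs","matchVariableValue":"constructed-value-1"}]',
    datetime(2024-01-01 10:07:00), "FrontDoorWebApplicationFirewallLog",
    "Microsoft_DefaultRuleSet-2.1-SQLI-942340", "Block",
    "https://app.example.com/search", "CONSTRUCTED-REF-3", "constructed message",
    '[{"matchVariableName":"QueryParamValue:q","matchVariableValue":"constructed-value-2"}]'
];
SampleWafLog                     // in a real workspace, use AzureDiagnostics here
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s contains "942340"
// No filter on action_s: every action logged for this rule is kept and shown.
| extend matches = parse_json(details_matches_s)
| mv-expand m = matches          // one row per matched request field
| extend matchVariableName  = tostring(m.matchVariableName),
         matchVariableValue = tostring(m.matchVariableValue)
| summarize Hits = count(),
            SampleUris = make_set(requestUri_s, 5),
            SampleRefs = make_set(trackingReference_s, 5),
            LastSeen = max(TimeGenerated)
    by ruleName_s, action_s, matchVariableName, matchVariableValue
| order by Hits desc
```

The matchVariableName column shows which part of the request (for example a specific cookie or query parameter) the rule fired on, which is the field to consider when scoping a WAF exclusion.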