Hello, this query might get you started: https://github.com/Azure/Azure-Sentinel/blob/cfc14ce6570fa6e1a60edc59dbe4b597695c0b96/Solutions/Azure%20Web%20Application%20Firewall%20(WAF)/Analytic%20Rules/MaliciousWAFSessions.yaml#L39
A simpler version would be something like this (I don't have the data to test, so I haven't run it) - you'll have to add lines 7 and 15
let threshold = 500;
let successCode = dynamic(['200']);       // status of a request that got through
let failCode = dynamic(['400','404']);    // statuses of requests that were rejected
AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where OperationName == "ApplicationGatewayFirewall"
// check for the failure here: | where <something> in (failCode)
| summarize FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated), FailCount = count() by SrcIpAddr, bin(TimeGenerated, 10m)
| where FailCount > threshold
| join kind=inner (
    AzureDiagnostics
    | where Category == "ApplicationGatewayAccessLog"
    | where OperationName == "ApplicationGatewayFirewall"
    // check for the success here: | where <something> in (successCode)
    | summarize FirstSuccess = min(TimeGenerated), SuccessCount = count() by SrcIpAddr
    | where SuccessCount > 0
) on SrcIpAddr
| where FirstSuccess > LastFail                                   // the success must come after the burst of failures
| extend TimeDiff = datetime_diff("minute", FirstSuccess, LastFail)
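To sanity-check that logic without any Sentinel data, here is an added Python emulation (not part of the answer above or of the Sentinel rule) of the same detection: failures per client IP in 10-minute bins, a threshold on the failure count, then the first success after the last failure. The IPs, timestamps and the lowered threshold are all constructed for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters mirroring the KQL let-statements; threshold lowered from the
# query's 500 so the small constructed sample below actually triggers.
THRESHOLD = 3
FAIL_CODES = {"400", "404"}
SUCCESS_CODES = {"200"}
BIN = timedelta(minutes=10)

def t(hhmm):
    """Helper: build a timestamp on a fixed constructed day."""
    return datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample access-log rows: (TimeGenerated, client IP, HTTP status).
SAMPLE_LOG = [
    (t("09:00"), "203.0.113.7", "404"), (t("09:01"), "203.0.113.7", "404"),
    (t("09:02"), "203.0.113.7", "400"), (t("09:04"), "203.0.113.7", "404"),
    (t("09:12"), "203.0.113.7", "200"),   # success only after the burst: hit
    (t("08:55"), "192.0.2.9", "200"),     # success precedes the burst: excluded
    (t("09:00"), "192.0.2.9", "404"), (t("09:01"), "192.0.2.9", "404"),
    (t("09:02"), "192.0.2.9", "404"), (t("09:03"), "192.0.2.9", "404"),
    (t("09:00"), "198.51.100.5", "404"), (t("09:01"), "198.51.100.5", "200"),
]

def bin_start(ts):
    """Equivalent of bin(TimeGenerated, 10m): floor to a 10-minute boundary."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // BIN) * BIN

def fail_then_success(records, threshold=THRESHOLD):
    """One hit per (ip, bin) whose failure count exceeds the threshold and
    whose first success from that IP comes after the bin's last failure."""
    fails = defaultdict(list)      # (ip, bin) -> failure timestamps
    successes = defaultdict(list)  # ip -> success timestamps
    for ts, ip, status in records:
        if status in FAIL_CODES:
            fails[(ip, bin_start(ts))].append(ts)
        elif status in SUCCESS_CODES:
            successes[ip].append(ts)
    hits = []
    for (ip, bucket), stamps in fails.items():
        if len(stamps) <= threshold or ip not in successes:
            continue  # FailCount > threshold, plus the inner join on IP
        last_fail, first_success = max(stamps), min(successes[ip])
        if first_success > last_fail:  # same test as the KQL where clause
            minutes = int((first_success - last_fail).total_seconds() // 60)
            hits.append({"ip": ip, "bin": bucket, "fail_count": len(stamps),
                         "last_fail": last_fail, "first_success": first_success,
                         "time_diff_min": minutes})
    return hits
```

Running `fail_then_success(SAMPLE_LOG)` returns a single hit for 203.0.113.7 with four failures and an 8-minute gap to its first success; the other two IPs drop out on the time order and the threshold respectively.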