Tracking Rule Changes in Azure WAF: Seeking a Master File Solution

Sena Sarici 20 Reputation points
2024-03-18T10:20:01.9733333+00:00

We use Azure WAF and make constant changes to rules for different applications (adding/removing exclusions, adding/removing custom rules, etc.). We are looking for a way to track all these changes. Is there a file or document (master file style) that we can access to see the history of changes made, such as on which date a particular change was made when we look back?

Azure Web Application Firewall

Accepted answer
  1. GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee
    2024-03-18T13:44:29.0533333+00:00

    Hello @Sena Sarici ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to track Rule Changes in Azure WAF and would like to know if there is a file or document where you can see the history of changes made on the WAF.

    You can check the Activity log for the full history of changes made on the WAF.

    You can use Azure activity logs to view all operations that are submitted to your Azure subscription, and their status. Activity log entries are collected by default, and you can view them in the Azure portal.

    • Entries in the Activity Log are system generated and can't be changed or deleted.
    • Entries in the Activity Log are typically a result of changes (create, update or delete operations) or an action having been initiated. Operations focused on reading details of a resource are not typically captured.
    • The logs are preserved for 90 days in the Azure event logs store.

    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#activity-log

    https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell

    To view the activity logs for your Azure WAF, you can go to the WAF policy in the Azure portal, click on the Activity log tab, and edit the timeframe to see the logs as below:

    User's image

    And then you can click on any of the Changed Property entries to view the actual change details in JSON format:

    User's image

    You can also send the activity log to a Log Analytics workspace to enable the Azure Monitor Logs feature.

    Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-log-analytics-workspace

    If you want to retain your log data longer than 90 days for audit, static analysis, or backup, then you should send the activity log to an Azure Storage account.

    Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log?tabs=powershell#send-to-azure-storage

    Kindly let us know if the above helps or if you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
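
For the "master file" asked about in the question, an added example (not part of the answer above, and not Microsoft's code) that turns exported Activity Log events into a chronological WAF change history as CSV. It assumes events in the JSON shape returned by `az monitor activity-log list` (`eventTimestamp`, `operationName.value`, `status.value`, `caller`, `correlationId`, `resourceId`); the sample events, names and IDs are constructed.

```python
import csv
import io

WAF_TYPES = (  # ARM resource types of WAF policies (Application Gateway, Front Door)
    "microsoft.network/applicationgatewaywebapplicationfirewallpolicies/",
    "microsoft.network/frontdoorwebapplicationfirewallpolicies/",
)
FIELDS = ["time", "policy", "operation", "status", "caller", "correlationId"]

def waf_change_history(events):
    """Return one row per finished write/delete on a WAF policy, oldest first."""
    rows = {}
    for ev in events:
        op = ev["operationName"]["value"].lower()
        if not (op.startswith(WAF_TYPES) and op.endswith(("/write", "/delete"))):
            continue  # not a change to a WAF policy
        status = ev["status"]["value"]
        if status not in ("Succeeded", "Failed"):
            continue  # "Started"/"Accepted" events repeat the same operation
        # All events of one operation share a correlationId: keep one row for it.
        rows[(ev["correlationId"], ev["resourceId"].lower())] = {
            "time": ev["eventTimestamp"],
            "policy": ev["resourceId"].rsplit("/", 1)[-1],
            "operation": op.rsplit("/", 1)[-1],
            "status": status,
            "caller": ev.get("caller", ""),
            "correlationId": ev["correlationId"],
        }
    # Timestamps are ISO 8601 in UTC, so string order is time order.
    return sorted(rows.values(), key=lambda r: r["time"])

def to_csv(history):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(history)
    return buf.getvalue()

def _ev(ts, op, status, caller, corr, rid):  # builds one constructed sample event
    return {"eventTimestamp": ts, "operationName": {"value": op},
            "status": {"value": status}, "caller": caller,
            "correlationId": corr, "resourceId": rid}

_NET = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/"
_WAF, _OP = _NET + "ApplicationGatewayWebApplicationFirewallPolicies/waf-app1", "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write"
SAMPLE_EVENTS = [  # constructed sample data, not real log output
    _ev("2024-03-12T09:15:02Z", _OP, "Succeeded", "bob@example.com", "c-2", _WAF),
    _ev("2024-03-12T09:15:00Z", _OP, "Started", "bob@example.com", "c-2", _WAF),
    _ev("2024-03-11T08:00:00Z", "Microsoft.Network/applicationGateways/write", "Succeeded", "alice@example.com", "c-9", _NET + "applicationGateways/gw1"),
    _ev("2024-03-10T14:30:05Z", _OP, "Failed", "alice@example.com", "c-1", _WAF),
]

if __name__ == "__main__":
    print(to_csv(waf_change_history(SAMPLE_EVENTS)))
```

To run it on real data, load the JSON output of `az monitor activity-log list --resource-id <policy-id>` with `json.load` and pass the list to `waf_change_history`.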