How to analyze WAF rules on Azure?

Question

How to analyze WAF rules on Azure?

Cataster 681

We have an accreditation requirement to prepare some form a report that has charts/metrics of WAF detection examples, as well as recommendations
We essentially want to perform a couple hours of analysis on whats poppin' and present some recommendations about what rules to disable/enable based on insights.

This review is helpful for us to optimize to make our environment more resilient/secure as well as documenting some insights and we can use for this accreditation requirement.

Essentially the report would have something like:

Detections, examples, and how do we remediate vulnerabilities

Is there something on Azure that can provide us this information about WAF events?

2 answers

Your answer

Answer 1

SaiKishor-MSFT 17,336

@Cataster Thank you for reaching out to Microsoft Q&A. I understand that you want to be able to analyze WAF rules.

Once your Application Gateway WAF is operational, you can enable logs to inspect what is happening with each request. Firewall logs give insight to what the WAF is evaluating, matching, and blocking. With Log Analytics, you can examine the data inside the firewall logs to give even more insights. For more information about creating a Log Analytics workspace, see Create a Log Analytics workspace in the Azure portal. For more information about log queries, see Overview of log queries in Azure Monitor.

Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Cataster 681 Reputation points

2021-11-25T18:25:16.08+00:00

@SaiKishor-MSFT Thanks Sai. Is there something for WAF rules in Azure where it provides a document of detection examples, and recommendations to remediate vulnerabilities?
For example, Azure Advisor provides the ability to download a pdf/csv which contains resources like VM and provides utilization metrics as well as recommended approaches to optimize the VM or even costs.

Is there something like that for WAFs on Azure?
SaiKishor-MSFT 17,336 Reputation points

2021-12-01T07:16:04.737+00:00

@Cataster The below documents provide example logs and how to troubleshoot WAF for Application Gateway:

Azure Web Application Firewall monitoring and logging

Troubleshoot Web Application Firewall (WAF) for Azure Application Gateway

Hope this helps. Please let us know if you need further assistance. Thank you!
Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Cataster 681

@SaiKishor-MSFT
Hi Sai
It looks like we have diagnostic setting enabled sending firewall data to a log analytics workspace.
I selected this query from Logs

// All firewall decisions   
// All decision taken by firewall. Contains hits on network, application and NAT rules, as well as threat intelligence hits and IDPS signature hits.   
AZFWApplicationRules

But im getting following error:

'' operator: Failed to resolve table or column or scalar expression named 'AZFWApplicationRule'

SaiKishor-MSFT 17,336 Reputation points

2021-12-14T08:05:10.143+00:00

@Cataster It looks like you may be using the wrong query. Please just type in AzureDiagnostics and check if you are able to see any records at all.

Please use something like this for WAF with Application Gateway-

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"

The following query example returns WAF logs on blocked requests (FrontDoor):

AzureDiagnostics
| where ResourceType == "FRONTDOORS" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"

Please let me know if that helps. Thank you!

Answer 2

Cataster 681

@SaiKishor-MSFT
Thanks Sai! I dont think we have Front door, but i think these queries help identify some WAF detections. Question, is there one that shows recommendations for enabling rules?

Share via

How to analyze WAF rules on Azure?

2 answers

Your answer