Contains all Application rule log data. Each match between data plane and Application rule creates a log entry with the data plane packet and the matched rule's attributes.

Table attributes

Attribute Value
Resource types
Categories Security
Solutions LogManagement
Basic log No
Ingestion-time transformation No
Sample Queries Yes


Column Type Description
Action string Action taken by the firewall following the Application rule hit.
ActionReason string When no rule is triggered for a request, this field contains the reason for the action performed by the firewall. For example: a packet dropped because no rule matched will show Default Action.
_BilledSize real The record size in bytes
DestinationPort int Request's destination port.
Fqdn string Request's target address in FQDN (Fully qualified Domain Name). For example:
_IsBillable string Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account
IsExplicitProxyRequest bool True if the request is received on an explicit proxy port. False otherwise.
IsTlsInspected bool True if the connection is TLS inspected. False otherwise.
Policy string Name of the policy in which the triggered rule resides.
Protocol string Request's network protocol. For example: HTTP, HTTPS.
_ResourceId string A unique identifier for the resource that the record is associated with
Rule string Name of the triggered rule.
RuleCollection string Name of the rule collection in which the triggered rule resides.
RuleCollectionGroup string Name of the rule collection group in which the triggered rule resides.
SourceIp string Request's source IP address.
SourcePort int Request's source port.
SourceSystem string The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics
_SubscriptionId string A unique identifier for the subscription that the record is associated with
TargetUrl string Request's target address URL. Available only for HTTP or TLS-inspected HTTPS requests. For example:
TenantId string The Log Analytics workspace ID
TimeGenerated datetime Timestamp (UTC) when the data plane log was created.
Type string The name of the table
WebCategory string Web Category identified for the requested FQDN (Azure Firewall Standard) or URL (Azure Firewall Premium). If a web category is not available for this request, the field is empty.