Using Microsoft Sentinel with Azure Web Application Firewall

Azure Web Application Firewall (WAF) combined with Microsoft Sentinel can provide security information event management for WAF resources. Microsoft Sentinel provides security analytics using Log Analytics, which allows you to easily break down and view your WAF data. Using Microsoft Sentinel, you can access pre-built workbooks and modify them to best fit your organization's needs. The workbook can show analytics for WAF on Azure Content Delivery Network (CDN), WAF on Azure Front Door, and WAF on Application Gateway across several subscriptions and workspaces.

WAF log analytics categories

WAF log analytics are broken down into the following categories:

  • All WAF actions taken
  • Top 40 blocked request URI addresses
  • Top 50 event triggers,
  • Messages over time
  • Full message details
  • Attack events by messages
  • Attack events over time
  • Tracking ID filter
  • Tracking ID messages
  • Top 10 attacking IP addresses
  • Attack messages of IP addresses

WAF workbook examples

The following WAF workbook examples show sample data:

WAF actions filter

Top 50 events

Attack events

Top 10 attacking IP addresses

Launch a WAF workbook

The WAF workbook works for all Azure Front Door, Application Gateway, and CDN WAFs. Before connecting the data from these resources, log analytics must be enabled on your resource.

To enable log analytics for each resource, go to your individual Azure Front Door, Application Gateway, or CDN resource:

  1. Select Diagnostic settings.

  2. Select + Add diagnostic setting.

  3. In the Diagnostic setting page:

    1. Type a name.
    2. Select Send to Log Analytics.
    3. Choose the log destination workspace.
    4. Select the log types that you want to analyze:
      1. Application Gateway: ‘ApplicationGatewayAccessLog’ and ‘ApplicationGatewayFirewallLog’
      2. Azure Front Door Standard/Premium: ‘FrontDoorAccessLog’ and ‘FrontDoorFirewallLog’
      3. Azure Front Door classic: ‘FrontdoorAccessLog’ and ‘FrontdoorFirewallLog’
      4. CDN: ‘AzureCdnAccessLog’
    5. Select Save.

    Diagnostic setting

  4. On the Azure home page, type Microsoft Sentinel in the search bar and select the Microsoft Sentinel resource.

  5. Select an already active workspace or create a new workspace.

  6. On the left side panel under Configuration select Data Connectors.

  7. Search for Azure web application firewall and select Azure web application firewall (WAF). Select Open connector page on the bottom right.

    Data connectors

  8. Follow the instructions under Configuration for each WAF resource that you want to have log analytic data for if you haven't done so previously.

  9. Once finished configuring individual WAF resources, select the Next steps tab. Select one of the recommended workbooks. This workbook will use all log analytic data that was enabled previously. A working WAF workbook should now exist for your WAF resources.

    WAF workbooks

Automatically detect and respond to threats

Using Sentinel ingested WAF logs, you can use Sentinel analytics rules to automatically detect security attacks, create security incident, and automatically respond to security incident using playbooks. Learn more Use playbooks with automation rules in Microsoft Sentinel.

Azure WAF also comes in with built-in Sentinel detection rules templates for SQLi, XSS, and Log4J attacks. These templates can be found under the Analytics tab in the 'Rule Templates' section of Sentinel. You can use these templates or define your own templates based on the WAF logs.

WAF Detections

The automation section of these rules can help you automatically respond to the incident by running a playbook. An example of such a playbook to respond to attack can be found in network security GitHub repository here. This playbook automatically creates WAF policy custom rules to block the source IPs of the attacker as detected by the WAF analytics detection rules.

Next steps