Azure Web Application Firewall Monitoring and Logging

Azure Web Application Firewall (WAF) provides monitoring and logging through its own logs and through integration with Azure Monitor and Azure Monitor logs.

Azure Monitor

The WAF with Application Gateway log is integrated with Azure Monitor. Azure Monitor allows you to track diagnostic information, including WAF alerts and logs. You can configure WAF monitoring within the Application Gateway resource in the portal under the Diagnostics tab, or through the Azure Monitor service directly.

Logs and diagnostics

WAF with Application Gateway provides detailed reporting on each threat it detects. Logging is integrated with Azure Diagnostics logs, and alerts are recorded in JSON format. These logs can be integrated with Azure Monitor logs.

For more information about diagnostics logs, see Application Gateway WAF resource logs. If logging is enabled and a WAF rule is triggered, any matching patterns are logged in plain text to help you analyze and debug the WAF policy behavior. You can use exclusions to fine-tune rules and to keep any data you choose out of the logs. For more information, see Web application firewall exclusion lists in Azure Application Gateway.
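As an added example, not code from the original page or from Microsoft, the following Python summarizes exported WAF firewall log records by rule and action and lists the rules whose plain-text match data names a sensitive request field, which are candidates for an exclusion. It assumes one JSON record per line using the ApplicationGatewayFirewallLog field names (category, properties.ruleId, properties.action, properties.details.data); the sample records and the list of sensitive names are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export (not real traffic): one JSON record per line.
SAMPLE_LOG = """
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "203.0.113.10", "requestUri": "/login", "ruleId": "942130", "action": "Matched", "details": {"data": "Matched Data: constructed-value found within ARGS:password"}}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "203.0.113.11", "requestUri": "/feedback", "ruleId": "942130", "action": "Matched", "details": {"data": "Matched Data: constructed-value found within ARGS:comment"}}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "203.0.113.10", "requestUri": "/login", "ruleId": "949110", "action": "Blocked", "details": {"data": ""}}}
{"category": "ApplicationGatewayFirewallLog", "properties": {"clientIp": "203.0.113.12", "requestUri": "/", "ruleId": "920350", "action": "Matched", "details": {"data": "Matched Data: 198.51.100.7 found within REQUEST_HEADERS:Host"}}}
{"category": "ApplicationGatewayAccessLog", "properties": {"clientIP": "203.0.113.10", "httpStatus": 200}}
{"category": "ApplicationGatewayFirewallLog", "prop
"""

def parse_firewall_log(text):
    """Yield the properties dict of every firewall log record in the export."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort
        if record.get("category") == "ApplicationGatewayFirewallLog":
            yield record.get("properties", {})

def summarize(text):
    """Return (hit counts per (ruleId, action), logged match data per ruleId)."""
    hits = Counter()
    matched = defaultdict(set)
    for props in parse_firewall_log(text):
        rule_id = props.get("ruleId", "?")
        hits[(rule_id, props.get("action", "?"))] += 1
        data = (props.get("details") or {}).get("data")
        if data:
            matched[rule_id].add(data)
    return hits, matched

def exclusion_candidates(matched, sensitive_names=("password", "token")):
    """Rule IDs whose plain-text match data names a sensitive field (assumed list)."""
    return sorted(rule_id for rule_id, values in matched.items()
                  if any(name in v.lower() for v in values for name in sensitive_names))

if __name__ == "__main__":
    hits, matched = summarize(SAMPLE_LOG)
    for (rule_id, action), count in hits.most_common():
        print(f"{rule_id:>8}  {action:<8} {count}")
    print("review for exclusion:", exclusion_candidates(matched))
```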

Application Gateway WAF v2 Metrics

New WAF metrics are only available for Core Rule Set 3.2 or greater, or with bot protection and geo-filtering. The metrics can be further filtered on the supported dimensions.

| Metrics | Description | Dimension |
| --- | --- | --- |
| WAF Total Requests | Count of successful requests that WAF engine has served | Action, Country/Region, Method, Mode, Policy Name, Policy Scope |
| WAF Managed Rule Matches | Count of total managed rule matches | Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Group, Rule ID, Rule Set Name |
| WAF Custom Rule Matches | Count of custom rule matches | Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Name |
| WAF Bot Protection Matches¹ | Count of total bot protection rule matches that have been blocked or logged from malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. | Action, Country/Region, Bot Type, Mode, Policy Name, Policy Scope |
| WAF JS Challenge Request Count | Count the number of requests that match JS Challenge WAF rules. | Action, Policy Name, Policy Scope, Rule² |

¹ Only Bot Manager Rule Set 0.1 will be displayed under “WAF Bot Protection Matches”. Requests matching Bot Manager Rule Set 1.0 will increase “WAF Total Requests” metrics, not “WAF Bot Protection Matches”.

² Rule name for custom rules and Rule ID for the Bot Manager Rule Set.

For metrics supported by Application Gateway V2 SKU, see Application Gateway v2 metrics.

Application Gateway WAF v1 Metrics

| Metrics | Description | Dimension |
| --- | --- | --- |
| Web Application Firewall Blocked Requests Count | Count of total requests that have been blocked by the WAF engine | |
| Web Application Firewall Blocked Requests Distribution | Total number of rules hit distribution for the blocked requests by Rule Group and Rule ID | Rule Group, Rule ID |
| Web Application Firewall Total Rule Distribution | Count of total matched requests distribution by Rule Group and Rule ID | Rule Group, Rule ID |

For metrics supported by Application Gateway V1 SKU, see Application Gateway v1 metrics.

Access WAF Metrics in Azure portal

  1. From the Azure portal menu, select All Resources >> <your-Application-Gateway-profile>.

  2. Under Monitoring, select Metrics:

  3. In Metrics, select the metric to add:

  4. Select Add filter to add a filter:

  5. Select New chart to add a new chart.

Configure Alerts in Azure portal

  1. Set up alerts on Azure Application Gateway by selecting Monitoring >> Alerts.

  2. Select New alert rule for the metrics listed in the Metrics section.

Alerts are charged based on Azure Monitor. For more information about alerts, see Azure Monitor alerts.
