Recently I was troubleshooting a few issues with WAF alerts raised on a web app running behind Azure Front Door. I put together a couple of Log Analytics (KQL) queries against the AzureDiagnostics table that gave me useful views of the logs. I'm putting them here for my own reference as much as anything, but hopefully they are useful to someone else.
Focusing in on alerts in specific areas of your site
This query was used to achieve the following:
- Find any alerts which were NOT in the admin area of the site, by parsing the request URI and checking whether the path starts with /admin/
- Look for alerts in the last 2 hours
AzureDiagnostics
| where Category contains "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(2h)
| extend Result = parse_url(requestUri_s)
| extend Path = tostring(Result.Path)
| where Path !startswith "/admin/"
| project Path, ruleName_s, details_matches_s
This query can easily be extended if you want to pick out specific URLs from a big list of alerts.
Alert Summary by Url and Rule
The below query was used to help me look at the following:
- How many alerts are there grouped by url path and rule name
AzureDiagnostics
| where Category contains "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(24h)
| extend Result = parse_url(requestUri_s)
| extend Path = tostring(Result.Path)
| summarize count() by Path, ruleName_s
This is useful for breaking down the alerts: if you have lots of different query strings causing the same rule to fire, you can filter through the noise and work out what issues you actually have. Sometimes fixing or excluding a single false positive addresses a large share of the entries in your log. This view shows how many times each rule triggers on each path in your site.
An interesting point to note is that using parse_url and keeping only the Path drops the query string from the output, which gives a much more useful list. Some URLs are requested with many different query strings, and without this normalisation you end up with a long list of URLs that each have a count of 1.
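Once the summary above has pointed at a path and rule combination with a high count, the next thing I want is to see what the WAF actually matched on before deciding whether an exclusion is safe. The following drill-down query is an added example and is not from the original post; the targetPath and targetRule values are placeholders to be replaced with a Path and ruleName_s value taken from the summary query, and action_s is assumed to be the column carrying the WAF action (Block/Log) for the entry.

```kusto
// Added example, not part of the original post.
// Drill into one path + rule combination: group by what the WAF matched on
// (details_matches_s) and the action taken, count the distinct raw URIs that
// are collapsed into each group, and keep one sample URI for reference.
let targetPath = "/search";   // assumption: a Path value from the summary query
let targetRule = "942100";    // assumption: a ruleName_s value from the summary query
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(24h)
| where ruleName_s == targetRule
| extend Path = tostring(parse_url(requestUri_s).Path)
| where Path == targetPath
| summarize Hits = count(),
            DistinctUris = dcount(requestUri_s),
            SampleUri = take_any(requestUri_s)
          by Path, ruleName_s, action_s, details_matches_s
| order by Hits desc
```

A single details_matches_s value with a large Hits count and many DistinctUris usually means one parameter is responsible for most of the noise, which is the case where a targeted exclusion for that match variable pays off; several different match values with low counts are more likely to be genuinely distinct requests that each need a look.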
Summary of Alerts per Rule
This will help me to see how many of each rule are firing in the given time period
AzureDiagnostics
| where Category contains "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(24h)
| summarize count() by ruleName_s
This is a pretty simple query, but it is handy for an overview of what's going on: whether any new alerts are starting to show up, or which areas need looking at because they are reporting lots of issues.
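The plain per-rule count does not by itself show whether a rule is new or has been firing all along. The query below is an added example, not from the original post: it looks back over a longer window, records the first and last time each rule and action combination was seen, and keeps only the rules that first appeared in the last day. The 7d and 24h windows are my assumptions and can be tuned to taste; action_s is assumed to be the WAF action column.

```kusto
// Added example, not part of the original post.
// Surface rules that only started firing recently by comparing each rule's
// first-seen time in a 7-day window against the last 24 hours.
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(7d)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by ruleName_s, action_s
| where FirstSeen > ago(24h)   // assumption: "new" means not seen before the last day
| order by Hits desc
```

Dropping the final where clause and adding `| summarize count() by ruleName_s, bin(TimeGenerated, 1h) | render timechart` in place of the summarize gives the same information as a chart, which makes a rule that suddenly spikes after a deployment easy to spot.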