Recently I was looking at troubleshooting a few issues with WAF alerts raised on a web app running behind Azure Frontdoor. I put together a couple of queries that I found useful to help create useful views of the logs. Popping them here for my own reference as much as anything but hopefully they are useful to someone else.

Focusing in on alerts in specific areas of your site

This query was used to achieve the following:

  • Find any alerts which were NOT in the admin area of the site by parsing the request uri and checking it the path contains an admin area
  • Look for alerts in the last 2 hours
| where Category contains "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(2h)
| extend Result = parse_url(requestUri_s)
| where Result.Path startswith "/admin/" == false
| project  Result.Path, ruleName_s, details_matches_s

This query could be easily extended if you wanted to look at specific url’s in a big list of alerts

Alert Summary by Url and Rule

The below query was used to help me look at the following:

  • How many alerts are there grouped by url path and rule name
| where Category contains "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(24h)
| extend Result = parse_url(requestUri_s)
| project  Result.Path, ruleName_s
| summarize count() by tostring(Result_Path), ruleName_s

This is useful to help breakdown some of the alerts so that if you have a lot of different query strings causing the same alert to fire you can filter through the noise to workout what issues you have. Sometimes fixing or excluding a single false positive could address a lot of the issues in your log. This will let you see how many rules trigger on each path in your site.

An interesting point to note here is that using the parse_url function and projecting the result lets me get rid of the query string in my output query so I can make a more useful list where as some url’s might have lots of different query strings which would make it a big list of url’s with a count of 1 if we dont format the data here.

Summary of Alerts per Rule

This will help me to see how many of each rule are firing in the given time period

| where Category contains "FrontdoorWebApplicationFirewallLog" and TimeGenerated > ago(24h)
| summarize count() by ruleName_s

This is pretty simple query but it will be handy to let me see an overview of whats going on and if any new alerts are starting to show up or help me identify areas which need looking at if they are reporting lots of issues.


Buy Me A Coffee