Recently I've been helping with some Azure Front Door with WAF scenarios. Below are a few queries I find useful when the Front Door is configured to send log messages to Log Analytics and you want to check the firewall log to see what's happening and to troubleshoot.
Just a simple query to project fields and to get the 250 most recent events
If you just want a simple view of the most recent events, this query projects out a few useful fields so it's easy to see what got logged.
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
| project TimeGenerated, clientIP_s, requestUri_s, details_msg_s, details_data_s, trackingReference_s
| order by TimeGenerated desc
| take 250
Find an event from the tracking id
When a request gets blocked the client may ask why they were blocked, or you might need to correlate the block with your own logs. The blocked response can carry a response header called X-Azure-Ref which holds a tracking id, and below is a simple query to help find the matching firewall log message.
let trackingId = "0ShSgYQAAAACLhWlOT4+QSqMlKZegVEsaTUFOMzBFREdFMDcxMABmNWY5MWE3My0wZTdlLTRhYjktODM4YS1kMjVmNWRjOTg1MDU=";
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
and trackingReference_s == trackingId
Summarize the number of failures by rule
A simple summary so you can see which rules may be causing you problems.
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
and TimeGenerated > ago(1d)
| summarize count() by ruleName_s
Summarize the number of failures by url
Just a simple summary so you can see which URLs might be causing you problems.
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
and TimeGenerated > ago(1d)
| summarize count() by requestUri_s
List the number of events by formatted url and rule
The URL may sometimes have a query string on it, so you might get a lot of rows in the list. This query removes the query string, groups by the URL without it and then by rule, so it's easy to see which rules are affecting each page or API.
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
and TimeGenerated > ago(1d)
| extend BaseRequestUri = tostring(split(requestUri_s, "?")[0])
| summarize count() by BaseRequestUri, ruleName_s
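Building on the query-string stripping above, here is an added example query (not from the original post) that, for each base URL and rule, also counts how many of the matches were actually blocked and how many distinct client IPs were involved, which helps tell a noisy rule that needs tuning apart from many requests hitting one path. It assumes the action_s column that Front Door WAF diagnostics record for the rule action (values such as "Block" and "Log").

```kusto
// Added example, not from the original post. Assumes the action_s column
// that Front Door WAF diagnostics emit for the rule action ("Block", "Log", ...).
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
    and TimeGenerated > ago(1d)
// strip the query string so /api/items?id=1 and /api/items?id=2 land in one bucket
| extend BaseRequestUri = tostring(split(requestUri_s, "?")[0])
| summarize
    Matches = count(),                          // every rule match, blocked or only logged
    Blocked = countif(action_s == "Block"),     // matches that actually returned a block
    DistinctClients = dcount(clientIP_s),       // how many different sources were involved
    SampleMatch = take_any(details_msg_s)       // one match detail per group to aid tuning
    by BaseRequestUri, ruleName_s
| where Blocked > 0
| order by Blocked desc, Matches desc
```

A rule with many matches from a single client on one path reads differently from the same count spread across many clients and paths, so the DistinctClients column is usually the first thing to look at when deciding whether to tune an exclusion.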
Number of Firewall Rule Events per day for last 30 days
A simple bar chart showing the number of events per day flagged in the log.
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
and TimeGenerated > ago(30d)
| summarize count() by bin(TimeGenerated, 1d)
| render barchart
When did firewall rule events happen over the last 30d
A timechart showing when the events are happening, so you can get a profile of when the problematic times might be.
AzureDiagnostics
| where Category == "FrontdoorWebApplicationFirewallLog"
and TimeGenerated > ago(30d)
| make-series count() default=0 on TimeGenerated in range(ago(30d), now(), 30m)
| render timechart