Using Azure WAF to tracking blocked requests by Log Analytics.

Jakub Waliszewski
5 min readMar 22, 2021

--

Improve your web application protection with Azure WAF.

At Begin, I want to describe the operation of several very important services that together create a significant weapon against external attacks like from SQL injection, PHP injection, XSS attack, cross-site scripting or other web exploits

  • Front Door
  • Log Analytics
  • Azure Web Application Firewall

Front Door is a network service which works as a load balancer with additional service firewall called WAF.

Log Analytics is the Microsoft Tool in Azure Portal for writing custom queries and interactively analyzing their results. Operating on the Kusto query language.

WAF as the name says it is “Web Application Firewall” so that’s mean that this service is responsible for protection, monitoring and logging all common threats. We can define like a group rules combination of custom or managed rules which help to control access to your web application.

So in this scenario, in a few steps, I will show you how to easily and quickly verify what goes through to our endpoint and is caught by Azure Firewall.

Before we start verifying all incoming attacks on our site, we requirement be sure that our service will be collecting data which we will be able to analyze later. Without this setting, we don’t be able to check if our application is properly secure.

First we need to go to our Front Door through the search service.

And now you scroll down to the section ‘Monitoring and go to the ‘Diagnostics settings’ tab and press ‘Add diagnostics setting‘.

In the Diagnostics settings configuration, we have to check the appropriate fields so that the log and metrics are sent to our Log Analytics. Besides, we can set up archiving of log data directly to the storage account retention from 1 to 365 days.

At this point, we need to wait for some data to flow from Front Door to our log Analytics.

Returning to the main view of our Front Door, in the Monitoring tab, select Logs and wait for the Log Analytics service to load.

By default, we’ll be welcoming you with sample queries, which we can of course use.

Example of Top 20 blocked clients requests by IP and our rules.

Of course, we can create our own queries that exactly search for what he needs.

For example returns WAF logs on blocked requests

AzureDiagnostics
| where ResourceType == "FRONTDOORS" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"

Results . Nothing block 🙂

Another example with AccessLogs entries from Front Door

AzureDiagnostics
| where ResourceType == "FRONTDOORS" and Category == "FrontdoorAccessLog"

That’s in normal, standard view and we can scroll down or expended and check more details what’s going on in the current log. You only need to expand the item any data to get even more details

Well, we already know what to do to enable data collection from Front Door, how to search for any anomalies through Log Analytics.

But not everyone likes or knows how to build queries in Log Analytics.
Is there a simpler, faster way to verify what is happening at our endpoint?

Of course!!!

As a reminder, when configuring data collection in the Diagnostics Log, we have also enabled data collection for the Storage Account.

Now just need to locate storage account where files have been saved, find container with named ‘insights-logs-frondoorwebapplicationfirewalllog’ and download PT1H.json

Now you know exactly step by step how to check the logs generated by your service Azure Front Door and know if you’re being attacked or spammed.

More information about Azure WAF with Front Door you can find in Microsoft Documentations

If you have any questions or just want to say hello :) You can find me here :) https://www.linkedin.com/in/jakub-waliszewski/

Front Door is a network service which works as a load balancer with additional service firewall called WAF.

--

--

Jakub Waliszewski
Jakub Waliszewski

Written by Jakub Waliszewski

Azure Cloud Architect in Transition Technologies PSC.

No responses yet