Continuing from the previous post Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool, I will show how to query the WAF logs using Azure Log Analytics as it provides near real-time monitoring. To get a more comprehensive implementation of Log Analytics you can read my other blog series on Monitoring Virtual Machines with Azure Log Analytics

In order to setup monitoring, the Azure application gateway’s diagnostics logs have be connected to your log analytics workspace as shown.

By clicking Edit setting, it was setup with the following check boxes filled and selecting my existing log analytics workspace named rkimoms

 The Send to log Analytics is checked off along with selecting my log analytics workspace called rkimoms.

Going to my log analytics workspace query editor

I execute the following log analytics query to see which requests were detected and blocked by the WAF.

AzureDiagnostics
| where Category == “ApplicationGatewayFirewallLog” and action_s == “Blocked”
| summarize any(details_data_s) by details_file_s, details_message_s, details_data_s, bin(TimeGenerated, 10m)

The query returns the following result

As indicated by the red arrow, you can see 44 detected attacks of the SQL Injection Attack Detected via libinjection rule and where by the OWASP ZAP tool ran this type of attack.

To visualize with a bar chart, I execute a query
AzureDiagnostics
| where Category == “ApplicationGatewayFirewallLog” and action_s == “Blocked”
| summarize count(details_message_s) by details_message_s, bin(TimeGenerated, 5m)
| render barchart

And receive the result

This shows ZAP tool attack scans that I have run several times in a 30 minute period. The bar chart groups the results in 5 min time buckets and by attack detected rule.

So, whether in testing or in production scenarios, use Log Analytics to monitor the web application firewall logs to assess threats.

Resources

• Application Gateway Diagnostics Logs