Penetration Testing Your Web App with Azure Application Gateway WAF Part 3: Log Analytics

Continuing from the previous post, Penetration Testing Your Web App with Azure Application Gateway WAF Part 2: OWASP ZAP Tool, I will show how to query the WAF logs using Azure Log Analytics, which provides near real-time monitoring. For a more comprehensive implementation of Log Analytics, you can read my other blog series, Monitoring Virtual Machines with Azure Log Analytics.

In order to set up monitoring, the Azure application gateway's diagnostics logs have to be connected to your Log Analytics workspace, as shown.
[Image: PenTestWAF9]

By clicking Edit setting, I set it up with the following check boxes filled in and selected my existing Log Analytics workspace named rkimoms.
[Image: PenTestWAF10]
The Send to Log Analytics box is checked, along with my Log Analytics workspace called rkimoms being selected.

Next, I go to my Log Analytics workspace query editor.
[Image: PenTestWAF11]

There I execute the following Log Analytics query to see which requests were detected and blocked by the WAF:

AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog" and action_s == "Blocked"
| summarize any(details_data_s) by details_file_s, details_message_s, details_data_s, bin(TimeGenerated, 10m)

The query returns the following result:
[Image: PenTestWAF12]

As indicated by the red arrow, you can see 44 detected attacks matching the SQL Injection Attack Detected via libinjection rule, which is where the OWASP ZAP tool ran this type of attack.

To visualize the results with a bar chart, I execute this query:
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog" and action_s == "Blocked"
| summarize count(details_message_s) by details_message_s, bin(TimeGenerated, 5m)
| render barchart

and receive the following result:
[Image: PenTestWAF13]

This shows the ZAP attack scans that I ran several times within a 30-minute period. The bar chart groups the results into 5-minute time buckets and by the rule that detected the attack.
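The two queries above count hits per rule. As an added example that is not part of the original post, the following Log Analytics query turns the same firewall log into a per-client triage view, so that a scanner (or a real attacker) hammering the site stands out by the number of rules it trips in each 5-minute bucket, in both Prevention mode (Blocked) and Detection mode (Detected). It assumes the AzureDiagnostics columns clientIp_s, ruleId_s and requestUri_s and the ResourceType value APPLICATIONGATEWAYS, none of which appear on the page; the threshold of 20 is a constructed starting point to tune per site.

```kusto
// Added example (not from the original post): per-client triage of WAF hits.
// Assumed columns for Category "ApplicationGatewayFirewallLog":
//   clientIp_s, ruleId_s, requestUri_s, action_s (Blocked or Detected).
AzureDiagnostics
| where TimeGenerated > ago(30m)                      // same 30-minute window as the bar chart
| where ResourceType == "APPLICATIONGATEWAYS"        // skip other diagnostics sources
    and Category == "ApplicationGatewayFirewallLog"
| summarize
    Blocked   = countif(action_s == "Blocked"),      // Prevention mode hits
    Detected  = countif(action_s == "Detected"),     // Detection mode hits
    Rules     = make_set(ruleId_s, 10),              // up to 10 distinct rule IDs tripped
    Uris      = dcount(requestUri_s),                // how many different paths were probed
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by clientIp_s, bin(TimeGenerated, 5m)
| where Blocked + Detected >= 20                     // constructed threshold; tune per site
| order by Blocked desc, Detected desc
```

A single client that trips many distinct rules across many URIs within one bucket is the signature of a scan such as the ZAP run above, whereas a single rule firing repeatedly on one URI is more often a false positive worth a rule exclusion.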

So, whether in testing or in production scenarios, use Log Analytics to monitor the web application firewall logs and assess threats.
