Requirement
Use Azure Sentinel to monitor and investigate cyber-attacks against a web application, with the Azure Application Gateway's Web Application Firewall (WAF) providing both a layer of protection in front of the application and the telemetry needed to detect and investigate those attacks.
Solution Design
The Azure Application Gateway is a layer 7 web traffic load balancer with many features for managing your traffic. One of them is a Web Application Firewall (WAF) that can detect or prevent common web attacks and the exploitation of web vulnerabilities, based on rules from the OWASP (Open Web Application Security Project) Core Rule Set (CRS) 3.1.
Common examples of web attacks are SQL injection and cross-site scripting. To mitigate such threats, the App Gateway WAF can be placed in front of one or more web applications or virtual machines. This is part of a defense-in-depth strategy: it adds another layer of security to your shared infrastructure, although it does not remove the need to fix the vulnerabilities in the applications behind it.
A Log Analytics workspace is a data repository that stores log data collected from Azure resources. In this design it collects the Application Gateway's diagnostic logs, in particular the WAF firewall log, as a data source.
Azure Sentinel is an enterprise-wide solution for threat detection, visibility, hunting and response; in other words, it is a security information and event management (SIEM) and security orchestration, automation and response (SOAR) system. Azure Sentinel analyzes the log data collected into its associated Log Analytics workspace.

The following is the architecture and data flow to support the requirement.

Finally, OWASP ZAP (Zed Attack Proxy) is a penetration testing tool that can simulate web attacks such as SQL injection and cross-site scripting. I will run it against the App Gateway, which fronts a single-page web app hosted in Azure App Service, so that Log Analytics collects the telemetry of the resulting WAF events.
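To make the data flow concrete (WAF in front of the app, firewall log records landing in the workspace, Sentinel logic running over them), here is an added example that is not part of the original post or of any Microsoft tooling. It parses a handful of constructed Application Gateway firewall log records in the documented ApplicationGatewayFirewallLog shape, maps each CRS rule id to its attack class from the CRS 3.x rule numbering, and applies the kind of per-client threshold an analytics rule would turn into an incident. Field values, client IPs, host names and transaction ids are made up; the sample follows the CRS 3.x convention in which individual rule hits are logged as Matched and the anomaly-scoring rule 949110 records the final Blocked verdict, which is why blocked requests are counted from that rule only.

```python
"""Parse Application Gateway WAF firewall log records and summarize them the
way a Sentinel analytics rule would: which clients tripped which OWASP CRS
rule families, and which clients crossed a blocking threshold."""
import json
from collections import Counter, defaultdict

# CRS 3.x rule files are numbered by attack class; the leading three digits of
# a ruleId identify the class.
CRS_RULE_FAMILIES = {
    "913": "Scanner detection",
    "920": "Protocol enforcement",
    "921": "Protocol attack",
    "930": "Local file inclusion",
    "931": "Remote file inclusion",
    "932": "Remote command execution",
    "933": "PHP injection",
    "941": "Cross-site scripting",
    "942": "SQL injection",
    "943": "Session fixation",
    "944": "Java attacks",
    "949": "Anomaly score evaluation (final block decision)",
}

# Constructed sample (assumption, not real telemetry): five newline-delimited
# ApplicationGatewayFirewallLog records in the shape the gateway emits to a Log
# Analytics workspace. Field names follow the firewall-log schema; values are
# made up. Matches are logged as "Matched"; rule 949110 carries the "Blocked"
# verdict for the whole transaction.
SAMPLE_LOG = """\
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_0","clientIp":"203.0.113.10","requestUri":"/search?q=1%27%20OR%201%3D1--","ruleSetType":"OWASP","ruleSetVersion":"3.1","ruleId":"942100","message":"SQL Injection Attack Detected via libinjection","action":"Matched","site":"Global","hostname":"spa.example.com","transactionId":"tx-001"}}
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_0","clientIp":"203.0.113.10","requestUri":"/search?q=1%27%20OR%201%3D1--","ruleSetType":"OWASP","ruleSetVersion":"3.1","ruleId":"949110","message":"Inbound Anomaly Score Exceeded (Total Score: 5)","action":"Blocked","site":"Global","hostname":"spa.example.com","transactionId":"tx-001"}}
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_0","clientIp":"203.0.113.10","requestUri":"/comment?text=%3Cscript%3Ealert(1)%3C/script%3E","ruleSetType":"OWASP","ruleSetVersion":"3.1","ruleId":"941100","message":"XSS Attack Detected via libinjection","action":"Matched","site":"Global","hostname":"spa.example.com","transactionId":"tx-002"}}
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_0","clientIp":"203.0.113.10","requestUri":"/comment?text=%3Cscript%3Ealert(1)%3C/script%3E","ruleSetType":"OWASP","ruleSetVersion":"3.1","ruleId":"949110","message":"Inbound Anomaly Score Exceeded (Total Score: 5)","action":"Blocked","site":"Global","hostname":"spa.example.com","transactionId":"tx-002"}}
{"category":"ApplicationGatewayFirewallLog","operationName":"ApplicationGatewayFirewall","properties":{"instanceId":"appgw_0","clientIp":"198.51.100.7","requestUri":"/index.html","ruleSetType":"OWASP","ruleSetVersion":"3.1","ruleId":"920350","message":"Host header is a numeric IP address","action":"Matched","site":"Global","hostname":"10.0.0.4","transactionId":"tx-003"}}
"""


def parse_firewall_log(text):
    """Return the `properties` object of each ApplicationGatewayFirewallLog
    record, skipping blank lines and records from other diagnostic categories."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("category") != "ApplicationGatewayFirewallLog":
            continue
        records.append(entry["properties"])
    return records


def rule_family(rule_id):
    """Map a CRS ruleId such as '942100' to its attack class."""
    return CRS_RULE_FAMILIES.get(str(rule_id)[:3], "Other")


def blocked_transactions(records):
    """One (transactionId, clientIp, requestUri) per blocked request.
    Only the 'Blocked' verdict is counted so a request that matched several
    rules is not counted several times."""
    return [
        (r["transactionId"], r["clientIp"], r["requestUri"])
        for r in records
        if r["action"] == "Blocked"
    ]


def matched_rules_by_client(records):
    """clientIp -> Counter of attack classes matched (verdict rules excluded)."""
    by_client = defaultdict(Counter)
    for r in records:
        if r["action"] == "Matched" and not r["ruleId"].startswith("949"):
            by_client[r["clientIp"]][rule_family(r["ruleId"])] += 1
    return by_client


def clients_over_threshold(records, min_blocked=2):
    """Clients with at least `min_blocked` blocked requests: the condition an
    analytics rule would raise an incident on."""
    counts = Counter(ip for _, ip, _ in blocked_transactions(records))
    return sorted(ip for ip, n in counts.items() if n >= min_blocked)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for ip, families in matched_rules_by_client(recs).items():
        print(ip, dict(families))
    print("blocked:", blocked_transactions(recs))
    print("alert on:", clients_over_threshold(recs))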
The rest of this blog series covers:
- Part 2 – WAF Setup with Azure Sentinel
- Part 3 – Monitoring of web attacks
- Part 4 – Analytics alert rules of web attacks
- Part 5 – Incident Investigation of web attacks
- Part 6 – Hunting
My purpose is to show an applied architecture that uses Azure Sentinel to support the investigation of incidents arising from malicious web attacks.
To continue reading, click for Part 2 – WAF Setup with Azure Sentinel
Excellent set of articles
Hello Roy, excellent posts, thanks much.
Is it possible to block a random query string DDoS attack using these services?