Use Azure Sentinel to monitor and investigate incidents of cyber-attacks on a web application by having a layer of protection by leveraging the Azure Application Gateway’s Web Application Firewall.
The Azure Application Gateway is a layer 7 web traffic load balancer with many features to manage your traffic. This includes the WAF which can prevent or detect cyber attacks or web vulnerabilities based on rules from the OWASP (Open Web Application Security Project) core rule sets 3.1
Common examples of web attacks are SQL injection and cross site scripting. To mitigate against such threats, the App Gateway Web App Firewall can be fronted against one or more web applications and virtual machines. This can be part of a defense by depth strategy by adding another layer of security in your shared infrastructure.
A Log Analytics Workspace is a data repository to store log data collected from azure resources. This will be used to collect log data from the Application Gateway as a data source.
Azure Sentinel is an enterprise wide solution for threat detection, visibility, hunting and response. In other words, it is a security information event management (SIEM) and security orchestration response system. Azure Sentinel can analyze log data collected into an associated log analytics workspace.
The following is the architecture and data flow to support the requirement.
Finally, OWASP Zap Tool is a penetration testing tool and can simulate web attacks such as SQL injection and cross site scripting. I will use this tool against the App Gateway and a single page web app hosted in Azure App service such that Log Analytics can collect the telemetry of WAF events.
This blog series will continue by covering the concepts of:
- Part 2 – WAF Setup with Azure Sentinel
- Part 3 – Monitoring of web attacks
- Part 4 – Analytics alert rules of web attacks
- Part 5 – Incident Investigation of web attacks
- Part 6 – Hunting
My purpose is to show an applied architecture of using Azure Sentinel to support investigation of incidents of malicious web attacks.
To continue reading, click for Part 2 – WAF Setup with Azure Sentinel
3 thoughts on “Using Azure Sentinel with Azure App Gateway to Investigate Web Attacks – Part 1 Intro”
Pingback: Using Azure Sentinel with Azure App Gateway to Investigate Web Attacks – Part 2 Setup – Roy Kim on Azure, Office 365 and SharePoint
Excellent set of articles
Hello Roy, excellent posts, thanks much.
Is it possible to block random query string DDoS attack using these services?