Using Azure Sentinel with Azure App Gateway to Investigate Web Attacks – Part 4 Analytics

Continuing from Part 3.

Create an Analytics Rule that will generate an incident for investigation of web attacks. I would call this more of an active monitoring approach vs the Azure Sentinel workbooks. An analytics rule seems to me the same process as creating a Log Analytics alert rule.

Once Azure Sentinel is connected to your App Gateway WAF, create custom scheduled query rules that search for specific criteria against the log data in the Log Analytics workspace. These rules create alerts and generate incidents when the criteria are matched so that you can investigate them.

Go to the Analytics blade.

Click Create and choose Scheduled query rule. The Microsoft incident creation rule is more of a built-in rule, and I haven’t seen anything related to the WAF at the time of writing.

I fill out the general settings as follows.

I add the following query rule I created to detect SQL injection attacks:

AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog" and action_s == "Matched" and
details_file_s == "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
| project hostname_s , requestUri_s , clientIp_s, conditions_destinationIP_s

This query runs every 5 hours and looks back over the last 5 hours. You can make it more frequent. The rule generates an alert when the number of query results is greater than 180, in other words when more than 180 SQL injection attack events are detected by the WAF over this period.
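To make the rule's semantics concrete, here is an added example (not code from the original post) that replays the same where/project logic and the 5-hour lookback with the greater-than-180 trigger over constructed sample log rows. It goes one step beyond the page's query by also ranking client IPs, so an analyst can see which sources drove the count; the row values and timestamps are assumptions made up for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Column values copied from the KQL rule on this page.
CATEGORY = "ApplicationGatewayFirewallLog"
SQLI_RULE_FILE = "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
PROJECTED = ("hostname_s", "requestUri_s", "clientIp_s", "conditions_destinationIP_s")
SAMPLE_NOW = datetime(2020, 6, 1, 12, 0, 0)  # constructed "current time" for the sample

def matches_rule(rec):
    """Mirror the 'where' clause: WAF log, rule matched, CRS 942 (SQLi) rule file."""
    return (rec.get("Category") == CATEGORY
            and rec.get("action_s") == "Matched"
            and rec.get("details_file_s") == SQLI_RULE_FILE)

def project(rec):
    """Mirror the 'project' clause: keep only the four columns the rule outputs."""
    return {col: rec.get(col) for col in PROJECTED}

def evaluate_rule(records, now, period=timedelta(hours=5), threshold=180):
    """Apply the rule over the lookback window and decide whether an alert fires.
    Also counts hits per client IP (an addition over the page's query)."""
    start = now - period
    hits = [project(r) for r in records
            if start <= r["TimeGenerated"] <= now and matches_rule(r)]
    by_client = Counter(h["clientIp_s"] for h in hits)
    return {"count": len(hits),
            "triggered": len(hits) > threshold,  # the "greater than 180" trigger
            "top_clients": by_client.most_common(3)}

def sample_records(now):
    """Constructed sample log rows shaped like AzureDiagnostics (not real WAF data)."""
    def row(ts, ip, action="Matched", rule_file=SQLI_RULE_FILE):
        return {"TimeGenerated": ts, "Category": CATEGORY, "action_s": action,
                "details_file_s": rule_file, "hostname_s": "www.example.com",
                "requestUri_s": "/search?q=constructed", "clientIp_s": ip,
                "conditions_destinationIP_s": "10.0.0.4"}
    recs = [row(now - timedelta(minutes=i % 290), "203.0.113.10") for i in range(190)]
    recs += [row(now - timedelta(minutes=i), "198.51.100.7") for i in range(20)]
    recs.append(row(now - timedelta(minutes=5), "192.0.2.1", action="Blocked"))  # not "Matched"
    recs.append(row(now - timedelta(minutes=5), "192.0.2.2",
                    rule_file="rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"))  # other CRS file
    recs.append(row(now - timedelta(hours=6), "192.0.2.3"))  # outside the 5-hour window
    return recs

if __name__ == "__main__":
    print(evaluate_rule(sample_records(SAMPLE_NOW), SAMPLE_NOW))
```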

Next, there is an option to have an automated response when the alert is triggered. For example, you can create an Azure Logic App that sends Outlook emails, posts a message to a Microsoft Teams or Slack channel, or even creates a ticket in another ticket management system. In this case, I will skip this for now.

Lastly, there is the Review and create screen.

Once created, you can see the rule for management purposes.

For further reading, see the Microsoft documentation: Create custom analytic rules to detect suspicious threats.

The next blog post will look at how to manage the incidents generated from this rule in order to investigate a malicious threat. To read further, see Part 5 on Azure Sentinel Incidents.
