Continuing from post Part 3.
Create an Analytics Rule that will generate an incident to investigate web attacks. I would call this more of an active monitoring approach than the Azure Sentinel workbooks. Creating an analytics rule seems to me to be the same process as creating a Log Analytics alert rule.
Once Azure Sentinel is connected to your App Gateway WAF, create custom scheduled query rules that search for specific criteria in the log data held in the Log Analytics workspace. These rules create alerts and generate incidents when the criteria are matched, so that you can investigate them.
Go to the Analytics blade.
Click Create and choose Scheduled query rule. The Microsoft incident creation rule is for the built-in rules, and I haven't seen anything related to the WAF at the time of writing.
I fill out the general settings as follows.
I add the following query rule I created to detect SQL injection attacks:
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog" and action_s == "Matched" and details_file_s == "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
| project hostname_s, requestUri_s, clientIp_s, conditions_destinationIP_s
This query runs every 5 hours and looks over the last 5 hours; you can make it more frequent. The rule generates an alert when the number of query results is greater than 180, in other words when more than 180 SQL injection attack events are detected in the WAF over this period.
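As an added example (not the query from this post), the same SQL injection filter aggregated per source IP, so the alert shows which clients produced the matches, which 942-series rule IDs fired and which hosts were targeted. It assumes the same AzureDiagnostics fields as the rule above plus ruleId_s carrying the CRS rule number, and it applies the post's threshold of 180 per client instead of across the whole result set.

```kql
// Added example: per-client view of the SQL injection matches used in this post.
// Assumes the AzureDiagnostics fields shown in the post; ruleId_s is assumed to
// hold the CRS rule number that matched the request.
AzureDiagnostics
| where TimeGenerated > ago(5h)                     // same 5-hour lookback as the scheduled rule
| where Category == "ApplicationGatewayFirewallLog"
| where action_s == "Matched"
| where details_file_s == "rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"
| summarize
    HitCount     = count(),                         // matched SQLi requests from this client
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    TargetHosts  = make_set(hostname_s, 10),        // up to 10 distinct hosts hit
    SampleUris   = make_set(requestUri_s, 5),       // a few example request paths
    MatchedRules = make_set(ruleId_s, 20)           // which 942xxx rules fired
    by clientIp_s
| where HitCount > 180                              // the post's threshold, applied per client
| order by HitCount desc
```

With the threshold inside the query, the rule's alert condition becomes "number of results greater than 0", and mapping clientIp_s to the IP entity lets the generated incident carry the source address directly.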
Next, there is an option to have an automated response when the alert is triggered. For example, you can create an Azure Logic App that sends Outlook emails or a message to an MS Teams or Slack channel, or even creates entries in other ticket management systems. In this case, I will skip it for now.
Lastly is the Review and create screen.
Once created, you can see the rule for management purposes.
For further reading, see the Microsoft documentation: Create custom analytic rules to detect suspicious threats.
The next blog post will look at how to manage the incidents generated from this rule to investigate a malicious threat. To read further, click Part 5 on Azure Sentinel Incidents.