Azure
AppGateway Log filtering

# Application Gateway Logs filtering

Work in progress, more of a starting point for myself…. Will work on making it more useful.

This query returns every request the WAF policy blocked (action value "Blocked"):

  AzureDiagnostics
  | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" and action_s == "Blocked"

With the OWASP CRS 3.x rule sets, however, a request is rarely blocked by a single rule. The WAF runs in anomaly-scoring mode: each rule that matches adds to a running anomaly score according to its severity (Critical 5, Error 4, Warning 3, Notice 2), and the individual matches are logged with the action value "Matched". If the total anomaly score of all matched rules reaches the threshold of 5 or greater, the mandatory inbound anomaly rule fires and is logged with the action value "Blocked" (or "Detected" when the policy is in Detection mode). So filtering on "Blocked" alone shows you the request was stopped but not why. Filtering on "Matched" instead shows the rules that built up the score, and you can then incrementally filter out each rule from the query once you have either added an exclusion for it or, occasionally, disabled the rule entirely.

This will show you all of the matched rules within your chosen time-frame:

  AzureDiagnostics
  | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
  | where action_s == "Matched"

Once you have identified a matched rule and accounted for it in some way (added an exclusion or disabled it), add a further filter to the query to drop that rule ID from the results, for example:

  AzureDiagnostics
  | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
  | where action_s == "Matched"
  | where ruleId_s <> "12345"
  | where ruleId_s <> "54321"

And so on, until the only rules left matching are ones you intend to keep, or until legitimate traffic no longer accumulates enough score to trigger the anomaly rule.
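The two steps above (find the mandatory anomaly rule that blocked a request, then work out which "Matched" rules contributed the score) can be combined into a single query by joining on the transaction ID that both log entries share. The following is an added example and is not code from the original page. It assumes the standard AzureDiagnostics columns for ApplicationGatewayFirewallLog (transactionId_s, ruleId_s, action_s, Message, requestUri_s, clientIp_s), a CRS 3.x policy in Prevention mode where the inbound anomaly rule has ID 949110 and its Message contains "Total Score: N", and it uses the same placeholder rule IDs as the text for rules you have already handled.

```kql
// Added example (not part of the original page).
// For every transaction the WAF blocked via the anomaly-score rule, list the
// individual rules that contributed to the score, most frequent first, so the
// next exclusion candidate is at the top of the list.
let lookback = 24h;
// Placeholder IDs for rules already excluded or disabled (same as in the text).
let alreadyHandled = dynamic(["12345", "54321"]);
let wafLogs =
    AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where ResourceProvider == "MICROSOFT.NETWORK"
        and Category == "ApplicationGatewayFirewallLog";
// Transactions that hit the threshold: the mandatory inbound anomaly rule.
// Assumption: CRS 3.x, rule 949110, Message like "... (Total Score: 10)".
let blockedTx =
    wafLogs
    | where action_s == "Blocked" and ruleId_s == "949110"
    | extend totalScore = extract(@"Total Score: (\d+)", 1, Message, typeof(int))
    | project transactionId_s, totalScore, requestUri_s, clientIp_s;
// Contributing "Matched" rules for those same transactions, minus the ones
// already handled, grouped by rule ID.
wafLogs
| where action_s == "Matched" and ruleId_s !in (alreadyHandled)
| join kind=inner blockedTx on transactionId_s
| summarize
    blockedTransactions = dcount(transactionId_s),
    maxTotalScore = max(totalScore),
    sampleUris = make_set(requestUri_s, 5),
    sampleClientIps = make_set(clientIp_s, 5),
    sampleMessage = take_any(Message)
    by ruleId_s
| order by blockedTransactions desc
```

Each row is one rule ID with the number of blocked transactions it contributed to, a few sample URIs and client IPs for deciding whether the traffic is legitimate, and the rule's message text to help pick the right exclusion (request header, cookie, argument name, and so on). As you add exclusions, append the rule IDs to `alreadyHandled` rather than editing the filter lines. If the policy is in Detection mode, change `action_s == "Blocked"` to `action_s == "Detected"` for the mandatory rule, since nothing is blocked there but the anomaly rule still logs.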