Automated Detection and Response for Azure WAF with Sentinel runs with errors

Romain Vilbert 0 Reputation points
2023-10-15T17:45:34.21+00:00

Good afternoon,

I have been trying to trigger an automated response from Sentinel using the admin guide on GitHub.

https://techcommunity.microsoft.com/t5/azure-network-security-blog/automated-detection-and-response-for-azure-waf-with-sentinel/ba-p/3692525

I believe that I have followed the guide correctly (I have actually redone it twice).

Following this guide I have created a custom Analytics rule which should read my Front Door WAF log, retrieve the IP addresses which have been blocked and add an entry to my WAF custom rules with the detected IP addresses.

This is the query:

AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by clientIP_s, host_s, action_s, Resource
| top 20 by RequestCount 
| order by RequestCount desc


The automated workbook gets triggered without error but the run always fails to run to the end. An error is triggered when the Logic App reaches the step "Check WAF Type".

Given that I use a Front Door app, this step should return True but it keeps failing by returning False.


I have been spending a lot of time trying to figure this out but without success.

Would anyone have any idea?

Thanks a lot

  1. Shweta Mathur 29,746 Reputation points Microsoft Employee
    2023-10-18T08:17:46.8366667+00:00

    Hi @Romain Vilbert ,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Automated Detection and Response for Azure WAF with Sentinel was giving error "InvalidTemplate. Unable to process template language expressions in action 'Parse_Entities' inputs at line '0' and column '0': 'Required property 'content' expects a value but got null. Path ''.'

    Solution: @Romain Vilbert found that the issue was coming from the access settings of the Azure WAF, due to which Parse Entities was not receiving the correct input.

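As an added illustration (not the Logic App's own code, and not taken from the blog post linked in the question), the Python below sketches what the "Check WAF Type" and "Parse Entities" steps have to do with the rows the question's KQL query produces: refuse a null or empty `content` (the error quoted in the answer), classify the WAF from the Azure resource ID, and emit a Front Door WAF custom rule that blocks the detected client IPs. The subscription, resource names, hostnames and addresses are constructed sample values; classifying the WAF by the resource-provider path in the ID, and the `ResourceId` column being carried alongside `Resource`, are my assumptions about how the check works.

```python
import ipaddress

# Constructed sample of the rows the KQL query above would hand the Logic App
# (the alert's "content"); subscription, resource group and names are made up.
_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/"
SAMPLE_ALERT = {"content": [
    {"clientIP_s": "203.0.113.10", "host_s": "www.example.com",
     "ResourceId": _PREFIX + "Microsoft.Network/frontdoors/fd-example"},
    {"clientIP_s": "203.0.113.11", "host_s": "www.example.com",
     "ResourceId": _PREFIX + "Microsoft.Network/frontdoors/fd-example"},
    {"clientIP_s": "203.0.113.10", "host_s": "api.example.com",
     "ResourceId": _PREFIX + "Microsoft.Network/frontdoors/fd-example"},
    {"clientIP_s": "not-an-ip", "host_s": "www.example.com",
     "ResourceId": _PREFIX + "Microsoft.Network/frontdoors/fd-example"},
]}


def waf_type(resource_id: str) -> str:
    """Classify the WAF from its resource ID (assumed: classic Front Door under
    Microsoft.Network/frontdoors, Standard/Premium under Microsoft.Cdn/profiles)."""
    rid = resource_id.lower()
    if "/microsoft.network/frontdoors/" in rid or "/microsoft.cdn/profiles/" in rid:
        return "FrontDoor"
    if "/microsoft.network/applicationgateways/" in rid:
        return "ApplicationGateway"
    return "Unknown"


def _valid_ip(value) -> bool:
    """Drop anything that is not a literal IP before it reaches a match condition."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


def build_block_rule(alert: dict, priority: int = 100) -> dict:
    """Build a Front Door WAF custom rule (IPMatch on RemoteAddr) from alert rows.
    Fails loudly on the null 'content' case that the error message in the answer describes."""
    rows = alert.get("content")
    if not rows:
        raise ValueError("alert 'content' is null or empty; nothing to parse")
    kinds = {waf_type(r.get("ResourceId", "")) for r in rows}
    if kinds != {"FrontDoor"}:
        raise ValueError(f"expected only Front Door resources, got {sorted(kinds)}")
    ips = sorted({r["clientIP_s"] for r in rows if _valid_ip(r.get("clientIP_s"))})
    return {"name": "SentinelBlockedClients", "priority": priority,
            "ruleType": "MatchRule", "action": "Block",
            "matchConditions": [{"matchVariable": "RemoteAddr", "operator": "IPMatch",
                                 "negateCondition": False, "matchValue": ips}]}
```

The returned dictionary matches the shape of one entry in a Front Door WAF policy's `customRules.rules` array; the Application Gateway schema differs (`matchVariables`/`matchValues`), which is why the type check has to succeed before the rule is written.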
