Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
622 questions
Query Azure Front Door WAF Logs
Nibbler
616
Reputation points
Hello MS Q&A
I have a Front Door Premium with WAF, and experiencing number of "blocks" on rule "942340" I have no issues in query the logs, but unable to query what exactly the specific rule is blocking.
I have tried with many different queries combination, but no luck in getting the details on what is root for this rule to be blocking requests.
Example on a approach, that didn't give me any luck.
Step 1
zureDiagnostics
| where ResourceType == "PROFILES" or ResourceType == "FRONTDOORS"
| where action_s == "Block"
| where Category == "FrontDoorWebApplicationFirewallLog"
| where ruleName_s contains "Microsoft_DefaultRuleSet"
| summarize count() by ruleName_s, requestUri_s, policyMode_s, action_s, trackingReference_s, details_msg_s
Step 2
AzureDiagnostics
| where trackingReference_s == 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
| project TimeGenerated, Category, ruleName_s, action_s, trackingReference_s
| order by TimeGenerated desc
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee2023-10-27T01:22:27.0333333+00:00 Thank you for reaching out.
Based on a glance at the queries, can you try running the 1st query with the following changes
- Make
where action_s == "Block"asaction_s contains "Block", as it can beBlockandblockas documented here - Remove
details_msg_sfrom your first query as we have seen in some instances where this property is absent from the logs.
Please let us know if it helped or the issue still persists. Thank you!
- Make
-
Nibbler 616 Reputation points
2023-10-27T08:59:53.79+00:00 - Hello @ChaitanyaNaykodi-MSFT
Thanks for you comment. However, this do not solve the issue at hand, that I want to see what rule 942340 is blocking and way. This only provide the overall rule "Microsoft_DefaultRuleSet-2.1-BLOCKING-EVALUATION-949110"
And the query using the "trackingReference_s" field, do not provider the needed details...
TimeGenerated [UTC]
- 2023-10-26T12:16:53Z
- Category
- FrontDoorWebApplicationFirewallLog
- ruleName_s
- Microsoft_DefaultRuleSet-2.1-SQLI-942300
- action_s
- AnomalyScoring
- trackingReference_s
- 20231026T121653Z-fbwcbxtyvp20h5346dfg787okghgd432wesfghy7ikhgjgdery0000000genc
-
Nibbler 616 Reputation points
2023-10-31T11:06:48.9833333+00:00 Hello @ChaitanyaNaykodi-MSFT Any feedback on last comment?
-
ChaitanyaNaykodi-MSFT 24,231 Reputation points Microsoft Employee
2023-11-01T03:14:11.91+00:00 I have reached out you offline regarding this issue.
Sign in to comment