False positives elimination in Azure WAF

Kondlyada, Navaneeth Reddy 0 Reputation points
2023-12-07T09:16:58.44+00:00

Hello

We have adopted Azure WAF in our environment. As of now, WAF is in detection mode and we want to move it to prevention mode, but before doing so we want to identify which detections are legitimate and which are not.

We have Sentinel workbooks to identify the detections, but the number is huge for each listener to examine.

So, is there any way that helps us identify and eliminate false positives more easily?

Azure Web Application Firewall

1 answer

  1. GitaraniSharma-MSFT 49,261 Reputation points Microsoft Employee
    2023-12-07T15:53:04.71+00:00

    Hello @Kondlyada, Navaneeth Reddy ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you have an Azure WAF which is in detection mode, and you want to move it to prevention mode, but before doing it you want to identify which detections are legitimate.

    As mentioned in the Azure WAF documentation,

    The message that's logged when a WAF rule matches traffic includes the action value "Matched." If the total anomaly score of all matched rules is 5 or greater, and the WAF policy is running in Prevention mode, the request will trigger a mandatory anomaly rule with the action value "Blocked" and the request will be stopped. However, if the WAF policy is running in Detection mode, the request will trigger the action value "Detected" and the request will be logged and passed to the backend.

    As a WAF parses a request through the multiple WAF rules that make up the CRS, it keeps track of the rules that fire and adds the score of each rule to compute the total anomaly score for a request. The WAF will then compare the request anomaly score with an inbound risk score rule threshold. If the threshold is exceeded, the request is more likely to be malicious; otherwise the request is judged to be safe.

    Specific packets may hit one or more rules on the WAF. Each rule being hit has a different "Severity". If a packet is hitting more than one rule, the anomaly score of each of these rules is taken into account, and the sum is calculated and if the sum exceeds 5 points, the packet/request is blocked.

    So, you cannot look at a single Matched log to find if it was allowed/blocked.

    You can understand the WAF logs better by referring to the below doc:

    https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot#understanding-waf-logs

    You should filter your Azure WAF logs using the "transactionId" parameter. transactionId is a unique ID for a given transaction, which helps group multiple rule violations that occurred within the same request.

    Refer: https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/web-application-firewall-logs#firewall-log

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"
    | where transactionId == "16861477007022634343" // replace this value with the transactionId from your log

    If the same transactionId shows hits by more than one WAF rule and shows Matched in the initial logs, WAF will calculate the sum of all the rules hit, and if the sum exceeds 5 points the packet/request will be blocked in Prevention mode and detected in Detection mode.

    But if the transactionId shows only a hit by a single WAF rule whose anomaly score is less than 5, then it will be allowed.

    So, you can check the requests that show Detected for a particular transactionId and update any exclusions or custom rules prior to transitioning to Prevention mode. This can help reduce the occurrence of unexpected blocked traffic.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

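The triage the answer describes, as an added example that is not part of the original thread: group WAF log rows by transactionId, recompute the anomaly score from the "Matched" rows using the CRS severity weights (Critical 5, Error 4, Warning 3, Notice 2), and flag only the transactions that would reach the blocking threshold. The log rows, field names and rule IDs are constructed sample data shaped like ApplicationGatewayFirewallLog entries, not real logs.

```python
from collections import Counter, defaultdict

# CRS severity -> anomaly score contribution (Critical 5, Error 4, Warning 3, Notice 2).
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
BLOCK_THRESHOLD = 5  # total anomaly score at which the request is blocked in Prevention mode

# Constructed sample rows, shaped like ApplicationGatewayFirewallLog entries (not real logs).
SAMPLE_LOGS = [
    {"transactionId": "tx-A", "action": "Matched", "ruleId": "942100", "severity": "Critical", "requestUri": "/login"},
    {"transactionId": "tx-A", "action": "Detected", "ruleId": "949110", "severity": "Critical", "requestUri": "/login"},
    {"transactionId": "tx-B", "action": "Matched", "ruleId": "920350", "severity": "Warning", "requestUri": "/api/items"},
    {"transactionId": "tx-C", "action": "Matched", "ruleId": "920230", "severity": "Warning", "requestUri": "/search"},
    {"transactionId": "tx-C", "action": "Matched", "ruleId": "920271", "severity": "Warning", "requestUri": "/search"},
]


def score_transactions(logs):
    """Sum the anomaly score of every 'Matched' row per transactionId.

    Rows with action Detected/Blocked are the anomaly rule's own verdict and
    contribute no score, so they are skipped; the score is rebuilt from the
    Matched rows, which is why a single Matched row cannot be judged alone.
    """
    txns = defaultdict(lambda: {"score": 0, "rules": [], "uri": None})
    for row in logs:
        if row["action"] != "Matched":
            continue
        t = txns[row["transactionId"]]
        t["score"] += SEVERITY_SCORE.get(row["severity"], 0)
        t["rules"].append(row["ruleId"])
        t["uri"] = row["requestUri"]
    for t in txns.values():
        t["would_block"] = t["score"] >= BLOCK_THRESHOLD
    return dict(txns)


def rules_to_review(logs):
    """Count how often each rule contributes to a transaction that would be
    blocked; the most frequent ones are the first candidates for an exclusion
    or custom rule before switching to Prevention mode."""
    counts = Counter()
    for t in score_transactions(logs).values():
        if t["would_block"]:
            counts.update(t["rules"])
    return counts.most_common()


if __name__ == "__main__":
    for tid, t in score_transactions(SAMPLE_LOGS).items():
        verdict = "BLOCK in Prevention" if t["would_block"] else "allow"
        print(f"{tid}: score={t['score']} rules={t['rules']} {t['uri']} -> {verdict}")
    print("rules to review:", rules_to_review(SAMPLE_LOGS))
```

Transactions that stay below the threshold (tx-B above) need no exclusion, so reviewing only the flagged ones cuts the list down before the switch to Prevention mode.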