Web Application Firewall - Log on blocked IPs

Nibbler 656 Reputation points
2021-01-17T13:15:54.71+00:00

I want to see the amount of blocked IPs and how many requests each has made from the logs on the Application Gateway + Web Application Firewall.

I have custom rules in use: geo-blocking and IP blocking. But I would expect the IPs being blocked by the custom rules to be in the logs.

So, I am using the query below, but getting an error message:

“Failed to parse the query, no additional information is available. If issue persists,”

AzureDiagnostics
| where ResourceProvider == “MICROSOFT.NETWORK” and Category == “ApplicationGatewayFirewallLog”
| where action_s == “Blocked”
| summarize count(details_message_s) by details_message_s, bin(TimeGenerated, 5m)
| render barchart

Any ideas to get this to work, or to pull the data?

Azure Web Application Firewall

1 answer

  1. suvasara-MSFT 10,041 Reputation points
    2021-01-18T10:37:08.087+00:00

    @KE1980, Try listing all the actions blocked by WAF,

    search * | where (action_s == "Blocked")
    

    For matched/blocked requests by IP.

    AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" | summarize count() by clientIp_s, bin(TimeGenerated, 1m) | render timechart
    

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
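
An added example, not part of the original question or answer: one query that returns a row per blocked client IP with its request count, typed with straight ASCII quotes because typographic quotes (“ ”) are not valid KQL string delimiters. The 24-hour window and the `ruleId_s` column are assumptions about the workspace; the other column names are the ones used in the thread.

```kusto
// Added example (not from the thread). One row per blocked client IP;
// the number of rows returned is the number of distinct blocked IPs.
AzureDiagnostics
| where TimeGenerated > ago(24h)                        // assumed window, adjust as needed
| where ResourceProvider == "MICROSOFT.NETWORK"
    and Category == "ApplicationGatewayFirewallLog"
| where action_s == "Blocked"                           // keep only blocked requests
| summarize
    BlockedRequests = count(),                          // requests made by this IP
    Rules           = make_set(ruleId_s, 20),           // which rules fired (assumed column)
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
  by clientIp_s
| order by BlockedRequests desc
```

If the result is empty while custom rules are known to be blocking traffic, confirm that the Application Gateway diagnostic settings send the firewall log category to this Log Analytics workspace.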

