{"id":4904,"date":"2020-11-26T05:59:00","date_gmt":"2020-11-26T05:59:00","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=4904"},"modified":"2025-11-12T07:02:09","modified_gmt":"2025-11-12T07:02:09","slug":"log-analytics-query-for-azure-waf-web-application-firewall-to-check-uris-and-blocking-rule-ids","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/log-analytics-query-for-azure-waf-web-application-firewall-to-check-uris-and-blocking-rule-ids","title":{"rendered":"Log analytics query for Azure WAF Web Application Firewall to Check URI’s and blocking rule ID’s"},"content":{"rendered":"\n
AzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayFirewall\" and action_s == \"Blocked\"<\/code><\/pre>\n\n\n\n
AzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayFirewall\" and action_s == \"Blocked\"\n| summarize AggregatedValue = count() by requestUri_s, _ResourceId\n| sort by AggregatedValue desc<\/code><\/pre>\n\n\n\n
AzureDiagnostics | where ResourceProvider == \"MICROSOFT.NETWORK\" and Category == \"ApplicationGatewayFirewallLog\" and action_s == \"Blocked\"| summarize count() by ruleId_s, bin(TimeGenerated, 1m),requestUri_s | sort by TimeGenerated desc \n<\/code><\/pre>\n\n\n\n
How to Track HTTP Status 504<\/strong><\/p>\n\n\n\n
AzureDiagnostics
| where OperationName == 'ApplicationGatewayAccess'
| where httpStatus_d == 504
| summarize count() by bin(TimeGenerated,1h)
| render columnchart<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
Track Azure WAF 949110<\/strong><\/p>\n\n\n\n
You need to use the TransactionID_g of a blocked Result which will then give you what leads up to the “inbound anomaly score exceeded azure Waf”<\/p>\n\n\n\n
\nAzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\" and OperationName == \"ApplicationGatewayFirewall\" and transactionId_g == \"4cdf74f3-04bb-585c-9059-2110c8dc486a\"\n<\/code><\/pre>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
942200 REQUEST-942-APPLICATION-ATTACK-SQLI
942340 REQUEST-942-APPLICATION-ATTACK-SQLI
942370 REQUEST-942-APPLICATION-ATTACK-SQLI
949110<\/p>\n\n\n\n
Check the Details_data_s<\/strong><\/p>\n\n\n\n
{“:”AUVIC”,”r found within [REQUEST_COOKIES:_tracking_consent:%7B%22region%22%3A%22AUVIC%22%2C%22reg%22%3A%22%22%2C%22con%22%3A%7B%22CMP%22%3A%7B%22m%22%3A%22%22%2C%22a%22%3A%22%22%2C%22p%22%3A%22%22%2C%22s%22%3A%22%22%7D%7D%2C%22lim%22%3A%5B%22CMP%22%5D%2C%22v%22%3A%222.1%22%7D]}<\/p>\n\n\n\n
This _tracking_consent is a shopify Cookie!<\/p>\n\n\n\n
Ok we can whitelist it via Custom Rule<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
AzureDiagnostics\n| where ResourceType == \"APPLICATIONGATEWAYS\"\n| where OperationName == \"ApplicationGatewayAccess\"\n| where httpStatus_d == 403\n| project TimeGenerated, Resource, clientIp_s, requestUri_s, transactionId_g, httpStatus_d\n| join kind=leftouter (\n    AzureDiagnostics\n    | where ResourceType == \"APPLICATIONGATEWAYS\"\n    | where OperationName == \"ApplicationGatewayFirewall\"\n    | project transactionId_g, action_s, ruleId_s, ruleGroup_s, Message, details_message_s, details_data_s, details_file_s\n) on transactionId_g\n| extend\n    MatchedData = details_data_s,\n    RuleDetails = strcat(\n        \"RuleID: \", ruleId_s,\n        \" | Group: \", ruleGroup_s,\n        \" | Action: \", action_s,\n        \" | Message: \", Message,\n        \" | Location: \", details_file_s,\n        \" | Matched: \", details_data_s\n    )\n| project\n    TimeGenerated,\n    Resource,\n    clientIp_s,\n    requestUri_s,\n    transactionId_g,\n    httpStatus_d,\n    action_s,\n    MatchedData,\n    RuleDetails\n| order by TimeGenerated desc<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
How to Track HTTP Status 504 Track Azure WAF 949110 You need to use the TransactionID_g of a blocked Result which will then give you what leads […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[4274,1464,4275,3394,1122,3395,3396,3393,3392],"class_list":["post-4904","post","type-post","status-publish","format-standard","hentry","category-research","tag-_tracking_consent","tag-azure","tag-cookie","tag-log-analytics","tag-query","tag-rules","tag-uris","tag-waf","tag-web-application-firewall"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=4904"}],"version-history":[{"count":10,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4904\/revisions"}],"predecessor-version":[{"id":9313,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4904\/revisions\/9313"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=4904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=4904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=4904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}