We've got WAF enabled in detection mode and have set up some exclusion rules to cut down on false positives. Now, I'm curious about the ratio of excluded events to matched events. Is there a way to view the logs of excluded events or run a query to generate a dashboard for visualization?

@Someiah Coimbatore Sampath Kumar , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to compare the false positives with and without Exclusion Lists. Currently, I am afraid WAF Exclusions are not logged. When you configure exclusions in the WAF policy settings, those requests matching the exclusion criteria will bypass the WAF rules and won't be logged as security events. Only custom rules are logged. See : WAF Firewall log I can check once internally if this includes WAF Exclusions or not - however I highly doubt that Exclusion List is included. Cheers, Kapil.

Excluded Events in WAF - Microsoft Q&A

Accepted answer

KapilAnanth-MSFT 36,316 Reputation points Microsoft Employee

2024-02-26T11:40:44.93+00:00
@Someiah Coimbatore Sampath Kumar ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to compare the false positives with and without Exclusion Lists. Currently, I am afraid WAF Exclusions are not logged.

When you configure exclusions in the WAF policy settings, those requests matching the exclusion criteria will bypass the WAF rules and won't be logged as security events.

Only custom rules are logged.

See : WAF Firewall log

I can check once internally if this includes WAF Exclusions or not - however I highly doubt that Exclusion List is included.

Cheers,

Kapil.
Please sign in to rate this answer.
Someiah C S 60 Reputation points

2024-03-01T11:03:19.13+00:00

Hi @KapilAnanth-MSFT

Thank you for the clarification and confirmation. We've made progress in reducing false positives by implementing exclusion rules and disabling irrelevant rules. Now, as we transition to prevention mode, I'm interested in setting up immediate notifications for blocked requests. Can we utilize Alerts in monitoring for this purpose? Specifically, if I configure alerts using a query for any blocked requests, will I receive immediate notifications? My concern is ensuring prompt notification if a legitimate request is being blocked.

KapilAnanth-MSFT 36,316 Reputation points Microsoft Employee

2024-03-01T16:44:39.43+00:00

@Someiah C S ,

That's wonderful to know.

With respect to alerts,

You can consider filtering out the logs and configuring alerts based on the number of rows

The Log analytics query to get only Blocked Requests is as follows:

AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" and action_s == "Blocked"

You can further fine tune this by using the top matched rules (more than 10 Blocked requests by a single Rule)

AzureDiagnostics | where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog" and action_s == "Blocked" | summarize count() by ruleId_s, bin(TimeGenerated, 1m) | where count_ > 10

Now, to configure Alerts,

Log search alerts : https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-types#log-alerts

How to : https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-log-alert-rule#configure-the-alert-rule-conditions Make sure you set "Table rows" in Measure field.

Hope this helps.

Cheers,

Kapil

Someiah C S 60 Reputation points

2024-03-05T07:03:33.3666667+00:00

Hi @KapilAnanth-MSFT

I attempted to create a log alert using the query you provided as an example but encountered the following error. I'm trying to set up an alert for blocked requests and need to configure notifications for this alert. Could you suggest the conditions (Alert logic and Measurment) that I should set for the alert? Additionally, I ran the query in Log Analytics, and it worked fine, but I also need IP details included in the alert.

KapilAnanth-MSFT 36,316 Reputation points Microsoft Employee

2024-03-09T16:47:10.7766667+00:00

@Someiah C S ,

That is strange, I was able to do this.

I used the below configuration,

Make sure you go to Alerts section from the App Gateway Blade (so that the proper scope and work space are selected).- Set the Frequency and Aggregation according to your requirement.

As you can see , the Alert triggered and I got a notification as well

Hope this helps.

For Pricing Details, refer : Azure Monitor pricing

Cheers,

Kapil
Sign in to comment

Share via

Excluded Events in WAF

0 additional answers