Connect data from Microsoft web application firewall

You can stream logs from the Azure Application Gateway’s Microsoft web application firewall (WAF). This WAF protects your applications from common web vulnerabilities such as SQL injection and cross-site scripting, and lets you customize rules to reduce false positives. Follow these instructions to stream your Microsoft web application firewall logs into Azure Sentinel.

Prerequisites

  • An existing application gateway resource

Connect to Microsoft web application firewall

If you already have Microsoft web application firewall, make sure you have an existing gateway resource. Once your Microsoft web application firewall is deployed and getting data, the alert data can easily be streamed into Azure Sentinel.

  1. In the Azure Sentinel portal, select Data connectors.
  2. In the Data connectors page, select the WAF tile.
  3. Go to the Application Gateway resource and choose your WAF.
    1. Select Diagnostic settings.
    2. Select + Add diagnostic setting under the table.
    3. In the Diagnostic settings page, type a Name and select Send to Log Analytics.
    4. Under Log Analytics Workspace, select the Azure Sentinel workspace.
    5. Select the log types that you want to analyze. We recommend: ApplicationGatewayAccessLog and ApplicationGatewayFirewallLog.
  4. To use the relevant schema in Log Analytics for the Microsoft web application firewall alerts, search for AzureDiagnostics.
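
Once the diagnostic setting is saved, a query like the following confirms that both recommended log categories are reaching the workspace for each gateway. This is an added example, not part of the original article; the lookback window and the Status wording are assumptions, and the query uses only the standard AzureDiagnostics columns TimeGenerated, ResourceProvider, Category and Resource.

```kusto
// Added example: per-gateway ingestion check for the two recommended categories.
// Assumption: 24h is long enough to cover the time since the diagnostic setting was created.
let lookback = 24h;
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where ResourceProvider == "MICROSOFT.NETWORK"
| where Category in ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog")
| summarize
    AccessEvents   = countif(Category == "ApplicationGatewayAccessLog"),
    FirewallEvents = countif(Category == "ApplicationGatewayFirewallLog"),
    LastAccess     = maxif(TimeGenerated, Category == "ApplicationGatewayAccessLog"),
    LastFirewall   = maxif(TimeGenerated, Category == "ApplicationGatewayFirewallLog")
    by Resource
// A gateway with access events but no firewall events is not necessarily misconfigured:
// the firewall log is only written when a WAF rule matches a request.
| extend Status = case(
    AccessEvents > 0 and FirewallEvents > 0, "both categories arriving",
    AccessEvents > 0, "access log only: category not selected, WAF not enabled, or no rule matched",
    "firewall log only: ApplicationGatewayAccessLog not selected")
| order by Resource asc
```

A gateway that is missing from the result entirely has sent neither category in the window, which points back at the diagnostic setting or the workspace selected in it.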

Next steps

In this document, you learned how to connect Microsoft web application firewall to Azure Sentinel. To learn more about Azure Sentinel, see the following articles: