Skip to content

Instantly share code, notes, and snippets.

@anwather

anwather/workbook.json

Created July 5, 2024 04:15
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save anwather/4b664c6ca9e2aeb2ad044f4106304947 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save anwather/4b664c6ca9e2aeb2ad044f4106304947 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
workbook.json
{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Azure WAF Monitor Workbook\r\n---"
},
"name": "Workbook Title"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "9a5fb8f4-61fa-4a63-bc89-ade6a64187a9",
"cellValue": "SelectedTab",
"linkTarget": "parameter",
"linkLabel": "Azure WAF Logs",
"subTarget": "WAFLogs",
"style": "link"
},
{
"id": "b3e39e6e-e8ba-418d-a632-63b5903fd594",
"cellValue": "SelectedTab",
"linkTarget": "parameter",
"linkLabel": "Azure WAF Metrics - Application Gateway",
"subTarget": "WAFMetricsAppGW",
"style": "link"
},
{
"id": "f0fc8aa9-4583-4815-a102-7e1cd4facc4c",
"cellValue": "SelectedTab",
"linkTarget": "parameter",
"linkLabel": "Azure WAF Metrics - Azure Front Door",
"subTarget": "WAFMetricsAFD",
"style": "link"
}
]
},
"name": "Workbook Tabs"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"crossComponentResources": [
"value::tenant"
],
"parameters": [
{
"id": "e1c085f6-3a26-435e-adc0-093bbf6e41e0",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "summarize by subscriptionId\r\n| project value=strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId",
"crossComponentResources": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"value::all"
]
},
{
"id": "all",
"version": "KqlParameterItem/1.0",
"name": "Workspaces",
"type": 5,
"isRequired": true,
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
]
},
"timeContext": {
"durationMs": 86400000
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": [
"/subscriptions/a7d43aba-a680-4026-a2e6-91e9e64d6ec9/resourceGroups/loganalytics-rg-001/providers/Microsoft.OperationalInsights/workspaces/law-001"
]
},
{
"id": "c723f64f-b97e-4add-9e1d-e6b4eddf6719",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"isRequired": true,
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
},
"timeContext": {
"durationMs": 86400000
},
"value": {
"durationMs": 3600000
}
},
{
"id": "2d68e64a-c15e-4449-adb8-7c0ed052b739",
"version": "KqlParameterItem/1.0",
"name": "WAFType",
"label": "WAF Type",
"type": 2,
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\"Application Gateway\", \"Front Door and CDN Profiles\"]",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"value": "Application Gateway"
},
{
"id": "643d0eb3-f44c-4ebb-99f0-bb8512e410a5",
"version": "KqlParameterItem/1.0",
"name": "WAF",
"label": "WAF Items",
"type": 5,
"isRequired": true,
"query": "Resources\r\n| where type =~ case('{WAFType}' == 'Application Gateway', 'Microsoft.Network/ApplicationGateways', '{WAFType}' == 'Front Door and CDN Profile', 'Microsoft.Network/Frontdoors', 'Microsoft.Cdn/Profiles')\r\n| project id, name",
"crossComponentResources": [
"value::tenant"
],
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resources/tenants",
"value": "/subscriptions/159b808f-8dd9-4a40-9e2d-6faeb558cbb0/resourceGroups/ct-apg-waf-rg/providers/Microsoft.Network/applicationGateways/ct-apg-waf-01"
}
],
"style": "pills",
"queryType": 1,
"resourceType": "microsoft.resources/tenants"
},
"name": "Workbook Parameters"
},
{
"type": 1,
"content": {
"json": "### Azure WAF Metrics\r\nThe data below dosen't read from the Log Analytics workpsace, it's reading directly from the resources which requires resource visibility. The following metrics have 'SplitBy' dimensions set that will not run properly when multiple resources are selected. \r\nClick [here for more information on Azure Metrics](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform-metrics)",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isNotEqualTo",
"value": "WAFLogs"
},
"name": "WAF Metric Warning"
},
{
"type": 10,
"content": {
"chartId": "workbookc21108a5-6fd3-403e-aafd-d8b6eb53bae8",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafTotalRequests",
"aggregation": 1,
"splitBy": "PolicyName"
}
],
"title": "WAF Total Requests - Application Gateway",
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"name": "WAF Total Requests - Application Gateway"
},
{
"type": 10,
"content": {
"chartId": "workbook52eb8d72-7af5-4c4f-8e72-434507e3a051",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafSecRule",
"aggregation": 1,
"splitBy": "RuleGroupID"
}
],
"title": "WAF Managed Rule Blocks by RuleGroup - Application Gateway",
"filters": [
{
"id": "1",
"key": "Action",
"operator": 0,
"values": [
"Block"
]
}
],
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"customWidth": "50",
"name": "WAF Managed Rule Matches - RuleGroup - Block - Application Gateway"
},
{
"type": 10,
"content": {
"chartId": "workbook52eb8d72-7af5-4c4f-8e72-434507e3a051",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafSecRule",
"aggregation": 1,
"splitBy": "RuleGroupID"
}
],
"title": "WAF Managed Rule Allows by RuleGroup - Application Gateway",
"filters": [
{
"id": "1",
"key": "Action",
"operator": 0,
"values": [
"Pass"
]
}
],
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"customWidth": "50",
"name": "WAF Managed Rule Matches - RuleGroup - Allow - Application Gateway"
},
{
"type": 10,
"content": {
"chartId": "workbook52eb8d72-7af5-4c4f-8e72-434507e3a051",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafSecRule",
"aggregation": 1,
"splitBy": "RuleID"
}
],
"title": "WAF Managed Rule Blocks by RuleId - Application Gateway",
"filters": [
{
"id": "1",
"key": "Action",
"operator": 0,
"values": [
"Block"
]
}
],
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"customWidth": "50",
"name": "WAF Managed Rule Matches - RuleId - Block - Application Gateway"
},
{
"type": 10,
"content": {
"chartId": "workbook52eb8d72-7af5-4c4f-8e72-434507e3a051",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafSecRule",
"aggregation": 1,
"splitBy": "RuleID"
}
],
"title": "WAF Managed Rule Allows by RuleId - Application Gateway",
"filters": [
{
"id": "1",
"key": "Action",
"operator": 0,
"values": [
"Pass"
]
}
],
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"customWidth": "50",
"name": "WAF Managed Rule Matches - RuleId - Allow - Application Gateway"
},
{
"type": 10,
"content": {
"chartId": "workbook52eb8d72-7af5-4c4f-8e72-434507e3a051",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafSecRule",
"aggregation": 1,
"splitBy": "CountryCode"
}
],
"title": "WAF Managed Rule Blocks by GeoLocation - Application Gateway",
"filters": [
{
"id": "1",
"key": "Action",
"operator": 0,
"values": [
"Block"
]
}
],
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"customWidth": "50",
"name": "WAF Managed Rule Matches - GeoLocation - Block - Application Gateway"
},
{
"type": 10,
"content": {
"chartId": "workbook52eb8d72-7af5-4c4f-8e72-434507e3a051",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafSecRule",
"aggregation": 1,
"splitBy": "CountryCode"
}
],
"title": "WAF Managed Rule Allows by GeoLocation - Application Gateway",
"filters": [
{
"id": "1",
"key": "Action",
"operator": 0,
"values": [
"Pass"
]
}
],
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"customWidth": "50",
"name": "WAF Managed Rule Matches - GeoLocation - Allow - Application Gateway"
},
{
"type": 10,
"content": {
"chartId": "workbook52eb8d72-7af5-4c4f-8e72-434507e3a051",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.network/applicationgateways",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.network/applicationgateways",
"metric": "microsoft.network/applicationgateways--AzwafCustomRule",
"aggregation": 1,
"splitBy": "CustomRuleID"
}
],
"title": "WAF Custom Rules Matches by RuleName - ApplicationGateway",
"filters": [
{
"id": "1",
"key": "Action",
"operator": 0,
"values": [
"Block",
"Pass"
]
}
],
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAppGW"
},
"customWidth": "100",
"name": "WAF Custom Rules Matches -RuleName - Block/Pass - ApplicationGateway"
},
{
"type": 10,
"content": {
"chartId": "workbookdd732908-0ae7-41f8-85f5-0f5b372ae0f4",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.cdn/profiles",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.cdn/profiles",
"metric": "microsoft.cdn/profiles-Traffic-WebApplicationFirewallRequestCount",
"aggregation": 1,
"splitBy": "RuleName"
}
],
"title": "WAF Request Matches by RuleName - Azure Front Door",
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAFD"
},
"name": "WAF Request Matches by RuleName - Azure Front Door"
},
{
"type": 10,
"content": {
"chartId": "workbook7dc748d2-121c-4711-8290-8944639dedf5",
"version": "MetricsItem/2.0",
"size": 0,
"chartType": 2,
"resourceType": "microsoft.cdn/profiles",
"metricScope": 0,
"resourceParameter": "WAF",
"resourceIds": [
"{WAF}"
],
"timeContextFromParameter": "TimeRange",
"timeContext": {
"durationMs": 3600000
},
"metrics": [
{
"namespace": "microsoft.cdn/profiles",
"metric": "microsoft.cdn/profiles-Traffic-WebApplicationFirewallRequestCount",
"aggregation": 1,
"splitBy": "Action"
}
],
"title": "WAF Request Matches by Action - Azure Front Door",
"gridSettings": {
"rowLimit": 10000
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFMetricsAFD"
},
"name": "WAF Request Matches by Action - Azure Front Door"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| summarize number = count() by Action",
"size": 3,
"showAnalytics": true,
"title": "WAF actions filter",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "series",
"exportParameterName": "SelectedAction",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "piechart"
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "27",
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where Action == \"Block\"\r\n| where requestUri_s <> \"/\"\r\n| summarize count() by requestUri_s \r\n| top 40 by count_ desc ",
"size": 3,
"showAnalytics": true,
"title": "Top 40 Blocked Request URI addresses, filter to single URI address",
"noDataMessage": "The current data has no \"Blocked\" results",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "requestUri_s",
"exportParameterName": "RequestURI",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "requestUri_s",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "count_",
"formatter": 8,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"useGrouping": false,
"maximumFractionDigits": 2,
"maximumSignificantDigits": 5
}
}
},
"showBorder": false
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "requestUri_s",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "63",
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Rule= iif(Rule contains \"Mandatory rule. Cannot be disabled.\", strcat_array(split(Rule, \"Mandatory rule. Cannot be disabled. Inbound \",1),\"\"), Rule) // Removes initial component for mandatory rule \r\n| extend Rule = iif(Rule contains \"Total Inbound Score\", strcat_array(array_concat(split(Rule, \" - SQLI=\", 0), parse_json('[\") -\"]'), split(Rule,\"):\",1)),\"\"),Rule) // Removes smaller information if more info is available for anomaly score\r\n| summarize count() by Rule\r\n| top 50 by count_ desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Top 50 event trigger, filter by rule name",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Rule",
"exportParameterName": "Selected",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 3,
"formatOptions": {
"palette": "blue",
"showIcon": true
}
}
],
"sortBy": [
{
"itemKey": "$gen_bar_count__1",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_count__1",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "30",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| summarize count() by Rule, bin(TimeGenerated, 1h)\r\n",
"size": 0,
"showAnalytics": true,
"title": "Messages, by time",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Message",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "70",
"name": "query - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,requestUri_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,instanceId_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\",\"\", \"\", \"\", \"\", \"\",\"\",\"\",\"\",\"\",\"\",\"\",\"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or OperationName == \"ApplicationGatewayFirewall\" or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\" \r\n| extend Role = extract(\"ApplicationGateway([a-zA-Z_a-zA-Z_0-9]*)\",1,instanceId_s) \r\n| extend RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s, Site = site_s\r\n| project Rule, TimeGenerated, SourceSystem, Hostname, ResourceId, ResourceGroup, ResourceProvider, Category, Role, Action, Site, Message_Details, File_Details, ClientIP, RequestUri\r\n| sort by TimeGenerated",
"size": 0,
"showAnalytics": true,
"title": "Message, full details",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "table",
"gridSettings": {
"filter": true
},
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"name": "query - 11"
},
{
"type": 1,
"content": {
"json": "---"
},
"name": "text - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\" \r\n| summarize Amount = count() by Rule\r\n| order by Amount desc\r\n\r\n",
"size": 0,
"title": "Attacks events, by messages and filterable by rule name",
"noDataMessage": "Filtered messages are not attack events",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "",
"exportParameterName": "MessageFilter",
"exportDefaultValue": "{\"Rule\":\"*\"}",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Amount",
"formatter": 8,
"formatOptions": {
"palette": "blueDark",
"showIcon": true,
"aggregation": "Sum"
}
}
],
"filter": true
},
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "20",
"name": "query - 16"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\" \r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| where Rule == Child or Child == \"*\"\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| summarize Amount = count() by Rule, bin(TimeGenerated, 1h), ResourceId\r\n| project Amount, Rule, TimeGenerated, ResourceId\r\n| order by Amount desc",
"size": 0,
"showAnalytics": true,
"title": "Attack events, by time",
"noDataMessage": "Filtered messages are not attack events",
"timeContextFromParameter": "TimeRange",
"exportParameterName": "Message",
"exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "areachart"
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "80",
"name": "query - 14"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| where Rule == Child or Child == \"*\" \r\n| distinct TrackingID",
"size": 0,
"showAnalytics": true,
"title": "TrackingID filter",
"noDataMessage": "You've over filtered or you're missing this data.",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "TrackingID",
"exportParameterName": "SelectedTrackingID",
"exportDefaultValue": "*",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"rowLimit": 500,
"filter": true,
"sortBy": [
{
"itemKey": "TrackingID",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "TrackingID",
"sortOrder": 2
}
]
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "20",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\",\"\", \"\", \"\", \"\", \"\",\"\",\"\",\"\",\"\",\"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \"*\" \r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| where Rule == Child or Child == \"*\"\r\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\r\n| project TrackingID, TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category",
"size": 0,
"showAnalytics": true,
"title": "TrackingID Messages",
"noDataMessage": "You've over filtered or you're missing this data.",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"gridSettings": {
"rowLimit": 50
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "80",
"name": "query - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string, ruleName_s:string, clientIp_s:string, clientIP_s:string, action_s:string, transactionId_s:string,trackingReference_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \"*\" \r\n| where Rule == Child or Child == \"*\"\r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\"\r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| summarize count() by ClientIP\r\n| top 10 by count_ desc",
"size": 0,
"showAnalytics": true,
"title": "Top 10 Attacking IP Addresses, filter to single IP address",
"noDataMessage": "Filtered messages are not attack events",
"timeContextFromParameter": "TimeRange",
"exportFieldName": "x",
"exportParameterName": "ClientIP",
"exportDefaultValue": "*",
"showExportToExcel": true,
"exportToExcelOptions": "all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "ClientIP",
"formatter": 1
},
"leftContent": {
"columnMatch": "count_",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "ClientIP",
"formatter": 1
},
"centerContent": {
"columnMatch": "count_",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"showLegend": true
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "count_",
"sizeAggregation": "Sum",
"legendMetric": "count_",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "count_",
"heatmapPalette": "greenRed"
}
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "25",
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SelectedMS = dynamic({MessageFilter}); // reference to the above list of messages (Event trigger)\r\nlet Child = SelectedMS.Rule; // Used to choose a group of messages - redirects to the message which was grouped\r\nlet FakeData = (datatable (Message:string,ruleName_s:string,clientIp_s:string,clientIP_s:string,action_s:string,transactionId_s:string,site_s:string,details_message_sRole:string,details_file_sRole:string,hostname_sRole:string,Role:string,trackingReference_s:string,ruleGroup_s:string,instanceId_s:string,ruleSetType_s:string,details_message_s:string,details_data_s:string,details_file_s:string,hostname_s:string,requestUri_s:string) [ \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\", \"\",\"\", \"\", \"\", \"\", \"\",\"\",\"\",\"\",\"\",\"\",\"\" ]);\r\nFakeData | union AzureDiagnostics\r\n| where (ResourceType == \"APPLICATIONGATEWAYS\" or ResourceType == \"FRONTDOORS\" or ResourceType == \"PROFILES\" or ResourceType == \"CDNWEBAPPLICATIONFIREWALLPOLICIES\") and (\"{WAFType:label}\" == \"All\" or (ResourceType == \"APPLICATIONGATEWAYS\" and \"{WAFType:label}\" contains \"application gateway\") or (ResourceType == \"FRONTDOORS\" and \"{WAFType:label}\" contains \"azure front door\") or (ResourceType == \"PROFILES\" and \"{WAFType:label}\" contains \"front door and cdn profiles\") or (ResourceType==\"CDNWEBAPPLICATIONFIREWALLPOLICIES\" and \"{WAFType:label}\" contains \"cdn\")) and (\"{WAF:label}\" == \"All\" or Resource in~ (split(\"{WAF:label}\", \",\")))\r\n| where Category == \"FrontdoorWebApplicationFirewallLog\" or Category == \"FrontDoorWebApplicationFirewallLog\" or (OperationName == \"ApplicationGatewayFirewall\" and Message contains \"attack\") or Category == \"WebApplicationFirewallLogs\"\r\n| where '{RequestURI}' == requestUri_s or '{RequestURI}' == \"*\"\r\n| extend Rule = strcat(ruleName_s, Message), ClientIP = strcat(clientIp_s, clientIP_s)\r\n| where Rule == Child or Child == \"*\"\r\n| extend Action = iif(action_s == \"Blocked\", Action = \"Block\", action_s)\r\n| extend Action = iif(Action == \"Detected\", Action = \"Log\", Action)\r\n| extend TrackingID = strcat(transactionId_s, trackingReference_s)\r\n| where '{SelectedTrackingID}' == TrackingID or '{SelectedTrackingID}' == \"*\" \r\n| where '{SelectedAction}' == Action or '{SelectedAction}' == \"*\" \r\n| where '{Selected}' == Rule or '{Selected}' == \"*\"\r\n| where ('{ClientIP}' == ClientIP or '{ClientIP}' == \"*\")\r\n| extend RuleGroup = ruleGroup_s, InstandUri = instanceId_s, RequestUri = requestUri_s, RuleSetType = ruleSetType_s, Message_Details = details_message_s, Data_Details = details_data_s, File_Details = details_file_s, Hostname = hostname_s\r\n| project TimeGenerated, Rule, ClientIP, RuleGroup, InstandUri, RequestUri, RuleSetType, Action, Message_Details, File_Details, Data_Details, Hostname, Category",
"size": 0,
"title": "Attack messages of IP address",
"noDataMessage": "Filtered messages are not attack events",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspaces}"
],
"visualization": "table",
"gridSettings": {
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "SelectedTab",
"comparison": "isEqualTo",
"value": "WAFLogs"
},
"customWidth": "75",
"showPin": true,
"name": "query - 13"
}
],
"fallbackResourceIds": [
"a7d43aba-a680-4026-a2e6-91e9e64d6ec9"
],
"fromTemplateId": "sentinel-WebApplicationFirewallFirewallEvents",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment