Azure Application Gateway Firewall Logs

  • Updated on Sep 1, 2024
  • Published on Aug 29, 2024

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

Table name: azure_application_gateway_firewall

Azure Application Gateway Firewall is a web application firewall (WAF) that provides centralized protection for your web applications from common threats and vulnerabilities. It helps to secure your applications by filtering and monitoring HTTP requests, offering protection against SQL injection, cross-site scripting, and other web-based attacks.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using Azure Event Hub. Follow the steps below to complete the connection.

STEP 1: Set up Azure Event Hub

Before setting up the connection on the Hunters platform, you'll need to set up and create an Azure Event Hub.

Follow this guide to complete the set up.

STEP 2: Route logs to the Event Hub

  1. In the Azure portal home screen, search for and open Resource Groups.
    Azure resource groups

    The Resource Group list opens.

  2. Select the relevant resource group.
    The Resource Group opens.

  3. Now, scroll down the side menu to the Monitoring section, and click Diagnostic Settings.
    Resource group diagnostic settings

    The Diagnostic Settings page opens.

  4. Select a resource from the Resource list.

  5. Click Add Diagnostic setting.
    Resource group new diagnostic setting

  6. Under Logs, check the Application Gateway Firewall Log checkbox.

  7. Under Destination details, check the Stream to an Event Hub option.

  8. Fill in the requested details and give the diagnostic setting a name.

  9. Click Save.

STEP 3: Set up the connection on Hunters

📘 Before you begin
To complete this process you will need the information gathered when following this guide.
To connect logs to Hunters:
  1. Open the Hunters platform and navigate to Data > Data Sources.
    Data sources1
  2. Click ADD DATA SOURCES.
    Add data source4
  3. Locate the Microsoft Azure panel and click Connect.
    The Add Data Flows window opens.
  4. Fill in the required Azure application details, as gathered here under STEP 2.
    Connect Azure logs on Hunters
  5. Under the Data Types section, activate the data types you want to connect.
  6. For each activated data type, fill in the required information, as gathered here:
    1. Under STEP 1 - Subscription ID
    2. Under STEP 3 - Resource group name and Event Hub namespace and
    3. Under STEP 4 - Event Hub name.
  7. OPTIONAL: Under the Consumer group field you can specify a specific Azure Event Hub consumer group, or leave this field empty to use the default consumer group.
  8. Click Test Connection to make sure everything was set up correctly.
  9. Once the connection is established, click Submit.

Expected format

Logs are expected in JSON format.

{
  "records": [
    {
      "timeStamp": "2024-03-01T07:12:29+00:00",
      "resourceId": "/SUBSCRIPTIONS/PROVIDERS/PROVIDER-A.NETWORK/APPLICATIONGATEWAYS/SOURCEA",
      "operationName": "ApplicationGatewayFirewall",
      "category": "ApplicationGatewayFirewallLog",
      "properties": {
        "instanceId": "instance_id",
        "clientIp": "1.2.3.4",
        "clientPort": "",
        "requestUri": "/.env",
        "ruleSetType": "OWASP_CRS",
        "ruleSetVersion": "3.1.0",
        "ruleId": "930130",
        "message": "Restricted File Access Attempt",
        "action": "Matched",
        "site": "Global",
        "details": {
          "message": "Warning. Matched phrase \"/.env ...\" at REQUEST_FILENAME. ",
          "data": "Matched Data: /.env found within REQUEST_FILENAME: /.env",
          "file": "dir/FILE1.conf",
          "line": "128"
        },
        "hostname": "api-management.company.com",
        "transactionId": "bfb4979f5fed0720062694e829990942",
        "policyId": "policy_id",
        "policyScope": "Global",
        "policyScopeName": "Global"
      }
    }
  ]
}