Reference for AGWFirewallLogs table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Audit, Azure Resources, Network |
| Basic Logs Eligible | ✓ Yes (source) |
| Supports Transformations | ✓ Yes (source) |
| Ingestion API Supported | ✗ No |
| Azure Monitor Tables Reference | View Documentation |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| _ResourceId | string | A unique identifier for the resource that the record is associated with |
| _SubscriptionId | string | A unique identifier for the subscription that the record is associated with |
| Action | string | Action taken on the request. Available values are Blocked and Allowed (for custom rules), Matched (when a rule matches a part of the request), and Detected and Blocked (these are both for mandatory rules, depending on if the WAF is in detection or prevention mode). |
| ClientIp | string | Originating IP for the request. |
| ClientPort | int | Originating port for the request. |
| DetailedData | string | Specific data found in request that matched the rule for the triggered event. |
| DetailedMessage | string | Description of the rule for the triggered event. |
| FileDetails | string | Configuration file that contained the rule for the triggered event. |
| Hostname | string | Hostname or IP address of the Application Gateway. |
| InstanceId | string | Application Gateway instance for which firewall data is being generated. For a multiple-instance application gateway, there is one row per instance. |
| LineDetails | string | Line number in the configuration file that triggered the event. |
| Message | string | User-friendly message for the triggering event. More details are provided in the details section. |
| OperationName | string | Name of the operation. |
| ParanoiaLevel | string | The OWASP CRS paranoia level (1-4) of the rule that triggered. Empty for non-CRS rules (e.g., anomaly scoring, bot protection). |
| PolicyId | string | The ID of the firewall policy applied to the request. |
| PolicyScope | string | The scope of the policy. Values can be Global, Listener, or Location (for path-based rules). |
| PolicyScopeName | string | The name of the policy scope applied. |
| RequestUri | string | URL of the received request. |
| RuleId | string | Rule ID of the triggering event. |
| RuleSetType | string | Rule set type. The available value is OWASP. |
| RuleSetVersion | string | Rule set version used. Available values are 2.2.9 and 3.0. |
| Site | string | Site for which the log was generated. Currently, only Global is listed because rules are global. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | Time (UTC) when the log was created. |
| TransactionId | string | Unique ID for a given transaction which helps group multiple rule violations that occurred within the same request. |
| Type | string | The name of the table |
This table is used by the following solutions:
In solution Azure Web Application Firewall (WAF):
| Analytic Rule | Selection Criteria |
|---|---|
| A potentially malicious web request was executed against a web server | |
| App GW WAF - Code Injection | Action in "Blocked,Matched"; Message has "File Inclusion"; Message has "Injection" |
| App GW WAF - Path Traversal Attack | Action in "Blocked,Matched"; Message has "Path Traversal Attack" |
| App Gateway WAF - SQLi Detection | Action in "Blocked,Matched"; Message has "SQL Injection" |
| App Gateway WAF - Scanner Detection | Action in "Blocked,Matched"; Message contains "Found User-Agent associated with security scanner" |
| App Gateway WAF - XSS Detection | Action in "Blocked,Matched"; Message has "XSS" |
This table collects data from the following Azure resource types:
microsoft.network/applicationgateways
References by type: 0 connectors, 5 content items, 0 ASIM parsers, 0 other parsers.
| Selection Criteria | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Action in "Blocked,Matched"; Message has "File Inclusion"; Message has "Injection" | - | 1 | - | - | 1 |
| Action in "Blocked,Matched"; Message has "Path Traversal Attack" | - | 1 | - | - | 1 |
| Action in "Blocked,Matched"; Message contains "Found User-Agent associated with security scanner" | - | 1 | - | - | 1 |
| Action in "Blocked,Matched"; Message has "SQL Injection" | - | 1 | - | - | 1 |
| Action in "Blocked,Matched"; Message has "XSS" | - | 1 | - | - | 1 |
| Total | 0 | 5 | 0 | 0 | 5 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| Blocked | - | 5 | - | - | 5 |
| Matched | - | 5 | - | - | 5 |
| Value | Connectors | Content Items | ASIM Parsers | Other Parsers | Total |
|---|---|---|---|---|---|
| has File Inclusion | - | 1 | - | - | 1 |
| has Injection | - | 1 | - | - | 1 |
| has Path Traversal Attack | - | 1 | - | - | 1 |
| contains Found User-Agent associated with security scanner | - | 1 | - | - | 1 |
| has SQL Injection | - | 1 | - | - | 1 |
| has XSS | - | 1 | - | - | 1 |