Azure Web Application Firewall solution for Sentinel

Solution: Azure Web Application Firewall (WAF)

Attribute       | Value
Publisher       | Microsoft Corporation
Support Tier    | Microsoft
Support Link    | https://support.microsoft.com/
Categories      | domains
Version         | 3.0.1
Author          | Microsoft - support@microsoft.com
First Published | 2022-05-18
Solution Folder | Azure Web Application Firewall (WAF)
Marketplace     | Azure Marketplace · Popularity: 🟢 High (87%)

The Azure Web Application Firewall (WAF) solution for Microsoft Sentinel allows you to ingest Diagnostic Metrics from Application Gateway, Front Door and CDN into Microsoft Sentinel.

Contents

Data Connectors

This solution provides 1 data connector:

🔶 Azure Web Application Firewall (WAF)

🔶 CLv1: This connector ingests into a table that uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Tables Used

This solution uses 4 tables:

Table            | Used By Connectors                      | Used By Content
AGWAccessLogs    | -                                       | Analytics
AGWFirewallLogs  | -                                       | Analytics
AzureDiagnostics | 🔶 Azure Web Application Firewall (WAF) | Analytics, Workbooks
Event            | -                                       | Workbooks

🔶 CLv1: This table uses the legacy Custom Log V1 schema format with type-suffixed column names (e.g. _s, _d, _b, _t, _g). Note: identification is based on column name suffixes, which are also permitted in CLv2, so this classification may not always be accurate.

Content Items

This solution includes 14 content items:

Content Type   | Count
Analytic Rules | 10
Workbooks      | 4

Analytic Rules

Name | Severity | Tactics | Tables Used
A potentially malicious web request was executed against a web server | Medium | InitialAccess | AGWAccessLogs, AGWFirewallLogs
AFD WAF - Code Injection | High | DefenseEvasion, Execution, InitialAccess, PrivilegeEscalation | AzureDiagnostics
AFD WAF - Path Traversal Attack | High | DefenseEvasion, Execution, InitialAccess, PrivilegeEscalation, Discovery | AzureDiagnostics
App GW WAF - Code Injection | High | DefenseEvasion, Execution, InitialAccess, PrivilegeEscalation | AGWFirewallLogs
App GW WAF - Path Traversal Attack | High | DefenseEvasion, Execution, InitialAccess, PrivilegeEscalation, Discovery | AGWFirewallLogs
App Gateway WAF - SQLi Detection | High | DefenseEvasion, Execution, InitialAccess, PrivilegeEscalation | AGWFirewallLogs
App Gateway WAF - Scanner Detection | High | DefenseEvasion, Execution, InitialAccess, Reconnaissance, Discovery | AGWFirewallLogs
App Gateway WAF - XSS Detection | High | InitialAccess, Execution | AGWFirewallLogs
Front Door Premium WAF - SQLi Detection | High | DefenseEvasion, Execution, InitialAccess, PrivilegeEscalation | AzureDiagnostics
Front Door Premium WAF - XSS Detection | High | InitialAccess, Execution | AzureDiagnostics

Workbooks

Name                                      | Tables Used
WebApplicationFirewallFirewallEvents      | AzureDiagnostics
WebApplicationFirewallGatewayAccessEvents | AzureDiagnostics
WebApplicationFirewallOverview            | AzureDiagnostics
WebApplicationFirewallWAFTypeEvents       | AzureDiagnostics, Event

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.2 | 06-02-2025 | Extracting transactionId_g and hostname_s from the AdditionalFields column using parse_json, and removing the now unavailable details_message_s and details_data_s fields from the Analytic Rules App Gateway WAF - SQLi Detection and App Gateway WAF - XSS Detection.
3.0.1 | 10-06-2024 | Added new Analytic Rules [App Gateway WAF - SQLi Detection and App Gateway WAF - XSS Detection]
3.0.0 | 21-12-2023 | Added ResourceProvider condition, as it is standard for Application Gateway WAF logs
