Merge pull request #11776 from Azure/v-visodadasi/WAF

Updated Application Gateway WAF - SQLi Detection and Application Gateway WAF - XSS Detection
Azure · Feb 7, 2025 · e3b3dc9 · e3b3dc9
2 parents 26481bb + 290a029
commit e3b3dc9
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 32 deletions.
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml b/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml
@@ -31,13 +31,16 @@ query:  |
  | where Category == "ApplicationGatewayFirewallLog"
  | where action_s == "Matched"
  | where Message has "SQL Injection"
- | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)
+ | extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message
  | join kind = inner(
  AzureDiagnostics
  | where Category == "ApplicationGatewayFirewallLog"
- | where action_s == "Blocked") on transactionId_g
+ | where action_s == "Blocked"
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g
  | extend Uri = strcat(hostname_s,requestUri_s)
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
  | where Total_TransactionId >= Threshold
 # The Threshold value above can be changed as per your infrastructure's requirement
 entityMappings:
@@ -49,5 +52,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: clientIp_s 
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml b/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml
@@ -28,13 +28,16 @@ query:  |
  | where Category == "ApplicationGatewayFirewallLog"
  | where action_s == "Matched"
  | where Message has "XSS"
- | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)
+ | extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message
  | join kind = inner(
  AzureDiagnostics
  | where Category == "ApplicationGatewayFirewallLog"
- | where action_s == "Blocked") on transactionId_g
+ | where action_s == "Blocked"
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g
  | extend Uri = strcat(hostname_s,requestUri_s)
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
  | where Total_TransactionId >= Threshold
 # The Threshold value above can be changed as per your infrastructure's requirement 
 entityMappings:
@@ -46,5 +49,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: clientIp_s 
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/3.0.2.zip b/Solutions/Azure Web Application Firewall (WAF)/Package/3.0.2.zip
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json b/Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json
@@ -64,7 +64,7 @@
             }
           },
           {
-            "name": "dataconnectors-link2",
+            "name": "dataconnectors-link1",
             "type": "Microsoft.Common.TextBlock",
             "options": {
               "link": {