diff --git a/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml b/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml
index d87bfd22efe..e8845bb1c66 100644
--- a/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml
+++ b/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-SQLiDetection.yaml
@@ -31,13 +31,16 @@ query: |
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Matched"
 | where Message has "SQL Injection"
- | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)
+ | extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message
 | join kind = inner(
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
- | where action_s == "Blocked") on transactionId_g
+ | where action_s == "Blocked"
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g
 | extend Uri = strcat(hostname_s,requestUri_s)
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
 | where Total_TransactionId >= Threshold
 # The Threshold value above can be changed as per your infrastructure's requirement
 entityMappings:
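Review bot: The two added `extend` lines overwrite `transactionId_g` and `hostname_s` unconditionally, so in any workspace where AzureDiagnostics still exposes them as top-level columns (the schema is not visible from this diff) both would become empty strings. The join would then match on an empty key and `dcount(transactionId_g)` would collapse to 1, which never reaches `Threshold`, so the rule would go silent without any error. Prefer a fallback such as `| extend transactionId_g = coalesce(tostring(column_ifexists("transactionId_g", "")), tostring(parse_json(AdditionalFields).transactionId_g))` and add `| where isnotempty(transactionId_g)` on both sides before the join. The same applies to the XSS rule hunk and to the two embedded `query` strings in mainTemplate.json; the query itself starts above this hunk. Separately, dropping `details_message_s` and `details_data_s` removes the matched-payload context analysts rely on for triage, so if those values are also carried in `AdditionalFields` it would be better to extract them the same way than to delete them.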
@@ -49,5 +52,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: clientIp_s
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml b/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml
index eb30bdac327..8dca6e11779 100644
--- a/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml
+++ b/Solutions/Azure Web Application Firewall (WAF)/Analytic Rules/App-GW-WAF-XSSDetection.yaml
@@ -28,13 +28,16 @@ query: |
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Matched"
 | where Message has "XSS"
- | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)
+ | extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)
+ | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message
 | join kind = inner(
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
- | where action_s == "Blocked") on transactionId_g
+ | where action_s == "Blocked"
+ | extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g
 | extend Uri = strcat(hostname_s,requestUri_s)
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s
 | where Total_TransactionId >= Threshold
 # The Threshold value above can be changed as per your infrastructure's requirement
 entityMappings:
@@ -46,5 +49,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: clientIp_s
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/3.0.2.zip b/Solutions/Azure Web Application Firewall (WAF)/Package/3.0.2.zip
new file mode 100644
index 00000000000..760d1a7f182
Binary files /dev/null and b/Solutions/Azure Web Application Firewall (WAF)/Package/3.0.2.zip differ
diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json b/Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json index b893f102b8b..d3dcfeaa473 100644 --- a/Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json +++ b/Solutions/Azure Web Application Firewall (WAF)/Package/createUiDefinition.json @@ -64,7 +64,7 @@ } }, { - "name": "dataconnectors-link2", + "name": "dataconnectors-link1", "type": "Microsoft.Common.TextBlock", "options": { "link": { diff --git a/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json b/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json index 738f87afbd9..e3b208d2782 100644 --- a/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json +++ b/Solutions/Azure Web Application Firewall (WAF)/Package/mainTemplate.json @@ -65,7 +65,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Azure Web Application Firewall (WAF)", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-azurewebapplicationfirewal", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "WAF", 
@@ -134,18 +134,18 @@ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','9b8dd8fd-f192-42eb-84f6-541920400a7a','-', '1.0.2')))]" }, "analyticRuleObject9": { - "analyticRuleVersion9": "1.0.0", + "analyticRuleVersion9": "1.0.1", "_analyticRulecontentId9": "bdb2cd63-99f2-472e-b1b9-acba473b6744", "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'bdb2cd63-99f2-472e-b1b9-acba473b6744')]", "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('bdb2cd63-99f2-472e-b1b9-acba473b6744')))]", - "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bdb2cd63-99f2-472e-b1b9-acba473b6744','-', '1.0.0')))]" + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','bdb2cd63-99f2-472e-b1b9-acba473b6744','-', '1.0.1')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.0", + "analyticRuleVersion10": "1.0.1", "_analyticRulecontentId10": "1c7ff502-2ad4-4970-9d29-9210c6753138", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '1c7ff502-2ad4-4970-9d29-9210c6753138')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('1c7ff502-2ad4-4970-9d29-9210c6753138')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1c7ff502-2ad4-4970-9d29-9210c6753138','-', '1.0.0')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','1c7ff502-2ad4-4970-9d29-9210c6753138','-', '1.0.1')))]" }, "workbookVersion1": "1.1.0", "workbookContentId1": "WebApplicationFirewallFirewallEventsWorkbook", @@ -184,7 +184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Azure Web Application Firewall (WAF) data connector with template version 3.0.1", + "description": "Azure Web Application Firewall (WAF) data connector with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -383,7 +383,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MaliciousWAFSessions_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "MaliciousWAFSessions_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", 
@@ -487,7 +487,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AFD-Premium-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AFD-Premium-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -606,7 +606,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AFD-Premium-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AFD-Premium-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -722,7 +722,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AFD-WAF-Code-Injection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AFD-WAF-Code-Injection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", 
@@ -840,7 +840,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AFD-WAF-Path-Traversal-Attack_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "AFD-WAF-Path-Traversal-Attack_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -960,7 +960,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "App-GW-WAF-Code-Injection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "App-GW-WAF-Code-Injection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1078,7 +1078,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "App-GW-WAF-Path-Traversal-Attack_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "App-GW-WAF-Path-Traversal-Attack_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
@@ -1198,7 +1198,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "App-GW-WAF-Scanner-detection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "App-GW-WAF-Scanner-detection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1319,7 +1319,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "App-GW-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "App-GW-WAF-SQLiDetection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", 
@@ -1336,7 +1336,7 @@ "description": "Identifies a match for a SQL Injection attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\nReferences: https://owasp.org/Top10/A03_2021-Injection/", "displayName": "App Gateway WAF - SQLi Detection", "enabled": false, - "query": "let Threshold = 3; \nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Matched\"\n| where Message has \"SQL Injection\"\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Blocked\") on transactionId_g\n| extend Uri = strcat(hostname_s,requestUri_s)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s\n| where Total_TransactionId >= Threshold\n", + "query": "let Threshold = 3; \nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Matched\"\n| where Message has \"SQL Injection\"\n| extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)\n| extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Blocked\"\n| extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g\n| extend Uri = strcat(hostname_s,requestUri_s)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = 
make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s\n| where Total_TransactionId >= Threshold\n", "queryFrequency": "PT6H", "queryPeriod": "PT6H", "severity": "High", @@ -1438,7 +1438,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "App-GW-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "App-GW-WAF-XSSDetection_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -1455,7 +1455,7 @@ "description": "Identifies a match for an XSS attack in the App Gateway WAF logs. The threshold value in the query can be changed as per your infrastructure's requirements.\n References: https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)", "displayName": "App Gateway WAF - XSS Detection", "enabled": false, - "query": "let Threshold = 3; \nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Matched\"\n| where Message has \"XSS\"\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Blocked\") on transactionId_g\n| extend Uri = strcat(hostname_s,requestUri_s)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = make_set(transactionId_g,100), Message = make_set(Message,100), Detail_Message = make_set(details_message_s,100), Detail_Data = make_set(details_data_s,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s\n| where Total_TransactionId >= Threshold\n", + "query": "let Threshold = 3; \nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Matched\"\n| where Message has \"XSS\"\n| extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)\n| extend hostname_s = tostring(parse_json(AdditionalFields).hostname_s)\n| project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message\n| join kind = inner(\nAzureDiagnostics\n| where Category == \"ApplicationGatewayFirewallLog\"\n| where action_s == \"Blocked\"\n| extend transactionId_g = tostring(parse_json(AdditionalFields).transactionId_g)) on transactionId_g\n| extend Uri = strcat(hostname_s,requestUri_s)\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), TransactionID = 
make_set(transactionId_g,100), Message = make_set(Message,100), Total_TransactionId = dcount(transactionId_g) by clientIp_s, Uri, action_s\n| where Total_TransactionId >= Threshold\n", "queryFrequency": "PT6H", "queryPeriod": "PT6H", "severity": "High", @@ -1554,7 +1554,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WebApplicationFirewallFirewallEvents Workbook with template version 3.0.1", + "description": "WebApplicationFirewallFirewallEvents Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -1642,7 +1642,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WebApplicationFirewallGatewayAccessEvents Workbook with template version 3.0.1", + "description": "WebApplicationFirewallGatewayAccessEvents Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -1730,7 +1730,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WebApplicationFirewallOverview Workbook with template version 3.0.1", + "description": "WebApplicationFirewallOverview Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", 
@@ -1818,7 +1818,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WebApplicationFirewallWAFTypeEvents Workbook with template version 3.0.1", + "description": "WebApplicationFirewallWAFTypeEvents Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion4')]", @@ -1902,7 +1902,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Azure Web Application Firewall (WAF)", diff --git a/Solutions/Azure Web Application Firewall (WAF)/ReleaseNotes.md b/Solutions/Azure Web Application Firewall (WAF)/ReleaseNotes.md index bc0bedbe672..d7122cf05c7 100644 --- a/Solutions/Azure Web Application Firewall (WAF)/ReleaseNotes.md +++ b/Solutions/Azure Web Application Firewall (WAF)/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------------------------------------| +| 3.0.2 | 06-02-2025 | Extracting transactionId_g and hostname_s from the AdditionalFields column using parse_json and Removing the now unavailable details_message_s and details_data_s fields from **Analytic Rules** App Gateway WAF - SQLi Detection and App Gateway WAF - XSS Detection.| | 3.0.1 | 10-06-2024 | Added new **Analytic Rules** [App Gateway WAF - SQLi Detection and App Gateway WAF - XSS Detection] | | 3.0.0 | 21-12-2023 | Added ResourceProvide condition as it is standard for Application Gateway WAF logs |