Azure Frontdoor WAF Blocked a Request

Set up the Azure integration.

Overview

Goal

Detect when an Azure Frontdoor Web Application Firewall (WAF) blocks a request from an IP address.

Strategy

This rule monitors Azure Activity logs for Frontdoor Web Application Firewall logs and detects when the @evt.name has a value of Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write and @properties.action has a value of Block.

Triage & Response

  1. Inspect whether this request should have been blocked or not.
  2. Navigate to the IP dashboard and inspect other requests this IP address has made.
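
The two conditions from the Strategy section, combined with the per-IP review in triage step 2, as an added example (not the rule's own implementation or code from this page). It runs over constructed log lines; the clientIP and ruleName fields are assumed names used for illustration.

```python
import json
from collections import defaultdict

# Values taken from the rule's Strategy section.
WAF_EVENT = "Microsoft.Network/FrontDoor/WebApplicationFirewallLog/Write"
BLOCK = "Block"

def _ev(name, action, ip, rule):
    # clientIP and ruleName are assumed field names, used for illustration.
    return json.dumps({"evt": {"name": name},
                       "properties": {"action": action, "clientIP": ip, "ruleName": rule}})

# Constructed sample log lines (documentation-range IPs, made-up rule names).
SAMPLE_LOGS = "\n".join([
    _ev(WAF_EVENT, "Block", "203.0.113.7", "example-rule-a"),
    _ev(WAF_EVENT, "Block", "203.0.113.7", "example-rule-b"),
    _ev(WAF_EVENT, "Log", "203.0.113.7", "example-rule-a"),
    _ev(WAF_EVENT, "Allow", "198.51.100.20", "example-rule-c"),
    _ev("Example.Other/Operation/Write", "Block", "198.51.100.20", "n/a"),
    "truncated {not json",
    json.dumps({"evt": {"name": WAF_EVENT}}),  # WAF event with no properties
])

def parse(raw):
    """Yield the properties dict of each WAF event, skipping malformed lines."""
    for line in raw.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        evt = event.get("evt") if isinstance(event, dict) else None
        if isinstance(evt, dict) and evt.get("name") == WAF_EVENT:
            props = event.get("properties")
            yield props if isinstance(props, dict) else {}

def triage(raw):
    """Summarise WAF activity for every IP with at least one blocked request."""
    per_ip = defaultdict(lambda: {"blocked": 0, "other": 0, "rules": set()})
    for props in parse(raw):
        ip = props.get("clientIP")
        if ip is None:
            continue
        entry = per_ip[ip]
        if props.get("action") == BLOCK:  # second condition of the rule
            entry["blocked"] += 1
            entry["rules"].add(str(props.get("ruleName")))
        else:
            entry["other"] += 1
    return {ip: {**e, "rules": sorted(e["rules"])}
            for ip, e in per_ip.items() if e["blocked"]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS), indent=2))
```

An IP that shows blocks from several distinct rules alongside non-blocked requests is a stronger candidate for follow-up than one with a single block, which is more likely a false positive to check against step 1.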