waflogicappreports

Serverless Computing | Email Report Azure WAF Logs

At this post, we will create a Logic App that will query the Log Analytics workspace for the WAF logs of the last 24 hours and send the results in an email, using a free SendGrid account.

A Web Application Firewall protects your application from common web vulnerabilities. Azure provides enterprise grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/

Use Log Analytics to Query the WAF Logs

The Application Gateway WAF sends its logs to the Log Analytics workspace. You can see them using a typical query like the below, that will list all events at the past 24 hours.

AzureDiagnostics | where Resource == “PROWAF” and OperationName == “ApplicationGatewayFirewall” | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s

waflogicappreports

You can save the query by clicking the Save button and give it a name and a Category.

waflogicappreports

We can send those logs as email by using an Azure Logic App and a SendGrid account. You can see how to create a SendGrid free account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/

Create a Logic App

From the portal.azure.com, Create a resource and write “logic app”, click the “Logic App”and press “Create”

waflogicappreports

At the Logic App creation wizard add Name, subscription, resource group, location and press Create

waflogicappreports

Next the Logic App will be created. Open it and from the Logics App Designer select the “Recurrence” common trigger.

waflogicappreports

Change the Recurrence Interval to “1” and the Frequency to “Day” and press the “+ New step”

waflogicappreports

search for “log analytics” and select the “Run query and visualize results”

waflogicappreports

I will proceed with “Sign in”, you can also use a Service Principal but we will cover this to another post.

waflogicappreports

After you login select the Subscription, Resource Group and the Log Analytics Workspace. Next, add the query, for Chart Type select “Html Table” and add a “Next Step”

waflogicappreports

search for “sendgrid” and select the “Send email (V2)”

waflogicappreports

Add a name for the connection and the API key that you created at the SendGrid creation post and press create. https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/

waflogicappreports

Fill the From address, To address and Subject. At the email body, add dynamic content and select the blocs of the previous set result.

waflogicappreports

Press Save to save the Flow and Run to test it.

waflogicappreports

The result at my email:

waflogicappreports

Share

Leave a Reply

Your email address will not be published. Required fields are marked *

fifteen − 1 =