At this post, we will create a Logic App that will query the Log Analytics workspace for the WAF logs of the last 24 hours and send the results in an email, using a free SendGrid account.
A Web Application Firewall protects your application from common web vulnerabilities. Azure provides enterprise grade Web Application Firewall through the Application Gateway. You can read more at my previous post: https://www.e-apostolidis.gr/microsoft/azure/protect-your-web-application-with-azure-application-gateway-waf/
Use Log Analytics to Query the WAF Logs
The Application Gateway WAF sends its logs to the Log Analytics workspace. You can see them using a typical query like the below, that will list all events at the past 24 hours.
AzureDiagnostics | where Resource == “PROWAF” and OperationName == “ApplicationGatewayFirewall” | where TimeGenerated > ago(24h) | summarize count() by TimeGenerated, clientIp_s , TimeGenerated , ruleId_s , Message , details_message_s , requestUri_s, details_file_s , hostname_s
You can save the query by clicking the Save button and give it a name and a Category.
We can send those logs as email by using an Azure Logic App and a SendGrid account. You can see how to create a SendGrid free account at my previous post: https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/
Create a Logic App
From the portal.azure.com, Create a resource and write “logic app”, click the “Logic App”and press “Create”
At the Logic App creation wizard add Name, subscription, resource group, location and press Create
Next the Logic App will be created. Open it and from the Logics App Designer select the “Recurrence” common trigger.
Change the Recurrence Interval to “1” and the Frequency to “Day” and press the “+ New step”
search for “log analytics” and select the “Run query and visualize results”
I will proceed with “Sign in”, you can also use a Service Principal but we will cover this to another post.
After you login select the Subscription, Resource Group and the Log Analytics Workspace. Next, add the query, for Chart Type select “Html Table” and add a “Next Step”
search for “sendgrid” and select the “Send email (V2)”
Add a name for the connection and the API key that you created at the SendGrid creation post and press create. https://www.e-apostolidis.gr/microsoft/azure/azure-free-smtp-relay-using-sendgrid/
Fill the From address, To address and Subject. At the email body, add dynamic content and select the blocs of the previous set result.
Press Save to save the Flow and Run to test it.
The result at my email: