From 52164edca561728076d09a48332aeeb5c1d72556 Mon Sep 17 00:00:00 2001
From: yuvalpery <95619904+yuvalpery@users.noreply.github.com>
Date: Wed, 19 Mar 2025 20:18:06 +0200
Subject: [PATCH] Create Blocking WAF Rules.kql

Added a new suggested query to investigate WAF rule hits
---
 .../Queries/Analytics/Blocking WAF Rules.kql | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 Azure Services/Application gateways/Queries/Analytics/Blocking WAF Rules.kql

diff --git a/Azure Services/Application gateways/Queries/Analytics/Blocking WAF Rules.kql b/Azure Services/Application gateways/Queries/Analytics/Blocking WAF Rules.kql
new file mode 100644
index 00000000..85ea6146
--- /dev/null
+++ b/Azure Services/Application gateways/Queries/Analytics/Blocking WAF Rules.kql
@@ -0,0 +1,15 @@
+// Author: Microsoft Azure
+// Display name: Blocking WAF rules
+// Description: List all WAF rules hits related to blocked requests.
+// Categories: Network
+// Resource types: Application gateways
+// Topic: Alerts
+
+AGWFirewallLogs
+| where TransactionId in (
+ AGWFirewallLogs
+ | where Action == "Blocked"
+ | distinct TransactionId
+)
+| where RuleId != 949110
+| project TransactionId, TimeGenerated, ClientIp, RequestUri, RuleId, Message, DetailedMessage, DetailedData
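Review bot: The filter `| where RuleId != 949110` hides a rule by bare number with no explanation, so a reader cannot tell why one rule is dropped from a list of blocking hits. 949110 is the OWASP CRS "Inbound Anomaly Score Exceeded" rule, which records the block decision in anomaly-scoring mode, so I would add a comment above the filter such as `// 949110 = CRS inbound anomaly score exceeded (the block decision); excluded to show the contributing rules`. With that row removed, the remaining rows for a transaction are presumably the contributing matches rather than the block itself, and the output cannot show this; adding `Action` to the `project` list would let an analyst tell them apart. It is also worth confirming the type of `RuleId` in AGWFirewallLogs: if it is a string column, the literal should be quoted, `RuleId != "949110"`.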