Serverless Computing | Email Report Azure WAF Logs

Posted by Pantelis Apostolidis, in Azure, 28 December 2018


In this post, we will create a Logic App that queries the Log Analytics workspace for the WAF logs of the last 24 hours and sends the results by email, using a free SendGrid account.

A Web Application Firewall protects your application from common web vulnerabilities. Azure provides an enterprise-grade Web Application Firewall through the Application Gateway. You can read more in my previous post: https://www.e-aposto...on-gateway-waf/
Use Log Analytics to Query the WAF Logs
The Application Gateway WAF sends its logs to the Log Analytics workspace. You can view them with a typical query like the one below, which lists all events from the past 24 hours.

AzureDiagnostics
| where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall"
| where TimeGenerated > ago(24h)
| summarize count() by TimeGenerated, clientIp_s, ruleId_s, Message, details_message_s, requestUri_s, details_file_s, hostname_s
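
Because the query above groups by TimeGenerated, each row is effectively a single event, which makes a long daily email. The aggregated variant below is an added example, not part of the original post: it returns one row per host, client IP and rule, using only columns that appear in the query above. The resource name PROWAF is the one from the post; the 50-row cap is an arbitrary choice.

```kusto
// Daily WAF digest: one row per host / client IP / rule instead of one row per event.
AzureDiagnostics
| where Resource == "PROWAF" and OperationName == "ApplicationGatewayFirewall"
| where TimeGenerated > ago(24h)
| summarize
    Hits         = count(),                  // how many times this client hit this rule
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    DistinctUris = dcount(requestUri_s),     // approximate number of different URIs involved
    SampleUri    = take_any(requestUri_s)    // one example request for context
  by hostname_s, clientIp_s, ruleId_s, Message
| top 50 by Hits desc                        // arbitrary cap to keep the email readable
```
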
You can save the query by clicking the Save button and giving it a name and a category.

We can send those logs by email using an Azure Logic App and a SendGrid account. You can see how to create a free SendGrid account in my previous post: https://www.e-aposto...using-sendgrid/
Create a Logic App
From portal.azure.com, select Create a resource, type “logic app”, click “Logic App” and press “Create”.

In the Logic App creation wizard, add the Name, Subscription, Resource group and Location, and press Create.

Once the Logic App is created, open it and, in the Logic Apps Designer, select the “Recurrence” common trigger.

Change the Recurrence Interval to “1” and the Frequency to “Day”, then press “+ New step”.

Search for “log analytics” and select “Run query and visualize results”.

I will proceed with “Sign in”; you can also use a Service Principal, but we will cover that in another post.

After you log in, select the Subscription, Resource Group and Log Analytics Workspace. Next, add the query, select “Html Table” as the Chart Type, and add a “Next Step”.

Search for “sendgrid” and select “Send email (V2)”.

Add a name for the connection and the API key that you created in the SendGrid creation post, and press Create. https://www.e-aposto...using-sendgrid/
https://www.e-apostolidis.gr/wp-content/uploads/2018/12/image-20.png
Fill in the From address, To address and Subject. In the email body, add dynamic content and select the blocks of the previous step's result.
https://www.e-apostolidis.gr/wp-content/uploads/2018/12/image-25.png
Press Save to save the Flow and Run to test it.
https://www.e-apostolidis.gr/wp-content/uploads/2018/12/image-22.png
The result in my email:

https://www.e-aposto...12/image-27.png