Merge pull request #208235 from johndowns/waf-front-door-pivot

Front Door WAF - Add pivots for standard/premium changes

Author: v-ccolin

articles/web-application-firewall/afds/afds-overview.md

@@ -5,7 +5,7 @@ services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
 ms.topic: conceptual
-ms.date: 05/06/2022
+ms.date: 08/16/2022
 ms.author: victorh
 ---
 
@@ -104,7 +104,7 @@ Unknown bots are classified via published user agents without additional validat
 
 ![Bot Protection Rule Set](../media/afds-overview/botprotect2.png)
 
-If bot protection is enabled, incoming requests that match bot rules are logged at the FrontdoorWebApplicationFirewallLog log. You may access WAF logs from a storage account, event hub, or log analytics.
+If bot protection is enabled, incoming requests that match bot rules are logged. You may access WAF logs from a storage account, event hub, or log analytics.
 
 ## Configuration
 

articles/web-application-firewall/afds/waf-front-door-configure-custom-response-code.md

@@ -5,10 +5,10 @@ services: web-application-firewall
 author: vhorne
 ms.service: web-application-firewall
 ms.topic: article
-ms.date: 06/10/2020
+ms.date: 08/16/2022
 ms.author: victorh 
 ms.custom: devx-track-azurepowershell
-
+zone_pivot_groups: front-door-tiers
 ---
 
 # Configure a custom response for Azure Web Application Firewall (WAF)
@@ -25,8 +25,17 @@ In the above example, we kept the response code as 403, and configured a short "
 
 :::image type="content" source="../media/waf-front-door-configure-custom-response-code/custom-response.png" alt-text="Custom response example":::
 
-"{{azure-ref}}" inserts the unique reference string in the response body. The value matches the TrackingReference field in the `FrontdoorAccessLog` and
-`FrontdoorWebApplicationFirewallLog` logs.
+::: zone pivot="front-door-standard-premium"
+
+"{{azure-ref}}" inserts the unique reference string in the response body. The value matches the TrackingReference field in the `FrontDoorAccessLog` and `FrontDoorWebApplicationFirewallLog` logs.
+
+::: zone-end
+
+::: zone pivot="front-door-classic"
+
+"{{azure-ref}}" inserts the unique reference string in the response body. The value matches the TrackingReference field in the `FrontdoorAccessLog` and `FrontdoorWebApplicationFirewallLog` logs.
+
+::: zone-end
 
 ## Configure custom response status code and message use PowerShell
 

articles/web-application-firewall/afds/waf-front-door-monitor.md

@@ -5,7 +5,7 @@ author: vhorne
 ms.service: web-application-firewall
 ms.topic: article
 services: web-application-firewall
-ms.date: 05/11/2022
+ms.date: 08/16/2022
 ms.author: victorh
 zone_pivot_groups: front-door-tiers
 ---
@@ -52,6 +52,7 @@ The following example query returns the access log entries:
 AzureDiagnostics
 | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
 ```
+
 ::: zone-end
 
 ::: zone pivot="front-door-classic"
@@ -65,6 +66,42 @@ AzureDiagnostics
 
 The following shows an example log entry:
 
+::: zone pivot="front-door-standard-premium"
+
+```json
+{
+  "time": "2020-06-09T22:32:17.8383427Z",
+  "category": "FrontDoorAccessLog",
+  "operationName": "Microsoft.Cdn/Profiles/AccessLog/Write",
+  "properties": {
+    "trackingReference": "08Q3gXgAAAAAe0s71BET/QYwmqtpHO7uAU0pDRURHRTA1MDgANjMxNTAwZDAtOTRiNS00YzIwLTljY2YtNjFhNzMyOWQyYTgy",
+    "httpMethod": "GET",
+    "httpVersion": "2.0",
+    "requestUri": "https://wafdemofrontdoorwebapp.azurefd.net:443/?q=%27%20or%201=1",
+    "requestBytes": "715",
+    "responseBytes": "380",
+    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4157.0 Safari/537.36 Edg/85.0.531.1",
+    "clientIp": "xxx.xxx.xxx.xxx",
+    "socketIp": "xxx.xxx.xxx.xxx",
+    "clientPort": "52097",
+    "timeTaken": "0.003",
+    "securityProtocol": "TLS 1.2",
+    "routingRuleName": "WAFdemoWebAppRouting",
+    "rulesEngineMatchNames": [],
+    "backendHostname": "wafdemowebappuscentral.azurewebsites.net:443",
+    "sentToOriginShield": false,
+    "httpStatusCode": "403",
+    "httpStatusDetails": "403",
+    "pop": "SJC",
+    "cacheStatus": "CONFIG_NOCACHE"
+  }
+}
+```
+
+::: zone-end
+
+::: zone pivot="front-door-classic"
+
 ```json
 {
   "time": "2020-06-09T22:32:17.8383427Z",
@@ -95,6 +132,8 @@ The following shows an example log entry:
 }
 ```
 
+::: zone-end
+
 ### WAF logs
 
 ::: zone pivot="front-door-standard-premium"
@@ -114,19 +153,29 @@ The following table shows the values logged for each request:
 | Property  | Description |
 | ------------- | ------------- |
 | Action |Action taken on the request. Logs include requests with all actions. Metrics include requests with all actions except *Log*.|
-| ClientIp | The IP address of the client that made the request. If there was an `X-Forwarded-For` header in the request, the client IP address is taken from that header field instead. |
+| ClientIP | The IP address of the client that made the request. If there was an `X-Forwarded-For` header in the request, the client IP address is taken from that header field instead. |
 | ClientPort | The IP port of the client that made the request. |
 | Details | Additional details on the request, including any threats that were detected. <br />matchVariableName:   HTTP parameter name of the request matched, for example, header names (up to 100 characters maximum).<br /> matchVariableValue:  Values that triggered the match (up to 100 characters maximum). |
 | Host | The `Host` header of the request. |
 | Policy | The name of the WAF policy that processed the request. |
 | PolicyMode | Operations mode of the WAF policy. Possible values are `Prevention` and `Detection`. |
 | RequestUri | Full URI of the request. |
 | RuleName | The name of the WAF rule that the request matched. |
-| SocketIp | The source IP address seen by WAF. This IP address is based on the TCP session, and does not consider any request headers. |
+| SocketIP | The source IP address seen by WAF. This IP address is based on the TCP session, and does not consider any request headers. |
 | TrackingReference | The unique reference string that identifies a request served by Front Door. This value is sent to the client in the `X-Azure-Ref` response header. Use this field when searching for a specific request in the log. |
 
 The following example query shows the requests that were blocked by the Front Door WAF:
 
+::: zone pivot="front-door-standard-premium"
+
+```kusto
+AzureDiagnostics 
+| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog" 
+| where action_s == "Block" 
+```
+
+::: zone-end
+
 ::: zone pivot="front-door-classic"
 
 ```kusto
@@ -137,17 +186,41 @@ AzureDiagnostics
 
 ::: zone-end
 
+The following shows an example log entry, including the reason that the request was blocked:
+
 ::: zone pivot="front-door-standard-premium"
 
-```kusto
-AzureDiagnostics 
-| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog" 
-| where action_s == "Block" 
+```json
+{
+  "time": "2020-06-09T22:32:17.8376810Z",
+  "category": "FrontdoorWebApplicationFirewallLog",
+  "operationName": "Microsoft.Cdn/Profiles/Write",
+  "properties": {
+    "clientIP": "xxx.xxx.xxx.xxx",
+    "clientPort": "52097",
+    "socketIP": "xxx.xxx.xxx.xxx",
+    "requestUri": "https://wafdemofrontdoorwebapp.azurefd.net:443/?q=%27%20or%201=1",
+    "ruleName": "Microsoft_DefaultRuleSet-1.1-SQLI-942100",
+    "policy": "WafDemoCustomPolicy",
+    "action": "Block",
+    "host": "wafdemofrontdoorwebapp.azurefd.net",
+    "trackingReference": "08Q3gXgAAAAAe0s71BET/QYwmqtpHO7uAU0pDRURHRTA1MDgANjMxNTAwZDAtOTRiNS00YzIwLTljY2YtNjFhNzMyOWQyYTgy",
+    "policyMode": "prevention",
+    "details": {
+      "matches": [
+        {
+          "matchVariableName": "QueryParamValue:q",
+          "matchVariableValue": "' or 1=1"
+        }
+      ]
+    }
+  }
+}
 ```
 
 ::: zone-end
 
-The following shows an example log entry, including the reason that the request was blocked:
+::: zone pivot="front-door-classic"
 
 ```json
 {
@@ -177,6 +250,8 @@ The following shows an example log entry, including the reason that the request
 }
 ```
 
+::: zone-end
+
 ## Next steps
 
 - Learn more about [Front Door](../../frontdoor/front-door-overview.md).