
Commit 9b1ec72

authored
Merge pull request #124872 from idiosyncrati/patch-1
Update waf-new-threat-detection.md
2 parents 996dca4 + b7f52b3 commit 9b1ec72


1 file changed

+0
-3
lines changed

1 file changed

+0
-3
lines changed

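--- a/articles/web-application-firewall/waf-new-threat-detection.md
+++ b/articles/web-application-firewall/waf-new-threat-detection.md
@@ -51,17 +51,14 @@ Use the following steps to configure an analytic rule in Sentinel.
 
 ```
 let Threshold = 3;
-
 AzureDiagnostics
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Matched"
 | where Message has "Injection" or Message has "File Inclusion"
 | where ruleGroup_s == "REQUEST-932-APPLICATION-ATTACK-RCE" or ruleGroup_s == "REQUEST-931-APPLICATION-ATTACK-RFI" or ruleGroup_s == "REQUEST-932-APPLICATION-ATTACK-RCE" or ruleGroup_s == "REQUEST-933-APPLICATION-ATTACK-PHP" or ruleGroup_s == "REQUEST-942-APPLICATION-ATTACK-SQLI" or ruleGroup_s == "REQUEST-921-PROTOCOL-ATTACK" or ruleGroup_s == "REQUEST-941-APPLICATION-ATTACK-XSS"
 | project transactionId_g, hostname_s, requestUri_s, TimeGenerated, clientIp_s, Message, details_message_s, details_data_s
 | join kind = inner(
-
 AzureDiagnostics
-
 | where Category == "ApplicationGatewayFirewallLog"
 | where action_s == "Blocked") on transactionId_g
 | extend Uri = strcat(hostname_s,requestUri_s)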
