Start AG WAF JS challenge

vhorne · vhorne · commit b1f23c2d36f9 · 2024-06-10T07:32:42.000-07:00
diff --git a/articles/web-application-firewall/afds/waf-javascript-challenge.md b/articles/web-application-firewall/afds/waf-javascript-challenge.md
diff --git a/articles/web-application-firewall/ag/application-gateway-waf-metrics.md b/articles/web-application-firewall/ag/application-gateway-waf-metrics.md
@@ -38,9 +38,12 @@ New WAF metrics are only available for Core Rule Set 3.2 or greater, or with bot
 |**WAF Managed Rule Matches**|Count of total managed rule matches| Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Group, Rule ID, Rule Set Name|
 |**WAF Custom Rule Matches**|Count of custom rule matches| Action, Country/Region, Mode, Policy Name, Policy Scope, Rule Name|
 |**WAF Bot Protection Matches**<sup>1</sup>|Count of total bot protection rule matches that have been blocked or logged from malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed.| Action, Country/Region, Bot Type, Mode, Policy Name, Policy Scope|
+|**WAF JS Challenge Request Count**|Count the number of requests that match JS Challenge WAF rules.|Action, Policy Name, Policy Scope, Rule<sup>2</sup>|
 
 <sup>1</sup> Only Bot Manager Rule Set 0.1 will be displayed under “WAF Bot Protection Matches”. Requests matching Bot Manager Rule Set 1.0 will increase “WAF Total Requests” metrics, not “WAF Bot Protection Matches”.
 
+<sup>2</sup> Rule name for custom rules and Rule ID for the Bot Manager Rule Set.
+
 For metrics supported by Application Gateway V2 SKU, see [Application Gateway v2 metrics](../../application-gateway/application-gateway-metrics.md#metrics-supported-by-application-gateway-v2-sku)
 
 ## Application Gateway WAF v1 Metrics
diff --git a/articles/web-application-firewall/ag/web-application-firewall-logs.md b/articles/web-application-firewall/ag/web-application-firewall-logs.md
@@ -225,7 +225,7 @@ The firewall log is generated only if you have enabled it for each application g
 |ruleSetVersion     | Rule set version used. Available values are 2.2.9 and 3.0.     |
 |ruleId     | Rule ID of the triggering event.        |
 |message     | User-friendly message for the triggering event. More details are provided in the details section.        |
-|action     |  **Policy Mode:** Detection</br>   - **Detected** - This is the only action for the WAF when in detection mode. All the conditions for a given rule were matched and the request was logged then passed to the backend.</br></br>**Policy Mode:** Prevention</br>   - **Allowed** - All conditions were matched for a given rule and the request was passed to the backend.</br>   - **Blocked** - All of the conditions were matched for a given rule and the request was blocked.</br>   - **Matched** - One/more conditions were matched for a given rule, but the decision to block or pass the request will need further evaluation and will be evaluated based on the final anomaly scoring rule.      |
+|action     |**Policy Mode:** Detection</br>- **Detected** - This is the only action for the WAF when in detection mode. All the conditions for a given rule were matched and the request was logged then passed to the backend.</br></br>**Policy Mode:** Prevention</br>   - **Allowed** - All conditions were matched for a given rule and the request was passed to the backend.</br>   - **Blocked** - All of the conditions were matched for a given rule and the request was blocked.</br>   - **Matched** - One/more conditions were matched for a given rule, but the decision to block or pass the request will need further evaluation and will be evaluated based on the final anomaly scoring rule.<br><br>**Policy Mode:** JS challenge<br>- **JSChallengeIssued**: Issued due to missing/invalid challenge clearance, missing answer.<br><br>This log is created when a client requests access to a web application for the first time and has not been challenged previously. This client receives the JS challenge page and proceeds to compute the JS challenge. Upon successful computation, the client is granted the validity cookie.<br><br>- **JSChallengePass**: Passed due to valid challenge answer.<br><br>This log is created when a client solves the JS challenge and resubmits the request with the correct answer. In this case, Azure WAF validates the cookie and proceeds to process the remaining rules without generating another JS challenge.<br><br>- **JSChallengeValid**: Logged/passthrough due to valid challenge<br><br>This log is created when a client has previously solved a challenge. In this case, Azure WAF logs the request and proceeds to process the remaining rules.<br><br>- **JSChallengeBlock**: Blocked<br><br>This log is created when a JS challenge computation fails.   |
 |site     | Site for which the log was generated. Currently, only Global is listed because rules are global.|
 |details     | Details of the triggering event.        |
 |details.message     | Description of the rule.        |
diff --git a/articles/web-application-firewall/toc.yml b/articles/web-application-firewall/toc.yml
@@ -87,6 +87,8 @@ items:
       href: ./afds/waf-front-door-rate-limit.md
     - name: Geo-filtering
       href: ./afds/waf-front-door-geo-filtering.md
+    - name: JavaScript challenge
+      href: ./afds/waf-javascript-challenge.md
     - name: Best practices
       href: ./afds/waf-front-door-best-practices.md
     - name: FAQ
@@ -101,8 +103,6 @@ items:
       href: waf-copilot.md
   - name: WAF and Azure Policy
     href: ./shared/waf-azure-policy.md
-  - name: JavaScript challenge
-    href: waf-javascript-challenge.md
 - name: How-to guides
   items:
   - name: Application Gateway
