Azure Web Application Firewall
Overview
Azure Web Application Firewall (WAF) is designed to actively shield your web applications from common web exploits and vulnerabilities, such as SQL injection and cross-site scripting.
It operates as an application-level firewall, focusing on web application traffic.
Azure WAF integrates with Azure services like Azure Application Gateway, Azure Front Door, and Azure CDN.
This pack includes:
- Log Normalization - XDM mapping for key event types.
Supported log categories
- yyyy-MM-ddThh:mm:ssZ
- yyyy-MM-ddThh:mm:ssEz
- MMM dd yyyy HH:mm:ss
For msft_azure_waf_raw, timestamp ingestion is according to the fields below in UTC (00:00) time zone.
- timeStamp
- timeStamp_t
- time
- TimeGenerated
Examples:
- 2025-03-26T05:39:46Z
- 2024-11-19T10:50:39+05:00
- Nov 19 2024 12:50:39
[!NOTE]
Time offsets from UTC is supported.
See RFC 3339 for more information.
Data Collection
To configure Microsoft Azure WAF to send logs to Cortex XSIAM, follow the below steps.
Prerequisites
- Create an Azure event hub. For more information, refer to Microsoft's official documentation.
- Make sure that you have at least a Security Administrator role.
- For Azure WAF Front Door event logs you will need to Create an Azure Front Door profile
Stream logs to an event hub
- Sign in to the Microsoft Entra admin center.
- Navigate to Identity → Monitoring & health → Diagnostic settings.
- To stream Front Door logs, select the relevant Front Door profile
- Within the profile, navigate to Monitoring, and select Diagnostic Setting.
- Select + Add diagnostic setting to create a new integration or select Edit setting for an existing integration.
- Enter a Diagnostic setting name. If you're editing an existing integration, you can't change the name.
- Select the log categories that you want to stream. Refer to the Log Normalization section for the supported log categories for normalization.
- Select the Stream to an event hub checkbox.
- Select the Azure subscription, Event Hubs namespace, and optional event hub where you want to route the logs.
For more information, refer to Microsoft's official documentation.
Cortex XSIAM side
To connect Cortex XSIAM to the Azure Event Hub, follow the below steps.
Azure Event Hub Collector
- Navigate to Settings → Data Sources.
- If you have already configured an Azure Event Hub Collector, select the 3 dots, and then select + Add New Instance. If not, select + Add Data Source, search for "Azure Event Hub" and then select Connect.
- Fill in the attributes based on the Azure Event Hub you streamed your data to.
- Leave the Use audit logs in analytics checkbox selected, unless you were told otherwise.
More information can be found here.
