
Azure WAF


Azure Web Application Firewall detects web-related attacks targeting your web servers hosted in Azure and allows a quick response to threats.

Azure Web Application Firewall

Azure WAF Integration

Overview

Azure Web Application Firewall (WAF) is designed to actively shield your web applications from common web exploits and vulnerabilities, such as SQL injection and cross-site scripting.

It operates as an application-level firewall, focusing on web application traffic.

Azure WAF integrates with Azure services like Azure Application Gateway, Azure Front Door, and Azure CDN.


This pack includes:

  • Log Normalization - XDM mapping for key event types.

Supported log categories

Category                            Category Display Name
ApplicationGatewayAccessLog         Application Gateway Access Log
ApplicationGatewayFirewallLog       Application Gateway Firewall Log
FrontDoorAccessLog                  Frontdoor Access Log
FrontDoorWebApplicationFirewallLog  Frontdoor Web Application Firewall Log

Supported Timestamp Formats:

  1. MMM dd yyyy HH:mm:ss
  2. yyyy-MM-ddThh:mm:ssEz
  3. yyyy-MM-ddThh:mm:ssZ
  4. yyyy-MM-ddThh:mm:ss.E7SZ

For the msft_azure_waf_raw dataset, the event timestamp is ingested from the fields below and interpreted in the UTC (+00:00) time zone.

  • timeStamp
  • timeStamp_t
  • time
  • TimeGenerated

Examples:

  • May 03 2025 04:00:00
  • 2025-05-03T00:27:53+00:00
  • 2025-05-03T00:27:53Z
  • 2025-05-02T13:26:25.3391768Z

Time offsets from UTC are supported.

See RFC 3339 for more information.
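The following is an added example, not code from the pack, showing how the four accepted timestamp formats and the timestamp fields listed above can be applied to raw diagnostic records before a few fields are mapped to XDM-style names. The Event Hub batch, its resource IDs and every value inside it are constructed for this example (the property names follow Microsoft's Application Gateway and Front Door WAF log schemas); the field precedence (timeStamp, then timeStamp_t, time, TimeGenerated) is assumed from the order the page lists them, and the action vocabulary and output field names are this example's own, not the pack's XDM mapping.

```python
import re
from datetime import datetime, timezone

# Constructed Event Hub batch: Azure Monitor wraps diagnostic log lines in a
# "records" array. Property names follow Microsoft's Application Gateway and
# Front Door WAF log schemas; every value (IDs, IPs, URIs) is invented.
SAMPLE_BATCH = {
    "records": [
        {
            "timeStamp": "2025-05-02T13:26:25.3391768Z",          # 7-digit fraction
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                          "/PROVIDERS/MICROSOFT.NETWORK/APPLICATIONGATEWAYS/AGW-PROD",
            "category": "ApplicationGatewayFirewallLog",
            "properties": {
                "clientIp": "203.0.113.10",
                "requestUri": "/login.php?user=%27%20OR%201%3D1--",
                "ruleSetType": "OWASP_CRS", "ruleSetVersion": "3.2", "ruleId": "942100",
                "action": "Blocked",
                "message": "SQL Injection Attack Detected via libinjection",
                "hostname": "www.example.com",
            },
        },
        {
            "time": "2025-05-03T00:27:53+02:00",                   # non-zero UTC offset
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                          "/PROVIDERS/MICROSOFT.CDN/PROFILES/AFD-PROD",
            "category": "FrontDoorWebApplicationFirewallLog",
            "properties": {
                "clientIP": "198.51.100.7",
                "requestUri": "https://www.example.com:443/search?q=%3Cscript%3E",
                "ruleName": "DefaultRuleSet-1.0-XSS-941100",
                "policy": "afdwafpolicy", "action": "Block", "policyMode": "prevention",
            },
        },
        {
            "TimeGenerated": "May 03 2025 04:00:00",                # no zone: treated as UTC
            "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-WEB"
                          "/PROVIDERS/MICROSOFT.CDN/PROFILES/AFD-PROD",
            "category": "FrontDoorAccessLog",
            "properties": {"clientIp": "192.0.2.5", "requestUri": "/", "httpStatusCode": "200"},
        },
    ]
}

# Precedence assumed from the order the page lists the fields.
TIME_FIELDS = ("timeStamp", "timeStamp_t", "time", "TimeGenerated")

# Keep at most six fractional-second digits: strptime's %f rejects a seventh.
_FRACTION = re.compile(r"(\.\d{1,6})\d*")

# This example's own action vocabulary (Application Gateway and Front Door use
# different words for the same outcome); not the pack's XDM mapping.
ACTION_MAP = {"blocked": "BLOCK", "block": "BLOCK", "allowed": "ALLOW", "allow": "ALLOW",
              "matched": "LOG", "detected": "LOG", "log": "LOG"}


def parse_timestamp(value: str) -> datetime:
    """Parse the four formats the pack accepts; return an aware datetime in UTC."""
    v = value.strip()
    try:  # 1. "MMM dd yyyy HH:mm:ss" carries no zone; the page says it is UTC.
        return datetime.strptime(v, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    v = _FRACTION.sub(r"\1", v)  # 2-4. RFC 3339; %z accepts both "Z" and "+hh:mm"
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
        try:
            return datetime.strptime(v, fmt).astimezone(timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp format: {value!r}")


def event_time(record: dict) -> datetime:
    """Pick the first timestamp field present, in TIME_FIELDS order."""
    for field in TIME_FIELDS:
        if record.get(field):
            return parse_timestamp(record[field])
    raise KeyError("record carries none of " + ", ".join(TIME_FIELDS))


def normalize(record: dict) -> dict:
    """Map one raw record onto a handful of XDM-style fields."""
    p = record.get("properties", {})
    category = record.get("category", "")
    out = {
        "event_timestamp": event_time(record),
        "event_type": category,
        "source_ipv4": p.get("clientIp") or p.get("clientIP"),  # casing differs per product
        "target_resource": record.get("resourceId"),
        "http_url": p.get("requestUri"),
    }
    if category.endswith("FirewallLog"):
        raw = (p.get("action") or "").lower()
        out["action"] = ACTION_MAP.get(raw, raw.upper())
        out["rule_id"] = p.get("ruleId") or p.get("ruleName")
        out["alert_description"] = p.get("message") or p.get("ruleName")
    return out


def normalize_batch(batch: dict) -> list:
    """Normalize every record in an Event Hub batch, oldest first (UTC order)."""
    return sorted((normalize(r) for r in batch.get("records", [])),
                  key=lambda e: e["event_timestamp"])


if __name__ == "__main__":
    for e in normalize_batch(SAMPLE_BATCH):
        print(e["event_timestamp"].isoformat(), e["event_type"], e.get("action", "-"),
              e["source_ipv4"], e.get("rule_id", "-"))
```

Two details matter when reproducing this outside the pack: the seven-digit fraction in format 4 has to be trimmed before Python's `%f` will accept it, and a record stamped with a non-zero offset (format 2) must be converted to UTC rather than having its offset dropped, otherwise events from the same second sort hours apart.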


Data Collection

To configure Microsoft Azure WAF to send logs to Cortex XSIAM, follow the steps below.

Prerequisites

Stream Logs Flow

  1. Sign in to the Azure portal.

  2. Open the resource whose WAF logs you want to stream, and under Monitoring select Diagnostic settings.

    • For Application Gateway logs (ApplicationGatewayAccessLog, ApplicationGatewayFirewallLog), select the relevant Application Gateway.
    • For Front Door logs (FrontDoorAccessLog, FrontDoorWebApplicationFirewallLog), select the relevant Front Door profile.
  3. Select + Add diagnostic setting to create a new integration or select Edit setting for an existing integration.

  4. Enter a Diagnostic setting name. If you're editing an existing integration, you can't change the name.

  5. Select the log categories that you want to stream. Refer to the Log Normalization section for the supported log categories for normalization.

  6. Select the streaming and storing method.

    6.1. For Event Hub:

    • Click the Stream to an event hub checkbox.
    • (Optional) Click Archive to a storage account to save the diagnostic logs.
    • Under Subscription choose the relevant Azure subscription.
    • Under Event Hub Namespace select the event hub namespace.
    • (Optional) Under Event hub name, select a specific event hub.

    6.2. For Log Analytics:

    • Click the Send to Log Analytics workspace checkbox.
    • (Optional) Click Archive to a storage account to save the diagnostic logs.
    • Under Subscription choose the relevant Azure subscription.
    • Under Log Analytics Workspace select the Log Analytics workspace to store the logs.

For more information, refer to Microsoft's official documentation.

For more information on creating a Log Analytics workspace, see Create a Log Analytics workspace.
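The diagnostic-setting steps above decide whether the pack ever receives the categories it normalizes. As an added example (not part of the pack or of Microsoft's tooling), the script below audits the JSON that `az monitor diagnostic-settings show --name <setting> --resource <resource-id>` returns for an Application Gateway or a Front Door profile: it checks that every category in the "Supported log categories" table is enabled and that a streaming destination (Event Hub or Log Analytics workspace) is configured, because "Archive to a storage account" alone delivers nothing to Cortex XSIAM. Both settings objects are constructed samples in the ARM camelCase shape; the setting names, subscription, resource group and resource IDs are invented.

```python
import json

# Categories the pack normalizes, keyed by the resource-type segment of the ARM ID.
# Front Door Standard/Premium profiles live under Microsoft.Cdn/profiles.
REQUIRED_CATEGORIES = {
    "applicationgateways": {"ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog"},
    "profiles": {"FrontDoorAccessLog", "FrontDoorWebApplicationFirewallLog"},
}

# Invented scope used by both constructed samples.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"

# Constructed sample: a setting that streams both Application Gateway categories
# to an Event Hub named "azure-waf".
GOOD_SETTING = {
    "id": SCOPE + "/providers/Microsoft.Network/applicationGateways/agw-prod"
                  "/providers/microsoft.insights/diagnosticSettings/to-xsiam",
    "name": "to-xsiam",
    "logs": [
        {"category": "ApplicationGatewayAccessLog", "enabled": True},
        {"category": "ApplicationGatewayFirewallLog", "enabled": True},
    ],
    "eventHubAuthorizationRuleId": SCOPE + "/providers/Microsoft.EventHub/namespaces/ehns-siem"
                                           "/authorizationRules/RootManageSharedAccessKey",
    "eventHubName": "azure-waf",
    "workspaceId": None,
    "storageAccountId": None,
}

# Constructed sample of a common misconfiguration: the firewall log is disabled
# and only "Archive to a storage account" was selected.
BAD_SETTING = {
    "id": SCOPE + "/providers/Microsoft.Network/applicationGateways/agw-prod"
                  "/providers/microsoft.insights/diagnosticSettings/archive-only",
    "name": "archive-only",
    "logs": [
        {"category": "ApplicationGatewayAccessLog", "enabled": True},
        {"category": "ApplicationGatewayFirewallLog", "enabled": False},
    ],
    "eventHubAuthorizationRuleId": None,
    "eventHubName": None,
    "workspaceId": None,
    "storageAccountId": SCOPE + "/providers/Microsoft.Storage/storageAccounts/waflogsarchive",
}


def parent_resource_type(setting_id: str) -> str:
    """Return the lower-cased resource-type segment of the resource the diagnostic
    setting is attached to, e.g. 'applicationgateways' or 'profiles'. The setting's
    own ID embeds the parent resource ID before '/providers/microsoft.insights/...'."""
    parts = setting_id.lower().strip("/").split("/")
    i = parts.index("providers")  # first "providers" belongs to the parent resource
    return parts[i + 2]


def audit_setting(setting: dict) -> list:
    """Return a list of problems; an empty list means the setting feeds the pack."""
    kind = parent_resource_type(setting["id"])
    required = REQUIRED_CATEGORIES.get(kind)
    if required is None:
        return [f"unsupported resource type {kind!r}; expected one of "
                f"{sorted(REQUIRED_CATEGORIES)}"]
    problems = []
    enabled, groups = set(), set()
    for entry in setting.get("logs", []):
        if not entry.get("enabled"):
            continue
        if entry.get("categoryGroup"):          # newer settings may use category groups
            groups.add(entry["categoryGroup"].lower())
        if entry.get("category"):
            enabled.add(entry["category"].lower())
    if "alllogs" not in groups:                 # "allLogs" enables every category at once
        for cat in sorted(required):
            if cat.lower() not in enabled:
                problems.append(f"log category {cat} is not enabled")
    if not (setting.get("eventHubAuthorizationRuleId") or setting.get("workspaceId")):
        problems.append("no streaming destination: select an Event Hub or a Log Analytics "
                        "workspace (archiving to a storage account alone is not collected)")
    return problems


if __name__ == "__main__":
    for s in (GOOD_SETTING, BAD_SETTING):
        print(json.dumps({"setting": s["name"], "problems": audit_setting(s)}, indent=2))
```

Run it against real output by loading the JSON from `az monitor diagnostic-settings show` instead of the constructed dicts; a non-empty list is the thing to fix in the portal before looking for data in Cortex XSIAM.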

Cortex XSIAM side

To connect Cortex XSIAM to the Azure Event Hub, follow the below steps.

Azure Event Hub Collector

  1. Navigate to Settings > Data Sources.
  2. If you have already configured an Azure Event Hub Collector, select the 3 dots, and then select + Add New Instance. If not, select + Add Data Source, search for "Azure Event Hub" and then select Connect.
  3. Fill in the attributes based on the Azure Event Hub you streamed your data to.
  4. Leave the Use audit logs in analytics checkbox selected, unless you were told otherwise.

More information can be found here.


PLATFORMS: Cortex XSOAR, Cortex XSIAM

INFO

Certification: Read more
Supported By: Cortex
Created: December 22, 2020
Last Release: May 14, 2025

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.