Query Details

App Gateway Most Attacked Host Name

Query

//Visualize the most attacked hostname behind an Azure App Gateway/WAF

//Data connector required for this query - Azure Diagnostics (Application Gateways)

AzureDiagnostics
| where TimeGenerated > ago(30d)
| where ResourceType == "APPLICATIONGATEWAYS"
| where isnotempty(ruleId_s)
| summarize ['WAF Hit Count']=count() by hostname_s
| where isnotempty(hostname_s)
| sort by ['WAF Hit Count'] desc
| render barchart with (title="Most WAF Hits by Hostname", xtitle="Hostname")

Explanation

This query uses Azure Diagnostics data for Application Gateways to show which hostname behind an Azure App Gateway/WAF has been attacked the most. It limits the data to the past 30 days, keeps only Application Gateway records, and keeps only rows with a non-empty ruleId_s, that is, rows where a WAF rule was recorded. It then counts the WAF hits for each hostname, drops results with an empty hostname, and displays the counts in a bar chart sorted in descending order. The chart title is "Most WAF Hits by Hostname" and the x-axis represents the hostnames.
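The hit count treats every rule match the same, so a hostname can top the chart because of one noisy rule. The variant below is an added example, not part of the original query: it reports, per hostname, how many hits were blocked and how much of the total comes from the single most-triggered rule. It assumes the action_s column is populated and uses the value "Blocked" for blocked requests.

```kusto
// Added example: per-hostname WAF hits, blocked hits, and the dominant rule.
// Assumption: action_s is populated and holds "Blocked" for blocked requests.
AzureDiagnostics
| where TimeGenerated > ago(30d)
| where ResourceType == "APPLICATIONGATEWAYS"
| where isnotempty(ruleId_s) and isnotempty(hostname_s)
// One row per hostname and rule
| summarize Hits = count(), BlockedHits = countif(action_s == "Blocked") by hostname_s, ruleId_s
// Roll up per hostname; arg_max keeps the rule with the most hits
| summarize
    TotalHits = sum(Hits),
    Blocked = sum(BlockedHits),
    DistinctRules = count(),
    arg_max(Hits, ruleId_s)
    by hostname_s
// Share of the hostname's hits that come from its top rule
| extend TopRuleSharePct = round(100.0 * Hits / TotalHits, 1)
| project hostname_s, TotalHits, Blocked, DistinctRules,
    TopRule = ruleId_s, TopRuleHits = Hits, TopRuleSharePct
| sort by TotalHits desc
```

A hostname with a high TopRuleSharePct and few blocked hits is a candidate for rule tuning; many distinct rules and a high blocked count is the pattern worth investigating first.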

Details

Matt Zorich

Released: June 17, 2022

Tables

AzureDiagnostics

Keywords

AzureDiagnostics,ApplicationGateways,WAF,Hostname

Operators

where, >, ago, ==, isnotempty, summarize, count(), by, sort by, desc, render