Query Details

KQL To Check Azure API Spray Attacks

Query

// KQL to check Azure API spray attacks
// https://www.linkedin.com/posts/activity-7197794002526457857-Y09J/

ApiManagementGatewayLogs
| where TimeGenerated > ago(1d)                // last 24 hours of gateway logs
| where IsRequestSuccess == false              // bool column: compare with false, not the string "false"
| summarize Count=count() by CallerIpAddress   // failed requests per source IP
| sort by Count desc                           // noisiest sources first

// Block the attack IPs on your Azure Application Gateway WAF

Explanation

This KQL (Kusto Query Language) query is designed to surface potential spray attacks against APIs published through Azure API Management. Here's a simple summary:

  1. Data Source: It reads the ApiManagementGatewayLogs table, the request log of the Azure API Management gateway.
  2. Time Frame: It keeps only logs generated in the last day (24 hours).
  3. Filter: It keeps only failed requests (IsRequestSuccess is a bool column, so it is compared with false rather than the string "false").
  4. Summarize: It counts the failed requests for each source IP address (CallerIpAddress).
  5. Sort: It sorts these counts in descending order, showing the IPs with the most failed requests at the top.

The purpose is to identify IP addresses with a high number of failed requests, which could indicate a spray attack (many credential or token guesses, often across several operations). These IPs can then be blocked on your Azure Application Gateway Web Application Firewall (WAF) to stop further attempts. Before blocking, keep three things in mind. First, the filter counts every failure, so a client hitting a backend outage (5xx responses) ranks just as high as an attacker receiving 401 or 403; add a ResponseCode filter if you only care about authentication failures. Second, an attacker spreading attempts across many source addresses stays below any per-IP threshold, so compare the counts against your normal baseline rather than trusting the top of the list alone. Third, check what CallerIpAddress actually holds in your deployment: when API Management sits behind a proxy such as Application Gateway, the logged address may be the proxy's rather than the original client's, and the real client address then has to be taken from the forwarded header instead.
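To show the same aggregation in runnable form, here is an added Python example (not code from the page or its author) that replays the query over constructed ApiManagementGatewayLogs-style records and adds the refinements a practitioner would want: a failure-code filter so backend 5xx errors are not counted as spraying, a minimum count, and a distinct-operation count to catch guessing spread across endpoints. The field names mirror the real table columns; the sample records, the threshold values and the suspected_spray_sources helper are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2024, 8, 2, 12, 0, tzinfo=timezone.utc)

# Authentication/authorization failures typical of credential or token spraying.
AUTH_FAILURE_CODES = {401, 403}


def _rec(minutes_ago, ip, ok, code, op):
    """Build one constructed record with ApiManagementGatewayLogs column names."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "CallerIpAddress": ip,
        "IsRequestSuccess": ok,
        "ResponseCode": code,
        "OperationId": op,
    }


# Constructed sample log, not real telemetry.
SAMPLE_LOGS = [
    # One source sprays bad credentials across several operations.
    _rec(5, "203.0.113.10", False, 401, "get-orders"),
    _rec(6, "203.0.113.10", False, 401, "get-users"),
    _rec(7, "203.0.113.10", False, 401, "post-login"),
    _rec(8, "203.0.113.10", False, 403, "get-admin"),
    _rec(9, "203.0.113.10", False, 401, "get-invoices"),
    _rec(10, "203.0.113.10", False, 401, "get-orders"),
    _rec(11, "203.0.113.10", True, 200, "get-health"),
    # A legitimate client caught in a backend outage (5xx, not auth failures).
    _rec(30, "198.51.100.7", False, 500, "get-orders"),
    _rec(31, "198.51.100.7", False, 502, "get-orders"),
    _rec(32, "198.51.100.7", True, 200, "get-orders"),
    # Failures older than the 24h window; the query must ignore them.
    _rec(60 * 48, "192.0.2.5", False, 401, "post-login"),
    _rec(60 * 48 + 1, "192.0.2.5", False, 401, "post-login"),
    _rec(60 * 48 + 2, "192.0.2.5", False, 401, "post-login"),
]


def is_failure(value):
    """IsRequestSuccess is a bool column. Tolerate the string form some
    exports produce so a "false" string is not silently treated as truthy."""
    if isinstance(value, str):
        return value.strip().lower() == "false"
    return not bool(value)


def failed_requests_by_ip(records, now=NOW, window=timedelta(days=1), auth_only=False):
    """Mirror of the page's query: failed requests per CallerIpAddress inside
    the window, as a list of (ip, count) sorted by count descending.
    auth_only restricts the count to 401/403 responses."""
    counts = Counter()
    for r in records:
        if r["TimeGenerated"] <= now - window:
            continue
        if not is_failure(r["IsRequestSuccess"]):
            continue
        if auth_only and r["ResponseCode"] not in AUTH_FAILURE_CODES:
            continue
        counts[r["CallerIpAddress"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def suspected_spray_sources(records, threshold=5, min_operations=3,
                            now=NOW, window=timedelta(days=1)):
    """Flag IPs with at least `threshold` auth failures that touched at least
    `min_operations` distinct operations, i.e. guessing spread across endpoints.
    Returns {ip: {"failures": n, "operations": k}}. Thresholds are assumptions;
    tune them against your own baseline."""
    ops = defaultdict(set)
    for r in records:
        if (r["TimeGenerated"] > now - window
                and is_failure(r["IsRequestSuccess"])
                and r["ResponseCode"] in AUTH_FAILURE_CODES):
            ops[r["CallerIpAddress"]].add(r["OperationId"])
    flagged = {}
    for ip, n in failed_requests_by_ip(records, now=now, window=window, auth_only=True):
        if n >= threshold and len(ops[ip]) >= min_operations:
            flagged[ip] = {"failures": n, "operations": len(ops[ip])}
    return flagged


if __name__ == "__main__":
    print("all failures:", failed_requests_by_ip(SAMPLE_LOGS))
    print("auth failures:", failed_requests_by_ip(SAMPLE_LOGS, auth_only=True))
    print("suspected spray sources:", suspected_spray_sources(SAMPLE_LOGS))
```

With the sample above the plain per-IP count lists both the spraying source and the client that only saw 5xx errors; the auth-only count and the distinct-operation check keep just the spraying source, which is the list you would actually feed to a WAF block rule.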

Details

Steven Lim

Released: August 2, 2024

Tables

ApiManagementGatewayLogs

Keywords

ApiManagementGatewayLogs, TimeGenerated, IsRequestSuccess, CallerIpAddress, Count

Operators

where, >, ago, ==, summarize, count(), by, sort, desc