AzureDiagnostics table not showing action_s and ruleId_s columns


Logs are coming from an Application Gateway set up as a WAF v2.0.

The logs are sent to my workspace, but the action_s and ruleId_s fields are not present in the AzureDiagnostics table. This prevents me from detecting which HTTP requests are being flagged by OWASP rules.

I have a second Application Gateway set up as a WAF with logs going to another workspace, and there the AzureDiagnostics table shows the action_s and ruleId_s fields. Both firewalls are set up the same.

0 Replies