How it works

If you've gone through the Getting Started section, the steps required for Azure WAF Manager to have access to your data should already be completed. Just in case, here is a summary of them.

  • Log in to the portal and create an organization
  • Sign up for the Azure Lighthouse offer and provide Azure WAF Manager Log Analytics Reader access
  • Add your WAF policies to the portal

The three steps above are enough for most of the functionality to work. Whitelisting additionally needs one more step:

  • Create a Service Principal (for whitelisting)

Here is how things work behind the scenes.

Fetching WAF Logs

This is how we fetch the WAF logs behind the scenes:

[Diagram: Fetching Logs]

NOTE: We use precompiled queries, so our middleware never runs a query against your Log Analytics workspace that is not tied to Azure WAF Manager functionality.

In a little more detail, here is what happens in the diagram above.

For example, suppose you fetch the Front Door WAF logs for the last 24 hours.

  1. The user requests WAF logs. We construct a query that will be run against your own Log Analytics workspace.
  2. We send this query to your Log Analytics workspace. Because we have Log Analytics Reader access through Azure Lighthouse, your workspace executes the query and returns the results to our backend.
  3. The backend sends the log to our log enrichment engine, which enriches it with various data, identifies false positives, provides whitelist suggestions, and calculates a malicious confidence score for every request.
  4. The backend sends the entire enriched log to the frontend, which displays it back to the user as charts and as a filterable data grid. The grid lets you drill down to every level of the log and whitelist directly from it.
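To make steps 1 and 2 concrete, here is an added example (not Azure WAF Manager's own code) of what a "precompiled" Front Door WAF query looks like and why it matters: the KQL text is fixed, the only caller-supplied value is a policy name that must pass a strict validation rule before it enters a `let` binding, and the 24-hour window is passed as a query timespan rather than spliced into the query text. The table and column names (`AzureDiagnostics`, `FrontDoorWebApplicationFirewallLog`, `policy_s`, `action_s`, etc.) and the policy-name rule are assumptions based on the Azure Front Door diagnostic schema, and `fetch_waf_logs` only runs when you have Azure credentials and the `azure-monitor-query` package available.

```python
"""Fixed-template Front Door WAF log query, run read-only against a Log Analytics workspace."""
import re
from datetime import timedelta

# Assumed rule for Front Door WAF policy names: a letter followed by letters/digits only.
# Anything else is rejected before it can reach the query text.
POLICY_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,127}$")

# Upper bound on the requested window (constructed limit, not from the page).
MAX_WINDOW_HOURS = 24 * 30

# Precompiled query text. Nothing from the caller is concatenated into it;
# the policy name arrives through the KQL `let policy_name` binding added by build_query().
FRONTDOOR_WAF_QUERY = """AzureDiagnostics
| where Category == "FrontDoorWebApplicationFirewallLog"
| where policy_s == policy_name
| project TimeGenerated, clientIp_s, host_s, requestUri_s, action_s,
          ruleName_s, trackingReference_s, details_matches_s
| order by TimeGenerated desc
"""


def build_query(policy_name: str) -> str:
    """Return the full KQL text for one WAF policy, or raise if the name is not a valid identifier."""
    if not POLICY_NAME_RE.fullmatch(policy_name):
        raise ValueError(f"invalid WAF policy name: {policy_name!r}")
    # The validated name contains no quotes, semicolons or newlines, so the binding is inert.
    return f'let policy_name = "{policy_name}";\n' + FRONTDOOR_WAF_QUERY


def query_window(hours: int) -> timedelta:
    """Validate the requested look-back window and return it as a timespan."""
    if isinstance(hours, bool) or not isinstance(hours, int):
        raise ValueError("window must be an integer number of hours")
    if not 1 <= hours <= MAX_WINDOW_HOURS:
        raise ValueError(f"window must be between 1 and {MAX_WINDOW_HOURS} hours")
    return timedelta(hours=hours)


def fetch_waf_logs(workspace_id: str, policy_name: str, hours: int = 24) -> list:
    """Run the fixed query against the customer's workspace with a read-only identity.

    Requires azure-identity and azure-monitor-query plus a credential that holds
    Log Analytics Reader on the workspace (e.g. delegated through Azure Lighthouse).
    """
    from azure.identity import DefaultAzureCredential
    from azure.monitor.query import LogsQueryClient, LogsQueryStatus

    client = LogsQueryClient(DefaultAzureCredential())
    response = client.query_workspace(
        workspace_id,
        build_query(policy_name),
        timespan=query_window(hours),  # window travels as a timespan, not as query text
    )
    if response.status != LogsQueryStatus.SUCCESS:
        raise RuntimeError(f"query did not fully succeed: {response.status}")
    table = response.tables[0]
    # Turn each row into a dict keyed by column name for the enrichment stage.
    return [dict(zip(table.columns, row)) for row in table.rows]


if __name__ == "__main__":
    # Offline demonstration: print the query that would be sent for a constructed policy name.
    print(build_query("ExamplePolicy"))
    print("timespan:", query_window(24))
```

Because the query text is a constant and the validated name is the only variable, a request for a policy that is not registered in the portal, or a name that smuggles extra KQL, fails at `build_query` and never reaches the workspace. Running this in production would also warrant per-workspace rate limiting and logging of every query issued, since the reader identity is delegated across customer tenants.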
