
How it works

If you've gone through the Getting Started section, the steps required for Azure WAF Manager to access your data should already be complete. Just in case, here is a summary:

  • Log in to the portal and create an organization
  • Sign up for the Azure Lighthouse offer and provide Azure WAF Manager Log Analytics Reader access
  • Add your WAF policies to the portal

The steps above are enough for most of the functionality to work.

  • Create a Service Principal (for whitelisting)

Here is how things work behind the scenes.

Fetching WAF Logs

This is how we fetch the WAF logs behind the scenes:

[Diagram: Fetching Logs]

Info: We use precompiled queries, so our middleware doesn't run any queries against your Log Analytics workspace that are not connected to the functionality of the Azure WAF Manager.

In a little more detail, here is what's happening in the diagram above.

For example, suppose you fetch the Front Door WAF logs for the last 24 hours:

  1. We construct a query that goes through a Logic App and is ultimately run against your own Log Analytics workspace.
  2. The Log Analytics workspace returns the result to our Logic App, which in turn returns the result to our portal API.
  3. The portal API sends the log to our log enrichment engine, which enriches the log with various charts and calculates malicious confidence and scoring for all requests.
  4. The portal API then displays this back to the user in a filterable grid, so you can drill down to any depth of the log.
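The precompiled-query idea from the info note above can be sketched as follows. This is an added example, not Azure WAF Manager's own code: the registry, the `build_query` function, the 30-day limit and the policy-name pattern are hypothetical, and the table, category and column names assume the classic `AzureDiagnostics` schema for Front Door WAF logs.

```python
import re
from datetime import timedelta

# Hypothetical registry: the only KQL the middleware will ever send.
# Table, category and column names assume the classic AzureDiagnostics schema.
PRECOMPILED = {
    "frontdoor_waf_logs": (
        "AzureDiagnostics"
        ' | where Category == "FrontdoorWebApplicationFirewallLog"'
        " | where TimeGenerated > ago({hours}h)"
        ' | where policy_s == "{policy}"'
    ),
}

MAX_WINDOW = timedelta(days=30)  # assumed upper bound on the lookback window
# Assumed policy-name shape: starts with a letter, letters and digits only.
POLICY_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{0,127}")


class QueryRejected(ValueError):
    """Raised when a request does not map onto a precompiled query."""


def build_query(query_id: str, hours: int, policy: str) -> str:
    """Return the KQL for a known query id; callers never supply KQL text."""
    template = PRECOMPILED.get(query_id)
    if template is None:
        raise QueryRejected(f"unknown query id: {query_id!r}")
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(hours, bool) or not isinstance(hours, int):
        raise QueryRejected("hours must be an integer")
    if not 1 <= hours <= MAX_WINDOW // timedelta(hours=1):
        raise QueryRejected("lookback window out of range")
    # Strict allowlist on the only string parameter: quotes, pipes and
    # whitespace never reach the query text.
    if not isinstance(policy, str) or not POLICY_RE.fullmatch(policy):
        raise QueryRejected("policy name has unexpected characters")
    return template.format(hours=hours, policy=policy)


if __name__ == "__main__":
    # Constructed sample request: Front Door WAF logs for the last 24 hours.
    print(build_query("frontdoor_waf_logs", 24, "ProdWafPolicy"))
```

Because the caller can only choose a query id and two validated parameters, the set of statements that can reach the workspace is fixed and can be reviewed in advance.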