App Gateway Most Attacked Host Name
Query
//Visualize the most attacked hostname behind an Azure App Gateway/WAF
//Data connector required for this query - Azure Diagnostics (Application Gateways)
AzureDiagnostics
| where TimeGenerated > ago(30d)
| where ResourceType == "APPLICATIONGATEWAYS"
| where isnotempty(ruleId_s)
| summarize ['WAF Hit Count']=count() by hostname_s
| where isnotempty(hostname_s)
| sort by ['WAF Hit Count'] desc
| render barchart with (title="Most WAF Hits by Hostname", xtitle="Hostname")Explanation
This query analyzes data from Azure Diagnostics for Application Gateways to find the hostname that has been attacked the most behind an Azure App Gateway/WAF. It filters the data for the past 30 days and selects only application gateways. It then counts the number of WAF hits for each hostname and displays the results in a bar chart, sorted in descending order. The chart title is "Most WAF Hits by Hostname" and the x-axis represents the hostnames.
Details

Matt Zorich
Released: June 17, 2022
Tables
AzureDiagnostics
Keywords
AzureDiagnosticsApplicationGatewaysWAFHostname
Operators
where>ago==isnotemptysummarizecount()bysort bydescrender