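# Search by listener name and operation

```kusto
// Request counts per URI for one listener over the last two hours.
// OperationName == 'ApplicationGatewayAccess' restricts AzureDiagnostics to the
// Application Gateway access log. Replace 'listener-name' with the listener to inspect.
AzureDiagnostics
| where TimeGenerated >= ago(2h)
| where listenerName_s == 'listener-name'
| where OperationName == 'ApplicationGatewayAccess'
// Uncomment to pull the CSRFNONCE query-string parameter into its own column (same pattern as below).
// | extend nonce = extract(@"CSRFNONCE=(\w+)(?:[&?\s]|$)", 1, url_decode(originalRequestUriWithArgs_s))
| summarize count() by requestUri_s
| order by count_ desc
```

# Enrich with geo-data

```kusto
// Join each request's client IP to a public IP-to-country table and count requests per country.
//
// Supply-chain caveat: external_data() makes the cluster fetch this CSV from a third-party
// GitHub repository at query time, from the moving 'master' branch, with no integrity check.
// Whoever can push to that repository controls what your geo attribution says. For anything
// beyond ad-hoc triage, pin the URL to a specific commit or mirror the file into storage you
// control. The cluster also needs outbound access to that host for the query to run at all.
let IP_Data = external_data(
    network:string, geoname_id:long, continent_code:string, continent_name:string,
    country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'];
AzureDiagnostics
| where TimeGenerated >= ago(2h)
| where listenerName_s == 'listener-name'
| where OperationName == 'ApplicationGatewayAccess'
// return_unmatched = true keeps requests whose IP falls in no listed network; their country
// columns come back empty, so an empty country_name row below means "not in the dataset".
| evaluate ipv4_lookup(IP_Data, clientIP_s, network, return_unmatched = true)
// The original ended with 'summarize count() by' and no grouping column, which does not parse.
// Grouping on is_anonymous_proxy as well separates traffic the dataset flags as proxy/VPN egress.
| summarize count() by country_name, is_anonymous_proxy
| order by count_ desc
```

# Extract URL parameter into field

```kusto
// Pull the CSRFNONCE query-string parameter into a 'nonce' column, then chart request volume
// per /16 for client IPs in 79.0.0.0/8 over a fixed window.
//
// Time handling: TimeGenerated is stored in UTC. The window below was written in local time
// (UTC+8), so the offset is subtracted to convert it. The same window drives both the row
// filter and the make-series axis; the original filtered rows on ago(2h) but plotted from a
// fixed date in 2022, so the two windows did not overlap and the chart came out empty.
let TimeOffset = 8h;                                   // local zone is UTC+8
let StartTime = todatetime('2022-01-13 09:00') - TimeOffset;
let StopTime = now();
AzureDiagnostics
| where TimeGenerated between (StartTime .. StopTime)
| where listenerName_s == 'listener-name'
| where OperationName == 'ApplicationGatewayAccess'
// url_decode first: the gateway logs the URI as it arrived, so the parameter name or its
// delimiters may be percent-encoded. (\w+) stops at the first non-word character, and the
// trailing group insists on a real delimiter, whitespace, or end of string, so a value such as
// 'CSRFNONCE=abc.def' is not accepted as a nonce. The original pattern ended in the character
// class '[\n|\&|\?|$]', inside which '$' is a literal dollar sign, so a nonce that was the last
// thing in the URL never matched.
| extend nonce = extract(@"CSRFNONCE=(\w+)(?:[&?\s]|$)", 1, url_decode(originalRequestUriWithArgs_s))
// First two octets of the client IP (e.g. '79.12.'), i.e. a /16 bucket; empty for non-IPv4 values.
| extend net = tostring(extract(@"^(\d+\.\d+\.)", 1, clientIP_s))
// 'startswith "79."' rather than '"79"' so the filter means the 79.0.0.0/8 block and nothing else.
| where net startswith "79."
| make-series C = count() on TimeGenerated from StartTime to StopTime step 1m by net
| render timechart
```

# Get a list of URL parameters and then filter on those parameters

```kusto
// Find CSRF nonces that were presented more than once in the window, then list every request
// that carried one of them. A nonce is meant to be single-use, so reuse across requests is the
// signal this query surfaces (replay, a leaked token, or a client resubmitting a cached form).
//
// Note: the nonce travels in the query string, so it is recorded here in full. Anyone with read
// access to this workspace can see live anti-CSRF tokens for the window they query. That is a
// reason to carry the token in a header or request body rather than the URL, and until then to
// treat readers of this workspace as holders of those tokens.
//
// Times: TimeGenerated is UTC; the bounds are written in local time (UTC+8) and converted by
// subtracting the offset.
let TimeOffset = 8h;
let StartTimeActual = todatetime('2022-01-10 01:49:00') - TimeOffset;
let StopTimeActual = todatetime('2022-01-11 02:30:00') - TimeOffset;
let Listener = 'listener-name';
// contains_cs (case-sensitive) agrees with the case-sensitive regex below; plain 'contains' is
// case-insensitive and would pass rows the regex then rejects.
let suspicious_nonces = (
    AzureDiagnostics
    | where TimeGenerated between (StartTimeActual .. StopTimeActual)
    | where listenerName_s == Listener
    | where OperationName == 'ApplicationGatewayAccess'
    | where originalRequestUriWithArgs_s contains_cs 'CSRFNONCE'
    | extend nonce = extract(@"CSRFNONCE=(\w+)(?:[&?\s]|$)", 1, url_decode(originalRequestUriWithArgs_s))
    | where isnotempty(nonce)
    | summarize count() by nonce
    | where count_ > 1
    // One nonce per row. The original wrapped this in make_list(), producing a single row that
    // holds an array; 'in (...)' compares the column value as-is rather than unpacking it, so
    // no request ever matched.
    | project nonce);
AzureDiagnostics
| where TimeGenerated between (StartTimeActual .. StopTimeActual)
// The original compared against 'backend_name' here while the subquery used 'listener-name';
// both halves must look at the same listener or the two sets never intersect.
| where listenerName_s == Listener
| where OperationName == 'ApplicationGatewayAccess'
| where originalRequestUriWithArgs_s contains_cs 'CSRFNONCE'
| extend nonce = extract(@"CSRFNONCE=(\w+)(?:[&?\s]|$)", 1, url_decode(originalRequestUriWithArgs_s))
| where nonce in (suspicious_nonces)
| order by nonce desc, TimeGenerated desc
```

# Create a time series chart on unique client IPs

```kusto
// One series per client IP: requests per 30 minutes to a given host whose URI contains a marker
// value. Each distinct clientIP_s becomes its own line, so narrow the URI filter before
// rendering or the chart becomes unreadable. If a single "distinct clients over time" line is
// what you want, use 'make-series dcount(clientIP_s)' without the 'by' clause instead.
//
// The window is given in local time (UTC+8) and shifted to UTC, which is what TimeGenerated
// holds. The explicit 'where TimeGenerated between' mirrors the make-series range so the scan
// is bounded; make-series alone would still read the whole table before discarding rows.
let TimeOffset = 8h;
let StartTime = todatetime('2022-01-07 11:00:00') - TimeOffset;
let StopTime = todatetime('2022-01-07 17:00:00') - TimeOffset;
AzureDiagnostics
| where TimeGenerated between (StartTime .. StopTime)
| where hostname_s contains 'www.site.com' or host_s contains 'www.site.com'
| where originalRequestUriWithArgs_s contains 'SOMEVALUE'
| make-series C = count() on TimeGenerated from StartTime to StopTime step 30m by clientIP_s
| render timechart
// Alternative tabular view of the same rows, counts per URI instead of a chart:
// | summarize count() by requestUri_s
```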