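Depends on the following being created [[Application Gateway Access and Firewall Views]]

# List of Allowed and Blocked Transactions

```kusto
// NOTE(review): this query returns the firewall detail rows of Allowed
// transactions only. The per-transaction Allowed/Blocked list is the second
// query on this page, so the two headings look swapped -- confirm.

// Access-log view. The original note left this definition unterminated; the
// closing "};" is added so the query parses.
// NOTE(review): nothing below references this view; presumably it mirrors the
// definition in the linked views page -- confirm whether it is needed here.
let ApplicationGatewayAccessLog = view() {
    AzureDiagnostics
    | where Category == 'ApplicationGatewayAccessLog'
    | project-keep TenantId,TimeGenerated,ResourceId,Category,ResourceGroup,SubscriptionId,
        ResourceProvider,Resource,ResourceType,OperationName,requestUri_s,userAgent_s,
        ruleName_s,httpMethod_s,instanceId_s,httpVersion_s,clientIP_s,host_s,requestQuery_s,
        sslEnabled_s,clientPort_d,httpStatus_d,receivedBytes_d,sentBytes_d,timeTaken_d,
        SourceSystem,timeStamp_t,listenerName_s,backendPoolName_s,backendSettingName_s,
        originalRequestUriWithArgs_s,clientResponseTime_d,WAFEvaluationTime_s,WAFMode_s,
        transactionId_g,sslCipher_s,sslProtocol_s,sslClientVerify_s,serverRouted_s,
        serverStatus_s,serverResponseLatency_s,upstreamSourcePort_s,originalHost_s,Type,
        _ResourceId
};
// Sample values: replace with the time and client IP under investigation.
let SearchTime = todatetime('2022-01-01T01:00:00.000Z');
let Window = 5m;            // rows from SearchTime - Window to SearchTime + Window are searched
let SourceIP = '1.1.1.1';
// Transaction ids from SourceIP that have no firewall row with action_s == 'Blocked'.
// "Allowed" therefore means "never blocked": a transaction whose rule hits were only
// logged (for example when the WAF is not in prevention mode) is counted as Allowed.
let AllowedTX = (
    ApplicationGatewayFirewallExtended
    | where TimeGenerated >= SearchTime - Window and TimeGenerated <= SearchTime + Window
    // Column names are case-sensitive: this is clientIp_s, while the access-log
    // view above lists clientIP_s.
    | where clientIp_s == SourceIP
    | summarize Result=anyif('Blocked', action_s=='Blocked') by transactionId_g
    | extend Result = case(isempty(Result), 'Allowed', Result)
    | where Result=='Allowed'
    // "in" reads only the first column of a table; projecting makes that explicit.
    | project transactionId_g);
// Every firewall row in the window that belongs to one of those transactions.
ApplicationGatewayFirewallExtended
| where TimeGenerated >= SearchTime - Window and TimeGenerated <= SearchTime + Window
| where transactionId_g in (AllowedTX)
```

# Details of All Allowed Transactions

```kusto
// NOTE(review): this query returns one row per transaction with Result set to
// 'Allowed' or 'Blocked'; it is the list query, not the detail query -- confirm
// the heading.

// Sample values: replace with the time and client IP under investigation.
let SearchTime = todatetime('2022-01-01T01:00:00.000Z');
let Window = 5m;            // rows from SearchTime - Window to SearchTime + Window are searched
let SourceIP = '1.1.1.1';
ApplicationGatewayFirewallExtended
| where TimeGenerated >= SearchTime - Window and TimeGenerated <= SearchTime + Window
| where clientIp_s == SourceIP
// Result is 'Blocked' when any row of the transaction was blocked and empty otherwise.
| summarize Result=anyif('Blocked', action_s=='Blocked') by transactionId_g
// An empty Result means no Blocked row was seen in the window; label it 'Allowed'.
| extend Result = case(isempty(Result), 'Allowed', Result)
```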