How to know which managed rule is blocking the request in Azure Front Door managed WAF rules

Barik, Monalisa 126 Reputation points
2023-08-11T08:50:39.7533333+00:00

Hi Team,

We are using Azure Front Door Premium and we have set prevention mode for the Front Door WAF rules.

We have set diagnostic settings to log Azure Front Door WAF rules but could not find how to check the WAF logs.

Kindly let us know how we can check which managed rule in Azure Front Door is blocking our request.

Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.

Accepted answer
    GitaraniSharma-MSFT 49,721 Reputation points Microsoft Employee
    2023-08-11T10:04:37.52+00:00

    Hello @Barik, Monalisa ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how to check Azure Front Door WAF logs and how to know which managed rule is blocking the request in Azure Front Door managed WAF rules.

    You've mentioned that you have already set diagnostic settings to log Azure Front Door WAF rules following the below doc:

    https://learn.microsoft.com/en-us/azure/frontdoor/standard-premium/how-to-logs#configure-logs

    When enabling a diagnostic setting, you choose a destination where the logs should be stored, such as a Log Analytics workspace, a storage account or an event hub.

    Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#destinations

    Now, the way to access the logs will differ depending on which destination you've selected.

    If you've selected Log Analytics, then you can run a query from the Azure Front Door Logs pane, or go to the configured Log Analytics workspace, open the Logs pane, select a scope (your Azure Front Door resource in this case), specify a time range and run a query.

    Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/tutorial-resource-logs

    https://learn.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial

    An example Azure Front Door WAF query is provided in the below doc:

    https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-monitor?pivots=front-door-standard-premium#waf-logs


    You can run the below query to get the complete WAF logs:

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"

    To get only the blocked requests, you can run the below query:

    AzureDiagnostics
    | where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
    | where action_s == "Block"


    The WAF log result will have a column called "RuleName" and this is where you can find which managed rule has blocked a specific request.

    If you've selected the logs to be sent to Azure Storage, then you need to go to the configured storage account and look for the JSON logs, which are written to blobs based on the time a log was received. For the naming convention of the blob containing the logs, please refer to the doc below:

    https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs#send-to-azure-storage

    If you've selected the logs to be sent to an Azure event hub, then you can stream the data to external systems such as third-party SIEMs and other log analytics solutions.

    Refer: https://learn.microsoft.com/en-us/azure/event-hubs/

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
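The accepted answer covers the Log Analytics route with KQL; when the diagnostic setting points at a storage account instead, the same "which RuleName blocked this request" question has to be answered from the newline-delimited JSON in the blobs. The script below is an added example, not part of the answer above and not Microsoft code. It parses a constructed sample of such records, keeps only the FrontDoorWebApplicationFirewallLog category, filters to action "Block" (the equivalent of the answer's action_s == "Block"), counts blocks per managed rule, and looks a single request up by its trackingReference (the value Front Door returns to the client in the X-Azure-Ref header). The property names follow the documented WAF log schema; the envelope layout (top-level time and category with a properties object) and every sample value are assumptions.

```python
import json
from collections import Counter

WAF_CATEGORY = "FrontDoorWebApplicationFirewallLog"

# Constructed sample, not real traffic: four newline-delimited JSON records in the
# shape a diagnostic setting writes to a storage blob (the envelope layout is an
# assumption; the property names are those of the WAF log schema). Two managed-rule
# blocks, one log-only match and one access-log record that must be ignored.
SAMPLE_BLOB_TEXT = """\
{"time": "2023-08-11T08:40:12Z", "category": "FrontDoorWebApplicationFirewallLog", "properties": {"clientIP": "203.0.113.10", "requestUri": "https://www.example.test/search?q=1%20OR%201%3D1", "ruleName": "DefaultRuleSet-1.0-SQLI-942430", "action": "Block", "policy": "examplewafpolicy", "policyMode": "prevention", "trackingReference": "0aBc123dEf456"}}
{"time": "2023-08-11T08:41:03Z", "category": "FrontDoorWebApplicationFirewallLog", "properties": {"clientIP": "203.0.113.11", "requestUri": "https://www.example.test/login", "ruleName": "DefaultRuleSet-1.0-PROTOCOL-ATTACK-921110", "action": "Log", "policy": "examplewafpolicy", "policyMode": "prevention", "trackingReference": "0aBc789gHi012"}}
{"time": "2023-08-11T08:41:30Z", "category": "FrontDoorAccessLog", "properties": {"clientIP": "203.0.113.12", "requestUri": "https://www.example.test/", "httpStatusCode": "200"}}
{"time": "2023-08-11T08:42:55Z", "category": "FrontDoorWebApplicationFirewallLog", "properties": {"clientIP": "203.0.113.10", "requestUri": "https://www.example.test/api/items?id=1%27", "ruleName": "DefaultRuleSet-1.0-SQLI-942430", "action": "Block", "policy": "examplewafpolicy", "policyMode": "prevention", "trackingReference": "0aBc345jKl678"}}
"""


def parse_waf_records(blob_text):
    """Parse newline-delimited JSON and keep only WAF log records.

    Each returned record is the "properties" object with the top-level "time"
    copied in, so callers can filter and sort on one flat dict.
    """
    records = []
    for line in blob_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            # A line still being written (blobs are appended to during the hour)
            # is skipped rather than aborting the whole parse.
            continue
        if entry.get("category") != WAF_CATEGORY:
            continue
        record = dict(entry.get("properties", {}))
        record["time"] = entry.get("time")
        records.append(record)
    return records


def blocked_requests(records):
    """Same filter as the KQL `where action_s == "Block"` in the answer."""
    return [r for r in records if r.get("action") == "Block"]


def blocks_by_rule(records):
    """Blocked requests per managed rule (the RuleName column), most frequent first."""
    counts = Counter(r.get("ruleName", "<missing ruleName>") for r in blocked_requests(records))
    return counts.most_common()


def find_by_tracking_reference(records, tracking_ref):
    """Return the WAF record for one request, located by its trackingReference."""
    for r in records:
        if r.get("trackingReference") == tracking_ref:
            return r
    return None


if __name__ == "__main__":
    recs = parse_waf_records(SAMPLE_BLOB_TEXT)
    print("blocks per managed rule:")
    for rule, n in blocks_by_rule(recs):
        print(f"{n:4d}  {rule}")
    hit = find_by_tracking_reference(recs, "0aBc345jKl678")
    if hit:
        print(f"{hit['trackingReference']}: {hit['action']} by {hit['ruleName']} on {hit['requestUri']}")
```

To use it against real data, concatenate the PT1H.json blobs for the hour in question into the text passed to parse_waf_records. The per-rule count is the storage-side equivalent of summarizing the answer's query by the RuleName column, and the tracking-reference lookup is the quickest way to go from a single blocked response back to the exact managed rule that produced it.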


0 additional answers
