View Azure WAF V2 Blocking Logs

Summary: Azure WAF blocking logs can be viewed with a KQL query in a Log Analytics workspace in the Azure Portal. The Application Gateway hosting the WAF must be configured to forward its logs to that workspace (see Diagnostic Settings for the Application Gateway in the Portal).

The following query returns the WAF firewall log entries, which include the blocked requests:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "ApplicationGatewayFirewallLog"

Run this query in the Azure Portal.

Expanding a log entry will show the Source IP, Destination Host IP, Rule Name, and Rule Action.

These logs can be exported to a CSV file and imported into Excel for further review.
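
For triage before exporting, the query can be narrowed to blocked requests and grouped by client and rule. The following is an added example, not part of the original post. It assumes the AzureDiagnostics column names action_s, clientIp_s, hostname_s, requestUri_s, ruleId_s and transactionId_g, and that matched rules are logged with the action "Matched"; confirm both by expanding a log entry in your own workspace.

```kusto
// Added example: blocked requests in the last 24 hours, with the rules that
// matched on the same request, grouped by client IP, host and rule.
// Column names are assumptions based on the AzureDiagnostics schema; verify
// them against an expanded log entry before relying on the results.
let waf = AzureDiagnostics
    | where TimeGenerated > ago(24h)
    | where ResourceProvider == "MICROSOFT.NETWORK"
        and Category == "ApplicationGatewayFirewallLog";
waf
| where action_s == "Blocked"
| project TimeGenerated, transactionId_g, clientIp_s, hostname_s,
          requestUri_s, BlockingRule = ruleId_s
// With anomaly scoring, the block is often logged under a generic rule ID,
// so pull in the individual rules that matched on the same transaction.
| join kind=leftouter (
    waf
    | where action_s == "Matched"
    | summarize MatchedRules = make_set(ruleId_s) by transactionId_g
  ) on transactionId_g
| summarize
    Blocks     = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    SampleUris = make_set(requestUri_s, 5)
    by clientIp_s, hostname_s, BlockingRule,
       MatchedRules = tostring(MatchedRules)
| order by Blocks desc
```

A rule that blocks many distinct clients on the same URI is a candidate for false-positive review, while one client tripping many rules is worth a closer look at the source.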

Enjoy!