|
| 1 | +--- |
| 2 | +title: Azure Application Gateway WAF Insights Dashboards |
| 3 | +description: Learn how to use Azure Application Gateway WAF insights dashboards to monitor, investigate, and report on web application firewall activity. |
| 4 | +author: halkazwini |
| 5 | +ms.author: halkazwini |
| 6 | +ms.service: azure-web-application-firewall |
| 7 | +ms.topic: concept-article |
| 8 | +ms.date: 02/20/2026 |
| 9 | +--- |
| 10 | + |
| 11 | +# Azure Application Gateway Web Application Firewall (WAF) insights dashboards |
| 12 | + |
| 13 | +The WAF Insights dashboards for Azure Application Gateway provide a unified experience for monitoring, investigation, and reporting of WAF activity. They help security and operations teams detect attack patterns, validate WAF policy effectiveness, identify misconfigurations, and accelerate incident response through deep drill-down analysis. By combining high-level visibility with detailed request-level insights, the dashboards support both strategic monitoring and hands-on troubleshooting. |
| 14 | + |
| 15 | +The solution includes two main dashboards: |
| 16 | + |
| 17 | +**Monitor tab** - designed for continuous visibility. It surfaces high-level metrics and trends such as total request volumes, managed rule matches, custom rule matches, and JavaScript challenge activity. The Monitor tab helps operators detect anomalies, track the effectiveness of WAF protections, and understand overall application security posture at a glance. |
| 18 | + |
| 19 | +**Triage tab** - designed for investigation. It provides drill-down views to identify affected hosts, URLs, requests, and rules involved in a specific security event. This supports root cause analysis and faster incident response. |
| 20 | + |
| 21 | + |
| 22 | +## Prerequisites |
| 23 | + |
| 24 | +To view WAF data in the dashboards, **Diagnostic Settings** must be enabled for the Application Gateway associations you want to monitor. Without diagnostic logs, no WAF data will be available in the dashboards. To learn more about how to enable diagnostic settings, see [Monitor logs for Azure Web Application Firewall](/azure/web-application-firewall/ag/web-application-firewall-logs?tabs=AppGW) and [Diagnostic logs - Azure Application Gateway](/azure/application-gateway/application-gateway-diagnostics) |
| 25 | + |
| 26 | +## Azure workbooks |
| 27 | + |
| 28 | +Both dashboards are implemented as Azure Monitor workbooks, allowing customization, exploration, and extension of visualizations based on operational and security needs. |
| 29 | + |
| 30 | +## Data sources and architecture |
| 31 | + |
| 32 | +The dashboards combine **Metrics** and **Logs**, which complement each other: |
| 33 | + |
| 34 | +| Source | Description | Retention | Best for | |
| 35 | +|----|----|----|----| |
| 36 | +| **Metrics** | Aggregated counters collected at minute intervals. Optimized for trend analysis. | Controlled by Azure Monitor metrics retention settings. | Near real-time anomaly detection, activity trends. | |
| 37 | +| **Logs (Azure diagnostics)** | Full per-request event data from WAF diagnostic logging. | Controlled by Log Analytics Workspace retention policy. | Deep forensic investigation, compliance, and auditing. | |
| 38 | + |
| 39 | +> [!IMPORTANT] |
| 40 | +> - Metrics are ideal for fast anomaly detection but don't contain full request details. |
| 41 | +> - Logs contain full forensic information but may take longer to query for large datasets. |
| 42 | +
|
| 43 | +## Dashboard structure |
| 44 | + |
| 45 | +The WAF Insights experience is divided into two main tabs: |
| 46 | + |
| 47 | +- **Monitor** - High-level reporting and trend tracking. |
| 48 | + |
| 49 | +- **Triage** - Drill-down investigations of events. |
| 50 | + |
| 51 | + |
| 52 | +Each tab offers a different perspective and is often used together: monitor overall health in the **Monitor tab**, then use the **Triage tab** to investigate anomalies. |
| 53 | + |
| 54 | + |
| 55 | +### Monitor tab |
| 56 | + |
| 57 | +The Monitor tab provides visibility and reporting through two main views – **WAF logs** and **WAF metrics**. |
| 58 | + |
| 59 | + |
| 60 | +The **WAF logs** view gives a detailed request-level perspective sourced from the AzureDiagnostics table in LAW. It includes visualizations such as total WAF requests by rule group, WAF actions by type (for example, Blocked), top blocked URIs, top triggered rules, rules over time, and details of triggered rule events with timestamps, hosts, AppGW instances, and client IPs. Analysts can also correlate data by tracking ID, review top offending IPs, and inspect related requests to detect targeted attacks, validate rule effectiveness, and support audits or compliance reviews. |
| 61 | + |
| 62 | +:::image type="content" source="../media/insights/insights-dashboard-monitor-tab.png" alt-text="Screenshot of the monitor tab of the WAF insights dashboard." lightbox="../media/insights/insights-dashboard-monitor-tab.png"::: |
| 63 | + |
| 64 | +The **WAF metrics** view provides near real-time visibility into WAF activity using Azure Monitor metrics. It includes visualizations showing total WAF requests, managed rule matches by association (both blocked and non-blocked), JS challenge request counts, and custom rule matches. This data helps detect sudden traffic surges, monitor rule behavior, evaluate JS challenge enforcement, and verify correct policy configuration. Metrics offer an operational perspective that complements the detailed forensic insights provided by logs. |
| 65 | + |
| 66 | +:::image type="content" source="../media/insights/insights-dashboard-waf-metrics.png" alt-text="Screenshot of the Azure WAF metrics tab of the WAF insights dashboard." lightbox="../media/insights/insights-dashboard-waf-metrics.png"::: |
| 67 | + |
| 68 | +### Triage tab |
| 69 | + |
| 70 | +The Triage tab is built for investigation and troubleshooting of WAF events. It uses data from AzureDiagnostics within the Log Analytics Workspace (LAW) and supports two investigation modes: **Triage by Rule** and **Triage by URL**. |
| 71 | +Except for the first visualization, each component dynamically filters based on selections from the previous step, allowing a natural drill-down flow that narrows from a broad scope to specific impacted requests. |
| 72 | + |
| 73 | +#### Triage by rule |
| 74 | + |
| 75 | +In **Triage by Rule**, investigation starts from a triggered rule. The flow begins with selecting the WAF policy scope (Listener, URI Path, or Global). Next, you can view an overview of triggered rules, including rule ID, action, ruleset version, scope, and the number of impacted requests. From there, the investigation drills down to the affected hosts, URLs, and individual transactions. This approach helps identify which rules are responsible for most of the blocked traffic, detect false positives, and understand which hosts and URLs are most affected. |
| 76 | + |
| 77 | +:::image type="content" source="../media/insights/insights-dashboard-triage-tab.png" alt-text="Screenshot of the triage tab of the WAF insights dashboard." lightbox="../media/insights/insights-dashboard-triage-tab.png"::: |
| 78 | + |
| 79 | +#### Triage by URL |
| 80 | + |
| 81 | +In **Triage by URL**, investigation begins with a URL path. Analysts select the relevant Application Gateway and policy scope, identify the hosts or IPs targeting specific URLs, and view the rules triggered for those impacted requests. This approach is useful for investigating suspicious activity on sensitive endpoints such as login pages, verifying whether blocked requests are legitimate or malicious, and mapping attack patterns across URLs. |
| 82 | + |
| 83 | +## Summary of dashboards |
| 84 | + |
| 85 | +| **Dashboard** | **Purpose** | **Investigation flow** | **Example use cases** | |
| 86 | +|----|----|----|----| |
| 87 | +| **Monitor - WAF logs** | Log-based monitoring | Pulls structured data from LAW | Validate policy effectiveness, perform audits, investigate requests | |
| 88 | +| **Monitor - WAF metrics** | Metric-based monitoring | Uses Azure Monitor metrics | Near real-time monitoring, detect anomalies, track trends | |
| 89 | +| **Triage by rule** | Investigate by rule ID | Scope → Rule → Hosts → URLs → Requests | Identify noisy rules, analyze blocks, fine-tune rules | |
| 90 | +| **Triage by URL** | Investigate by URL path | Scope → URL → Hosts → Rules → Requests | Investigate attacks on sensitive endpoints, validate rule effectiveness | |
| 91 | + |
| 92 | + |
| 93 | +## Glossary |
| 94 | + |
| 95 | +**Association**: The binding between a WAF policy and an Application Gateway listener or path. |
| 96 | + |
| 97 | +**Scope**: The level at which a WAF policy applies (Listener, URI Path, Global). |
| 98 | + |
| 99 | +**Rule ID**: Identifier of a managed rule triggered by the WAF. |
| 100 | + |
| 101 | +**LAW (Log Analytics workspace)**: Repository where logs are stored and queried. |
| 102 | + |
| 103 | +**Metrics**: Aggregated counters optimized for fast monitoring. |
| 104 | + |
| 105 | +## Limitations and considerations |
| 106 | + |
| 107 | +- **Latency:** Metrics are near real-time, but Logs may have ingestion delay (typically 1-5 minutes). |
| 108 | + |
| 109 | +- **Retention:** Ensure Log Analytics retention is configured to match compliance/audit needs. |
| 110 | + |
| 111 | +- **Scale:** Large volumes of diagnostic logs can increase query latency and storage costs. |
| 112 | + |
| 113 | +## Best practices |
| 114 | + |
| 115 | +- Always enable **both metrics and logs** to balance visibility and detail. |
| 116 | + |
| 117 | +- Use the **Monitor tab daily** for operational awareness, and the **Triage tab on demand** during incidents. |
| 118 | + |
| 119 | +- Periodically review *noisy rules* in the **Triage by rule** view to fine-tune WAF configuration. |
| 120 | + |
| 121 | +- Configure alerts on **sudden spikes** in WAF metrics (for example, challenge requests or blocked requests). |
| 122 | + |
| 123 | +- Align dashboard use with **incident response workflows**, ensuring security and networking teams collaborate using the same views. |
| 124 | + |
| 125 | +## Related content |
| 126 | + |
| 127 | +- [Monitor Azure Application Gateway](/azure/application-gateway/monitor-application-gateway) |
| 128 | + |
| 129 | +- [Examining logs using Azure Log Analytics - Azure Application Gateway](/azure/application-gateway/log-analytics) |
| 130 | + |
| 131 | +- [Diagnostic logs - Azure Application Gateway](/azure/application-gateway/application-gateway-diagnostics) |
| 132 | + |
| 133 | +- [Azure Monitor metrics for Application Gateway](/azure/application-gateway/application-gateway-metrics) |
| 134 | + |
| 135 | +- [Azure Workbooks overview - Azure Monitor](/azure/azure-monitor/visualize/workbooks-overview) |
| 136 | + |
| 137 | +- [Monitoring metrics for Azure Application Gateway Web Application Firewall](/azure/web-application-firewall/ag/application-gateway-waf-metrics) |
| 138 | + |
| 139 | +- [Monitor logs for Azure Web Application Firewall](/azure/web-application-firewall/ag/web-application-firewall-logs?tabs=AppGW) |
| 140 | + |
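Review bot: The Monitor tab paragraph says "sourced from the AzureDiagnostics table in LAW" before the abbreviation is expanded; the expansion first appears later, in the Triage tab paragraph ("Log Analytics Workspace (LAW)") and in the Glossary. Spell it out at first use, and pick one capitalization, since the data sources table and Triage tab write "Log Analytics Workspace" while the Glossary writes "Log Analytics workspace". Two smaller points: the Prerequisites paragraph ends without a period after the second link, and the Glossary defines Rule ID as the identifier of a managed rule although the Monitor tab also reports custom rule matches, so the text should say whether the Triage by rule view covers custom rules. Since the WAF logs view exposes client IPs and per-request details, the Retention bullet under "Limitations and considerations" would be a natural place to mention who should have access to the workspace.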