Rules (XIF)
/*
Handles Azure WAF Common Fields
*/
[RULE: msft_azure_resourcelogs_common_fields]
alter
xdm.event.type = if(
Category = "FrontDoorAccessLog", "Front Door Access Log",
Category = "FrontDoorWebApplicationFirewallLog", "Front Door Web Application Firewall Log",
category = "ApplicationGatewayAccessLog", "Application Gateway Access Log",
category = "ApplicationGatewayFirewallLog", "Application Gateway Firewall Log",
type = "AGWAccessLogs", "Application Gateway Access Log",
type = "AGWFirewallLogs", "Application Gateway Firewall Log"),
xdm.event.log_level = if(level ~= "Information", XDM_CONST.LOG_LEVEL_INFORMATIONAL, level = "Warning", XDM_CONST.LOG_LEVEL_WARNING, level = "Error", XDM_CONST.LOG_LEVEL_ERROR, level = "Critical", XDM_CONST.LOG_LEVEL_CRITICAL, level = null, null, to_string(level)),
xdm.event.original_event_type = coalesce(if(len(category) != 0, category, null),if(len(Category) != 0, Category, null), if(len(type) != 0, type, null)),
xdm.event.operation_sub_type = operationName,
xdm.source.user.username = to_string(identity),
xdm.source.cloud.project_id = coalesce(SubscriptionId, arrayindex(regextract(resourceId, "/SUBSCRIPTIONS/([^\/]+)"), 0), tenantId),
xdm.source.cloud.region = location,
xdm.source.cloud.provider = XDM_CONST.CLOUD_PROVIDER_AZURE,
xdm.session_context_id = correlationId,
xdm.target.resource.id = resourceId;
/*
Handles Front Door Common Fields
FrontDoorAccessLog and FrontDoorWebApplicationFirewallLog
*/
[RULE: front_door_common_fields]
filter Category in ("FrontDoorAccessLog", "FrontDoorWebApplicationFirewallLog")
| alter CallerIPAddress = if(len(CallerIPAddress) = 0,null, CallerIPAddress )
| alter tmp_ip_address = coalesce(CallerIPAddress, clientIP_s)
| alter
source_ipv4 = arrayindex(regextract(tmp_ip_address, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
source_ipv6 = arrayindex(regextract(tmp_ip_address, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
source_socket_ipv4 = regextract(socketIP_s, "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),
source_socket_ipv6 = regextract(socketIP_s, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),
clientPort_s = to_integer(clientPort_s),
clientPort_d = to_integer(clientPort_d)
| alter
xdm.event.id = trackingReference_s,
xdm.source.port = coalesce(to_integer(clientPort_d) , to_integer(clientPort_s)),
xdm.source.ipv4 = source_ipv4 ,
xdm.source.ipv6 = source_ipv6,
xdm.source.host.ipv4_addresses = source_socket_ipv4,
xdm.source.host.ipv6_addresses = source_socket_ipv6,
xdm.target.url = requestUri_s,
xdm.target.resource.name = Resource,
xdm.target.resource.parent_id = ResourceGroup ,
xdm.target.resource.type = ResourceType;
/*
Handles Front Door WAF Logs
*/
[RULE: front_door_waf_log]
alter
xdm.event.description = details_data_s,
xdm.observer.action = action_s,
xdm.network.rule = ruleName_s,
xdm.target.domain = host_s;
/*
Handle Frond Door Access Logs
*/
[RULE: front_door_access_log]
alter
UserAgent = if(len(UserAgent ) = 0, null, UserAgent ),
check_response_code = coalesce(to_integer(httpStatusCode_s) , to_integer(httpStatusCode_d) ,to_integer(httpStatusDetails_s)),
http_method = httpMethod_s,
tmp_tls_version = if(originCryptProtocol_s = "N/A", securityProtocol_s, originCryptProtocol_s ),
target_ipv4 = arrayindex(regextract(originIp_s , "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0),
target_ipv6 = arrayindex(regextract(originIp_s, "([a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5}[a-fA-F0-9\:]{1,5})"),0),
trim_domain = replex(domain_s , ":\d+",""),
error_information_outcome = if(errorInfo_s = "NoError", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
error_information_outcome_reason= if(
errorInfo_s ="NoError", "NoError: No error was found.",
errorInfo_s ="CertificateError","CertificateError: Generic SSL certificate error.",
errorInfo_s ="CertificateNameCheckFailed","CertificateNameCheckFailed: The host name in the SSL certificate is invalid or doesn't match the requested URL.",
errorInfo_s ="ClientDisconnected","ClientDisconnected: The request failed because of a client network connection issue.",
errorInfo_s ="ClientGeoBlocked","ClientGeoBlocked: The client was blocked due to the geographical location of the IP address.",
errorInfo_s ="UnspecifiedClientError","UnspecifiedClientError: Generic client error.",
errorInfo_s ="InvalidRequest","InvalidRequest: Invalid request. This response indicates a malformed header, body, or URL.",
errorInfo_s ="DNSFailure","DNSFailure: A failure occurred during DNS resolution.",
errorInfo_s ="DNSTimeout","DNSTimeout: The DNS query to resolve the origin IP address timed out.",
errorInfo_s ="DNSNameNotResolved","DNSNameNotResolved: The server name or address couldn't be resolved.",
errorInfo_s ="OriginConnectionAborted","OriginConnectionAborted: The connection with the origin was disconnected abnormally.",
errorInfo_s ="OriginConnectionError","OriginConnectionError: Generic origin connection error.",
errorInfo_s ="OriginConnectionRefused","OriginConnectionRefused: The connection with the origin wasn't established.",
errorInfo_s ="OriginError","OriginError: Generic origin error.",
errorInfo_s ="ResponseHeaderTooBig","ResponseHeaderTooBig: The origin returned a too large of a response header.",
errorInfo_s ="OriginInvalidResponse","OriginInvalidResponse: The origin returned an invalid or unrecognized response.",
errorInfo_s ="OriginTimeout","OriginTimeout: The time-out period for the origin request expired.",
errorInfo_s ="ResponseHeaderTooBig","ResponseHeaderTooBig: The origin returned a too large of a response header.",
errorInfo_s ="RestrictedIP","RestrictedIP: The request was blocked because of restricted IP address.",
errorInfo_s ="SSLHandshakeError","SSLHandshakeError: Azure Front Door was unable to establish a connection with the origin because of an SSL handshake failure.",
errorInfo_s ="SSLInvalidRootCA","SSLInvalidRootCA: The root certification authority's certificate was invalid.",
errorInfo_s ="SSLInvalidCipher","SSLInvalidCipher: The HTTPS connection was established using an invalid cipher.",
errorInfo_s ="OriginConnectionAborted","OriginConnectionAborted: The connection with the origin was disconnected abnormally.",
errorInfo_s ="OriginConnectionRefused","OriginConnectionRefused: The connection with the origin wasn't established.",
errorInfo_s ="UnspecifiedError","UnspecifiedError: An error occurred that did not fit in any of the errors in the table.")
| alter
xdm.network.tls.protocol_version = tmp_tls_version,
xdm.network.http.response_code = if(check_response_code = 0, "The request to the origin timed out", check_response_code = 499, "The client closed the connection", check_response_code = 100, XDM_CONST.HTTP_RSP_CODE_CONTINUE, check_response_code = 101, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, check_response_code = 102, XDM_CONST.HTTP_RSP_CODE_PROCESSING, check_response_code = 103, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, check_response_code = 200, XDM_CONST.HTTP_RSP_CODE_OK, check_response_code = 201, XDM_CONST.HTTP_RSP_CODE_CREATED, check_response_code = 202, XDM_CONST.HTTP_RSP_CODE_ACCEPTED, check_response_code = 203, XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, check_response_code = 204, XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, check_response_code = 205, XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, check_response_code = 206, XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, check_response_code = 207, XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, check_response_code = 208, XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, check_response_code = 226, XDM_CONST.HTTP_RSP_CODE_IM_USED, check_response_code = 300, XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, check_response_code = 301, XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, check_response_code = 302, XDM_CONST.HTTP_RSP_CODE_FOUND, check_response_code = 303, XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, check_response_code = 304, XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, check_response_code = 305, XDM_CONST.HTTP_RSP_CODE_USE_PROXY, check_response_code = 307, XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, check_response_code = 308, XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, check_response_code = 400, XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, check_response_code = 401, XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, check_response_code = 402, XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, check_response_code = 403, XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, check_response_code = 404, XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, check_response_code = 405, XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, check_response_code = 406, XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, check_response_code = 407, XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, check_response_code = 408, XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, check_response_code = 409, XDM_CONST.HTTP_RSP_CODE_CONFLICT, check_response_code = 410, XDM_CONST.HTTP_RSP_CODE_GONE, check_response_code = 411, XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, check_response_code = 412, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, check_response_code = 413, XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, check_response_code = 414, XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, check_response_code = 415, XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, check_response_code = 416, XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, check_response_code = 417, XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, check_response_code = 421, XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, check_response_code = 422, XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, check_response_code = 423, XDM_CONST.HTTP_RSP_CODE_LOCKED, check_response_code = 424, XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, check_response_code = 425, XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, check_response_code = 426, XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, check_response_code = 428, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, check_response_code = 429, XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, check_response_code = 431, XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, check_response_code = 451, XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, check_response_code = 500, XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, check_response_code = 501, XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, check_response_code = 502, XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, check_response_code = 503, XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, check_response_code = 504, XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, check_response_code = 505, XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, check_response_code = 506, XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, check_response_code = 507, XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, check_response_code = 508, XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, check_response_code = 511, XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, check_response_code = null, null, to_string(check_response_code)),
xdm.network.http.method = if(http_method = "GET", XDM_CONST.HTTP_METHOD_GET, http_method = "POST", XDM_CONST.HTTP_METHOD_POST, http_method = "PUT", XDM_CONST.HTTP_METHOD_PUT, http_method = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, http_method = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, http_method = "ACL", XDM_CONST.HTTP_METHOD_ACL, http_method = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, http_method = "BIND", XDM_CONST.HTTP_METHOD_BIND, http_method = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, http_method = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, http_method = "COPY", XDM_CONST.HTTP_METHOD_COPY, http_method = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, http_method = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, http_method = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, http_method = "LINK", XDM_CONST.HTTP_METHOD_LINK, http_method = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, http_method = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, http_method = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, http_method = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, http_method = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, http_method = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, http_method = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, http_method = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, http_method = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, http_method = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, http_method = "PRI", XDM_CONST.HTTP_METHOD_PRI, http_method = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, http_method = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, http_method = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, http_method = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, http_method = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, http_method = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, http_method = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, http_method = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, http_method = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, http_method = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, http_method = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, http_method = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, http_method = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, http_method),
xdm.source.sent_bytes = to_integer(requestBytes_s),
xdm.target.sent_bytes = to_integer(responseBytes_s),
xdm.network.application_protocol = requestProtocol_s,
xdm.network.tls.cipher = securityCipher_s,
xdm.network.http.referrer = referer_s,
xdm.event.duration = to_integer(coalesce(multiply(to_float(timeTaken_d),1000), multiply(to_float(timeTaken_s),1000), multiply(to_float(TimeTaken),1000), to_integer(DurationMs))),
xdm.source.user_agent = coalesce(userAgent , userAgent_s),
xdm.source.location.country = clientCountry_s ,
xdm.network.rule = routingRuleName_s,
xdm.target.ipv4 = target_ipv4,
xdm.target.ipv6 = target_ipv6,
xdm.network.http.url = originUrl_s ,
xdm.target.host.fqdn = sni_s,
xdm.target.domain = coalesce(sni_s ,trim_domain ),
xdm.network.http.domain = coalesce(sni_s ,trim_domain ),
xdm.intermediate.host.hostname = endpoint_s,
xdm.target.host.hostname = if(originName_s = "N/A", "The request was served from the Azure Front Door cache", originName_s ),
xdm.event.outcome = error_information_outcome ,
xdm.event.outcome_reason = error_information_outcome_reason;
/*
Handles Application Gateway logs
*/
[RULE: application_gateway_access_and_waf_logs]
alter
get_properties_action = coalesce(properties -> action, action),
get_properties_httpStatus = coalesce(to_integer(properties -> httpStatus),to_integer(httpstatus)),
get_properties_host = coalesce(properties -> host, host),
get_properties_hostname = coalesce(properties -> hostname, hostname),
get_properties_originalHost = coalesce(properties -> originalHost, originalhost ),
get_properties_httpMethod = coalesce(properties -> httpMethod,httpmethod),
get_properties_requestQuery = properties -> requestQuery,
get_properties_requestUri = coalesce(properties -> requestUri, requesturi),
get_properties_originalRequestUriWithArgs = coalesce(properties -> originalRequestUriWithArgs,originalrequesturiwithargs),
get_properties_clientip = if(properties -> clientIp != null, properties -> clientIp, properties -> clientIP != null, properties -> clientIP, len(clientip) > 0, clientip),
get_resultSignature_resCode = if(resultSignature ~= "^\d{3}$", to_integer(resultSignature)),
get_callerIpAddress_ipv4 = if(callerIpAddress ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(callerIpAddress, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
get_callerIpAddress_ipv6 = if(callerIpAddress ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", arrayindex(regextract(callerIpAddress, "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}"), 0)),
get_ruleSetType = coalesce(rulesettype , properties -> ruleSetType),
get_ruleSetVersion = coalesce(rulesetversion , properties -> ruleSetVersion),
get_ruleID = coalesce(ruleid , properties -> ruleId),
get_ruleGroup = coalesce(ruleGroup_s, properties -> ruleGroup),
get_details = object_create("Detailed Data", detaileddata , "Detailed Message", detailedmessage , "Configuration Rule File Name", filedetails ),
get_intermediate_port = to_integer(arrayindex(regextract(serverrouted ,":(\d+)"),0)),
get_intermediate_ipv4 = arrayindex(regextract(serverrouted ,"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"),0)
| alter
get_properties_clientip_ipv4 = if(get_properties_clientip ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_clientip, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
get_properties_clientip_ipv6 = if(get_properties_clientip ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_clientip),
get_properties_host_ipv4 = if(get_properties_host ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_host, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
get_properties_host_ipv6 = if(get_properties_host ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_host),
get_properties_host_name = if(get_properties_host ~= "[a-zA-Z0-9]", get_properties_host),
get_properties_hostname_ipv4 = if(get_properties_hostname ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_hostname, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
get_properties_hostname_ipv6 = if(get_properties_hostname ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_hostname),
get_properties_hostname_name = if(get_properties_hostname ~= "[a-zA-Z0-9]", get_properties_hostname),
get_properties_originalHost_ipv4 = if(get_properties_originalHost ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", arrayindex(regextract(get_properties_originalHost, "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"), 0)),
get_properties_originalHost_ipv6 = if(get_properties_originalHost ~= "(?:[a-fA-F\d]{0,4}\:){1,7}[a-fA-F\d]{0,4}", get_properties_originalHost),
get_properties_originalHost_name = if(get_properties_originalHost ~= "[a-zA-Z0-9]", get_properties_originalHost),
get_error_information_outcome = if(errorinfo = "ERRORINFO_NO_ERROR", XDM_CONST.OUTCOME_SUCCESS, XDM_CONST.OUTCOME_FAILED),
get_error_information_outcome_reason = if(
errorinfo = "ERRORINFO_NO_ERROR", "No error was found.",
errorinfo = "ERRORINFO_INVALID_METHOD", "The client sent a request that is non-RFC compliant. Possible reasons: client using HTTP method not supported by server, misspelled method, incompatible HTTP protocol version etc.",
errorinfo = "ERRORINFO_INVALID_REQUEST", "The server can't fulfill the request because of incorrect syntax.",
errorinfo = "ERRORINFO_INVALID_VERSION", "The application gateway received a request with an invalid or unsupported HTTP version.",
errorinfo = "ERRORINFO_INVALID_09_METHOD", "The client sent request with HTTP Protocol version 0.9.",
errorinfo = "ERRORINFO_INVALID_HOST", "The value provided in the Host header is either missing, improperly formatted, or does not match the expected host value. For example, when there's no Basic listener, and none of the hostnames of Multisite listeners match with the host.",
errorinfo = "ERRORINFO_INVALID_CONTENT_LENGTH", "The length of the content specified by the client in the content-Length header does not match the actual length of the content in the request.",
errorinfo = "ERRORINFO_INVALID_METHOD_TRACE", "The client sent HTTP TRACE method, which the application gateway doesn't support.",
errorinfo = "ERRORINFO_CLIENT_CLOSED_REQUEST", "The client closed the connection with the application gateway before the idle timeout period elapsed. Check whether the client timeout period is greater than the idle timeout period for the application gateway.",
errorinfo = "ERRORINFO_REQUEST_URI_INVALID", "Indicates issue with the Uniform Resource Identifier (URI) provided in the client's request.",
errorinfo = "ERRORINFO_HTTP_NO_HOST_HEADER", "Client sent a request without Host header.",
errorinfo = "ERRORINFO_HTTP_TO_HTTPS_PORT", "The client sent a plain HTTP request to an HTTPS port.",
errorinfo = "ERRORINFO_HTTPS_NO_CERT", "Indicates client isn't sending a valid and properly configured TLS certificate during Mutual TLS authentication.",
errorinfo = "ERRORINFO_UPSTREAM_NO_LIVE", "The application gateway is unable to find any active or reachable backend servers to handle incoming requests.",
errorinfo = "ERRORINFO_UPSTREAM_CLOSED_CONNECTION", "The backend server closed the connection unexpectedly or before the request was fully processed. This condition could happen due to backend server reaching its limits, crashing etc.",
errorinfo = "ERRORINFO_UPSTREAM_TIMED_OUT", "The established TCP connection with the server was closed as the connection took longer than the configured timeout value.",
errorinfo = "ERRORINFO_INVALID_HEADER", "Application Gateway detected a partial invalid header and forwarded the remaining header to the backend, which responded with 500. Ensure the client's request header does not contain CR, LF, NULL, or similar characters. Replace such characters with SP (whitespace)."),
get_resultType_outcome_reason = if(resultType !~= "\d+", resultType, resultType ~= "\d+" and resultDescription != null, concat(resultDescription, " Error Code: ", resultType), concat("Error Code: ", resultType)),
get_resultType_outcome= if(get_properties_action ~= "lock", XDM_CONST.OUTCOME_FAILED, get_properties_action = "Allowed", XDM_CONST.OUTCOME_SUCCESS, get_properties_action ~= "Matched|Detected", XDM_CONST.OUTCOME_PARTIAL, resultType ~= "Start", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "[Pp]rogress", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "Succe", XDM_CONST.OUTCOME_SUCCESS, resultType ~= "Fail", XDM_CONST.OUTCOME_FAILED, resultType ~= "Active", XDM_CONST.OUTCOME_UNKNOWN, resultType ~= "Resolv", XDM_CONST.OUTCOME_SUCCESS, resultType = null, null, to_string(resultType))
| alter
check_response_code = coalesce(get_properties_httpStatus, get_resultSignature_resCode),
check_duration = coalesce(to_integer(properties -> timeTaken), to_integer(durationMs),multiply(to_float(timetaken),1000)),
check_hostname = arraydistinct(arraycreate(get_properties_host_name, get_properties_hostname_name, get_properties_originalHost_name)),
check_type_for_rule_name = if(type = "AGWAccessLogs", rulename, type = "AGWFirewallLogs", to_string(object_create("ruleSetType", get_ruleSetType , "ruleSetVersion", get_ruleSetVersion , "ruleId", get_ruleID , "ruleGroup", get_ruleGroup )))
| alter
xdm.alert.description = coalesce(properties -> message,message),
xdm.event.description = coalesce(to_string(properties -> details{}), to_string(get_details)),
xdm.event.duration = check_duration,
xdm.event.id = coalesce(properties -> transactionId,transactionId),
xdm.event.outcome_reason = coalesce(if(len(get_resultType_outcome_reason) > 0, get_resultType_outcome_reason, null) , if(len(get_error_information_outcome_reason) > 0, get_error_information_outcome_reason, null)),
xdm.event.outcome = coalesce(get_resultType_outcome , get_error_information_outcome ),
xdm.network.http.content_type = properties -> contentType,
xdm.network.http.method = if(get_properties_httpMethod = "ACL", XDM_CONST.HTTP_METHOD_ACL, get_properties_httpMethod = "BASELINE_CONTROL", XDM_CONST.HTTP_METHOD_BASELINE_CONTROL, get_properties_httpMethod = "BIND", XDM_CONST.HTTP_METHOD_BIND, get_properties_httpMethod = "CHECKIN", XDM_CONST.HTTP_METHOD_CHECKIN, get_properties_httpMethod = "CHECKOUT", XDM_CONST.HTTP_METHOD_CHECKOUT, get_properties_httpMethod = "CONNECT", XDM_CONST.HTTP_METHOD_CONNECT, get_properties_httpMethod = "COPY", XDM_CONST.HTTP_METHOD_COPY, get_properties_httpMethod = "DELETE", XDM_CONST.HTTP_METHOD_DELETE, get_properties_httpMethod = "GET", XDM_CONST.HTTP_METHOD_GET, get_properties_httpMethod = "HEAD", XDM_CONST.HTTP_METHOD_HEAD, get_properties_httpMethod = "LABEL", XDM_CONST.HTTP_METHOD_LABEL, get_properties_httpMethod = "LINK", XDM_CONST.HTTP_METHOD_LINK, get_properties_httpMethod = "LOCK", XDM_CONST.HTTP_METHOD_LOCK, get_properties_httpMethod = "MERGE", XDM_CONST.HTTP_METHOD_MERGE, get_properties_httpMethod = "MKACTIVITY", XDM_CONST.HTTP_METHOD_MKACTIVITY, get_properties_httpMethod = "MKCALENDAR", XDM_CONST.HTTP_METHOD_MKCALENDAR, get_properties_httpMethod = "MKCOL", XDM_CONST.HTTP_METHOD_MKCOL, get_properties_httpMethod = "MKREDIRECTREF", XDM_CONST.HTTP_METHOD_MKREDIRECTREF, get_properties_httpMethod = "MKWORKSPACE", XDM_CONST.HTTP_METHOD_MKWORKSPACE, get_properties_httpMethod = "MOVE", XDM_CONST.HTTP_METHOD_MOVE, get_properties_httpMethod = "OPTIONS", XDM_CONST.HTTP_METHOD_OPTIONS, get_properties_httpMethod = "ORDERPATCH", XDM_CONST.HTTP_METHOD_ORDERPATCH, get_properties_httpMethod = "PATCH", XDM_CONST.HTTP_METHOD_PATCH, get_properties_httpMethod = "POST", XDM_CONST.HTTP_METHOD_POST, get_properties_httpMethod = "PRI", XDM_CONST.HTTP_METHOD_PRI, get_properties_httpMethod = "PROPFIND", XDM_CONST.HTTP_METHOD_PROPFIND, get_properties_httpMethod = "PROPPATCH", XDM_CONST.HTTP_METHOD_PROPPATCH, get_properties_httpMethod = "PUT", XDM_CONST.HTTP_METHOD_PUT, get_properties_httpMethod = "REBIND", XDM_CONST.HTTP_METHOD_REBIND, get_properties_httpMethod = "REPORT", XDM_CONST.HTTP_METHOD_REPORT, get_properties_httpMethod = "SEARCH", XDM_CONST.HTTP_METHOD_SEARCH, get_properties_httpMethod = "TRACE", XDM_CONST.HTTP_METHOD_TRACE, get_properties_httpMethod = "UNBIND", XDM_CONST.HTTP_METHOD_UNBIND, get_properties_httpMethod = "UNCHECKOUT", XDM_CONST.HTTP_METHOD_UNCHECKOUT, get_properties_httpMethod = "UNLINK", XDM_CONST.HTTP_METHOD_UNLINK, get_properties_httpMethod = "UNLOCK", XDM_CONST.HTTP_METHOD_UNLOCK, get_properties_httpMethod = "UPDATE", XDM_CONST.HTTP_METHOD_UPDATE, get_properties_httpMethod = "UPDATEREDIRECTREF", XDM_CONST.HTTP_METHOD_UPDATEREDIRECTREF, get_properties_httpMethod = "VERSION_CONTROL", XDM_CONST.HTTP_METHOD_VERSION_CONTROL, get_properties_httpMethod = null, null, to_string(get_properties_httpMethod)),
xdm.network.http.response_code = if(check_response_code = 100, XDM_CONST.HTTP_RSP_CODE_CONTINUE, check_response_code = 101, XDM_CONST.HTTP_RSP_CODE_SWITCHING_PROTOCOLS, check_response_code = 102, XDM_CONST.HTTP_RSP_CODE_PROCESSING, check_response_code = 103, XDM_CONST.HTTP_RSP_CODE_EARLY_HINTS, check_response_code = 200, XDM_CONST.HTTP_RSP_CODE_OK, check_response_code = 201, XDM_CONST.HTTP_RSP_CODE_CREATED, check_response_code = 202, XDM_CONST.HTTP_RSP_CODE_ACCEPTED, check_response_code = 203, XDM_CONST.HTTP_RSP_CODE_NON__AUTHORITATIVE_INFORMATION, check_response_code = 204, XDM_CONST.HTTP_RSP_CODE_NO_CONTENT, check_response_code = 205, XDM_CONST.HTTP_RSP_CODE_RESET_CONTENT, check_response_code = 206, XDM_CONST.HTTP_RSP_CODE_PARTIAL_CONTENT, check_response_code = 207, XDM_CONST.HTTP_RSP_CODE_MULTI__STATUS, check_response_code = 208, XDM_CONST.HTTP_RSP_CODE_ALREADY_REPORTED, check_response_code = 226, XDM_CONST.HTTP_RSP_CODE_IM_USED, check_response_code = 300, XDM_CONST.HTTP_RSP_CODE_MULTIPLE_CHOICES, check_response_code = 301, XDM_CONST.HTTP_RSP_CODE_MOVED_PERMANENTLY, check_response_code = 302, XDM_CONST.HTTP_RSP_CODE_FOUND, check_response_code = 303, XDM_CONST.HTTP_RSP_CODE_SEE_OTHER, check_response_code = 304, XDM_CONST.HTTP_RSP_CODE_NOT_MODIFIED, check_response_code = 305, XDM_CONST.HTTP_RSP_CODE_USE_PROXY, check_response_code = 307, XDM_CONST.HTTP_RSP_CODE_TEMPORARY_REDIRECT, check_response_code = 308, XDM_CONST.HTTP_RSP_CODE_PERMANENT_REDIRECT, check_response_code = 400, XDM_CONST.HTTP_RSP_CODE_BAD_REQUEST, check_response_code = 401, XDM_CONST.HTTP_RSP_CODE_UNAUTHORIZED, check_response_code = 402, XDM_CONST.HTTP_RSP_CODE_PAYMENT_REQUIRED, check_response_code = 403, XDM_CONST.HTTP_RSP_CODE_FORBIDDEN, check_response_code = 404, XDM_CONST.HTTP_RSP_CODE_NOT_FOUND, check_response_code = 405, XDM_CONST.HTTP_RSP_CODE_METHOD_NOT_ALLOWED, check_response_code = 406, XDM_CONST.HTTP_RSP_CODE_NOT_ACCEPTABLE, check_response_code = 407, XDM_CONST.HTTP_RSP_CODE_PROXY_AUTHENTICATION_REQUIRED, check_response_code = 408, XDM_CONST.HTTP_RSP_CODE_REQUEST_TIMEOUT, check_response_code = 409, XDM_CONST.HTTP_RSP_CODE_CONFLICT, check_response_code = 410, XDM_CONST.HTTP_RSP_CODE_GONE, check_response_code = 411, XDM_CONST.HTTP_RSP_CODE_LENGTH_REQUIRED, check_response_code = 412, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_FAILED, check_response_code = 413, XDM_CONST.HTTP_RSP_CODE_CONTENT_TOO_LARGE, check_response_code = 414, XDM_CONST.HTTP_RSP_CODE_URI_TOO_LONG, check_response_code = 415, XDM_CONST.HTTP_RSP_CODE_UNSUPPORTED_MEDIA_TYPE, check_response_code = 416, XDM_CONST.HTTP_RSP_CODE_RANGE_NOT_SATISFIABLE, check_response_code = 417, XDM_CONST.HTTP_RSP_CODE_EXPECTATION_FAILED, check_response_code = 421, XDM_CONST.HTTP_RSP_CODE_MISDIRECTED_REQUEST, check_response_code = 422, XDM_CONST.HTTP_RSP_CODE_UNPROCESSABLE_CONTENT, check_response_code = 423, XDM_CONST.HTTP_RSP_CODE_LOCKED, check_response_code = 424, XDM_CONST.HTTP_RSP_CODE_FAILED_DEPENDENCY, check_response_code = 425, XDM_CONST.HTTP_RSP_CODE_TOO_EARLY, check_response_code = 426, XDM_CONST.HTTP_RSP_CODE_UPGRADE_REQUIRED, check_response_code = 428, XDM_CONST.HTTP_RSP_CODE_PRECONDITION_REQUIRED, check_response_code = 429, XDM_CONST.HTTP_RSP_CODE_TOO_MANY_REQUESTS, check_response_code = 431, XDM_CONST.HTTP_RSP_CODE_REQUEST_HEADER_FIELDS_TOO_LARGE, check_response_code = 451, XDM_CONST.HTTP_RSP_CODE_UNAVAILABLE_FOR_LEGAL_REASONS, check_response_code = 500, XDM_CONST.HTTP_RSP_CODE_INTERNAL_SERVER_ERROR, check_response_code = 501, XDM_CONST.HTTP_RSP_CODE_NOT_IMPLEMENTED, check_response_code = 502, XDM_CONST.HTTP_RSP_CODE_BAD_GATEWAY, check_response_code = 503, XDM_CONST.HTTP_RSP_CODE_SERVICE_UNAVAILABLE, check_response_code = 504, XDM_CONST.HTTP_RSP_CODE_GATEWAY_TIMEOUT, check_response_code = 505, XDM_CONST.HTTP_RSP_CODE_HTTP_VERSION_NOT_SUPPORTED, check_response_code = 506, XDM_CONST.HTTP_RSP_CODE_VARIANT_ALSO_NEGOTIATES, check_response_code = 507, XDM_CONST.HTTP_RSP_CODE_INSUFFICIENT_STORAGE, check_response_code = 508, XDM_CONST.HTTP_RSP_CODE_LOOP_DETECTED, check_response_code = 511, XDM_CONST.HTTP_RSP_CODE_NETWORK_AUTHENTICATION_REQUIRED, check_response_code = null, null, to_string(check_response_code)),
xdm.network.session_id = to_string(properties -> connectionSerialNumber),
xdm.network.tls.cipher = coalesce(properties -> sslCipher, sslcipher),
xdm.network.tls.client_certificate.issuer = properties -> sslClientCertificateIssuerName,
xdm.network.tls.protocol_version = coalesce(properties -> sslProtocol, sslProtocol),
xdm.network.rule = to_string(check_type_for_rule_name),
xdm.source.cloud.project = Tenant,
xdm.source.host.hostname = arrayindex(check_hostname, 0),
xdm.source.host.ipv4_addresses = arraydistinct(arraycreate(get_properties_host_ipv4, get_properties_hostname_ipv4, get_properties_originalHost_ipv4)),
xdm.source.host.ipv6_addresses = arraydistinct(arraycreate(get_properties_host_ipv6, get_properties_hostname_ipv6, get_properties_originalHost_ipv6)),
xdm.source.ipv4 = coalesce(get_properties_clientip_ipv4, get_callerIpAddress_ipv4),
xdm.source.ipv6 = coalesce(get_properties_clientip_ipv6, get_callerIpAddress_ipv6),
xdm.source.port = to_integer(coalesce(to_string(properties -> clientPort), to_string(upstreamsourceport))),
xdm.source.sent_bytes = coalesce(to_integer(properties -> sentBytes), to_integer(sentBytes)),
xdm.source.user_agent = coalesce(properties -> userAgent,useragent),
xdm.intermediate.host.hostname = coalesce(properties -> instanceId, instanceid),
xdm.intermediate.port = get_intermediate_port,
xdm.intermediate.ipv4 = get_intermediate_ipv4,
xdm.observer.action = get_properties_action,
xdm.observer.name = coalesce(properties -> WAFMode, wafmode ,arrayindex(regextract(resourceId, "/([^\/]+)$"), -1)),
xdm.observer.unique_identifier = properties -> WAFPolicyID,
xdm.observer.type = if(properties -> engine = "Azwaf", "MICROSOFT.NETWORK/APPLICATIONGATEWAYS"),
xdm.target.sent_bytes = coalesce(to_integer(properties -> receivedBytes), to_integer(receivedbytes)),
xdm.target.resource.type = if(get_properties_requestQuery = null, null, get_properties_requestQuery ~= "^\s*$", null, "requestQuery"),
xdm.target.resource.value = if(get_properties_requestQuery = null, null, get_properties_requestQuery ~= "^\s*$", null, get_properties_requestQuery),
xdm.target.url = coalesce(get_properties_originalRequestUriWithArgs, get_properties_requestUri);
[MODEL: dataset=msft_azure_waf_raw]
filter Category = "FrontDoorAccessLog"
| call msft_azure_resourcelogs_common_fields
| call front_door_common_fields
| call front_door_access_log;
filter Category = "FrontDoorWebApplicationFirewallLog"
| call msft_azure_resourcelogs_common_fields
| call front_door_common_fields
| call front_door_waf_log ;
filter Category in ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog") OR type in ("AGWAccessLogs", "AGWFirewallLogs")
| call msft_azure_resourcelogs_common_fields
| call application_gateway_access_and_waf_logs;