Azure Web Application Firewall (WAF) provides protection for your web applications and APIs from common exploits and vulnerabilities. Web applications increasingly encounter malicious attacks that exploit commonly known vulnerabilities. For more details refer to Microsoft’s official documentation.
Integration Method: EventHub
To ingest Azure WAF events via API, refer to the guide, Azure WAF.
Tables: HTTP Activity (4002), Web Resources Activity (6001)
This integration supports the following events.
| Event | Description |
|---|---|
| Firewall | To monitor, analyse, and troubleshoot security incidents. |
| Access | Access Control mechanisms, which determine who or what can interact with web applications. |
Note:
EventHub doesn’t follow a traditional versioning system. Instead, it is a continuously updated cloud service.
Prerequisites
The user should have access to the Azure portal.
The user should have access to the Application gateway to create a diagnostic setting.
The user should have access to the Event Hub.
The user should have access to the DataBee console.
Configuration Overview
Create an Event Hub in the Azure Portal.
Create a diagnostic setting in the Application Gateway.
Get the Event Hub namespace, Event Hub name and connection string.
Add the Azure WAF in the DataBee console with the below parameters.
| DataBee Parameter | Azure WAF Parameter |
|---|---|
| Event Hub Namespace URL | |
| Event Hub Name | Event Hub Name |
| Consumer Group | $Default |
| Connection String | Connection String |
Azure Configuration
Create EventHub
Sign in to the Azure portal and navigate to Marketplace to create an EventHub. If you have already configured EventHub, then skip to step 6.

Provide basic information to create an event hub namespace.
Provide project details which include subscription details.
Enter a valid event hub namespace name. Copy it and save it for later use.
Select the region for your Event Hub namespace.
Note:
Choose the same region where your DataBee cluster is deployed to minimize latency when receiving logs from the Event Hub.
Select the Pricing Tier. For this guide, the Standard tier will be used.
Note:
The Standard tier is the minimum requirement, as it’s needed to enable Apache Kafka support.
Provide Throughput Units. For this guide, we will be using one (1) Throughput Unit (TU). A higher number may be required if you know the amount of data sent from Azure. More about Throughput Units.
Enable the Auto-Inflate option to prevent issues when traffic exceeds the assigned Throughput Unit (TU) capacity. Auto-Inflate automatically increases the number of TUs for your Standard Tier Event Hubs Namespace as traffic grows, up to a specified maximum limit.
Note:
Once Auto-Inflate is enabled, it does not automatically scale down. You’ll need to manually reduce the TUs if required.
Click on Next: Advanced > button.

Provide Advanced Security Details. Click on Next: Networking > button.

Select Public access as a ‘Connectivity method’. Click Next: Tags > button.

Add Tags relevant to your organization for viewing consolidated billing.
Click Next: Review + create > button.

EventHub Namespace

Navigate to Entities > Event Hubs. Click on + Event Hub button.

Enter basic details to create an Event Hub.
Enter a valid Event Hub name. Save it for later use.
Specify the Partition count.
Note:
Partitions enable parallel processing, helping your applications scale. It is recommended to set this between 10-15 for better scalability.
Select Cleanup policy.
Specify the Retention Period for the logs.
Note:
A longer retention period ensures that more logs are retained in Event Hub, reducing the risk of data loss. It is recommended to set the retention period to the maximum allowed value.
Click on Next: Capture > button.

Turn Capture to Off and click Next: Review + create > button.

Create Event Hub.

Create Diagnostic settings in application gateway
This step is needed to send the Azure WAF logs to Event Hub.
Sign in to the Azure Portal and open your Application Gateway. If you haven’t configured your application gateway, follow this guide to create one.

Create Diagnostic settings.
Open the Monitoring section.
Click on Diagnostic settings.
Click on Add diagnostic setting button.
Note:
To create a Diagnostic Setting, the user must have at least the Monitoring Contributor role, which provides the necessary permissions to configure diagnostic settings.

Enter Diagnostic setting details.
Enter Diagnostic setting name.
Select Log categories, Application Gateway Access Log and Application Gateway Firewall Log.

Add destination details
Select Stream to an event hub option.
Select Subscription.
Select Event hub namespace.
Select Event hub name (required in our case, to capture logs in one event hub only).
Select Event hub policy name.
Click on Save button.

Get the connection string
Navigate to Event Hub.

Navigate to Settings > Shared access policies. Click on the + Add button.

Add SAS Policy.
Enter a valid ‘Policy name’.
Select Listen option.
Click on Create button.

Click on the shared access policy you created. Copy the Primary connection string for later use.

DataBee Configuration
Log in to the DataBee UI, navigate to Data Management > Data Feeds and click the Add New Data Feed button.

Search for Azure WAF and click on it as shown below.

Click on the Azure Event Hub collection method.

In configuration, enter the feed contact information.

Enter Azure Event Hub connection details
Replace <Namespace> placeholder with Event Hub namespace.
Enter the Consumer Group, otherwise please keep the default value: “$Default”
Enter Event Hub name.
Select PLAIN as Authorization Method. Enter Event Hub Connection String.

Click on Test Connection button.

Click on Submit button.
Troubleshooting Tips
If you get an error while testing the connection, make sure the Event Hub namespace and Event Hub name are the intended ones. Make sure the connection string has the Listen claim.
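The checks above can be run offline before pasting values into the feed form. The following is an added example, not DataBee or Microsoft code: it parses the connection string, compares it with the namespace and Event Hub name you intend to enter, flags use of the namespace's default `RootManageSharedAccessKey` policy (which carries Manage and Send as well as Listen), and derives the standard Kafka client settings for an Event Hubs namespace. The function names and sample values are assumptions made for illustration; the Listen claim itself is not encoded in the connection string and still has to be confirmed on the policy in the portal.

```python
from urllib.parse import urlparse

# Default namespace-level policy; it grants Manage, Send and Listen.
ROOT_POLICY = "RootManageSharedAccessKey"

def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value' into a dict (values may contain '=')."""
    fields = {}
    for part in filter(None, (p.strip() for p in conn_str.split(";"))):
        key, sep, value = part.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed segment: {key!r}")
        fields[key] = value
    return fields

def check_feed_settings(conn_str, namespace, event_hub):
    """Return (problems, kafka_settings) for the values entered in the feed form."""
    fields = parse_connection_string(conn_str)
    problems = []
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in fields:
            problems.append(f"connection string has no {required}")
    host = urlparse(fields.get("Endpoint", "")).hostname or ""
    if host.split(".")[0].lower() != namespace.lower():
        problems.append(f"connection string is for host {host!r}, not namespace {namespace!r}")
    # EntityPath is present when the string was copied from an Event Hub-level policy.
    entity = fields.get("EntityPath")
    if entity and entity.lower() != event_hub.lower():
        problems.append(f"policy is scoped to event hub {entity!r}, not {event_hub!r}")
    if fields.get("SharedAccessKeyName") == ROOT_POLICY:
        problems.append("uses the namespace root policy; create a Listen-only policy instead")
    kafka = {
        "bootstrap.servers": f"{host}:9093",   # Event Hubs Kafka endpoint port
        "security.protocol": "SASL_SSL",
        "sasl.mechanism": "PLAIN",             # the PLAIN method selected in the form
        "sasl.username": "$ConnectionString",  # literal string, not a variable
        "sasl.password": conn_str,
    }
    return problems, kafka

# Constructed sample values; the key is a placeholder, not a real secret.
SAMPLE = ("Endpoint=sb://contoso-waf-ns.servicebus.windows.net/;"
          "SharedAccessKeyName=databee-listen;"
          "SharedAccessKey=PLACEHOLDERKEY0000000000000000000000000000=;"
          "EntityPath=waf-logs")

if __name__ == "__main__":
    issues, settings = check_feed_settings(SAMPLE, "contoso-waf-ns", "waf-logs")
    print(issues or "settings are consistent", settings["bootstrap.servers"])
```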