We identified an issue with the schema of the AzureDiagnostics table, specifically affecting the following analytic rules: "Application Gateway WAF - SQLi Detection" and "Application Gateway WAF - XSS Detection". Previously, the fields transactionId_g and hostname_s were available as top-level columns, but they are now nested within the AdditionalFields column as transactionId and hostname. Additionally, the fields details_message_s and details_data_s have been removed from the schema entirely.
Due to this schema change, the analytic rules relying on these fields to detect and analyze WAF events, such as SQL injection attacks, will be inefficient and require significant modifications. Could you please help us adjust these detection rules to align with the new schema changes of the AzureDiagnostics table?
Many thanks!
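
A schema-tolerant query for the change described in the issue above, added here as an example; it is not part of the original issue or of the published analytic rules. It reads transactionId and hostname from either location and counts rows that carry no details_message_s / details_data_s, so a workspace owner can see which variant is being ingested. The Category filter value and the names `af`, `schemaVariant`, `detailsMessage` and `detailsData` are assumptions made for the example.

```kusto
// Added example, not the rule's own query.
// Assumption: WAF rows are identified by Category == "ApplicationGatewayFirewallLog".
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
// Normalise AdditionalFields to dynamic whether it arrives as dynamic or as a JSON string.
| extend af = todynamic(tostring(column_ifexists("AdditionalFields", dynamic(null))))
// column_ifexists() keeps the query valid when a legacy column is absent from the table;
// coalesce() on strings returns the first non-empty value.
| extend
    transactionId  = coalesce(tostring(column_ifexists("transactionId_g", "")), tostring(af.transactionId)),
    hostname       = coalesce(tostring(column_ifexists("hostname_s", "")), tostring(af.hostname)),
    detailsMessage = tostring(column_ifexists("details_message_s", "")),
    detailsData    = tostring(column_ifexists("details_data_s", ""))
// Label where the identifiers were found for each row.
| extend schemaVariant = case(
    isnotempty(tostring(column_ifexists("transactionId_g", ""))), "top-level",
    isnotempty(tostring(af.transactionId)), "AdditionalFields",
    "unknown")
// Rows with neither details field cannot feed matching on details_message_s / details_data_s.
| summarize
    events = count(),
    missingDetails = countif(isempty(detailsMessage) and isempty(detailsData))
    by schemaVariant, hostname
| order by events desc
```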