KQL snippet: correlate WAF and APIM on an Azure private API

A short query to see whether a private API request is blocked by Application Gateway WAF, received by APIM or missing from the expected path.

08 Jun 2026 · Tags: kql, azure, api-management, application-gateway, waf, logs, monitoring, runbook

When a private API published through Application Gateway and internal APIM fails, first check where the request appears. This query brings Application Gateway/WAF and APIM logs into the same time window.

kusto waf-apim-private-api-correlation.kql
// Parameters: lookback window, published hostname and API path to trace.
let Window = 2h;
let Hostname = "api.internal.example.com";
let ApiPath = "/orders";
// Application Gateway access log and WAF firewall log rows for the host or path.
// AzureDiagnostics column names depend on what each resource type sends;
// check them against the schema of your workspace.
let Gateway =
    AzureDiagnostics
    | where TimeGenerated > ago(Window)
    | where ResourceProvider == "MICROSOFT.NETWORK"
    | where Category in ("ApplicationGatewayAccessLog", "ApplicationGatewayFirewallLog")
    | where tostring(host_s) == Hostname or tostring(requestUri_s) has ApiPath
    | project TimeGenerated,
            Layer="application-gateway",
            Action=tostring(action_s),
            Status=tostring(httpStatus_d),
            RuleId=tostring(ruleId_s),
            Uri=tostring(requestUri_s),
            ClientIp=tostring(clientIP_s),
            CorrelationId=tostring(transactionId_g);
// APIM rows for the same path, projected to the same columns so both layers line up.
let Apim =
    AzureDiagnostics
    | where TimeGenerated > ago(Window)
    | where ResourceProvider == "MICROSOFT.APIMANAGEMENT"
    | where tostring(Url) has ApiPath or tostring(RequestUri) has ApiPath
    | project TimeGenerated,
            Layer="apim",
            Action=tostring(OperationName),
            Status=tostring(ResponseCode),
            RuleId="",
            Uri=tostring(Url),
            ClientIp=tostring(CallerIPAddress),
            CorrelationId=tostring(CorrelationId);
// One timeline, newest first: read down it to see which layer saw the request.
Gateway
| union Apim
| order by TimeGenerated desc

Fast reading: Blocked on the gateway side points to WAF; gateway presence without APIM presence points to pool, probe, SNI or host header; APIM presence without backend evidence points to policy, private DNS, route or identity.
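
The fast reading above can be applied per minute instead of by eye. The query below is an added example, not part of the original snippet: it runs over constructed sample rows shaped like the union output, and it groups by minute rather than by CorrelationId, on the assumption that the gateway and APIM identifiers are not guaranteed to match across layers.

```kusto
// Constructed sample rows in the shape the correlation query projects (not real log data).
let Rows = datatable(TimeGenerated:datetime, Layer:string, Action:string, Status:string, RuleId:string)
[
    // Minute 10:00: the WAF blocks the request (rule id is a constructed sample value).
    datetime(2026-06-08 10:00:05), "application-gateway", "Blocked", "",    "942100",
    // Minute 10:01: the gateway logs the request, APIM never sees it.
    datetime(2026-06-08 10:01:10), "application-gateway", "",        "502", "",
    // Minute 10:02: the request appears in both layers.
    datetime(2026-06-08 10:02:20), "application-gateway", "",        "200", "",
    datetime(2026-06-08 10:02:21), "apim",                "Microsoft.ApiManagement/GatewayLogs", "200", ""
];
Rows
| summarize
    GatewayBlocked = countif(Layer == "application-gateway" and Action =~ "Blocked"),
    GatewaySeen    = countif(Layer == "application-gateway"),
    ApimSeen       = countif(Layer == "apim"),
    Rules          = make_set_if(RuleId, isnotempty(RuleId))
  by Minute = bin(TimeGenerated, 1m)
// Order matters: a WAF block is reported first, then gateway-only, then APIM presence.
| extend Reading = case(
    GatewayBlocked > 0,
        "blocked at gateway: WAF, review the rules listed in Rules",
    GatewaySeen > 0 and ApimSeen == 0,
        "gateway only: check pool, probe, SNI or host header",
    ApimSeen > 0,
        "reached APIM: without backend evidence, check policy, private DNS, route or identity",
    "no evidence in either layer")
| order by Minute asc
```

To use it on live data, replace the `datatable` with the `Gateway | union Apim` result of the correlation query; a request logged close to a minute boundary can land in two bins, so widen the bin when the layers look out of step.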