KQL snippet: list Azure WAF blocked URIs quickly
A short KQL query to identify the most blocked URIs by Azure Web Application Firewall on Application Gateway.
When a WAF blocks traffic, starting with the most affected URIs avoids chasing an isolated request. This query gives a first usable view by hostname, URI, and rule.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "ApplicationGatewayFirewallLog"
| where action_s =~ "Blocked"
| summarize hits = count() by hostname_s, requestUri_s, ruleId_s, Message
| top 20 by hits desc
Read the result carefully: high volume does not automatically mean false positive. Check HTTP method, parameters, source IP, user-agent, and application context before adding an exclusion.
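A follow-up triage query for the check described above, added here as an example and not part of the original snippet. It keeps the same grouping and adds, per row, the source-IP spread, the time span, and a sample of the data the rule matched. It assumes the standard AzureDiagnostics columns `clientIp_s`, `details_message_s` and `details_data_s` for this log category, and it does not cover HTTP method or user-agent.

```kql
// Added example: context per blocked URI/rule before deciding on an exclusion.
// Assumption: clientIp_s, details_message_s and details_data_s are populated
// for ApplicationGatewayFirewallLog in this workspace.
let lookback = 24h;
AzureDiagnostics
| where TimeGenerated > ago(lookback)
| where Category == "ApplicationGatewayFirewallLog"
| where action_s =~ "Blocked"
| summarize
    hits           = count(),
    distinct_ips   = dcount(clientIp_s),           // how many clients hit this rule on this URI
    first_seen     = min(TimeGenerated),
    last_seen      = max(TimeGenerated),
    sample_clients = make_set(clientIp_s, 5),      // up to 5 source IPs to look up
    matched_data   = make_set(details_data_s, 5),  // up to 5 distinct matched values
    rule_detail    = take_any(details_message_s)   // one example of the rule's match message
  by hostname_s, requestUri_s, ruleId_s, Message
| extend hits_per_ip = round(todouble(hits) / distinct_ips, 1)
| top 20 by hits desc
| project hostname_s, requestUri_s, ruleId_s, Message,
          hits, distinct_ips, hits_per_ip, first_seen, last_seen,
          sample_clients, matched_data, rule_detail
```

As a reading aid only: many distinct clients triggering the same rule with the same matched data over a long span is worth comparing against normal application behavior, while a few clients with a high `hits_per_ip` and varied matched data deserve a closer look at the source before any exclusion is considered.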