Challenge 1 — Identify the Attacker¶
Difficulty: Easy — Skills: KQL queries, IP analysis
Scenario¶
Your Azure WAF has detected a burst of SQL injection attacks. A single IP address is responsible for all of them — 50 requests containing classic SQLi payloads like OR 1=1, UNION SELECT, and DROP TABLE.
Your mission: Analyze the WAF logs and identify the attacker's IP address.
Prerequisites¶
- Lab infrastructure deployed
- WAF logs flowing to Log Analytics
Generate Challenge Traffic¶
Script: challenge-traffic.ps1
Wait 10-15 minutes for logs to appear in Log Analytics before investigating.
Investigation¶
Use Log Analytics or WAF Insights to find which IP address sent the SQL injection attacks.
Hint 1 — Which log table to use
Query the AzureDiagnostics table filtered by Category == "ApplicationGatewayFirewallLog".
Hint 2 — How to filter for SQLi
Filter where ruleGroup_s contains "SQLI" or look at rule IDs in the 942xxx range.
Hint 3 — KQL Query
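The following query is an added example that combines Hints 1 and 2; it is not the challenge's own Hint 3 content. It assumes the standard AzureDiagnostics column names that Application Gateway WAF logs use (clientIp_s, ruleId_s, ruleGroup_s, action_s) and that the challenge traffic was generated within the last few hours. Ranking source addresses by the number of SQLi rule matches is what separates a single attacker from ordinary traffic that may trip an occasional rule.

```kql
// Added example: rank source IPs by SQL injection rule hits in Application Gateway WAF logs
AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"       // Hint 1: WAF log table
| where TimeGenerated > ago(4h)                          // assumption: challenge traffic is recent
| where ruleGroup_s contains "SQLI"                       // Hint 2: OWASP CRS SQLi rule group ...
    or toint(ruleId_s) between (942000 .. 942999)         // ... or the 942xxx rule ID range
| summarize
    Hits      = count(),
    Rules     = make_set(ruleId_s),
    Actions   = make_set(action_s),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by clientIp_s
| order by Hits desc
```

The top row is the address to submit; given the scenario it should show roughly 50 hits concentrated in a short FirstSeen/LastSeen window, while any other rows will have far fewer matches. Checking the Actions column also tells you whether the WAF was in Detection or Prevention mode when the requests arrived.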
Submit Your Answer¶
What is the IP address of the attacker?