Challenge 2 — Name the Rule
Difficulty: Easy — Skills: Rule ID lookup, log analysis
Scenario
An attacker has been sending XSS (Cross-Site Scripting) payloads containing the string WAF-CHALLENGE-2026. All payloads use <script>alert('WAF-CHALLENGE-2026')</script> injected into various query parameters.
A specific WAF managed rule detected and flagged every single one of these requests.
Your mission: Find the Rule ID that detected these XSS attacks.
Prerequisites
- Lab infrastructure deployed
- WAF logs flowing to Log Analytics
Generate Challenge Traffic
Script: challenge-traffic.ps1
Wait 10-15 minutes for logs to appear in Log Analytics before investigating.
Investigation
Search the WAF logs for events related to the WAF-CHALLENGE-2026 payload and identify which rule triggered.
Hint 1 — Search for the payload
Look for WAF-CHALLENGE-2026 in the requestUri_s or details_data_s fields.
Hint 2 — Group by rule
Use summarize count() by ruleId_s, message_s to find which rule matched.
Hint 3 — KQL Query
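An added example query that combines Hint 1 and Hint 2 (this is not the challenge's own Hint 3 query). It assumes Application Gateway WAF logs land in the AzureDiagnostics table under the ApplicationGatewayFirewallLog category; the 24-hour window is an assumption, so widen it if your traffic run was earlier.

```kql
// Added example, not part of the challenge page. Assumes Application Gateway
// WAF diagnostics in AzureDiagnostics; adjust Category/fields for other WAF types.
let payload = "WAF-CHALLENGE-2026";
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "ApplicationGatewayFirewallLog"
// 'contains' is case-insensitive and also matches when the payload sits inside a
// URL-encoded query string, which 'has' (whole-term match) can miss.
| where requestUri_s contains payload or details_data_s contains payload
| summarize Hits = count(),
            Requests = dcount(transactionId_g),   // distinct requests, not log rows
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleUri = any(requestUri_s)
    by ruleId_s, message_s, action_s
| order by Hits desc
```

A rule whose Requests count equals the total number of distinct transactionId_g values for the payload is the one that flagged every request; action_s shows whether the policy was in Detection (Matched) or Prevention (Blocked) mode.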
Submit Your Answer
What is the Rule ID that detected the XSS attacks?
{% include "challenges/challenge-ui.html" %}