Merge pull request #519 from shabaz-github/master

andrewmathuj · web-flow · commit 3725bd4bd45e · 2026-02-16T10:56:20.000+03:00
Add detection for CAPTCHA bot traffic in AFD WAF logs
diff --git a/Azure WAF/Playbook - Sentinel additional detections/AFD-WAF-Detection Based on Captcha Bot Traffic Thresholds.kql b/Azure WAF/Playbook - Sentinel additional detections/AFD-WAF-Detection Based on Captcha Bot Traffic Thresholds.kql
@@ -0,0 +1,17 @@
+//This detection identifies source IPs repeatedly served a CAPTCHA challenge by Azure Front Door WAF within the selected lookback window (default 90 days). It groups Front Door WAF events by socketIP_s (labeled as SourceIp) and raises findings for any IP that hit the CAPTCHA action ≥ 3 times. For each flagged IP, it provides the first/last seen times, total challenge count, and unique URIs the IP requested. This helps surface persistent or recurring bot/automated traffic that was challenged by the WAF, so analysts can decide whether to block, rate‑limit, or tune bot protections.
+
+let lookback = 90d;
+let minChallenges = 3;
+AzureDiagnostics
+| where Category =~ "FrontDoorWebApplicationFirewallLog"
+| where TimeGenerated > ago(lookback)
+| where (action_s in~ ("Captcha") 
+        or tostring(details_msg_s) contains "captcha")
+| project TimeGenerated, clientIp_s, requestUri_s, socketIP_s
+| summarize Count = count(),
+            FirstSeen = min(TimeGenerated),
+            LastSeen = max(TimeGenerated),
+            URIs = make_set(requestUri_s)
+    by SourceIp=socketIP_s
+| where Count >= minChallenges
+| order by Count desc
