Azure / Azure-Network-Security

Resources for improving Customer Experience with Azure Network Security

Block-IPAzureWAF Always fails on Action: Get App Gateway

mlaraibkhan opened this issue

Seems like URL here is malformed. Can you guide how to fix it?

@LaraibKhan555 Thank you for submitting an Issue to the Azure Network Security GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

Hello @LaraibKhan555,

You need to provide the App Gateway Resource ID in the ResourceID1 column of the playbook.

If you are using this Playbook for App Gateway WAF, please refer to the example given below; this should be the complete URL:

Get App Gateway: https://management.azure.com@{variables('ResourceID1')}?api-version=2020-05-01

Example ResourceID1: /subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/WAFAttackTestingLab22-Shabaz/providers/Microsoft.Network/applicationGateways/SOC-NS-AG-WAFv2

Full URL will become: https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/WAFAttackTestingLab22-Shabaz/providers/Microsoft.Network/applicationGateways/SOC-NS-AG-WAFv2?api-version=2020-05-01

If you are using this Playbook for Front Door Classic WAF, please refer to the example given below; this should be the complete URL:

Get Front Door: https://management.azure.com@{variables('ResourceID2')}?api-version=2019-05-01

Example ResourceID2: /subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/WAFAttackTestingLab22-Shabaz/providers/Microsoft.Network/frontdoors/Demowasp-kmgxev4p32zq4

Full URL will become: https://management.azure.com/subscriptions/1c61ccbf-70b3-45a3-a1fb-848ce46d70a6/resourceGroups/WAFAttackTestingLab22-Shabaz/providers/Microsoft.Network/frontdoors/Demowasp-kmgxev4p32zq4?api-version=2019-05-01

This has been simplified even further in our new playbook (link mentioned below), which now supports AFD Premium and Standard along with App Gateway, and where we can give these Resource ID inputs during the deployment of the playbook itself.

We highly recommend using this new playbook unless you have a specific requirement for Front Door Classic that only the old Playbook supports. The new Playbook works well with App Gateway as well as Front Door Premium and Standard.

New Playbook Github Link: https://github.com/Azure/Azure-Network-Security/tree/master/Azure%20WAF/Playbook%20-%20WAF%20Sentinel%20Playbook%20Block%20IP%20-%20New

Reference Blog on how to use the new playbook: https://techcommunity.microsoft.com/t5/azure-network-security-blog/automated-detection-and-response-for-azure-waf-with-sentinel/ba-p/3692525
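Added example, not part of the original reply or the playbook's own code: a pre-flight check that builds the same "Get App Gateway" / "Get Front Door" URL from a resource ID and rejects values that would make the request URL malformed. The function names and the sample IDs (placeholder subscription, resource group and resource names) are assumptions; the host and api-version values are the ones quoted in the reply above.

```python
import re

ARM_HOST = "https://management.azure.com"

# api-version per resource type, as quoted in the reply above.
API_VERSIONS = {"applicationgateways": "2020-05-01", "frontdoors": "2019-05-01"}

# A full ARM resource ID must start with "/" so that concatenating it to
# ARM_HOST yields a path; without it the value would run into the host name.
_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-fA-F-]{36})"
    r"/resourceGroups/(?P<rg>[^/\s?#]+)"
    r"/providers/Microsoft\.Network"
    r"/(?P<type>applicationGateways|frontdoors)/(?P<name>[^/\s?#]+)$",
    re.IGNORECASE,
)


def build_get_url(resource_id: str) -> str:
    """Return the ARM GET URL for the resource ID, or raise ValueError."""
    rid = (resource_id or "").strip()
    match = _RESOURCE_ID.match(rid)
    if not match:
        raise ValueError(f"not an App Gateway / Front Door resource ID: {rid!r}")
    version = API_VERSIONS[match.group("type").lower()]
    return f"{ARM_HOST}{rid}?api-version={version}"


def check(resource_id: str) -> str:
    """Human-readable verdict for one candidate ResourceID value."""
    try:
        return "OK  " + build_get_url(resource_id)
    except ValueError as exc:
        return "BAD " + str(exc)


# Constructed sample inputs; none of these identify a real resource.
SUB = "00000000-0000-0000-0000-000000000000"
BASE = f"/subscriptions/{SUB}/resourceGroups/rg-demo/providers/Microsoft.Network"
SAMPLES = [
    f"{BASE}/applicationGateways/agw-demo",      # valid App Gateway ID
    f"{BASE}/frontdoors/fd-demo",                # valid Front Door Classic ID
    "",                                          # variable left empty
    "agw-demo",                                  # resource name, not the full ID
    f"{BASE}/applicationGateways/agw-demo"[1:],  # leading "/" missing
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample))
```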

Perfect, I understand the resource-id now. I tested both old and new, and one thing that crosses my mind is: what if this playbook can correlate the Application Gateway and its policy against a URL entity that has been targeted? Or is there any strong reason behind only creating/updating the custom rule "SentinelBlockIP" only in global policy in an application gateway?

@LaraibKhan555, glad to know that the above details were helpful. If any malicious IP is trying to attack a particular URL, from a security standpoint, it is always recommended to block it at the global level to other URLs as well. Identifying a particular URL-specific policy on the App GW and modifying it is also a possibility; however, it needs extra steps and logic and needs to be tested. I hope that answers your question. I'm closing this issue for now; please feel free to reach out in case there are any other concerns.