
KQL example WAF

 // Per request URI: number of distinct client IPs and number of distinct WAF Message values in Application Gateway firewall logs.
// NOTE(review): there is no TimeGenerated filter here, so the window scanned is whatever time range the query is run with; confirm before scheduling.
let wafEvents = AzureDiagnostics
    | where ResourceType == "APPLICATIONGATEWAYS"
    | where OperationName == "ApplicationGatewayFirewall";
// Distinct client IPs per URI. AttackerCount counts sources that appear in WAF log entries, not confirmed attackers.
let clientsPerUri = wafEvents
    | summarize set_clientIp_s = make_set(clientIp_s) by requestUri_s
    | extend AttackerCount = array_length(set_clientIp_s);
// Distinct WAF messages per URI, used as a rough measure of how many different rule hits the URI attracted.
let messagesPerUri = wafEvents
    | summarize set_Message = make_set(Message) by requestUri_s
    | extend TacticCount = array_length(set_Message);
// innerunique is the default join kind; both sides already hold one row per requestUri_s.
clientsPerUri
| join kind=innerunique (messagesPerUri) on requestUri_s
| project requestUri_s, AttackerCount, TacticCount
| render areachart
