Access logs, firewall logs, backend health, and metrics each tell a partial truth about what Application Gateway is doing. Here’s how they mislead you in isolation, and the KQL that fixes that.
Most teams think a WAF in Detection mode is partially protecting them. It isn’t. Here’s what actually happens to requests, why the logs actively mislead, and how organisations end up stuck in Detection mode indefinitely without noticing.
