Azure Network Security Blog
General availability of Default Ruleset (DRS) 2.2 for Web Application Firewall

andrewmathu
Microsoft
Apr 29, 2026

Introduction

As attackers continue to evolve their techniques, organizations require web application security that keeps pace with emerging threats without disrupting legitimate traffic. Azure Web Application Firewall (WAF) continues to evolve to meet these demands and now supports Default Rule Set (DRS) 2.2 across both Azure Front Door and Azure Application Gateway.

DRS 2.2 is the latest recommended Azure WAF ruleset and is based on OWASP Core Rule Set (CRS) 3.3.4. It combines OWASP CRS protections with Microsoft-authored rules developed with the Microsoft Threat Intelligence team, delivering broader coverage, updated signatures, reduced false positives, and a more modern security baseline for your internet-facing applications.

What is new in DRS 2.2?

DRS 2.2 builds on earlier rule sets with improvements focused on three areas: breadth of coverage, quality of detections, and false positive reductions.

Broader security coverage 

DRS 2.2 is based on the OWASP Core Rule Set 3.3.4, delivering improvements in rule accuracy and new protections for common web vulnerabilities. DRS 2.2 contains 18 rule groups, organizing protections across SQL injections, XSS, protocol violations, remote code execution, and more, making it easier to understand and manage the scope of coverage. Notable improvements include:

  • Detection of mismatched content types, where the declared content-type header does not match the actual payload format. This is a common tactic in evasion and obfuscation attacks.
  • Improved Remote Code Execution (RCE) detections to catch increasingly sophisticated payloads used by threat actors.

Microsoft Threat Intelligence rules

In addition to the OWASP improvements, DRS 2.2 introduces new Microsoft Threat Intelligence rules. These rules expand coverage for:

  • SQL Injection.
  • Cross-Site Scripting (XSS).
  • Advanced application security attack patterns.

Improved false positive reduction with paranoia levels

One of the standout features of DRS 2.2 is its paranoia level (PL) configuration, which allows you to balance security and usability. Paranoia levels determine how aggressively rules in the OWASP Core Rule Set (CRS) detect and block potential threats in a Web Application Firewall (WAF). OWASP CRS defines four paranoia levels (PL1–PL4), each offering progressively stricter security controls:

  • PL1 (Default): Offers baseline protection against common web attacks, minimizes false positives, and is appropriate for most applications.
  • PL2: Adds additional rules targeting more sophisticated threats, which may result in more false positives.
  • PL3: Strict detection rules aimed at high-security environments.
  • PL4: Implements the most aggressive security rules, suitable for highly secure environments, requiring extensive management and tuning efforts.

Azure WAF currently does not support rules from paranoia levels 3 and 4. For more information on Azure WAF paranoia levels, refer to Paranoia Levels.

DRS 2.2 ships with paranoia level 1 (PL1) enabled by default. This gives customers the strongest baseline protection with minimal tuning overhead. DRS 2.2 rules configured in paranoia level 2 are disabled by default. Customers can leave PL2 disabled or selectively enable individual PL2 rules based on their threat model and application behavior.

Enabling and upgrading to DRS 2.2

Upgrading to DRS 2.2 is straightforward, but there is an important planning consideration: when you assign a new managed ruleset version through the Azure portal, previous managed-ruleset customizations such as rule state overrides, rule action overrides, and rule-level exclusions are reset to the new defaults. For this reason, it is recommended to use PowerShell, CLI, REST API, or templates when you want to preserve overrides and exclusions, and to validate changes in a test environment before production rollout.

Please refer to Upgrade CRS or DRS Ruleset Version - Azure Web Application Firewall.
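
One way to confirm that rule overrides and exclusions survived a ruleset change is to export the policy before and after the change and diff the customizations. The following is an added example, not code from this post or from Microsoft; the field names assume the ARM JSON shape of an Application Gateway WAF policy, and the sample policies, rule IDs and the "2.2" version string are constructed.

```python
# Added example: field names follow the Application Gateway WAF policy ARM
# shape (an assumption); policies and rule IDs below are constructed samples.

def customizations(policy):
    """Flatten managed-rule customizations into a set of comparable tuples."""
    managed = policy["properties"]["managedRules"]
    found = set()
    for ruleset in managed.get("managedRuleSets", []):
        for group in ruleset.get("ruleGroupOverrides", []):
            for rule in group.get("rules", []):
                found.add(("override", group["ruleGroupName"], rule["ruleId"],
                           rule.get("state", ""), rule.get("action", "")))
    for excl in managed.get("exclusions", []):
        # An exclusion is global unless it is scoped down to specific rules.
        scoped = [r["ruleId"] for rs in excl.get("exclusionManagedRuleSets", [])
                  for g in rs.get("ruleGroups", []) for r in g.get("rules", [])]
        found.add(("exclusion", excl["matchVariable"],
                   excl["selectorMatchOperator"], excl["selector"],
                   ",".join(sorted(scoped)) or "global"))
    return found

def lost_on_upgrade(before, after):
    """Customizations present before the ruleset change but absent after it."""
    return sorted(customizations(before) - customizations(after))

def sample_policy(version, customized):
    """Build a trimmed, constructed policy export for the given DRS version."""
    overrides = [{"ruleGroupName": "SQLI", "rules": [
        {"ruleId": "942430", "state": "Disabled"},
        {"ruleId": "942440", "state": "Enabled", "action": "Log"}]}]
    exclusions = [{"matchVariable": "RequestArgNames",
                   "selectorMatchOperator": "Equals", "selector": "comment",
                   "exclusionManagedRuleSets": [{
                       "ruleSetType": "Microsoft_DefaultRuleSet",
                       "ruleSetVersion": version,
                       "ruleGroups": [{"ruleGroupName": "XSS",
                                       "rules": [{"ruleId": "941100"}]}]}]}]
    return {"properties": {"managedRules": {
        "managedRuleSets": [{"ruleSetType": "Microsoft_DefaultRuleSet",
                             "ruleSetVersion": version,
                             "ruleGroupOverrides": overrides if customized else []}],
        "exclusions": exclusions if customized else []}}}

BEFORE = sample_policy("2.1", customized=True)
AFTER_RESET = sample_policy("2.2", customized=False)   # overrides reset to defaults
AFTER_KEPT = sample_policy("2.2", customized=True)     # overrides carried over

if __name__ == "__main__":
    print(*lost_on_upgrade(BEFORE, AFTER_RESET), sep="\n")
```

Every item reported as missing is a customization to re-apply or to drop deliberately. Azure Front Door WAF policies are exported under a different resource type, so check the key names against your own export.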

To use DRS 2.2:

  1. Open your WAF policy (associated with your Azure Front Door or Application Gateway).
  2. Navigate to Managed Rules.
  3. Select “Assign”.
  4. Choose DRS 2.2 from the ruleset dropdown.
  5. Review enabled rule groups and optionally configure the rule actions.

After upgrading, monitor your logs and metrics to understand traffic behavior and fine-tune as required.

Figure 1: Enabling DRS 2.2 in Azure Front Door WAF

Figure 2: Enabling DRS 2.2 in Azure Front Door WAF

Conclusion

Default Rule Set 2.2 marks a significant advancement for Azure Web Application Firewall, providing stronger security coverage, improved detection accuracy, and better control over false positives. By bringing the same modern ruleset experience to both Azure Front Door WAF and Application Gateway WAF, customers can apply a consistent web security baseline across global, regional, and internal application architectures. For customers already using Azure WAF, upgrading to DRS 2.2 is the simplest way to benefit from the latest protections while maintaining operational flexibility.

Updated Apr 29, 2026
Version 1.0