Introduction:
Web applications are increasingly targeted by attacks that exploit well-known vulnerability classes; SQL injection (SQLi) and cross-site scripting (XSS) are among the most common. Preventing such attacks in application code is hard: it requires rigorous maintenance, patching, and monitoring at multiple layers of the application topology. A WAF can react to a threat faster by centrally blocking a known attack pattern instead of fixing each individual web application. Azure Web Application Firewall (WAF) is a cloud-native service that protects web apps from common web attack techniques. It can be deployed in minutes to gain visibility into web application traffic and block malicious requests.
Integrating Azure WAF with Microsoft Sentinel (Microsoft's cloud-native SIEM/SOAR) adds automated detection and response to WAF-originated incidents and alerts, and reduces the manual work needed to update a WAF policy. In this blog we discuss the WAF detection templates in Sentinel, deploying a Playbook, and configuring detection and response in Sentinel using these templates and the Playbook.
SQLi and XSS WAF Detection templates:
Sentinel now ships built-in detection query templates for SQLi and XSS attacks against Azure WAF. In the Log Analytics workspace connected to Sentinel, these templates are listed under the Analytics tab in the Configuration section, as shown below. Using these templates, we can create analytic rules that detect specific attack patterns in the WAF logs and notify the security analyst by creating an incident. The automation section of these rules lets us respond to the incident by blocking the attacker's source IP on the WAF policy, which stops subsequent requests from that source IP before they reach the application. We are continuously working to add detection templates for more detection and response scenarios.
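To make the detection step concrete, here is an added example (not a Sentinel template and not code from the original post) that runs the same kind of logic over WAF log records. The records are constructed for this example and mirror a few columns of the Application Gateway WAF log in Log Analytics (clientIp_s, ruleId_s, ruleGroup_s, action_s); the mapping of rule IDs 941xxx to XSS and 942xxx to SQLi follows the OWASP Core Rule Set 3.x numbering that the Azure WAF managed rule set uses. The threshold parameter and function names are assumptions for illustration.

```python
"""Classify Azure WAF log records as SQLi / XSS and list attacker source IPs.

Illustrative code only, not the Sentinel detection template. The records are
constructed; field names mirror AzureDiagnostics WAF columns. Rule-ID prefixes
941 (XSS) and 942 (SQLi) follow OWASP CRS 3.x, which Azure WAF's managed rule
set is based on.
"""
from collections import defaultdict

# Constructed sample records. Note the CRS 3.x anomaly-scoring behaviour: each
# matching signature rule is logged as "Matched", and only the blocking
# evaluation rule (949110) is logged as "Blocked" in Prevention mode. A
# detection must therefore look at the signature rules, not only at "Blocked".
SAMPLE_LOGS = [
    {"clientIp_s": "203.0.113.10", "ruleId_s": "942100",
     "ruleGroup_s": "REQUEST-942-APPLICATION-ATTACK-SQLI", "action_s": "Matched"},
    {"clientIp_s": "203.0.113.10", "ruleId_s": "949110",
     "ruleGroup_s": "REQUEST-949-BLOCKING-EVALUATION", "action_s": "Blocked"},
    {"clientIp_s": "198.51.100.7", "ruleId_s": "941100",
     "ruleGroup_s": "REQUEST-941-APPLICATION-ATTACK-XSS", "action_s": "Matched"},
    {"clientIp_s": "198.51.100.7", "ruleId_s": "941110",
     "ruleGroup_s": "REQUEST-941-APPLICATION-ATTACK-XSS", "action_s": "Matched"},
    {"clientIp_s": "192.0.2.55", "ruleId_s": "920350",
     "ruleGroup_s": "REQUEST-920-PROTOCOL-ENFORCEMENT", "action_s": "Matched"},
]


def classify(rule_id: str):
    """Map a CRS rule ID to the attack class used by the detection, or None."""
    if rule_id.startswith("942"):
        return "SQLi"
    if rule_id.startswith("941"):
        return "XSS"
    return None  # other CRS groups (protocol enforcement, anomaly evaluation, ...)


def detect(records, attack_type: str, threshold: int = 1):
    """Return {source_ip: hit_count} for IPs with >= threshold hits of attack_type.

    threshold is an assumed tuning knob: raising it trades fewer false-positive
    incidents for slower response to low-and-slow attackers.
    """
    hits = defaultdict(int)
    for rec in records:
        if classify(rec["ruleId_s"]) == attack_type:
            hits[rec["clientIp_s"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for kind in ("SQLi", "XSS"):
        print(kind, detect(SAMPLE_LOGS, kind))
```

The output of `detect` (a set of offending source IPs) is exactly the entity an incident would carry into the automation step; the rule group names are kept in the sample only so a reader can recognise them in real logs.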
Playbook Deployment:
A Sentinel Playbook, ‘Block-IPAzureWAF’, is executed in response to WAF incidents. Its goal is to create or modify a custom rule in a WAF policy that blocks requests from a given source IP address. This is done through the Azure REST API. The Playbook can be deployed from our GitHub repository.
i. Logic Implemented:
The Playbook template needs the following inputs during the deployment:
This Playbook works with both Application Gateway and Front Door WAF policies in the following scenarios.
ii. Prerequisites:
For this Playbook to work as expected, follow the steps below:
Configuring Detection and Response:
The following steps need to be implemented to complete the setup.
Once the analytic rule is created with the corresponding automation rule settings, detection and response are in place. The following flow of events happens during an attack:
An important point to note is that Azure WAF already blocks requests matching SQLi and XSS signatures through its managed Core Rule Set, provided the policy runs in Prevention mode (in Detection mode matches are only logged). This automated detection and response configuration goes further by adding or modifying custom block rules on the Azure WAF policy for the offending source IPs. Because custom rules are evaluated before the managed rule set, all subsequent traffic from those source IPs is dropped without ever being inspected by the managed rules, which saves inspection cost and also stops the attacker's later, possibly more evasive, requests.
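The part of this flow that does the actual work is the Playbook's "create or modify a custom rule" step. The following is an added example, written for this post and not the Block-IPAzureWAF Playbook's own code, of the create-or-modify logic such a Playbook needs: given a WAF policy's existing customRules, it adds the attacker IP to a dedicated block rule, creating that rule if it does not exist, and refuses to block addresses on a protected list. The custom rule body follows the Application Gateway WAF policy custom rule schema (RemoteAddr / IPMatch); the rule name, priority, protected ranges and sample policy are assumptions, and no network call is made: the caller would PUT the resulting policy to Azure.

```python
"""Create-or-modify logic for an IP block custom rule on an Azure WAF policy.

Hypothetical code, not the Block-IPAzureWAF Playbook. It operates on the
customRules array of an Application Gateway WAF policy and returns the updated
array; the caller is responsible for the REST PUT. Rule name, priority and the
protected ranges below are assumptions.
"""
import copy
import ipaddress

BLOCK_RULE_NAME = "SentinelBlockIP"      # assumed rule name
BLOCK_RULE_PRIORITY = 1                   # assumed; lower value evaluates first
# Assumed allow-list: never let an automated response lock out your own
# ranges (monitoring, CI, VPN egress). Spoofed or misattributed IPs in an
# incident are a classic way an attacker turns auto-block into self-DoS.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]


def _new_block_rule(name: str, priority: int) -> dict:
    """Custom rule body for Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies.

    "negationConditon" is spelled this way in the Azure API itself.
    """
    return {
        "name": name,
        "priority": priority,
        "ruleType": "MatchRule",
        "action": "Block",
        "matchConditions": [{
            "matchVariables": [{"variableName": "RemoteAddr"}],
            "operator": "IPMatch",
            "negationConditon": False,
            "matchValues": [],
        }],
    }


def add_block_ip(custom_rules: list, ip: str,
                 name: str = BLOCK_RULE_NAME,
                 priority: int = BLOCK_RULE_PRIORITY):
    """Return (updated_custom_rules, changed).

    The input list is not mutated, so a failed PUT can be retried from the
    original policy. Raises ValueError for a malformed address or one that
    falls inside NEVER_BLOCK.
    """
    # The IP must come from the WAF log's client IP field, never from a
    # client-controlled header; validating it also rejects injected garbage.
    net = ipaddress.ip_network(ip, strict=False)
    if any(net.subnet_of(p) for p in NEVER_BLOCK if net.version == p.version):
        raise ValueError(f"refusing to block protected address {ip}")

    rules = copy.deepcopy(custom_rules)
    rule = next((r for r in rules if r["name"] == name), None)
    if rule is None:
        # Azure requires custom rule priorities to be unique within a policy.
        if any(r["priority"] == priority for r in rules):
            raise ValueError(f"priority {priority} already used by another rule")
        rule = _new_block_rule(name, priority)
        rules.append(rule)

    values = rule["matchConditions"][0]["matchValues"]
    if ip in values:
        return rules, False          # idempotent: re-running on the same incident is a no-op
    values.append(ip)
    return rules, True


if __name__ == "__main__":
    policy_rules = []                # constructed: policy with no custom rules yet
    policy_rules, changed = add_block_ip(policy_rules, "203.0.113.10")
    print(changed, policy_rules)
```

When wiring this into a Logic App, keep the read-modify-write of the whole policy in mind: the REST API replaces the customRules array, so two incidents handled concurrently can overwrite each other's additions unless the Playbook serialises runs or re-reads the policy immediately before the PUT.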
Conclusion:
As shown above, the newly added detection rule templates simplify setting up automated detection and response for attacks such as SQL injection and cross-site scripting on Azure WAF, which strengthens the overall security posture.