The Default Rule Set 2.1 (DRS 2.1) on Azure's global Web Application Firewall (WAF) with updated rules against new attack signatures is now available to Web Application Firewall customers. This ruleset is available on the Azure Front Door Premium tier.
DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and includes the Microsoft Threat Intelligence (MSTIC) rules that are written in partnership with the Microsoft Intelligence team.
As with the previous DRS 2.0, the MSTIC team analyzes Common Vulnerabilities and Exposures (CVEs) and adapts the CRS ruleset to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction. Azure Front Door WAF with DRS 2.1 also uses anomaly scoring mode, so rule matches are not considered independently.
There are 17 rule groups in DRS 2.1, each group containing multiple rules customizable at rule group and rule set levels.
DRS is enabled by default in Detection mode in WAF policies. You can disable or enable individual rules within the Default Rule Set and enable specific actions per rule. However, some rules are disabled upon deployment: the Microsoft Threat Intelligence team has improved on these rules and replaced them with MSTIC signatures (identified by their 8-digit IDs).
You can also enable the following rules to detect and protect against the SpringShell vulnerability
For additional information on the disabled rules and signature replacement, see the Disabled rules table.
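To show what "rule matches are not considered independently" means in practice, here is an added example (not Microsoft's code and not part of the original post) that models anomaly scoring next to per-rule evaluation. The severity weights, the threshold of 5 and the rule IDs are assumptions: the weights and threshold follow Azure WAF documentation rather than this post, and the rule IDs are constructed placeholders.

```python
# Added illustration of anomaly scoring; a simplified model, not Microsoft's code.
# Assumptions (not from this post): severity weights and a threshold of 5,
# as described in Azure WAF documentation. Rule IDs are constructed placeholders.
SEVERITY_SCORE = {"Critical": 5, "Error": 4, "Warning": 3, "Notice": 2}
THRESHOLD = 5


def anomaly_decision(matches, mode="Detection", disabled=frozenset()):
    """Score one request. matches: iterable of (rule_id, severity)."""
    # Disabled rules never contribute to the request's score.
    counted = [(rid, sev) for rid, sev in matches if rid not in disabled]
    score = sum(SEVERITY_SCORE[sev] for _, sev in counted)
    if score < THRESHOLD:
        action = "Allow"   # matches are recorded, the request passes
    elif mode == "Prevention":
        action = "Block"
    else:
        action = "Log"     # Detection mode: threshold reached, logged only
    return {"score": score, "action": action, "counted": [r for r, _ in counted]}


def independent_decision(matches, disabled=frozenset()):
    """Contrast: each match judged on its own, so any enabled match blocks."""
    return "Block" if any(rid not in disabled for rid, _ in matches) else "Allow"


# Constructed sample requests and the rules each one matched.
SAMPLES = {
    "single_warning": [("RULE-A", "Warning")],
    "warning_plus_notice": [("RULE-A", "Warning"), ("RULE-B", "Notice")],
    "single_critical": [("RULE-C", "Critical")],
}

if __name__ == "__main__":
    for name, matches in SAMPLES.items():
        for mode in ("Detection", "Prevention"):
            print(name, mode, anomaly_decision(matches, mode))
        print(name, "independent:", independent_decision(matches))
    # Disabling RULE-B drops the combined score back under the threshold.
    print(anomaly_decision(SAMPLES["warning_plus_notice"], "Prevention", {"RULE-B"}))
```

When tuning false positives, this is why disabling one low-severity rule can change the outcome for requests that also match other rules.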
Improvements in WAF with Default Rule Set 2.1
These updates are not available in the WAF for Azure Front Door classic and standard tiers. Consider migrating to Premium Tier to take advantage of these security improvements.