
Azure Front Door WAF policy Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110 blocks requests with "Inbound Anomaly Score Exceeded" message


I have Front Door and WAF configured for one of my web applications. The WAF is currently in detection mode. While reviewing the logs, I mostly see the details below in all the blocked requests:

ruleName_s : Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110
action_s : Block
policyMode_s : detection
details_matches_s : []
details_msg_s : Inbound Anomaly Score Exceeded
Type : AzureDiagnostics

The above is logged on random requestUri_s values that have .html, .js, .jpeg etc. I did follow the trackingReference_s, but didn't get any details with the trackingReference in the log.

I just want to see how I can evaluate false positives in this case. Is it OK to change the policy mode to prevention if these requests are blocked in prevention mode?

Thanks, Rajesh


Solution

  • To evaluate if these are false positives you'll need to look at several things.

    An Azure Front Door log entry with the field "ruleName_s" of "Microsoft_DefaultRuleSet-2.0-BLOCKING-EVALUATION-949110" and an "action_s" of "Block" follows one or more log entries with an "action_s" of "AnomalyScoring". You can see all the relevant entries for a blocking evaluation by using the "trackingReference_s" field.

    [screenshot: Log Analytics query results for one trackingReference_s]

    Text of the query:

    AzureDiagnostics
    | where trackingReference_s == '03VuQZAAAAABzkx+f3NXPRoWkytsHgm/vQVRBRURHRTEyMTYANTcxYzNhYmEtNjFlOC00NmZhLWJlNTktOTEyMjlkMTIyNzkz'
    | project TimeGenerated, Category, ruleName_s, action_s, trackingReference_s
    | order by TimeGenerated desc
    

    After you know which rules triggered the block (in the example image, Microsoft_DefaultRuleSet-2.0-XSS-941170 and Microsoft_DefaultRuleSet-2.0-XSS-941130) you can investigate the "details_matches_s" and "details_msg_s" columns to see what data from the request matched the blocking rule.

    You can also determine how these rules evaluate by cross-referencing the Web Application Firewall core rule sets here. For example, the rule in the Azure Front Door log for "Microsoft_DefaultRuleSet-2.0-XSS-941170" is a hit for the REQUEST-941-APPLICATION-ATTACK-XSS group, specifically rule 941170, "NoScript XSS InjectionChecker: Attribute Injection".

    You can then download the rule definitions from the OWASP site to see the regex used to evaluate the rule.
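As an added example, not part of the question or the answer above, the query below generalizes the per-trackingReference lookup to the whole detection-mode log. It joins every 949110 blocking evaluation to the AnomalyScoring entries that share its trackingReference_s, then ranks the contributing rules by how many requests, distinct URIs and distinct clients they hit, which is the view you need before deciding whether prevention mode is safe. Assumptions: the WAF log lands in AzureDiagnostics (the table shown in the post) with Category "FrontdoorWebApplicationFirewallLog"; the host_s, clientIP_s and details_data_s columns and the 7-day lookback are assumed, the other field names are the ones visible in the logged entry above.

```kusto
// Added example, not from the original post. Assumes Front Door WAF
// diagnostics are sent to a Log Analytics workspace in AzureDiagnostics
// mode with Category "FrontdoorWebApplicationFirewallLog" (assumption).
let lookback = 7d;
let waf = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where Category == "FrontdoorWebApplicationFirewallLog";
// 1. Blocking evaluations: one row per request that would be blocked in
//    prevention mode. These rows carry no match details (details_matches_s
//    is always []), only the tracking reference that ties them to the
//    rule hits below.
let blocked = waf
    | where action_s == "Block" and ruleName_s endswith "-949110"
    | project trackingReference_s, host_s, requestUri_s, clientIP_s;
// 2. AnomalyScoring rows: the individual rules that added to the score for
//    the same request, with the matched variable and the matched data.
let scoring = waf
    | where action_s == "AnomalyScoring"
    | project trackingReference_s, ruleName_s, details_msg_s,
              details_matches_s, details_data_s;
// 3. Join on the tracking reference and aggregate per contributing rule.
//    A rule that fires across many static URIs and many clients, always
//    on the same matched data (a cookie or header value, say), is a
//    false-positive candidate; a rule that fires on one URI from one
//    client with payload-like data is more likely a real probe.
blocked
| join kind=inner (scoring) on trackingReference_s
| summarize Requests        = dcount(trackingReference_s),
            DistinctUris    = dcount(requestUri_s),
            DistinctClients = dcount(clientIP_s),
            SampleUris      = make_set(requestUri_s, 5),
            SampleMatches   = make_set(details_matches_s, 5),
            SampleData      = make_set(details_data_s, 5)
    by ruleName_s, details_msg_s
| order by Requests desc
```

Run this in the workspace that receives the Front Door diagnostic logs. The 949110 row on its own never tells you what matched; the rule name, matched variable and matched data are only on the AnomalyScoring rows with the same trackingReference_s, which is why the join is needed. Once the top rows are explained (and any genuine false positives handled), the Requests column also gives you the number of legitimate requests that would start failing the moment the policy is switched to prevention.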