February 7, 2025
Azure WAF guided investigation Notebook using Microsoft Sentinel for automated false positive tuning | Azure Blog and Updates

With special thanks to Pete Bryan, Principal Security Research Manager, Microsoft Security.

The SQL injection attack remains one of the critical attacks in the OWASP Top 10. It involves injecting a SQL query through the input data field into a web application that does not validate its input. According to the Microsoft Digital Defense Report 2022, 67 percent of web application exploits include SQL injections.

Azure Web Application Firewall (Azure WAF) provides centralized protection of your web applications from exploits and vulnerabilities. It protects against OWASP Top 10 attacks, bot attacks, application layer Distributed Denial of Service (DDoS) attacks, and other web attacks.

Azure WAF detects SQL injection attacks and blocks them by default. In certain scenarios, a detection can be a false positive that requires investigation and the creation of Azure WAF exclusions. To complete a successful investigation, you need full context about the attack and a process that guides you through the investigation.

We are pleased to announce a new Azure WAF guided investigation to tune WAF policy Notebook in preview. It guides you through an investigation experience to understand Azure WAF incidents in Microsoft Sentinel, identify false positives, and automatically apply exclusions to WAF rules to address those false positives. This Notebook lets you understand the WAF alert, pivot on key entities of the WAF event such as the request URI, client IP, and hostname, and correlate them with Threat Intelligence feeds to get a holistic view of the attack surface.

Azure WAF investigations powered by Microsoft Sentinel

Azure WAF is deeply integrated with Microsoft Sentinel, Microsoft's Security Information and Event Management (SIEM) solution. Using the existing Azure WAF data connector, WAF logs are ingested and then analyzed for a variety of web application attacks, and powerful visualizations pivoting on the full attack pattern are presented to you. This Notebook is built using Microsoft Threat Intelligence Center's MSTICpy packages. With this Notebook, you can access rich historical contextual information using Microsoft Sentinel's capabilities such as incident generation, the entity graph, and threat intelligence correlation, in conjunction with Azure WAF's SQL injection detections based on OWASP rules and Microsoft Threat Intelligence rules.

Automated investigation and mitigation of web application attacks

Our new Azure WAF guided investigation to tune WAF policy Notebook provides an automated guided investigation for triaging Sentinel incidents triggered by Azure WAF SQL injection rules.

The solution includes the following components:

  • Azure WAF data connector in Microsoft Sentinel.
  • Microsoft Sentinel incidents that are generated as a result of SQL injection attacks detected by the Microsoft Sentinel analytic rules.
  • Azure WAF Notebook that helps investigate Azure WAF logs and automatically applies WAF exclusions to the WAF policy.

A high-level diagram explaining the data flow is given below:

Figure: Azure WAF protecting backends hosted in Azure, other clouds, and on-premises from traffic originating from malicious actors as well as legitimate users. A WAF-triggered log is analyzed by the Sentinel Notebook and an automated exclusion is applied for a confirmed false positive.

Let us look at two use case scenarios for this Notebook:

Understanding the attack landscape when there is a true positive

Using the Notebook, you can pivot on various attack artifacts such as IP, URL, or domain threat intelligence, and understand the entity graph. The Notebook retrieves the WAF SQLi rule that generated the detection and looks up related SQLi rule events within the pre-selected time window. Based on these details, if you determine that the SQL injection attack is valid, you can update the incident severity and priority. In this scenario, the web application remains protected by Azure WAF.

Figure: A threat actor attempting to access a SQL database connected to a web application protected by Azure WAF. WAF detects the SQL injection attack and blocks the call. The log is analyzed in the Sentinel Notebook to correlate with Threat Intelligence and is visualized in the alert entity graph.

Understanding the attack pattern and creating exclusions when there is a false positive

Using the Notebook, you can pivot on various attack artifacts such as IP, URL, or domain threat intelligence, and understand the entity graph. The Notebook retrieves the WAF SQLi rule that generated the detection and looks up related rule events. It also retrieves raw WAF logs to show the relations between the request URI, client IP, and hostname entities, and lets you dynamically access the OWASP rule set in GitHub to understand the rule match pattern. Based on the investigation, if you determine that the incident is a false positive, the process to automatically create granular exclusions is presented to you, and the exclusions are applied to the Azure WAF policy using Azure WAF APIs.

Figure: A legitimate user attempting to access the web application; the first request is blocked by WAF as a SQL injection attack. The log is analyzed by the Sentinel Notebook and an automated exclusion is applied once it is confirmed as a false positive. Subsequent requests go through successfully.

The following personas would benefit from this Notebook:

Persona: Developer at SomeUnionFlight.com

Understanding SQL injection detection logic

Chris is a developer at SomeUnionFlight.com. His company hosts a website for customers to search for flights and make flight reservations. They have hosted their website behind WAF with Azure Front Door (AFD), where AFD accepts client requests to search their website. SomeUnionFlight.com has a SQL backend where they store flight information. He notices that when customers try to access the website, their access is blocked because the URL contains the "Union" keyword, which triggers the SQL injection rule. This detection is considered a false positive because the "Union" keyword is part of the website name and not a SQL injection attack. He would like an investigation experience that helps him understand how to analyze this detection using Microsoft Sentinel and determine whether it is a false positive. He would also like to automatically create exclusions for false positives on the URL without having to disable the entire rule.
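The triage the two scenarios above describe (pivot on the rule, client IPs and URIs behind a detection, decide whether the matched data is a bare keyword or real SQL grammar, then scope an exclusion to the one parameter instead of disabling the rule) as an added Python example. It is not the Notebook's own code; the log field names, the sample entries and the exclusion JSON shape are constructed assumptions modelled on Azure WAF diagnostics and the WAF policy exclusion schema, and should be checked against the current API reference before use.

```python
"""Triage constructed Azure WAF SQLi detections and draft a granular exclusion."""
import re
from collections import defaultdict

# Constructed sample log entries (assumed field names, not from the original post).
WAF_LOGS = [
    {"ruleName_s": "942190", "action_s": "Block", "clientIP_s": "203.0.113.10",
     "host_s": "someunionflight.com", "requestUri_s": "/search?dest=Union%20Station",
     "details_data_s": "Matched Data: Union found within ARGS:dest: Union Station"},
    {"ruleName_s": "942190", "action_s": "Block", "clientIP_s": "203.0.113.11",
     "host_s": "someunionflight.com", "requestUri_s": "/search?dest=Union%20Square",
     "details_data_s": "Matched Data: Union found within ARGS:dest: Union Square"},
    {"ruleName_s": "942190", "action_s": "Block", "clientIP_s": "198.51.100.7",
     "host_s": "someunionflight.com", "requestUri_s": "/search?dest=x'%20UNION%20SELECT%201,2--",
     "details_data_s": "Matched Data: UNION SELECT found within ARGS:dest: x' UNION SELECT 1,2--"},
]

# SQL grammar that distinguishes an injection attempt from a plain word like "Union".
SQL_SYNTAX = re.compile(r"(union\s+(all\s+)?select|'\s*or\s+1=1|--|;\s*drop)", re.I)


def classify(entry):
    """A bare keyword with no SQL grammar is a likely false positive;
    SQL syntax in the matched data is treated as a true positive."""
    return "true_positive" if SQL_SYNTAX.search(entry["details_data_s"]) else "false_positive"


def summarize(logs):
    """Per rule: the distinct client IPs and URIs involved, plus a verdict per event.
    Many IPs hitting one benign URI pattern points at a rule tuning problem;
    one IP probing many URIs points at an attacker."""
    by_rule = defaultdict(lambda: {"ips": set(), "uris": set(), "verdicts": []})
    for e in logs:
        r = by_rule[e["ruleName_s"]]
        r["ips"].add(e["clientIP_s"])
        r["uris"].add(e["requestUri_s"])
        r["verdicts"].append(classify(e))
    return by_rule


def draft_exclusion(entry):
    """Scope the exclusion to the single query-string argument that caused the
    match, for this rule only. The dict shape is an assumed simplification of
    the WAF policy exclusion schema (matchVariable / selectorMatchOperator / selector)."""
    arg = re.search(r"within ARGS:(\w+)", entry["details_data_s"]).group(1)
    return {"matchVariable": "QueryStringArgNames", "selectorMatchOperator": "Equals",
            "selector": arg, "rules": [entry["ruleName_s"]]}
```

Running `summarize(WAF_LOGS)` shows one rule, three client IPs and two false-positive verdicts beside one true positive, so only the `dest` argument is excluded and the rule keeps blocking the injection attempt.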

Persona: SecOps analyst at Contoso.com

Understanding collateral attack vectors

Ashley is a Security Operations analyst at Contoso.com. Her company has purchased both Azure WAF and Microsoft Sentinel. She is responsible for analyzing WAF logs and identifying attack patterns. She would like to understand whether the client IP or the request URI associated with the WAF rule that triggered the SQL injection detection are Indicators of Compromise (IoC). By understanding the related Threat Intelligence Indicators of Compromise, she can prevent future attacks on her organization.

Get started today

SQL injection attacks are becoming more prevalent by the day, and Azure WAF protects web applications from these attacks. To enable a high-quality investigation experience for Azure WAF customers, we have created this new Azure WAF guided investigation Notebook that lets you quickly understand the full attack surface and take action on the incidents. You can follow our step-by-step instructions to learn how to use the Notebook.

This new Azure WAF Notebook can be found in Microsoft Sentinel under Notebooks in the Threat Management section.

1)	Open the Notebooks blade on the left side and search for the keyword "WAF". The Azure WAF – guided investigation Notebook is presented to you (screenshot).

2)	The Notebook description is displayed, and you can launch the Notebook using "Create from template" (screenshot).