Azure: Are there best practices for intrusion detection alerts?

Frank Schullerer 141 Reputation points
2022-08-24T11:57:13.593+00:00

Hey,

we are trying to find best practices for our alert-management in Azure. We have a next generation Azure firewall/Application Gateway/WAF and the OWASP rules activated.
Now we are trying to create "good" alerts to notify us. Does anybody have a set of rules they can share e.g. alert by 100 blocked requests/minute?

Thanks in advance!

Frank


1 answer

Sort by: Most helpful
  1. David Broggy 5,686 Reputation points MVP
    2022-08-24T16:48:41.277+00:00

    Hi Frank,
    I have some guidelines, but I prefer making my rules to match the required conditions for a given web site...

    Guidelines:

    • understand the web site(s) you're protecting
    • identify vulnerable access points such as login pages (any page where data can be entered), and create detections for those specific links.
    • consider some 'deception links' - i.e. if anyone tries to access these links, generate an alert for early warning (then block those source IPs)
    • worry less about static pages that have nothing that can be exploited.

    Here are some common use cases for WAF:

    • Count of DISTINCT alert names per destination - my usual threshold for this is 3 or more per hour.
    • Unsupported user-agents - alert on any user-agents except the regular browser types.
    • Periodically review the OWASP top threats and ensure you have detections enabled for these, if possible.
    • log your WAF events to Sentinel and use threat intelligence feeds to alert if matched.
    • Use Sentinel to easily create scan/rate based detections - e.g. high rate of login denies from 1 or more sources.
    • Enable all of the WAF detections provided by Sentinel - see screenshot.

    Good luck!

    [screenshot attached to the original answer]

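Two of the detections described in the answer above (distinct alert names per destination per hour with a threshold of 3, and a rate-based count of blocked login requests per source per minute), as an added example that is not part of the original thread. The log records and field names (`host`, `uri`, `client_ip`, `rule`, `action`) are constructed for illustration and are not the exact Azure WAF log schema.

```python
"""Offline prototype of the WAF alert logic from the answer; constructed data."""
from collections import defaultdict
from datetime import datetime

# Constructed WAF block events. Field names are illustrative, not Azure's schema.
FIELDS = ("time", "host", "uri", "client_ip", "rule", "action")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("2022-08-24T10:02:00Z", "shop.example.com", "/login", "203.0.113.7", "SQLI", "Blocked"),
    ("2022-08-24T10:05:10Z", "shop.example.com", "/login", "203.0.113.7", "SQLI", "Blocked"),
    ("2022-08-24T10:05:20Z", "shop.example.com", "/login", "203.0.113.7", "XSS", "Blocked"),
    ("2022-08-24T10:05:40Z", "shop.example.com", "/login", "203.0.113.7", "SQLI", "Blocked"),
    ("2022-08-24T10:30:00Z", "shop.example.com", "/search", "198.51.100.2", "RFI", "Blocked"),
    ("2022-08-24T10:45:00Z", "static.example.com", "/index.html", "198.51.100.9", "SQLI", "Blocked"),
    ("2022-08-24T10:50:00Z", "static.example.com", "/img", "203.0.113.7", "XSS", "Blocked"),
    ("2022-08-24T11:10:00Z", "static.example.com", "/about", "198.51.100.9", "SQLI", "Blocked"),
]]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def distinct_rules_per_host_hour(events, threshold=3):
    """Answer's first use case: count DISTINCT rule names per destination host
    per hour and return only the (host, hour) buckets at or above the threshold.
    Keys are (host, 'YYYY-MM-DD HH:00'); values are the sorted rule names."""
    buckets = defaultdict(set)
    for e in events:
        hour = parse_time(e["time"]).strftime("%Y-%m-%d %H:00")
        buckets[(e["host"], hour)].add(e["rule"])
    return {k: sorted(v) for k, v in buckets.items() if len(v) >= threshold}


def login_denies_per_source_minute(events, login_path="/login", threshold=3):
    """Rate-based detection: blocked requests to the login page per source IP
    per minute. Keys are (client_ip, 'YYYY-MM-DD HH:MM'); values are counts."""
    counts = defaultdict(int)
    for e in events:
        if e["uri"] == login_path and e["action"] == "Blocked":
            minute = parse_time(e["time"]).strftime("%Y-%m-%d %H:%M")
            counts[(e["client_ip"], minute)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    print("distinct-rule alerts:", distinct_rules_per_host_hour(SAMPLE_EVENTS))
    print("login-rate alerts:", login_denies_per_source_minute(SAMPLE_EVENTS))
```

The static host sees only two distinct rules in the 10:00 hour and a single rule in the 11:00 hour, so it stays below the threshold while the shop host fires; the same source IP fires the rate alert only in the minute where it accumulated three blocked login requests.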