Azure WAF Sensitive data scrubbing and InitialBodyContents match
We have requests that have application/x-www-form-urlencoded body contents which trigger false positives for the WAF rule "URL Encoding Abuse Attack Attempt" matching on the variable InitialBodyContents .
Annoyingly part of the match contains sensitive data that we do not want logged.
It seems you cannot add exclusions on InitialBodyContents, also it seems the "Senstive Data" WAF feature also cannot use InitialBodyContents as one of its variables to scrub.
The only options seems to be to disable the rule entirely - is there some way to scrub InitialBodyContents so sensitive data is not logged?
TBH this particular rule seems a bit over-zealous and I can just turn it off, but it also concerns me that this could happen with other rules and there doesn't seem to be a way to scrub information if the matched value is InitialBodyContents.