Hello @romero ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know if the latest 3.2 version of CRS in Azure WAF is created based on the OWASP 3.2 version or newer.
As mentioned in the Azure WAF documentation, CRS 3.2 ruleset is based off OWASP CRS 3.2.0 version.
But the newly added default rule set DRS 2.1 is baselined off the OWASP Core Rule Set (CRS) 3.3.2 and extended to include additional proprietary protections rules developed by Microsoft Threat Intelligence team.
Since there have been quite a few false positives with the default OWASP rules, the Microsoft Threat Intelligence Collection rules were written in partnership with the Microsoft Threat Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
The team is refining/fine tuning the WAF rules to minimize false positives.
The DRS 2.1 ruleset was introduced on October 31, 2023. Post which, there has been no changes so far.
I will discuss with the Azure WAF Product Group team and update you on any future improvements which are in pipeline.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.