@Rajiv Bansal
Thank you for reaching out.
I understand you wish to know which ruleset, Microsoft Default Rule Set 2.1 or OWASP 3.2, provides more comprehensive coverage.
I think the Microsoft Default Rule Set 2.1 will be the better option here because DRS 2.1 is baselined off the Open Web Application Security Project (OWASP) Core Rule Set (CRS) 3.3.2 and extended to include additional proprietary protection rules developed by the Microsoft Threat Intelligence team. The Microsoft Threat Intel team analyzes Common Vulnerabilities and Exposures (CVEs) and further adapts the CRS ruleset to address CVEs and reduce false positives.
This information is currently documented here.
Additional reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=owasp32#drs-21
Is there any option to apply both rule sets together and is it advisable?
Currently, it is not possible to apply both rulesets, although you can explore the option of using per-site/per-URI policies supported by Application Gateway. More information can be found here.
Although documentation says that both rule sets are applied by default in detection mode
Meanwhile, can you please share a link to the documentation where this is documented so that we can take a look and update the doc?
Hope this helps! Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.