What logic in custom rules of WAF should be used?

Testa 551 Reputation points
2022-10-05T16:40:31.64+00:00

Hi,

Recently, we received about 100 emails (web forms) from the same IP address.
We want to create an alert if someone is doing the same or similar things. I found the document below, but I am not sure what logic I should use for a WAF custom alert (I cannot use an IP address, since I don't know which IP address will be used in the future).

https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/web-application-firewall-security-baseline#27-enable-alerts-for-anomalous-activities

Could you please advise what custom rules should be set?

Azure Web Application Firewall

1 answer

  1. KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee
    2022-10-06T12:47:19.203+00:00

    Hi @Testa ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
    I understand that you would like to create an alert using Azure WAF.

    Custom rules are used for one-time hits and they do not understand pattern-attacks.

    You can consider using Azure Bot Protection with WAF.
    You can enable a managed bot protection rule set for your WAF to block or log requests from known malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed.

    This should help you with blocking any traffic from malicious IPs.

    You can also consider using Rate Limiting if you are using Azure Front Door WAF.
    Refer: https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit

    Please let me know if you have further queries on this.

    Cheers,
    Kapil

    1 person found this answer helpful.
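
The per-client counting behind a rate limit, shown as an added example over constructed log lines (not code from this thread or from Azure): it flags any client IP that sends more than a threshold of form POSTs within a sliding window, so no IP address has to be known in advance. The log layout, the `/contact` path, the threshold and the window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2022, 10, 5, 16, 0, 0)

# Constructed sample lines (not real logs): "<ISO timestamp> <client IP> <method> <path>"
SAMPLE_LOG = (
    # One client posting the form every 5 seconds
    [f"{(BASE + timedelta(seconds=5 * i)).isoformat()} 203.0.113.7 POST /contact" for i in range(12)]
    # A slower client posting every 40 seconds
    + [f"{(BASE + timedelta(seconds=40 * i)).isoformat()} 198.51.100.20 POST /contact" for i in range(12)]
    # Page views only; never counted as form submissions
    + [f"{(BASE + timedelta(seconds=i)).isoformat()} 192.0.2.44 GET /contact" for i in range(30)]
)


def parse(line):
    """Split one log line into (timestamp, client IP, method, path)."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path


def find_form_floods(lines, form_path="/contact", threshold=10,
                     window=timedelta(minutes=1)):
    """Return {client_ip: time it first exceeded `threshold` POSTs to
    `form_path` inside one sliding `window`}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    alerts = {}
    for ts, ip, method, path in sorted(map(parse, lines)):
        if method != "POST" or path != form_path:
            continue
        q = recent[ip]
        q.append(ts)
        # Drop submissions that have aged out of the window
        while ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in find_form_floods(SAMPLE_LOG).items():
        print(f"ALERT {ip} exceeded the form submission rate at {when.isoformat()}")
```
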