Azure Front Door WAF policy deleted
Description
AlphaSOC detected deletion of an Azure Front Door Web Application Firewall policy via the Microsoft.Network/frontdoorWebApplicationFirewallPolicies/delete action. Front Door WAF policies protect web applications from common attacks including SQL injection, cross-site scripting, and other OWASP threats.
Deleting WAF policies removes critical security controls protecting web-facing applications. Attackers may delete WAF policies before exploiting web application vulnerabilities that would otherwise be blocked.
Impact
Removal of WAF protection exposes web applications to common attack vectors. Applications that rely on WAF rules for security become immediately vulnerable to exploitation. This can lead to data breaches, account compromise, or further penetration into backend systems.
Severity
| Severity | Condition |
|---|---|
| Medium | Front Door WAF policy deleted |
Investigation and Remediation
Review Azure Activity logs to identify who deleted the WAF policy and the applications that were protected by it. Check web application logs for attack attempts following the WAF deletion. Assess whether any applications were compromised during the protection gap.
If the deletion was unauthorized, immediately recreate or restore the WAF policy to protect affected applications. Investigate the principal's other activities and rotate their credentials. Implement RBAC policies to restrict WAF management to designated security administrators.
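A triage sketch for the Activity log review described above, added here as an example and not AlphaSOC's detection code: it filters exported Activity Log records for the delete action named in the description and reports the caller, source IP, policy name and outcome. It assumes records shaped like `az monitor activity-log list` JSON output; the sample events, helper names and function name are constructed for illustration.

```python
# Operation from the detection description; compared case-insensitively so
# records with upper-cased operation names still match.
WAF_DELETE_OP = "microsoft.network/frontdoorwebapplicationfirewallpolicies/delete"
TERMINAL = {"succeeded", "failed"}  # ignore "Started"/"Accepted" progress events

_OP = "Microsoft.Network/frontdoorWebApplicationFirewallPolicies/"
_RID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
        "/providers/" + _OP)

def _ev(ts, caller, corr, action, status, ip, policy):
    """Build one constructed record; the field layout is assumed to match
    `az monitor activity-log list` JSON output."""
    return {"eventTimestamp": ts, "caller": caller, "correlationId": corr,
            "operationName": {"value": _OP + action}, "status": {"value": status},
            "httpRequest": {"clientIpAddress": ip}, "resourceId": _RID + policy}

# Constructed sample data, not real tenant logs.
SAMPLE_EVENTS = [
    _ev("2024-05-02T10:15:02Z", "ops@example.com", "c-001", "delete", "Started", "203.0.113.7", "prodWaf"),
    _ev("2024-05-02T10:15:09Z", "ops@example.com", "c-001", "delete", "Succeeded", "203.0.113.7", "prodWaf"),
    _ev("2024-05-02T11:40:31Z", "dev@example.com", "c-002", "delete", "Failed", "198.51.100.23", "stagingWaf"),
    _ev("2024-05-02T12:05:44Z", "sec@example.com", "c-003", "write", "Succeeded", "203.0.113.9", "prodWaf"),
]

def waf_policy_delete_events(events):
    """Return one record per completed (succeeded or failed) WAF policy delete."""
    seen = {}
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        status = (ev.get("status") or {}).get("value", "").lower()
        if op.lower() != WAF_DELETE_OP or status not in TERMINAL:
            continue
        rid = ev.get("resourceId", "")
        # One operation emits several events; key on correlation ID + resource.
        seen[(ev.get("correlationId"), rid.lower())] = {
            "time": ev.get("eventTimestamp"),
            "caller": ev.get("caller", "unknown"),
            "source_ip": (ev.get("httpRequest") or {}).get("clientIpAddress"),
            "policy": rid.rsplit("/", 1)[-1],
            "status": status,
        }
    return list(seen.values())

if __name__ == "__main__":
    for hit in waf_policy_delete_events(SAMPLE_EVENTS):
        print("{time} {status:9} {policy} by {caller} from {source_ip}".format(**hit))
```

Failed attempts are kept in the output because a denied delete still identifies a principal that tried to remove the policy.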
Known False Positives
- Migration to different WAF solutions