
Unexpected Azure API calls indicating WAF policy deletion

ID: azure_waf_policy_deleted_anomaly
Data type: Azure Activity
Severity: Informational - Medium
MITRE ATT&CK: TA0005 (Defense Evasion): T1562.007 (Impair Defenses: Disable or Modify Cloud Firewall)

Description

AlphaSOC detected an Azure API call that deleted a Web Application Firewall (WAF) policy, issued under conditions that are unexpected for the calling principal (an action, source ASN, user agent or region not previously seen for that identity). WAF policies attached to Azure Application Gateway apply managed rule sets (the OWASP Core Rule Set) and custom rules that block common web attacks such as SQL injection and cross-site scripting. Deleting a WAF policy removes that inspection layer from every application the policy protected.

Impact

Deleting a WAF policy exposes the affected web applications to requests that the policy previously blocked. An attacker who removes the policy can then exploit vulnerabilities in the applications behind it, leading to data breaches, unauthorized access or service disruption, and can do so without the WAF generating any block events for the attack traffic.

Severity

Severity        Condition
Informational   One unexpected property (action, ASN, user agent or region)
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review Azure Activity logs for the Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/delete operation and confirm whether the request succeeded. From the resource ID in the record, identify which WAF policy was deleted and which Application Gateways referenced it. Determine the principal responsible for the deletion (caller, caller IP address and, where enriched, ASN, user agent and region), and check which of those properties were unexpected for that identity. Review the same principal's other activity around the deletion, in particular any earlier changes that detached the policy from gateways or altered other security controls.

If the deletion was unauthorized, immediately recreate the WAF policy, or associate an existing policy with the affected Application Gateways, so the applications are protected again. Review application and gateway access logs for attack attempts during the unprotected window. Rotate credentials for the compromised identity (including any service principal secrets and active sessions), and restrict WAF policy management with least-privilege Azure RBAC; a CanNotDelete resource lock on WAF policies adds a further barrier against accidental or malicious deletion.
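The triage below is an added example, not AlphaSOC's detection code, and it serves both the severity table and the investigation steps above: it scores each WAF policy deletion by counting how many of the four tracked properties (action, ASN, user agent, region) are new for the caller, maps that count to the Informational/Low/Medium scale, extracts the policy name and resource group from the ARM resource ID, and lists which gateways referenced the policy. The Activity records and gateway objects are constructed and simplified; `asn`, `userAgent` and `region` are assumed enrichment fields rather than raw Azure Activity columns, and the subscription ID is a placeholder.

```python
"""Triage Azure Activity records for WAF policy deletions.

Added example, not AlphaSOC's detection code. Records are constructed and
simplified: ``asn``, ``userAgent`` and ``region`` are assumed enrichment
fields rather than raw Azure Activity columns, and each caller's baseline
is built from the earlier records in the same list.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set

WAF_DELETE = "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/delete"
WAF_WRITE = "Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
# Properties compared against the caller's history: action, ASN, user agent, region.
TRACKED = ("operationName", "asn", "userAgent", "region")


def policy_id(rg: str, name: str) -> str:
    """Build a WAF policy ARM resource ID under the placeholder subscription."""
    return (f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Network/"
            f"ApplicationGatewayWebApplicationFirewallPolicies/{name}")


def rec(time, caller, op, asn, ua, region, resource_id):
    return {"time": time, "caller": caller, "operationName": op, "asn": asn,
            "userAgent": ua, "region": region, "resourceId": resource_id}


# Constructed sample Activity records (not real tenant data), oldest first.
RECORDS = [
    rec("2024-05-01T09:00:00Z", "svc-deploy@example.com", WAF_WRITE, 8075,
        "AzurePowershell/7.0", "westeurope", policy_id("prod-web", "waf-prod")),
    # Deletion by a principal whose ASN, UA and region are known: only the action is new.
    rec("2024-05-02T09:00:00Z", "svc-deploy@example.com", WAF_DELETE, 8075,
        "AzurePowershell/7.0", "westeurope", policy_id("staging-web", "waf-staging")),
    rec("2024-05-03T10:00:00Z", "alice@example.com",
        "Microsoft.Network/applicationGateways/read", 3320,
        "Mozilla/5.0 (portal)", "germanywestcentral", policy_id("prod-web", "waf-prod")),
    # Same deletion pattern from svc-deploy again: every property already seen.
    rec("2024-05-10T09:00:00Z", "svc-deploy@example.com", WAF_DELETE, 8075,
        "AzurePowershell/7.0", "westeurope", policy_id("staging-web", "waf-old")),
    # alice deletes the production policy at 02:13 from a new ASN, tool and region.
    rec("2024-05-11T02:13:00Z", "alice@example.com", WAF_DELETE, 14061,
        "python-requests/2.31", "eastus", policy_id("prod-web", "waf-prod")),
]

# Constructed gateways, each carrying the firewallPolicy.id reference an
# Application Gateway holds when a WAF policy is attached.
GATEWAYS = [
    {"name": "agw-prod", "firewallPolicy": {"id": policy_id("prod-web", "waf-prod")}},
    {"name": "agw-staging", "firewallPolicy": {"id": policy_id("staging-web", "waf-staging")}},
    {"name": "agw-internal", "firewallPolicy": None},
]


def severity(unexpected_count: int) -> Optional[str]:
    """Map the number of unexpected properties to the rule's severity table."""
    if unexpected_count >= 3:
        return "Medium"
    if unexpected_count == 2:
        return "Low"
    if unexpected_count == 1:
        return "Informational"
    return None  # nothing unexpected: routine deletion, no alert


def parse_policy(resource_id: str):
    """Return (resource_group, policy_name) from an ARM resource ID."""
    parts = resource_id.strip("/").split("/")
    lower = [p.lower() for p in parts]
    rg = parts[lower.index("resourcegroups") + 1] if "resourcegroups" in lower else None
    return rg, parts[-1]


def gateways_using(resource_id: str, gateways) -> List[str]:
    """Names of gateways whose attached WAF policy is resource_id (case-insensitive)."""
    wanted = resource_id.lower()
    return [g["name"] for g in gateways
            if g.get("firewallPolicy") and g["firewallPolicy"]["id"].lower() == wanted]


def triage(records, gateways=GATEWAYS) -> List[dict]:
    """Score every WAF policy deletion against the caller's prior history.

    A caller with no history scores every property as unexpected, so in
    production the baseline should come from a window of past activity
    rather than from the records under investigation alone.
    """
    seen: Dict[str, Dict[str, Set]] = defaultdict(lambda: defaultdict(set))
    findings = []
    for r in sorted(records, key=lambda x: x["time"]):
        hist = seen[r["caller"]]
        if r["operationName"] == WAF_DELETE:
            unexpected = [p for p in TRACKED if r[p] not in hist[p]]
            rg, name = parse_policy(r["resourceId"])
            findings.append({
                "time": r["time"], "caller": r["caller"], "policy": name,
                "resource_group": rg, "unexpected": unexpected,
                "severity": severity(len(unexpected)),
                "protected": gateways_using(r["resourceId"], gateways),
            })
        for p in TRACKED:  # update the baseline only after scoring this record
            hist[p].add(r[p])
    return findings


if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```

With the constructed data, the first svc-deploy deletion scores Informational (only the action is new), the second scores nothing (routine), and alice's deletion of waf-prod scores Medium with all four properties unexpected and agw-prod listed as the gateway that referenced it. The `protected` list is what tells you where to re-attach a policy first.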

Known False Positives

  • Migration to new WAF configurations
  • Consolidation of security policies
  • Decommissioning of applications no longer requiring protection