Azure API calls indicating WAF policy disabled
Description
AlphaSOC detected that an Azure Web Application Firewall (WAF) policy was disabled. Azure WAF policies are attached to Application Gateway or Azure Front Door and block common web attacks such as SQL injection, cross-site scripting, and other OWASP Top 10 issues before they reach the application. Adversaries may disable a WAF policy to let malicious traffic through, or to make a subsequent web application attack easier and less visible.
Impact
Disabling WAF protection exposes web applications to a wide range of attacks that would otherwise be blocked. This may enable exploitation of application vulnerabilities, data exfiltration through web interfaces, or injection attacks against backend systems. The change may indicate preparation for or execution of a web application attack.
Severity
| Severity | Condition |
|---|---|
| Low | WAF policy disabled by user for first time |
Investigation and Remediation
Review the WAF policy change in the Azure Activity Log (it is recorded as a write to the WAF policy resource, with the caller field identifying the principal) and determine which Application Gateway or Front Door endpoints, and therefore which applications, are now unprotected. Verify the identity of the user who disabled the policy, check whether the sign-in and source IP are consistent with that user's normal activity, and confirm the action was authorized. If the change was unauthorized, re-enable the policy immediately by setting policySettings.state back to Enabled, and confirm that policySettings.mode is still Prevention: a policy switched to Detection mode stays enabled but only logs, so it offers no protection either. Review WAF and web application logs for attack activity during the window in which the policy was disabled, and check for other recent changes by the same principal.
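The triage logic above can be run over exported Activity Log records. The following is an added example, not AlphaSOC's detection code: it takes constructed, simplified Activity Log entries (the field names operationName, caller, resourceId, status, eventTimestamp and properties.requestbody are assumed to follow the Activity Log schema, and the request body mirrors the ARM policySettings block with state and mode), flags successful writes that disable a policy or switch it to Detection mode, and marks the first finding per caller, which is the condition the severity table keys on.

```python
"""Flag Azure Activity Log writes that disable or weaken a WAF policy.

Added example, not part of the original page. Record shape and sample events
are constructed for illustration; they follow the Azure Activity Log schema
(operationName, caller, resourceId, status, eventTimestamp, properties.requestbody)
and the ARM WAF policy body (properties.policySettings.state / .mode).
"""
import json

# ARM write operations on the two Azure WAF policy resource types.
WAF_POLICY_WRITE_OPS = {
    "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write",
    "Microsoft.Network/frontdoorWebApplicationFirewallPolicies/write",
}


def policy_settings(event):
    """Return the policySettings dict from a write event's request body, or None."""
    body = event.get("properties", {}).get("requestbody")
    if not body:
        return None
    try:
        doc = json.loads(body) if isinstance(body, str) else body
    except json.JSONDecodeError:
        return None
    return doc.get("properties", {}).get("policySettings")


def classify(event):
    """Return a finding if the event weakens a WAF policy, else None.

    Only 'Succeeded' writes count as a change; 'Started'/'Accepted'/'Failed'
    entries for the same operation are emitted too but do not alter the policy.
    """
    op = event.get("operationName", {}).get("value", "")
    if op not in WAF_POLICY_WRITE_OPS:
        return None
    if event.get("status", {}).get("value") != "Succeeded":
        return None
    settings = policy_settings(event)
    if settings is None:
        return None
    reasons = []
    if settings.get("state") == "Disabled":
        reasons.append("policy state set to Disabled")
    if settings.get("mode") == "Detection":
        reasons.append("mode set to Detection (logs but does not block)")
    if not reasons:
        return None
    return {
        "time": event.get("eventTimestamp"),
        "caller": event.get("caller"),
        "resource": event.get("resourceId"),
        "reasons": reasons,
    }


def scan(events):
    """Classify events in time order and mark each caller's first finding."""
    seen_callers = set()
    findings = []
    for event in sorted(events, key=lambda e: e.get("eventTimestamp", "")):
        finding = classify(event)
        if finding is None:
            continue
        finding["first_time_for_caller"] = finding["caller"] not in seen_callers
        seen_callers.add(finding["caller"])
        findings.append(finding)
    return findings


def _event(ts, op, caller, status, body=None):
    # Helper to build a constructed Activity Log record for the sample below.
    rec = {
        "eventTimestamp": ts,
        "operationName": {"value": op},
        "caller": caller,
        "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
                      "/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/waf-prod",
        "status": {"value": status},
        "properties": {},
    }
    if body is not None:
        rec["properties"]["requestbody"] = json.dumps({"properties": {"policySettings": body}})
    return rec


APPGW_WAF_WRITE = "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/write"

# Constructed sample: one disable, one benign write, one failed attempt,
# one unrelated gateway write, and a later switch to Detection mode.
SAMPLE_EVENTS = [
    _event("2024-05-01T10:00:00Z", APPGW_WAF_WRITE, "alice@contoso.example", "Succeeded",
           {"state": "Disabled", "mode": "Prevention"}),
    _event("2024-05-01T10:05:00Z", APPGW_WAF_WRITE, "deploy-sp", "Succeeded",
           {"state": "Enabled", "mode": "Prevention", "requestBodyCheck": True}),
    _event("2024-05-01T10:10:00Z", APPGW_WAF_WRITE, "bob@contoso.example", "Failed",
           {"state": "Disabled", "mode": "Prevention"}),
    _event("2024-05-01T10:20:00Z", "Microsoft.Network/applicationGateways/write", "deploy-sp", "Succeeded"),
    _event("2024-05-01T11:00:00Z", APPGW_WAF_WRITE, "alice@contoso.example", "Succeeded",
           {"state": "Enabled", "mode": "Detection"}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["time"], f["caller"], "first time" if f["first_time_for_caller"] else "repeat", "; ".join(f["reasons"]))
```

Run against the sample, the scan reports alice's 10:00 disable as a first-time finding and her 11:00 switch to Detection mode as a repeat; the benign write, the failed attempt and the unrelated gateway write are ignored. On real data, feed it the Activity Log export for the subscription and pivot on the caller and resource fields of each finding.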
Known False Positives
- Temporary disabling during application troubleshooting
- Migration to alternative WAF solutions
- Testing scenarios requiring direct application access