Azure Web Application Firewall
An Azure service that provides protection for web apps.
Clarification on Addition and Updates of Rules in Azure WAF Managed Rule Sets (OWASP CRS) and Impact on Exclusions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 13%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAB%3C/text%3E%3C/svg%3E)
Amritpal Brar
0
Reputation points
Hello Azure Support Team,
We have some questions regarding the management and update process of Azure Web Application Firewall (WAF) managed rule sets, specifically around the OWASP Core Rule Set (CRS) versions:
- How are new rules added to the managed rule sets? Are new rules only included in new OWASP CRS versions, or can they also be pushed as updates to existing versions?
If our WAF policy is currently using OWASP CRS version 3.2, can we consider this a stable and unchanging set of rules?
Does the OWASP 3.2 rule set receive updates over time, such as adding new rules or modifying existing ones, without requiring a manual upgrade to a newer CRS version?
When new rules are added to an existing rule set, are they by default added in log mode (monitoring only), or are they enforced immediately?
Additionally, we want to understand the implications of enabling managed rule sets with specific exclusions or customizations. For example:
If we have created exclusions to avoid blocking legitimate traffic based on known rules, but later new rules are added to the same rule set, is there a risk that these new rules might inadvertently block legitimate traffic that hasn’t been tested by us?
How does Azure WAF handle such situations to prevent unexpected blocking, especially if new rules are added and enforced automatically without manual intervention?
Understanding this is critical for us to manage WAF policies safely and avoid potential disruptions caused by automatic updates or new rules.
Thank you for your guidance and support.Hello Azure Support Team,
We have some questions regarding the management and update process of Azure Web Application Firewall (WAF) managed rule sets, specifically around the OWASP Core Rule Set (CRS) versions:
How are new rules added to the managed rule sets? Are new rules only included in new OWASP CRS versions, or can they also be pushed as updates to existing versions?
If our WAF policy is currently using OWASP CRS version 3.2, can we consider this a stable and unchanging set of rules?
Does the OWASP 3.2 rule set receive updates over time, such as adding new rules or modifying existing ones, without requiring a manual upgrade to a newer CRS version?
When new rules are added to an existing rule set, are they by default added in log mode (monitoring only), or are they enforced immediately?
Additionally, we want to understand the implications of enabling managed rule sets with specific exclusions or customizations. For example:
If we have created exclusions to avoid blocking legitimate traffic based on known rules, but later new rules are added to the same rule set, is there a risk that these new rules might inadvertently block legitimate traffic that hasn’t been tested by us?
How does Azure WAF handle such situations to prevent unexpected blocking, especially if new rules are added and enforced automatically without manual intervention?
Understanding this is critical for us to manage WAF policies safely and avoid potential disruptions caused by automatic updates or new rules.
Thank you for your guidance and support.
Azure Web Application Firewall
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 48%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
Jeevan Shanigarapu 5 Reputation points Microsoft External Staff Moderator2025-08-12T15:12:48.0033333+00:00 Hello @Amritpal Brar,
Hope you are doing well.
Thanks for reaching out to Microsoft Q&A.
When new rules are added to a managed rule set, their behavior depends on the WAF’s configured mode either Detection or Prevention.
By default, Azure WAF with CRS 3.2 or DRS 2.1 uses anomaly scoring, where each triggered rule adds severity points.
- In Detection mode, new rules are logged but do not block traffic.
- In Prevention mode, if the total anomaly score from triggered rules (including new ones) reaches 5 or higher, the request is blocked.
New rules follow the current WAF mode and are not automatically set to “log-only.” To minimize risk, it’s recommended to test new rules in Detection mode first before enabling blocking.
Process for Adding New Rules: Microsoft typically introduces most new detection rules in new OWASP CRS versions (such as moving from 3.2 to 3.3), Occasionally, critical security updates or fixes for false positives are applied to an existing CRS version. These updates may involve:
- Modifying current rule logic.
- Adjusting detection thresholds.
- In rare instances, adding new rules to an existing version.
The stability of a specific CRS version, although a CRS version like 3.2 is generally stable, it is not entirely fixed. Microsoft may continue to update rules within the same version to respond to new threats or enhance accuracy.
Are updates possible without changing the version, yes, updates can be applied to your current CRS version without needing a manual upgrade to a newer version. This enables Microsoft to quickly protect customers against newly identified threats.
Default Enforcement of New Rules, New rules added to a managed set are usually enforced right away, rather than starting in log-only mode.
If you'd like to test them first, you can set up a custom override to put those rules in Detection (log) mode before turning on enforcement.
Effect on exclusions, Exclusions that you set up will only affect the specific rules you select.
Any newly added rule won't inherit these exclusions automatically, which means there's a possibility that new rules could block legitimate traffic until they are properly reviewed and tested.
Ways to avoid unexpected blocking
- Keep track of Microsoft’s WAF managed rules and release notes in the below link
CRS and DRS rule groups and rules - Azure Web Application Firewall | Microsoft Learn
- Turn on WAF logging to Log Analytics or your SIEM to analyze traffic patterns after rule updates.
- Whenever possible, test changes in a staging or non-production WAF policy.
- Set new rules to Detection mode temporarily before enforcing them in production.
- After each update, review and adjust exclusions to ensure legitimate traffic isn’t blocked.
CRS versions tend to be stable, but updates can occur that add new rules without changing the version number. These new rules are usually applied right away, so it’s important to keep an eye on logs and check exclusions after updates to make sure legitimate traffic isn’t blocked.
When new rules are added to a managed rule set, their behavior depends on the WAF’s configured mode either Detection or Prevention.
By default, Azure WAF with CRS 3.2 or DRS 2.1 uses anomaly scoring, where each triggered rule adds severity points.
- In Detection mode, new rules are logged but do not block traffic.
- In Prevention mode, if the total anomaly score from triggered rules (including new ones) reaches 5 or higher, the request is blocked.
New rules follow the current WAF mode and are not automatically set to “log-only.” To minimize risk, it’s recommended to test new rules in Detection mode first before enabling blocking.
Process for Adding New Rules: Microsoft typically introduces most new detection rules in new OWASP CRS versions (such as moving from 3.2 to 3.3), Occasionally, critical security updates or fixes for false positives are applied to an existing CRS version. These updates may involve:
- Modifying current rule logic.
- Adjusting detection thresholds.
- In rare instances, adding new rules to an existing version.
The stability of a specific CRS version, although a CRS version like 3.2 is generally stable, it is not entirely fixed. Microsoft may continue to update rules within the same version to respond to new threats or enhance accuracy.
Are updates possible without changing the version, yes, updates can be applied to your current CRS version without needing a manual upgrade to a newer version. This enables Microsoft to quickly protect customers against newly identified threats.
Default Enforcement of New Rules, New rules added to a managed set are usually enforced right away, rather than starting in log-only mode.
If you'd like to test them first, you can set up a custom override to put those rules in Detection (log) mode before turning on enforcement.
Effect on exclusions, Exclusions that you set up will only affect the specific rules you select.
Any newly added rule won't inherit these exclusions automatically, which means there's a possibility that new rules could block legitimate traffic until they are properly reviewed and tested.
Ways to avoid unexpected blocking
- Keep track of Microsoft’s WAF managed rules and release notes in the below link
CRS and DRS rule groups and rules - Azure Web Application Firewall | Microsoft Learn
- Turn on WAF logging to Log Analytics or your SIEM to analyze traffic patterns after rule updates.
- Whenever possible, test changes in a staging or non-production WAF policy.
- Set new rules to Detection mode temporarily before enforcing them in production.
- After each update, review and adjust exclusions to ensure legitimate traffic isn’t blocked.
CRS versions tend to be stable, but updates can occur that add new rules without changing the version number. These new rules are usually applied right away, so it’s important to keep an eye on logs and check exclusions after updates to make sure legitimate traffic isn’t blocked.
Kindly let us know if the above helps or you need further assistance on this issue.
Sign in to comment
Sign in to answer