With special thanks to Pete Bryan, Principal Security Research Manager, Microsoft Security.
SQL injection remains one of the most significant attacks in the OWASP Top 10. It involves injecting a SQL query through an input field into a web application that lacks input validation. According to the Microsoft Digital Defense Report 2022, 67 percent of web application exploits include SQL injection.
Azure Web Application Firewall (Azure WAF) provides centralized protection of your web applications from exploits and vulnerabilities. It protects against OWASP Top 10 attacks, bot attacks, application-layer Distributed Denial of Service (DDoS) attacks, and other web attacks.
Azure WAF detects SQL injection attacks and blocks them by default. In certain scenarios, a detection may be a false positive that requires investigation and the creation of Azure WAF exclusions. A successful investigation requires full context about the attack and a process that guides you through the investigation.
We are pleased to announce a new Azure WAF guided investigation to tune WAF policy Notebook, now in preview. It guides you through an investigation experience to understand Azure WAF incidents in Microsoft Sentinel, identify false positives, and automatically apply exclusions to WAF rules to address those false positives. The Notebook lets you understand the WAF alert, pivot on key entities of the WAF event such as the request URI, client IP, and hostname, and correlate them with Threat Intelligence feeds to get a holistic view of the attack surface.
Azure WAF investigations powered by Microsoft Sentinel
Azure WAF is deeply integrated with Microsoft Sentinel, Microsoft's Security Information and Event Management (SIEM) solution. Using the existing Azure WAF data connector, WAF logs are ingested and then analyzed for a wide range of web application attacks, and powerful visualizations pivoting on the full attack pattern are presented to you. This Notebook is built using the Microsoft Threat Intelligence Center's MSTICpy packages. With it, you can access rich historical contextual information using Microsoft Sentinel's capabilities such as incident generation, the entity graph, and threat intelligence correlation, alongside Azure WAF's SQL injection detections based on OWASP rules and Microsoft Threat Intelligence rules.
Automated investigation and mitigation of web application attacks
Our new Azure WAF guided investigation to tune WAF policy Notebook provides an automated, guided investigation for triaging Microsoft Sentinel incidents triggered by Azure WAF SQL injection rules.
The solution includes the following components:
- Azure WAF data connector in Microsoft Sentinel.
- Microsoft Sentinel incidents generated when Microsoft Sentinel analytic rules detect a SQL injection attack.
- Azure WAF Notebook that helps investigate Azure WAF logs and automatically applies WAF exclusions to the WAF policy.
A high-level diagram explaining the data flow is given below:
Let us look at two use case scenarios for using this Notebook:
Understanding the attack landscape when there is a true positive
Using the Notebook, you can pivot on various attack artifacts such as IP, URL, or domain threat intelligence, and understand the entity graph. The Notebook retrieves the WAF SQLi rule that generated the detection and looks up related SQLi rule events within the pre-selected time window. Based on these details, if you determine that the SQL injection attack is genuine, you can update the incident severity and priority. In this scenario, the web application remains protected by Azure WAF.
Understanding the attack pattern and creating exclusions when there is a false positive
Using the Notebook, you can pivot on various attack artifacts such as IP, URL, or domain threat intelligence, and understand the entity graph. The Notebook retrieves the WAF SQLi rule that generated the detection and looks up related rule events. It also retrieves raw WAF logs to show the relationships between the request URI, client IP, and hostname entities, and lets you dynamically access the OWASP rule set on GitHub to understand the rule's match pattern. Based on the investigation, if you determine that the incident is a false positive, the process to automatically create granular exclusions is presented to you, and the exclusions are applied to the Azure WAF policy using Azure WAF APIs.
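As an added illustration of the false-positive path described above (example code written for this article, not part of the Notebook, MSTICpy, or the Azure SDK): it pivots a few constructed WAF events by triggering rule and query-string argument, then builds the granular, per-rule exclusion entry a Front Door WAF policy document carries, leaving the rule itself enabled. The log field names, the placeholder rule identifiers, and the rule set and group names are assumptions; the resulting policy document would still have to be submitted through the Azure WAF API.

```python
import copy
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample WAF events (not real log data). Field names follow the Azure Front
# Door WAF diagnostic log schema as assumed here; rule name, host and IPs are placeholders.
SAMPLE_WAF_LOGS = [
    {"ruleName_s": "PLACEHOLDER-SQLI-RULE", "action_s": "Block", "clientIp_s": "203.0.113.10",
     "host_s": "www.someunionflight.com", "requestUri_s": "/search?airline=UnionAir&from=SEA"},
    {"ruleName_s": "PLACEHOLDER-SQLI-RULE", "action_s": "Block", "clientIp_s": "203.0.113.11",
     "host_s": "www.someunionflight.com", "requestUri_s": "/search?airline=UnionAir&from=LAX"},
    {"ruleName_s": "PLACEHOLDER-SQLI-RULE", "action_s": "Block", "clientIp_s": "198.51.100.7",
     "host_s": "www.someunionflight.com", "requestUri_s": "/search?airline=UnionAir&from=JFK"},
]

def pivot_by_rule(logs):
    """Per triggering rule: distinct client IPs, hosts, and query-string argument names with
    every value seen, so the analyst can tell which request part carries the matched token."""
    out = defaultdict(lambda: {"clients": set(), "hosts": set(), "args": defaultdict(set)})
    for event in logs:
        rule = out[event["ruleName_s"]]
        rule["clients"].add(event["clientIp_s"])
        rule["hosts"].add(event["host_s"])
        for name, values in parse_qs(urlsplit(event["requestUri_s"]).query).items():
            rule["args"][name].update(values)
    return out

def _find_or_add(items, key, value, template):
    """Locate the list entry whose `key` equals `value`, creating it from `template` if absent."""
    item = next((i for i in items if i.get(key) == value), None)
    if item is None:
        item = dict(template, **{key: value})
        items.append(item)
    return item

def add_rule_exclusion(policy, rule_set_type, rule_set_version, group, rule_id,
                       match_variable, operator, selector):
    """Return a copy of a Front Door WAF policy document with an exclusion scoped to one
    rule: the rule stays enabled except for the named request part. Idempotent."""
    p = copy.deepcopy(policy)
    sets = p.setdefault("properties", {}).setdefault("managedRules", {}).setdefault("managedRuleSets", [])
    rs = _find_or_add(sets, "ruleSetType", rule_set_type, {"ruleSetVersion": rule_set_version})
    grp = _find_or_add(rs.setdefault("ruleGroupOverrides", []), "ruleGroupName", group, {})
    rule = _find_or_add(grp.setdefault("rules", []), "ruleId", rule_id,
                        {"enabledState": "Enabled", "action": "Block"})
    exclusion = {"matchVariable": match_variable, "selectorMatchOperator": operator, "selector": selector}
    if exclusion not in rule.setdefault("exclusions", []):
        rule["exclusions"].append(exclusion)
    return p
```

In the sample, the only argument carrying the "Union" token is `airline`, seen from several clients with an ordinary airline name, which is what an exclusion on `QueryStringArgNames` equal to `airline` for that one rule targets.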
The following personas would benefit from this Notebook:
Persona: Developer at SomeUnionFlight.com
Understanding SQL injection detection logic
Chris is a developer at SomeUnionFlight.com. His company hosts a website for users to search for flights and make flight reservations. They host their website behind WAF with Azure Front Door (AFD), where AFD accepts user requests to search the site. SomeUnionFlight.com has a SQL backend where flight information is stored. He notices that when users try to access the website, their access is blocked because the URL contains the "Union" keyword, which triggers the SQL injection rule. This detection is considered a false positive because the "Union" keyword is part of the website name and not a SQL injection attack. He would like an investigation experience that helps him understand how to analyze this detection using Microsoft Sentinel and determine whether it is a false positive. He would also like to automatically create exclusions for false positives for the URL without having to disable the entire rule.
Persona: SecOps analyst at Contoso.com
Understanding collateral attack vectors
Ashley is a Security Operations analyst at Contoso.com. Her company has purchased both Azure WAF and Microsoft Sentinel. She is responsible for analyzing WAF logs and identifying attack patterns. She would like to understand whether the client IP or the request URI associated with the WAF rule that triggered the SQL injection detection are Indicators of Compromise (IoCs). By understanding related Threat Intelligence Indicators of Compromise, she can prevent future attacks on her organization.
Get started today
SQL injection attacks are becoming more prevalent by the day, and Azure WAF protects web applications from these attacks. To enable a high-quality investigation experience for Azure WAF customers, we have created this new Azure WAF guided investigation Notebook that lets you quickly understand the full attack surface and take action on incidents. You can follow our step-by-step instructions to learn how to use the Notebook.
This new Azure WAF Notebook can be found in Microsoft Sentinel under Notebooks in the Threat Management section.