With particular because of Pete Bryan, Principal Safety Analysis Supervisor, Microsoft Safety.
The SQL injection assault stays one of many crucial assaults within the OWASP Prime 10, and it entails injecting a SQL question by way of the enter information discipline into an internet utility with out enter validation. Based on Microsoft Digital Protection Report 2022, 67 % of net utility exploits embrace SQL injections.
Azure Internet Utility Firewall (Azure WAF) offers centralized safety of your net purposes from exploits and vulnerabilities. It protects in opposition to OWASP Prime 10 assaults, bot assaults, utility layer Distributed Denial of Service (DDoS) assaults, and different net assaults.
Azure WAF detects SQL injection assaults and blocks them by default. In sure cases, this might be a false optimistic that requires investigation and creation of Azure WAF exclusions. To finish a profitable investigation, full context concerning the assault is required and a course of that guides you thru the investigation is required.
We’re happy to announce a brand new Azure WAF guided investigation to tune WAF coverage Pocket book in preview. It guides you thru an investigation expertise to grasp the Azure WAF incidents in Microsoft Sentinel, establish false positives, and mechanically apply exclusions to WAF guidelines to deal with the false positives. This Pocket book lets you perceive the WAF alert and pivot on key entities of the WAF occasion such because the request URI, consumer IP, hostname, and correlate with Risk Intelligence feeds to get a holistic view of the assault floor.
Azure WAF investigations powered by Microsoft Sentinel
Azure WAF is deeply built-in with Microsoft Sentinel, Microsoft’s Safety Info and Occasion Administration (SIEM) resolution. Utilizing the prevailing Azure WAF information connector, WAF logs are ingested and later analyzed for a wide range of net utility assaults and highly effective visualizations pivoting on the complete assault sample are introduced to you. This Pocket book is constructed utilizing Microsoft Risk Intelligence Middle’s MSTICpy packages. With this Pocket book, you’ll be able to entry wealthy historic contextual data utilizing Microsoft Sentinel’s capabilities like incident technology, entity graph, and risk intelligence correlation, at the side of Azure WAF’s SQL injection detections primarily based on OWASP guidelines and Microsoft Risk Intelligence guidelines.
Automated investigation and mitigation of net utility assaults
Our new Azure WAF guided investigation to tune WAF coverage Pocket book offers an automatic guided investigation for triaging Sentinel incidents triggered by Azure WAF SQL injection guidelines.
The answer consists of the next elements:
- Azure WAF information connector in Microsoft Sentinel.
- Microsoft Sentinel incidents which can be generated on account of SQL injection assault detected by the Microsoft Sentinel analytic guidelines.
- Azure WAF Pocket book that helps examine Azure WAF logs and mechanically applies WAF exclusions to the WAF coverage.
A high-level diagram explaining the information circulate is given under:
Allow us to have a look at two use case eventualities for utilizing this Pocket book:
Understanding the assault panorama when there’s a true optimistic
Utilizing the Pocket book, you’ll be able to pivot on numerous assault artifacts corresponding to IP, URL, or area risk intelligence, and perceive the entity graph. This Pocket book retrieves the WAF SQLi rule that generated the detection and appears up associated SQLi rule occasions throughout the pre-selected time. Based mostly on the above particulars, for those who resolve that the SQL injection assault is legitimate then you’ll be able to replace the incident severity and precedence. On this state of affairs, the online utility stays protected by Azure WAF.
Perceive the assault sample and create exclusions if there is a false optimistic
Utilizing the Pocket book, you’ll be able to pivot on numerous assault artifacts corresponding to IP, URL, or area risk intelligence, and perceive the entity graph. This Pocket book retrieves the WAF SQLi rule that generated the detection and appears up associated rule occasions. It additionally retrieves uncooked WAF logs to grasp the relations between the request URI, consumer Ips, hostname entities and lets you dynamically entry the OWASP rule set in GitHub to grasp the rule match sample. Based mostly on the investigations, for those who resolve this incident is a false optimistic, the method to mechanically create granular exclusions is introduced to you and the exclusions are utilized to the Azure WAF coverage utilizing Azure WAF APIs.
The next personas would profit from this Pocket book:
Persona: Developer at SomeUnionFlight.com
Understanding SQL injection detection logic
Chris is a developer at SomeUnionFlight.com. His firm hosts a web site for customers to seek for flights and make flight reservations. They’ve hosted their web site behind WAF with Azure Entrance Door (AFD) the place AFD accepts person requests to go looking their web site. SomeUnionFlight.com has an SQL backend the place they retailer flight data. He notices that when customers attempt to entry the web site, their entry is getting blocked as a result of the URL has “Union” key phrase which is triggering the SQL injection rule. This detection is taken into account as a false optimistic as a result of the “Union” key phrase is used to say a web site identify and never an SQL injection assault. He would love an investigation expertise that helps him perceive tips on how to analyze this detection utilizing Microsoft Sentinel and decide if it’s a false optimistic. He would additionally wish to mechanically create exclusions for false positives for the URL with out having to disable the complete rule.
Persona: SecOps analyst at Contoso.com
Understanding collateral assault vectors
Ashley is a Safety Operations analyst at Contoso.com. Her firm has bought each Azure WAF and Microsoft Sentinel. She oversees analyzing WAF logs and figuring out assault patterns. She want to perceive if the consumer IP or the request URI related to the WAF rule that triggered the SQL injection are Indicators of Compromise (IoC). By understanding associated Risk Intelligence Indicators of Compromises, she will be able to stop future assaults on her group.
Get began in the present day
SQL injection assaults are getting extra prevalent by the day and Azure WAF protects net purposes from these assaults. To allow a high-quality investigation expertise for Azure WAF prospects, now we have created this new Azure WAF guided investigation Pocket book that permits you shortly perceive full assault floor and take actions on the incidents. You’ll be able to comply with our step-by-step directions to discover ways to use the Pocket book.
This new Azure WAF Pocket book could be present in Microsoft Sentinel below the Notebooks within the Risk Administration part.
