{"id":7465,"date":"2023-03-02T09:00:00","date_gmt":"2023-03-02T17:00:00","guid":{"rendered":""},"modified":"2025-06-10T09:21:01","modified_gmt":"2025-06-10T16:21:01","slug":"azure-waf-guided-investigation-notebook-using-microsoft-sentinel-for-automated-false-positive-tuning","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-waf-guided-investigation-notebook-using-microsoft-sentinel-for-automated-false-positive-tuning\/","title":{"rendered":"Azure WAF guided investigation Notebook using Microsoft Sentinel for automated false positive tuning"},"content":{"rendered":"\n

With special thanks to Pete Bryan, Principal Security Research Manager, Microsoft Security.<\/em><\/p>\n\n\n\n

The SQL injection attack remains one of the critical attacks in the OWASP Top 10<\/a>, and it involves injecting a SQL query via the input data field into a web application without input validation. According to Microsoft Digital Defense Report 2022<\/a>, 67 percent of web application exploits include SQL injections.<\/p>\n\n\n\n

Azure Web Application Firewall (Azure WAF)<\/a> provides centralized protection of your web applications from exploits and vulnerabilities. It protects against OWASP Top 10 attacks, bot attacks, application layer Distributed Denial of Service (DDoS) attacks, and other web attacks.<\/p>\n\n\n\n

Azure WAF detects SQL injection attacks and blocks them by default. In certain instances, this could be a false positive that requires investigation and creation of Azure WAF exclusions<\/a>. To complete a successful investigation, full context about the attack is needed and a process that guides you through the investigation is required.<\/p>\n\n\n\n

We are pleased to announce a new Azure WAF guided investigation to tune WAF policy Notebook<\/a> in preview. It guides you through an investigation experience to understand the Azure WAF incidents in Microsoft Sentinel, identify false positives, and automatically apply exclusions to WAF rules to address the false positives. This Notebook allows you to understand the WAF alert and pivot on key entities of the WAF event such as the request URI, client IP, hostname, and correlate with Threat Intelligence feeds to get a holistic view of the attack surface.<\/p>\n\n\n\n

Azure WAF investigations powered by Microsoft Sentinel<\/h2>\n\n\n\n

Azure WAF is deeply integrated with Microsoft Sentinel, Microsoft\u2019s Security Information and Event Management (SIEM) solution. Using the existing Azure WAF data connector, WAF logs are ingested and later analyzed for a variety of web application attacks and powerful visualizations pivoting on the full attack pattern are presented to you. This Notebook is built using Microsoft Threat Intelligence Center\u2019s MSTICpy packages<\/a>. With this Notebook, you can access rich historical contextual information using Microsoft Sentinel\u2019s capabilities like incident generation, entity graph, and threat intelligence correlation, in conjunction with Azure WAF\u2019s SQL injection detections based on OWASP rules and Microsoft Threat Intelligence rules.<\/p>\n\n\n\n

Automated investigation and mitigation of web application attacks<\/h2>\n\n\n\n

Our new Azure WAF guided investigation to tune WAF policy Notebook<\/a> provides an automated guided investigation for triaging Sentinel incidents triggered by Azure WAF SQL injection rules.<\/p>\n\n\n\n

The solution includes the following components:<\/p>\n\n\n\n