Azure Web Application Firewall

The Azure WAF (Web Application Firewall) integration provides centralized protection of your web applications from common exploits and vulnerabilities. It enables you to control policies that are configured in the Azure Firewall management platform, and allows you to add, delete, or update policies, and also to get details of a specific policy or a list of policies.

Configure AzureWAF on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AzureWAF.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    app_idApp IDTrue
    subscription_idSubscription IDTrue
    resource_group_nameDefault Resource Group NameTrue
    insecureTrust any certificate (not secure)False
    proxyUse system proxy settingsFalse
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-waf-policies-get


Retrieves protection policies within a resource group.

Base Command

azure-waf-policies-get

Input

Argument NameDescriptionRequired
policy_nameThe name of a policy. Used to retrieve a protection policy with a specified name within a resource group. If policy_name is not provided, will retrieve all policies.Optional
resource_group_nameThe name of the resource group. If not provided, the instance's default resource group name will be used.Optional
verboseWhether to retrieve full details of the policy. Possible values are: "true" and "false". Default is "false". Possible values are: true, false. Default is false.Optional
limitMaximum number of policies to fetch. Default is "10". Default is 10.Optional

Context Output

PathTypeDescription
AzureWAF.Policy.nameStringResource name.
AzureWAF.Policy.idStringResource ID.
AzureWAF.Policy.typeStringResource type.
AzureWAF.Policy.etagStringA unique read-only string that changes whenever the resource is updated.
AzureWAF.Policy.tagsStringResource tag.
AzureWAF.Policy.locationStringResource location.
AzureWAF.Policy.properties.resourceStateStringResource status of the policy.
AzureWAF.Policy.properties.provisioningStateStringThe provisioning state of the application gateway resource.
AzureWAF.Policy.properties.policySettings.stateStringThe state of the policy.
AzureWAF.Policy.properties.policySettings.modeStringThe mode of the policy.
AzureWAF.Policy.properties.policySettings.maxRequestBodySizeInKbNumberMaximum request body size in Kb for WAF.
AzureWAF.Policy.properties.policySettings.fileUploadLimitInMbNumberMaximum file upload size in Mb for WAF.
AzureWAF.Policy.properties.policySettings.requestBodyCheckBooleanWhether to allow WAF to check the request body.
AzureWAF.Policy.properties.customRules.nameStringThe name of the resource that is unique within a policy. This name can be used to access the resource.
AzureWAF.Policy.properties.customRules.priorityNumberPriority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
AzureWAF.Policy.properties.customRules.ruleTypeStringThe rule type.
AzureWAF.Policy.properties.customRules.matchConditions.matchVariables.variableNameStringMatch variable.
AzureWAF.Policy.properties.customRules.matchConditions.matchVariables.selectorStringThe selector of the match variable.
AzureWAF.Policy.properties.customRules.matchConditions.operatorStringThe operator to be matched.
AzureWAF.Policy.properties.customRules.matchConditions.negationConditionBooleanWhether this is a negate condition.
AzureWAF.Policy.properties.customRules.matchConditions.matchValuesStringMatch value.
AzureWAF.Policy.properties.customRules.actionStringType of actions.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleSetTypeStringThe rule set type to use.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleSetVersionStringThe version of the rule set to use.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.ruleGroupNameStringThe managed rule group to override.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.rules.ruleIdStringIdentifier for the managed rule.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.rules.stateStringThe state of the managed rule. Defaults to disabled if not specified.
AzureWAF.Policy.properties.managedRules.exclusions.matchVariableStringThe variable to be excluded.
AzureWAF.Policy.properties.managedRules.exclusions.selectorMatchOperatorStringWhen matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
AzureWAF.Policy.properties.managedRules.exclusions.selectorStringWhen matchVariable is a collection, the operator used to specify which elements in the collection this exclusion applies to.

Command Example

!azure-waf-policies-get limit=2

Context Example

{
"AzureWAF": {
"Policy": [
{
"etag": "W/\"4bf9c37a-81b7-4c14-a27c-67962c7af825\"",
"id": "/subscriptions/example_subscription/resourceGroups/example_resource_group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example_policy",
"location": "example_location",
"name": "example_policy",
"properties": {
"customRules": [],
"managedRules": {
"exclusions": [],
"managedRuleSets": [
{
"ruleGroupOverrides": [],
"ruleSetType": "OWASP",
"ruleSetVersion": "3.0"
}
]
},
"policySettings": {
"fileUploadLimitInMb": 750,
"maxRequestBodySizeInKb": 128,
"mode": "Detection",
"requestBodyCheck": true,
"state": "Disabled"
},
"provisioningState": "Succeeded"
},
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}
]
}
}

Human Readable Output

Policy: example_policy

etagidlocationnametype
W/"4bf9c37a"/subscriptions/example_subscription/resourceGroups/example_resource_group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example_policywestusexample_policyMicrosoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Policy: test_policy

etagidlocationnametype
W/"4e844e6c"/subscriptions/example_subscription/resourceGroups/example_resource_group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/test_policywestustest_policyMicrosoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Showing 2 policies out of 7

azure-waf-policies-list-all-in-subscription


Retrieves all the WAF policies in a subscription.

Base Command

azure-waf-policies-list-all-in-subscription

Input

Argument NameDescriptionRequired
verboseWhether to retrieve the full details of the policy. Possible values are "true" and "false". Default is "false". Possible values are: true, false. Default is false.Optional
limitMaximum number of policies to be shown. (This will only affect visualized data, not context.). Default is 10.Optional

Context Output

PathTypeDescription
AzureWAF.Policy.nameStringResource name.
AzureWAF.Policy.idStringResource ID.
AzureWAF.Policy.typeStringResource type.
AzureWAF.Policy.etagStringA unique read-only string that changes whenever the resource is updated.
AzureWAF.Policy.tagsStringResource tags.
AzureWAF.Policy.locationStringResource location.
AzureWAF.Policy.properties.resourceStateStringResource status of the policy.
AzureWAF.Policy.properties.provisioningStateStringThe provisioning state of the application gateway resource.
AzureWAF.Policy.properties.policySettings.stateStringThe state of the policy.
AzureWAF.Policy.properties.policySettings.modeStringThe mode of the policy.
AzureWAF.Policy.properties.policySettings.maxRequestBodySizeInKbNumberMaximum request body size in Kb for WAF.
AzureWAF.Policy.properties.policySettings.fileUploadLimitInMbNumberMaximum file upload size in Mb for WAF.
AzureWAF.Policy.properties.policySettings.requestBodyCheckBooleanWhether to allow WAF to check the request body.
AzureWAF.Policy.properties.customRules.nameStringThe name of the resource that is unique within a policy. This name can be used to access the resource.
AzureWAF.Policy.properties.customRules.priorityNumberPriority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
AzureWAF.Policy.properties.customRules.ruleTypeStringThe rule type.
AzureWAF.Policy.properties.customRules.matchConditions.matchVariables.variableNameStringMatch variable.
AzureWAF.Policy.properties.customRules.matchConditions.matchVariables.selectorStringThe selector of the match variable.
AzureWAF.Policy.properties.customRules.matchConditions.operatorStringThe operator to be matched.
AzureWAF.Policy.properties.customRules.matchConditions.negationConditonBooleanWhether this is a negate condition.
AzureWAF.Policy.properties.customRules.matchConditions.matchValuesStringMatch value.
AzureWAF.Policy.properties.customRules.actionStringType of actions.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleSetTypeStringThe rule set type to use.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleSetVersionStringThe version of the rule set to use.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.ruleGroupNameStringThe managed rule group to override.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.rules.ruleIdStringIdentifier for the managed rule.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.rules.stateStringThe state of the managed rule. Defaults to disabled if not specified.
AzureWAF.Policy.properties.managedRules.exclusions.matchVariableStringThe variable to be excluded.
AzureWAF.Policy.properties.managedRules.exclusions.selectorMatchOperatorStringWhen matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
AzureWAF.Policy.properties.managedRules.exclusions.selectorStringWhen matchVariable is a collection, the operator used to specify which elements in the collection this exclusion applies to.

Command Example

!azure-waf-policies-list-all-in-subscription limit=2

Context Example

{
"AzureWAF": {
"Policy": [
{
"etag": "W/\"4bf9c37a-81b7-4c14-a27c-67962c7af825\"",
"id": "/subscriptions/example_subscription/resourceGroups/example_resource_group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example_policy",
"location": "westus",
"name": "example_policy",
"properties": {
"customRules": [],
"managedRules": {
"exclusions": [],
"managedRuleSets": [
{
"ruleGroupOverrides": [],
"ruleSetType": "OWASP",
"ruleSetVersion": "3.0"
}
]
},
"policySettings": {
"fileUploadLimitInMb": 750,
"maxRequestBodySizeInKb": 128,
"mode": "Detection",
"requestBodyCheck": true,
"state": "Disabled"
},
"provisioningState": "Succeeded"
},
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}
]
}
}

Human Readable Output

Policy: example_policy

etagidlocationnametype
W/"4bf9c37a"/subscriptions/example_subscription/resourceGroups/example_resource_group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example_policywestusexample_policyMicrosoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Policy: testpolicy_1608641948

etagidlocationnametype
W/"422867fc-a697-4978-83f5-20a57ab51511"/subscriptions/0f907ea4-bc8b-4c11-9d7e-805c2fd144fb/resourceGroups/demisto-sentinel2/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/testpolicy_1608641948westustestpolicy_1608641948Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Showing 2 policies out of 6

azure-waf-policy-update-or-create


Creates or updates a policy with a specified rule set name within a resource group.

Base Command

azure-waf-policy-update-or-create

Input

Argument NameDescriptionRequired
policy_nameThe name of a policy. Used to retrieve a protection policy with a specified name within a resource group. If policy_name is not provided, will retrieve all policies.Required
resource_group_nameThe name of the resource group. If not provided, the instance's default resource group name will be used.Optional
managed_rulesDescribes the managedRules structure.Required
resource_idResource ID.Optional
locationDescribes the resource location.Optional
custom_rulesThe custom rules inside the policy.Optional
policy_settingsThe policy setting for the policy.Optional
verboseWhether to retrieve the full details of the policy. Possible values are: "true" and "false". Default is "false". Possible values are: true, false. Default is false.Optional

Context Output

PathTypeDescription
AzureWAF.Policy.nameStringResource name.
AzureWAF.Policy.idStringResource ID.
AzureWAF.Policy.typeStringResource type.
AzureWAF.Policy.etagStringA unique read-only string that changes whenever the resource is updated.
AzureWAF.Policy.tagsStringResource type.
AzureWAF.Policy.locationStringResource location.
AzureWAF.Policy.properties.resourceStateStringResource status of the policy.
AzureWAF.Policy.properties.provisioningStateStringThe provisioning state of the application gateway resource.
AzureWAF.Policy.properties.policySettings.stateStringThe state of the policy.
AzureWAF.Policy.properties.policySettings.modeStringThe mode of the policy.
AzureWAF.Policy.properties.policySettings.maxRequestBodySizeInKbNumberMaximum request body size in Kb for WAF.
AzureWAF.Policy.properties.policySettings.fileUploadLimitInMbNumberMaximum file upload size in Mb for WAF.
AzureWAF.Policy.properties.policySettings.requestBodyCheckBooleanWhether to allow WAF to check the request body.
AzureWAF.Policy.properties.customRules.nameStringThe name of the resource that is unique within a policy. This name can be used to access the resource.
AzureWAF.Policy.properties.customRules.priorityNumberPriority of the rule. Rules with a lower value will be evaluated before rules with a higher value.
AzureWAF.Policy.properties.customRules.ruleTypeStringThe rule type.
AzureWAF.Policy.properties.customRules.matchConditions.matchVariables.variableNameStringMatch variable.
AzureWAF.Policy.properties.customRules.matchConditions.matchVariables.selectorStringThe selector of the match variable.
AzureWAF.Policy.properties.customRules.matchConditions.operatorStringThe operator to be matched.
AzureWAF.Policy.properties.customRules.matchConditions.negationConditonBooleanWhether this is a negate condition.
AzureWAF.Policy.properties.customRules.matchConditions.matchValuesStringMatch value.
AzureWAF.Policy.properties.customRules.actionStringType of actions.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleSetTypeStringDefines the rule set type to use.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleSetVersionStringDefines the version of the rule set to use.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.ruleGroupNameStringThe managed rule group to override.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.rules.ruleIdStringIdentifier for the managed rule.
AzureWAF.Policy.properties.managedRules.managedRuleSets.ruleGroupOverrides.rules.stateStringThe state of the managed rule. Defaults to disabled if not specified.
AzureWAF.Policy.properties.managedRules.exclusions.matchVariableStringThe variable to be excluded.
AzureWAF.Policy.properties.managedRules.exclusions.selectorMatchOperatorStringWhen matchVariable is a collection, operate on the selector to specify which elements in the collection this exclusion applies to.
AzureWAF.Policy.properties.managedRules.exclusions.selectorStringWhen matchVariable is a collection, the operator used to specify which elements in the collection this exclusion applies to.

Command Example

!azure-waf-policy-update-or-create policy_name="example_policy" resource_group_name="demisto-sentinel2" location="WestUs" managed_rules="{ \"managedRuleSets\": [{\"ruleSetType\": \"OWASP\",\"ruleSetVersion\": \"3.0\"}]}"

Context Example

{
"AzureWAF": {
"Policy": {
"etag": "W/\"f1121c83-d9c1-47a4-912b-6f6731c991a4\"",
"id": "/subscriptions/example_subscription/resourceGroups/example_resource_group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example_policy",
"location": "westus",
"name": "example_policy",
"properties": {
"customRules": [],
"managedRules": {
"exclusions": [],
"managedRuleSets": [
{
"ruleGroupOverrides": [],
"ruleSetType": "OWASP",
"ruleSetVersion": "3.0"
}
]
},
"policySettings": {
"fileUploadLimitInMb": 100,
"maxRequestBodySizeInKb": 128,
"mode": "Detection",
"requestBodyCheck": true,
"state": "Disabled"
},
"provisioningState": "Updating"
},
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}
}
}

Human Readable Output

Policy: example_policy

etagidlocationnametype
W/"f1121c83"/subscriptions/example_subscription/resourceGroups/example_resource_group/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/example_policywestusexample_policyMicrosoft.Network/ApplicationGatewayWebApplicationFirewallPolicies

Showing 1 policies out of 1

azure-waf-policy-delete


Deletes a policy.

Base Command

azure-waf-policy-delete

Input

Argument NameDescriptionRequired
policy_nameThe name of a policy. Used to retrieve a protection policy with a specified name within a resource group. If policy_name is not provided, will retrieve all policies.Required
resource_group_nameThe name of the resource group. If not provided, the instance's default resource group name will be used.Optional

Context Output

There is no context output for this command.

Command Example

!azure-waf-policy-delete policy_name="example_policy"

Human Readable Output

Policy example_policy was deleted successfully.

azure-waf-auth-start


Run this command to start the authorization process and follow the instructions in the command results.

Base Command

azure-waf-auth-start

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-waf-auth-start

Human Readable Output

Authorization instructions

1. To sign in, use a web browser to open the page:
[https://microsoft.com/devicelogin](https://microsoft.com/devicelogin)
and enter the code **CKVE788YV** to authenticate.
2. Run the **!azure-waf-auth-complete** command in the War Room.

azure-waf-auth-complete


Run this command to complete the authorization process. Should be used after running the azure_waf-auth-start command.

Base Command

azure-waf-auth-complete

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-waf-auth-complete

Human Readable Output

✅ Authorization completed successfully.

azure-waf-auth-reset


Run this command if for some reason you need to rerun the authentication process.

Base Command

azure-waf-auth-reset

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-waf-auth-reset

Human Readable Output

Authorization was reset successfully. You can now run !azure-waf-auth-start and !azure-waf-auth-complete.

azure-waf-auth-test


Tests connectivity to the Azure Web Application Firewall.

Base Command

azure-waf-auth-test

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-waf-auth-test

Human Readable Output

✅ Great Success!