Azure Front Door WAF Policy Deletion Detection
Detection of Azure Front Door Web Application Firewall (WAF) policy deletion, which can indicate an attacker's attempt to evade defenses by removing a security layer protecting web applications.
This threat brief focuses on the detection of unauthorized or malicious deletion of Azure Front Door Web Application Firewall (WAF) policies. Azure Front Door WAF policies are critical security controls that protect web applications by filtering and monitoring HTTP requests, blocking malicious traffic and preventing exploitation of vulnerabilities. An adversary may delete these policies to bypass security measures, facilitating unauthorized access, data exfiltration, or other malicious activities. The deletion of a WAF policy can have a significant impact, potentially exposing web applications to a wide range of attacks, including SQL injection, cross-site scripting (XSS), and other web-based threats. Defenders should monitor for unexpected deletions of these policies and promptly investigate any such events. This brief provides guidance for detection engineers to identify and respond to this type of defense evasion.
Attack Chain
- Initial Access: The attacker gains access to an Azure account with sufficient privileges to manage Front Door WAF policies, possibly through compromised credentials or exploiting a privilege escalation vulnerability.
- Discovery: The attacker enumerates existing Front Door WAF policies to identify targets for disabling or deletion.
- Defense Evasion: The attacker initiates the deletion of a Front Door WAF policy using the Azure portal, Azure CLI, or PowerShell. The specific operation name is "MICROSOFT.NETWORK/FRONTDOORWEBAPPLICATIONFIREWALLPOLICIES/DELETE".
- Persistence (Optional): The attacker may attempt to prevent detection by disabling logging or other security monitoring features within Azure.
- Impact: With the WAF policy removed, web applications protected by the policy become vulnerable to a wide range of web-based attacks.
- Further Exploitation: The attacker leverages the unprotected web applications to gain unauthorized access to sensitive data, deploy malware, or perform other malicious activities.
Impact
Successful deletion of a Front Door WAF policy can expose web applications to a variety of attacks, including SQL injection, cross-site scripting (XSS), and DDoS attacks. This can lead to data breaches, service disruptions, and reputational damage. The severity of the impact depends on the criticality of the protected applications and the sensitivity of the data they process.
Recommendation
- Deploy the Sigma rule
Azure Front Door WAF Policy Deletedto your SIEM to detect unauthorized WAF policy deletions by monitoring Azure activity logs. - Enable Azure Activity Log monitoring and ensure logs are ingested into your SIEM to provide the data source for the detection rule.
- Implement Role-Based Access Control (RBAC) with the principle of least privilege to restrict access to Azure management operations and minimize the risk of unauthorized policy modifications.
- Investigate any identified WAF policy deletion events by examining the associated user identity and the context of the deletion, as described in the overview.
Detection coverage 2
Azure Front Door WAF Policy Deleted
lowDetects the deletion of an Azure Front Door Web Application Firewall (WAF) policy.
Azure Front Door WAF Policy Deletion Attempt Failed
infoDetects failed attempts to delete an Azure Front Door Web Application Firewall (WAF) policy, which could indicate unauthorized access attempts or misconfigurations.
Detection queries are available on the platform. Get full rules →