turbot/steampipe-mod-azure-compliance

Control: 7.15 Ensure bot protection is enabled in Azure Web Application Firewall policy on Azure Application Gateway

Description

Enable bot protection on the Web Application Firewall to block or log requests from known malicious IP addresses identified through the Microsoft Threat Intelligence feed.

Internet traffic from bots can scrape, scan, and search for application vulnerabilities. Enabling bot protection stops requests from known malicious IP addresses and enhances the overall security of your application by reducing exposure to automated attacks.

Remediation

Remediate from Azure Portal

  1. Go to Application gateways.
  2. Click the name of an application gateway.
  3. Under Settings, click Web application firewall.
  4. Under Associated web application firewall policy, click the policy name.
  5. Under Settings, click Managed rules.
  6. Click Assign.
  7. Under Bot Management ruleset, click to display the drop-down menu.
  8. Select a Microsoft_BotManagerRuleSet.
  9. Click Save.
  10. Click X to close the panel.
  11. Repeat steps 1-10 for each application gateway and firewall policy requiring remediation.

Remediate from Azure CLI

For each firewall policy requiring remediation, run the following command to enable bot protection. WAF policies, and with them the Bot Manager rule set, are only supported on the WAF_v2 gateway SKU. Version 0.1 of the rule set carries only the malicious-bot rules fed by Microsoft Threat Intelligence; 1.0 and 1.1 add good-bot and unknown-bot rule groups whose default actions are Allow and Log respectively, so only the bad-bot group blocks by default:

az network application-gateway waf-policy managed-rule rule-set add --resource-group <resource-group> --policy-name <firewall-policy> --type Microsoft_BotManagerRuleSet --version <0.1|1.0|1.1>

Default Value

Bot protection is disabled by default on Azure Application Gateways with Web Application Firewall.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.cis_v500_7_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.cis_v500_7_15 --share

SQL

This control uses a named query. It evaluates every Application Gateway WAF policy in the subscription, whether or not the policy is currently associated with a gateway, and it reads only managed_rules: a policy whose policySettings.state is Disabled still passes if the rule set is attached, even though nothing is enforced.

select
  ag.id as resource,
  case
    -- ok: the bot rule set is attached and none of its rules is overridden to Disabled
    when managed_rules -> 'managedRuleSets' @> '[{"ruleSetType": "Microsoft_BotManagerRuleSet"}]'::jsonb
      and not exists (
        select 1
        from
          jsonb_array_elements((managed_rules -> 'managedRuleSets')::jsonb) as mrs,
          jsonb_array_elements(coalesce(mrs -> 'ruleGroupOverrides', '[]'::jsonb)) as rgo,
          jsonb_array_elements(coalesce(rgo -> 'rules', '[]'::jsonb)) as rule
        where
          mrs ->> 'ruleSetType' = 'Microsoft_BotManagerRuleSet'
          and lower(rule ->> 'state') = 'disabled'
      ) then 'ok'
    -- alarm: rule set attached, but at least one of its rules is Disabled
    when managed_rules -> 'managedRuleSets' @> '[{"ruleSetType": "Microsoft_BotManagerRuleSet"}]'::jsonb then 'alarm'
    -- alarm: rule set not attached at all
    else 'alarm'
  end as status,
  case
    when managed_rules -> 'managedRuleSets' @> '[{"ruleSetType": "Microsoft_BotManagerRuleSet"}]'::jsonb
      and not exists (
        select 1
        from
          jsonb_array_elements((managed_rules -> 'managedRuleSets')::jsonb) as mrs,
          jsonb_array_elements(coalesce(mrs -> 'ruleGroupOverrides', '[]'::jsonb)) as rgo,
          jsonb_array_elements(coalesce(rgo -> 'rules', '[]'::jsonb)) as rule
        where
          mrs ->> 'ruleSetType' = 'Microsoft_BotManagerRuleSet'
          and lower(rule ->> 'state') = 'disabled'
      ) then ag.name || ' bot protection (Microsoft_BotManagerRuleSet) is enabled.'
    when managed_rules -> 'managedRuleSets' @> '[{"ruleSetType": "Microsoft_BotManagerRuleSet"}]'::jsonb then ag.name || ' bot protection rule set found but one or more rules are disabled.'
    else ag.name || ' does not have Microsoft_BotManagerRuleSet configured.'
  end as reason
  , ag.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_web_application_firewall_policy ag
  left join azure_subscription sub on sub.subscription_id = ag.subscription_id;
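As a check that can be run against Azure CLI output without Steampipe, the following is an added example written for this page; it is not code from the mod or from the CIS benchmark. It reproduces the query's logic over the policy JSON that `az network application-gateway waf-policy show -g <rg> -n <policy> -o json` prints (the same camelCase keys the query reads from the managed_rules column) and goes one step further by also flagging a policy whose policySettings.state is Disabled, which the query does not examine. The sample policies, their names and their rule IDs are constructed for the example and are not real Bot Manager rule IDs.

```python
# Added example (not part of the mod or the benchmark): evaluate one or more
# Application Gateway WAF policies for control 7.15 outside Steampipe.
# Input shape is the policy JSON printed by
#   az network application-gateway waf-policy show -g <rg> -n <policy> -o json
# or the list printed by `... waf-policy list -o json`. The sample policies at
# the bottom are constructed; their rule IDs are placeholders.
import json
import sys
from dataclasses import dataclass

BOT_RULESET = "Microsoft_BotManagerRuleSet"


@dataclass(frozen=True)
class Finding:
    status: str  # "ok" or "alarm", matching the control's status column
    reason: str


def evaluate_policy(policy: dict) -> Finding:
    """Mirror the control's query, plus a check on policySettings.state."""
    name = policy.get("name", "<unnamed>")
    settings = policy.get("policySettings") or {}
    rule_sets = (policy.get("managedRules") or {}).get("managedRuleSets") or []

    bot_sets = [rs for rs in rule_sets if rs.get("ruleSetType") == BOT_RULESET]
    if not bot_sets:
        return Finding("alarm", f"{name} does not have {BOT_RULESET} configured.")

    # Same test as the query's NOT EXISTS: any rule of the bot rule set whose
    # override sets state = Disabled. An override that only changes the action
    # (Block -> Log) still passes, because the control accepts block or log.
    disabled = sorted(
        str(rule.get("ruleId", "?"))
        for rs in bot_sets
        for rgo in rs.get("ruleGroupOverrides") or []
        for rule in rgo.get("rules") or []
        if str(rule.get("state", "Enabled")).lower() == "disabled"
    )
    if disabled:
        return Finding(
            "alarm",
            f"{name} bot protection rule set found but rule(s) {', '.join(disabled)} are disabled.",
        )

    # Not covered by the control's query: a policy with state = Disabled
    # enforces none of its rule sets, bot protection included.
    if str(settings.get("state", "Enabled")).lower() == "disabled":
        return Finding("alarm", f"{name} has {BOT_RULESET} but policySettings.state is Disabled.")

    versions = ", ".join(str(rs.get("ruleSetVersion", "?")) for rs in bot_sets)
    return Finding("ok", f"{name} bot protection ({BOT_RULESET} {versions}) is enabled.")


def summarize(policies: list) -> dict:
    """Map policy name -> status for a list of policy objects."""
    return {p.get("name", "<unnamed>"): evaluate_policy(p).status for p in policies}


def _bot_set(version: str, overrides=None) -> dict:
    return {"ruleSetType": BOT_RULESET, "ruleSetVersion": version,
            "ruleGroupOverrides": overrides or []}


# Constructed sample policies, one per outcome (names and rule IDs are made up).
SAMPLE_POLICIES = [
    {"name": "waf-owasp-only",
     "policySettings": {"state": "Enabled", "mode": "Prevention"},
     "managedRules": {"managedRuleSets": [
         {"ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleGroupOverrides": []}]}},
    {"name": "waf-bot-rule-disabled",
     "policySettings": {"state": "Enabled", "mode": "Prevention"},
     "managedRules": {"managedRuleSets": [
         {"ruleSetType": "OWASP", "ruleSetVersion": "3.2", "ruleGroupOverrides": []},
         _bot_set("1.0", [{"ruleGroupName": "BadBots",
                           "rules": [{"ruleId": "Bot-placeholder-1", "state": "Disabled"}]}])]}},
    {"name": "waf-bot-log-override",
     "policySettings": {"state": "Enabled", "mode": "Prevention"},
     "managedRules": {"managedRuleSets": [
         _bot_set("1.1", [{"ruleGroupName": "BadBots",
                           "rules": [{"ruleId": "Bot-placeholder-2", "state": "Enabled", "action": "Log"}]}])]}},
    {"name": "waf-policy-state-disabled",
     "policySettings": {"state": "Disabled", "mode": "Detection"},
     "managedRules": {"managedRuleSets": [_bot_set("1.0")]}},
]


def main(argv: list) -> int:
    """Read a policy object or list from a file (or stdin); exit 1 on any alarm."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = json.load(sys.stdin)
    policies = data if isinstance(data, list) else [data]
    worst = 0
    for finding in (evaluate_policy(p) for p in policies):
        print(f"{finding.status:5} {finding.reason}")
        worst = max(worst, 1 if finding.status == "alarm" else 0)
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe the output of `az network application-gateway waf-policy list -o json` into the script to evaluate every policy in the current subscription; the non-zero exit on any alarm makes it usable as a gate in a pipeline, and the policySettings.state check is the one place where it is stricter than the control's query.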

Tags