Azure/Azure-Network-Security

Sentinel Playbook - Block IP: Multiple WAF Policies Not Respected in PUT

JAK-Insight opened this issue · 2 comments

Describe the bug
Logic app is assembling all rules from all WAF policies into a single WAF policy. Any differences between WAF policies are combined together. Different policies may have conflicting priority metrics for different custom rules, even if combining the custom rules from all WAF policies into a single policy is a desired behavior.

Reproduce
Steps to reproduce the behavior:

  1. Create multiple WAF policies with differing block/allow rules.
  2. Trigger an incident in Sentinel with an IP as an entity.
  3. Run the playbook from the incident.
  4. Inspect the PUT request at the end of the Logic App.

Expected behavior
Each WAF policy custom rule set should exist only in the policy in which it belongs.

Additional context
Works fine in environments with a single WAF policy.
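The following is an added illustration of the reported behaviour, not code from the Azure-Network-Security repository or from the reporter. It models, in Python, the two ways a Block-IP playbook can assemble the PUT bodies for several WAF policies: the reported one, where every policy's custom rules are concatenated and the combined set is sent to each policy (so equal priorities from different policies collide), and the expected one, where each PUT body carries only that policy's own rules plus the new block rule. The policy shape (a `customRules` list with `name`, `priority`, `action` and `matchConditions`) is a simplified, constructed stand-in for the ARM resource properties; the two sample policies and the IP addresses are constructed test data.

```python
"""Added example (not the project's Logic App): per-policy vs merged
assembly of WAF custom rules for a Block-IP playbook."""
import ipaddress
from copy import deepcopy

# Constructed sample: two WAF policies whose custom rules use the same
# priority value. That is legal while the rules live in separate policies,
# but becomes a conflict if both rules are pushed into one policy.
POLICIES = {
    "waf-policy-a": {"customRules": [
        {"name": "AllowPartner", "priority": 10, "action": "Allow",
         "matchConditions": [{"operator": "IPMatch",
                              "matchValues": ["203.0.113.0/24"]}]},
    ]},
    "waf-policy-b": {"customRules": [
        {"name": "BlockScanner", "priority": 10, "action": "Block",
         "matchConditions": [{"operator": "IPMatch",
                              "matchValues": ["198.51.100.7"]}]},
    ]},
}


def block_rule(ip, existing_rules):
    """Build the block rule the playbook adds for the incident's IP entity.

    The priority is chosen as one above the highest priority already present
    in the rule list it is being added to, so it never collides with a rule
    in that list. The IP is validated before it is placed in the rule.
    """
    ipaddress.ip_address(ip)  # raises ValueError for a malformed entity
    next_priority = max((r["priority"] for r in existing_rules), default=0) + 1
    return {"name": "SentinelBlockIP", "priority": next_priority,
            "action": "Block",
            "matchConditions": [{"operator": "IPMatch", "matchValues": [ip]}]}


def merged_put_bodies(policies, blocked_ip):
    """Reported behaviour: rules from every policy are concatenated and the
    same combined set is PUT to each policy. Rules that had equal priorities
    in different policies now share a priority inside one policy."""
    combined = []
    for policy in policies.values():
        combined.extend(deepcopy(policy["customRules"]))
    combined.append(block_rule(blocked_ip, combined))
    return {name: {"customRules": deepcopy(combined)} for name in policies}


def per_policy_put_bodies(policies, blocked_ip):
    """Expected behaviour: each PUT body contains only the rules that already
    belong to that policy, plus the new block rule."""
    bodies = {}
    for name, policy in policies.items():
        rules = deepcopy(policy["customRules"])
        rules.append(block_rule(blocked_ip, rules))
        bodies[name] = {"customRules": rules}
    return bodies


def priority_conflicts(body):
    """Return {priority: [rule names]} for priorities used by more than one
    custom rule in a single PUT body. An empty dict means the body is safe
    to send with respect to priority uniqueness."""
    by_priority = {}
    for rule in body["customRules"]:
        by_priority.setdefault(rule["priority"], []).append(rule["name"])
    return {p: names for p, names in by_priority.items() if len(names) > 1}


if __name__ == "__main__":
    incident_ip = "192.0.2.9"  # constructed incident entity
    for label, builder in (("merged", merged_put_bodies),
                           ("per-policy", per_policy_put_bodies)):
        for name, body in builder(POLICIES, incident_ip).items():
            print(label, name, [r["name"] for r in body["customRules"]],
                  "conflicts:", priority_conflicts(body))
```

Running `priority_conflicts` over each assembled body before the PUT is the check a playbook author would want here: the merged bodies report the `AllowPartner`/`BlockScanner` collision on priority 10 for both policies, while the per-policy bodies report none and each keeps only its own rules.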

Thank you for the feedback @JAK-Insight. We are currently looking into this and we will provide feedback shortly.

Closing this issue. Logic app for cascaded WAF policies is currently a roadmap item.