Hello @Amritpal Brar,
Hope you are doing well.
Thanks for reaching out to Microsoft Q&A.
When new rules are added to a managed rule set, their behavior depends on the WAF's configured mode, either Detection or Prevention.
By default, Azure WAF with CRS 3.2 or DRS 2.1 uses anomaly scoring, where each triggered rule adds severity points.
- In Detection mode, new rules are logged but do not block traffic.
- In Prevention mode, if the total anomaly score from triggered rules (including new ones) reaches 5 or higher, the request is blocked.
New rules follow the current WAF mode and are not automatically set to “log-only.” To minimize risk, it’s recommended to test new rules in Detection mode first before enabling blocking.
Process for Adding New Rules: Microsoft typically introduces most new detection rules in new OWASP CRS versions (such as moving from 3.2 to 3.3). Occasionally, critical security updates or fixes for false positives are applied to an existing CRS version. These updates may involve:
- Modifying current rule logic.
- Adjusting detection thresholds.
- In rare instances, adding new rules to an existing version.
Stability of a specific CRS version: although a CRS version like 3.2 is generally stable, it is not entirely fixed. Microsoft may continue to update rules within the same version to respond to new threats or enhance accuracy.
Are updates possible without changing the version? Yes, updates can be applied to your current CRS version without needing a manual upgrade to a newer version. This enables Microsoft to quickly protect customers against newly identified threats.
Default Enforcement of New Rules: New rules added to a managed set are usually enforced right away, rather than starting in log-only mode.
If you'd like to test them first, you can set up a custom override to put those rules in Detection (log) mode before turning on enforcement.
Effect on exclusions: Exclusions that you set up will only affect the specific rules you select.
Any newly added rule won't inherit these exclusions automatically, which means there's a possibility that new rules could block legitimate traffic until they are properly reviewed and tested.
Ways to avoid unexpected blocking
- Keep track of Microsoft's WAF managed rules and release notes at the link below: CRS and DRS rule groups and rules - Azure Web Application Firewall | Microsoft Learn
- Turn on WAF logging to Log Analytics or your SIEM to analyze traffic patterns after rule updates.
- Whenever possible, test changes in a staging or non-production WAF policy.
- Set new rules to Detection mode temporarily before enforcing them in production.
- After each update, review and adjust exclusions to ensure legitimate traffic isn’t blocked.
CRS versions tend to be stable, but updates can occur that add new rules without changing the version number. These new rules are usually applied right away, so it’s important to keep an eye on logs and check exclusions after updates to make sure legitimate traffic isn’t blocked.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
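As an added example (not part of this answer and not Microsoft tooling), the following Python script replays WAF firewall log entries captured while the rules ran in Detection mode through CRS anomaly scoring, so you can see which requests Prevention mode would block at the threshold of 5 and which of those only cross it because of a newly added rule. The transaction IDs, rule IDs and per-rule severity map are constructed for the example; real severities come from the CRS/DRS rule reference linked above.

```python
"""Replay Azure WAF firewall log entries through CRS anomaly scoring."""
import json
from collections import defaultdict
# Anomaly points per CRS severity; Azure WAF blocks once the total reaches 5.
SEVERITY_POINTS = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
BLOCK_THRESHOLD = 5

# Severity per rule ID, assumed for this example: confirm each rule's real
# severity in the CRS/DRS rule reference before relying on it.
RULE_SEVERITY = {
    "920300": "NOTICE",    # request is missing an Accept header
    "920350": "WARNING",   # Host header is a numeric IP address
    "942100": "CRITICAL",  # SQL injection detected via libinjection
}

# Constructed sample: one JSON record per matched rule, using a subset of the
# ApplicationGatewayFirewallLog fields; one request = one transactionId.
SAMPLE_LOG_LINES = """
{"properties": {"transactionId": "t1", "ruleId": "920300", "action": "Matched"}}
{"properties": {"transactionId": "t1", "ruleId": "920350", "action": "Matched"}}
{"properties": {"transactionId": "t2", "ruleId": "942100", "action": "Matched"}}
{"properties": {"transactionId": "t3", "ruleId": "920300", "action": "Matched"}}
"""

def load_entries(text):
    """Parse newline-delimited JSON records into their 'properties' dicts."""
    return [json.loads(line)["properties"] for line in text.splitlines() if line.strip()]
SAMPLE_LOG = load_entries(SAMPLE_LOG_LINES)

def score_transactions(entries, ignore_rules=frozenset()):
    """Return {transactionId: (anomaly score, [rule IDs that fired])}."""
    totals = defaultdict(lambda: [0, []])
    for e in entries:
        rule_id = e["ruleId"]
        if rule_id in ignore_rules:  # pretend these rules were not enabled
            continue
        totals[e["transactionId"]][0] += SEVERITY_POINTS[RULE_SEVERITY[rule_id]]
        totals[e["transactionId"]][1].append(rule_id)
    return {tid: (score, rules) for tid, (score, rules) in totals.items()}

def would_block(entries, ignore_rules=frozenset()):
    """Transaction IDs that Prevention mode would block at the threshold."""
    scored = score_transactions(entries, ignore_rules)
    return sorted(tid for tid, (score, _) in scored.items() if score >= BLOCK_THRESHOLD)

def impact_of_new_rules(entries, new_rules):
    """Transactions that cross the threshold only because of the new rules."""
    before = set(would_block(entries, ignore_rules=frozenset(new_rules)))
    return sorted(set(would_block(entries)) - before)
```

Call `impact_of_new_rules(SAMPLE_LOG, {"920350"})` to list the requests that a newly enforced rule 920350 would tip over the threshold; those are the ones to review for exclusions before leaving Detection mode.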