Policy - Audit legacy or deprecated WAF rulesets on Application Gateway and Front Door

Azure WAF/Policy - Azure Policy Definitions/Policy - Audit legacy or deprecated WAF rulesets on Application Gateway and Front Door/Audit legacy or deprecated WAF rulesets on Application Gateway and Front Door.json

@@ -0,0 +1,129 @@
+{
+  "properties": {
+    "displayName": "Audit legacy or deprecated WAF rulesets on Application Gateway and Front Door",
+    "policyType": "Custom",
+    "mode": "All",
+    "description": "Audits Web Application Firewall policies that use legacy or deprecated OWASP or DRS rulesets. OWASP CRS 3.0 and 2.2.9 are deprecated; OWASP 3.1 and 3.2 are legacy. DRS 1.1 and 1.0 are legacy. Also flags Front Door Standard WAF policies with no managed rules.",
+    "metadata": {
+      "category": "Network",
+      "version": "1.0.0"
+    },
+    "parameters": {
+      "effect": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Effect",
+          "description": "The effect determines what happens when the policy rule is evaluated to match"
+        },
+        "allowedValues": [
+          "Audit",
+          "Deny",
+          "Disabled"
+        ],
+        "defaultValue": "Audit"
+      }
+    },
+    "policyRule": {
+      "if": {
+        "anyOf": [
+          {
+            "allOf": [
+              {
+                "field": "type",
+                "equals": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
+              },
+              {
+                "count": {
+                  "field": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/managedRules.managedRuleSets[*]",
+                  "where": {
+                    "anyOf": [
+                      {
+                        "allOf": [
+                          {
+                            "field": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/managedRules.managedRuleSets[*].ruleSetType",
+                            "equals": "OWASP"
+                          },
+                          {
+                            "field": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/managedRules.managedRuleSets[*].ruleSetVersion",
+                            "in": [
+                              "3.2",
+                              "3.1",
+                              "3.0",
+                              "2.2.9"
+                            ]
+                          }
+                        ]
+                      }
+                    ]
+                  }
+                },
+                "greater": 0
+              }
+            ]
+          },
+          {
+            "allOf": [
+              {
+                "field": "type",
+                "equals": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies"
+              },
+              {
+                "anyOf": [
+                  {
+                    "allOf": [
+                      {
+                        "count": {
+                          "field": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies/managedRules.managedRuleSets[*]",
+                          "where": {
+                            "allOf": [
+                              {
+                                "field": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies/managedRules.managedRuleSets[*].ruleSetType",
+                                "in": [
+                                  "DefaultRuleSet",
+                                  "Microsoft_DefaultRuleSet"
+                                ]
+                              },
+                              {
+                                "field": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies/managedRules.managedRuleSets[*].ruleSetVersion",
+                                "in": [
+                                  "1.0",
+                                  "1.1"
+                                ]
+                              }
+                            ]
+                          }
+                        },
+                        "greater": 0
+                      }
+                    ]
+                  },
+                  {
+                    "allOf": [
+                      {
+                        "field": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies/managedRules.managedRuleSets[*]",
+                        "exists": "false"
+                      }
+                    ]
+                  },
+                  {
+                    "allOf": [
+                      {
+                        "count": {
+                          "field": "Microsoft.Network/frontdoorwebapplicationfirewallpolicies/managedRules.managedRuleSets[*]"
+                        },
+                        "equals": 0
+                      }
+                    ]
+                  }
+                ]
+              }
+            ]
+          }
+        ]
+      },
+      "then": {
+        "effect": "[parameters('effect')]"
+      }
+    }
+  }
+}

Azure WAF/Policy - Azure Policy Definitions/Policy - Audit legacy or deprecated WAF rulesets on Application Gateway and Front Door/README.md

@@ -0,0 +1,6 @@
+# Audit Legacy and Deprecated WAF Rulesets
+
+This Azure Policy definition audits Web Application Firewall policies that use legacy or deprecated OWASP Core Rule Set (CRS) or Microsoft Default Rule Set (DRS) rulesets across Application Gateway and Azure Front Door.
+
+It is important to use the latest rulesets instead of deprecated ones to benefit from improved security coverage and reduced false positives that come with newer rule versions.
+