Merge pull request #271654 from vhorne/waf-sensitive-data

v-dirichards · web-flow · commit d2d748cb7b6d · 2024-05-06T16:16:10.000-05:00
updates for afds sensitive data protection
diff --git a/articles/web-application-firewall/afds/waf-sensitive-data-protection-configure-frontdoor.md b/articles/web-application-firewall/afds/waf-sensitive-data-protection-configure-frontdoor.md
@@ -0,0 +1,65 @@
+---
+title: How to mask sensitive data on Azure Web Application Firewall on Azure Front Door (preview)
+description: Learn how to mask sensitive data on Azure Web Application Firewall on Azure Front Door.
+author: vhorne
+ms.author: victorh
+ms.service: web-application-firewall
+ms.topic: how-to
+ms.date: 04/09/2024
+---
+
+# How to mask sensitive data on Azure Web Application Firewall on Azure Front Door (preview)
+
+> [!IMPORTANT]
+> Web Application Firewall on Azure Front Door Sensitive Data Protection is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+The Web Application Firewall's (WAF) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It works by using a rules engine that allows you to build custom rules to identify specific portions of a request that contain sensitive data. Once identified, the tool scrubs that information from your logs and replaces it with _*******_.
+
+> [!NOTE]
+> When you enable the log scrubbing feature, Microsoft still retains IP addresses in our internal logs to support critical security features.
+
+The following table shows examples of log scrubbing rules that can be used to protect your sensitive data:
+
+| Match Variable | Operator | Selector | What gets scrubbed |
+| --- | --- | --- | --- |
+| Request Header Names | Equals | keytoblock | {"matchVariableName":"HeaderValue:keytoblock","matchVariableValue":"****"} |
+| Request Cookie Names | Equals | cookietoblock | {"matchVariableName":"CookieValue:cookietoblock","matchVariableValue":"****"} |
+| Request Post Arg Names | Equals | var | {"matchVariableName":"PostParamValue:var","matchVariableValue":"****"} |
+| Request Body JSON Arg Names | Equals | JsonValue | {"matchVariableName":"JsonValue:key","matchVariableValue":"****"} |
+| Query String Arg Names | Equals | foo | {"matchVariableName":"QueryParamValue:foo","matchVariableValue":"****"} |
+| Request IP Address* | Equals Any | NULL | {"matchVariableName":"ClientIP","matchVariableValue":"****"} |
+| Request URI | Equals Any | NULL | {"matchVariableName":"URI","matchVariableValue":"****"} |
+
+\* Request IP Address and Request URI rules only support the *equals any* operator and scrubs all instances of the requestor's IP address that appears in the WAF logs.
+
+For more information, see [What is Azure Web Application Firewall on Azure Front Door Sensitive Data Protection?](waf-sensitive-data-protection-frontdoor.md)
+
+## Enable Sensitive Data Protection
+
+Use the following information to enable and configure Sensitive Data Protection.
+
+### Portal
+
+To enable Sensitive Data Protection:
+
+1. Open an existing Front Door WAF policy.
+1. Under **Settings**, select **Sensitive data**.
+1. On the **Sensitive data** page, select **Enable log scrubbing**.
+
+To configure Log Scrubbing rules for Sensitive Data Protection:
+
+1. Under **Log scrubbing rules**, select a **Match variable**.
+1. Select an **Operator** (if applicable).
+1. Type a **Selector** (if applicable).
+1. Select **Save**.
+
+Repeat to add more rules.
+
+## Verify Sensitive Data Protection
+
+To verify your Sensitive Data Protection rules, open the Front Door firewall log and search for _******_ in place of the sensitive fields.
+
+## Next steps
+
+- [Use Log Analytics to examine Application Gateway Web Application Firewall (WAF) logs](../ag/log-analytics.md)
diff --git a/articles/web-application-firewall/afds/waf-sensitive-data-protection-frontdoor.md b/articles/web-application-firewall/afds/waf-sensitive-data-protection-frontdoor.md
@@ -0,0 +1,40 @@
+---
+title: Azure Web Application Firewall on Azure Front Door Sensitive Data Protection (preview)
+description: Learn about Azure Web Application Firewall Azure Front Door Sensitive Data Protection.
+author: vhorne
+ms.author: victorh
+ms.service: web-application-firewall
+ms.topic: conceptual
+ms.date: 04/09/2024
+---
+
+# What is Azure Web Application Firewall on Azure Front Door Sensitive Data Protection (preview)?
+
+> [!IMPORTANT]
+> Web Application Firewall on Azure Front Door Sensitive Data Protection is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+The Web Application Firewall's (WAF) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It works by using a rules engine that allows you to build custom rules to identify specific portions of a request that contain sensitive information. Once identified, the tool scrubs that information from your logs and replaces it with _*******_.
+
+> [!NOTE]
+> When you enable the log scrubbing feature, Microsoft still retains IP addresses in our internal logs to support critical security features.
+
+## Default log behavior
+
+Normally, when a WAF rule is triggered, the WAF logs the details of the request in clear text. If the portion of the request triggering the WAF rule contains sensitive data (such as customer passwords or IP addresses), that sensitive data is viewable by anyone with access to the WAF logs. To protect customer data, you can set up Log Scrubbing rules targeting this sensitive data for protection.
+
+## Fields
+
+The following fields can be scrubbed from the logs:
+
+-   Request Header Names
+-   Request Cookie Names
+-   Request Body Post Arg Names
+-   Request Body Json Arg Names
+-   Query String Arg Names
+-   Request URI
+-   Request IP Address
+
+## Next steps
+
+- [How to mask sensitive data on Azure Web Application Firewall on Azure Front Door (preview)](waf-sensitive-data-protection-configure-frontdoor.md)
diff --git a/articles/web-application-firewall/ag/waf-sensitive-data-protection-configure.md b/articles/web-application-firewall/ag/waf-sensitive-data-protection-configure.md
@@ -12,6 +12,9 @@ ms.date: 09/05/2023
 
 The Web Application Firewall's (WAF's) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It works by using a rules engine that allows you to build custom rules to identify specific portions of a request that contain sensitive data. Once identified, the tool scrubs that information from your logs and replaces it with _*******_.
 
+> [!NOTE]
+> When you enable the log scrubbing feature, Microsoft still retains IP addresses in our internal logs to support critical security features.
+
 The following table shows examples of log scrubbing rules that can be used to protect your sensitive data:
 
 | Match Variable | Operator | Selector | What gets scrubbed |
diff --git a/articles/web-application-firewall/ag/waf-sensitive-data-protection.md b/articles/web-application-firewall/ag/waf-sensitive-data-protection.md
@@ -5,12 +5,15 @@ author: vhorne
 ms.author: victorh
 ms.service: web-application-firewall
 ms.topic: conceptual
-ms.date: 09/05/2023
+ms.date: 04/10/2024
 ---
 
 # What is Azure Web Application Firewall Sensitive Data Protection?
 
-The Web Application Firewall's (WAF's) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It works by using a rules engine that allows you to build custom rules to identify specific portions of a request that contain sensitive information. Once identified, the tool scrubs that information from your logs and replaces it with _*******_.
+The Web Application Firewall's (WAF) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It works by using a rules engine that allows you to build custom rules to identify specific portions of a request that contain sensitive information. Once identified, the tool scrubs that information from your logs and replaces it with _*******_.
+
+> [!NOTE]
+> When you enable the log scrubbing feature, Microsoft still retains IP addresses in our internal logs to support critical security features.
 
 
 ## Default log behavior
diff --git a/articles/web-application-firewall/toc.yml b/articles/web-application-firewall/toc.yml
@@ -80,6 +80,8 @@
       href: ./afds/waf-front-door-exclusion.md
     - name: Policy settings
       href: ./afds/waf-front-door-policy-settings.md
+    - name: Sensitive Data Protection
+      href: ./afds/waf-sensitive-data-protection-frontdoor.md
     - name: Rate limiting
       href: ./afds/waf-front-door-rate-limit.md
     - name: Geo-filtering
@@ -154,6 +156,8 @@
       href: ./afds/waf-front-door-configure-custom-response-code.md
     - name: Configure IP restrictions
       href: ./afds/waf-front-door-configure-ip-restriction.md
+    - name: Mask sensitive data
+      href: ./afds/waf-sensitive-data-protection-configure-frontdoor.md
     - name: Configure rate limit
       href: ./afds/waf-front-door-rate-limit-configure.md
     - name: Configure a geo-filtering WAF policy
