Merge pull request #209438 from MicrosoftDocs/main

Publish to live, Sunday 4 PM PT, 8/28

Author: LJSpiller

articles/cognitive-services/personalizer/concepts-exploration.md

@@ -1,22 +1,22 @@
 ---
 title: Exploration - Personalizer
 titleSuffix: Azure Cognitive Services
-description: With exploration, Personalizer is able to continue delivering good results, even as user behavior changes. Choosing an exploration setting is a business decision about the proportion of user interactions to explore with, in order to improve the model.
+description: With exploration, Personalizer is able to continuously deliver good results, even as user behavior changes. Choosing an exploration setting is a business decision about the proportion of user interactions to explore with, in order to improve the model.
 author: jcodella
 ms.author: jacodel
 ms.manager: nitinme
 ms.service: cognitive-services
 ms.subservice: personalizer
 ms.topic: conceptual
-ms.date: 10/23/2019
+ms.date: 08/28/2022
 ---
 
-# Exploration and exploitation
+# Exploration and Known
 
-With exploration, Personalizer is able to continue delivering good results, even as user behavior changes.
+With exploration, Personalizer is able to continuously deliver good results, even as user behavior changes.
 
 When Personalizer receives a Rank call, it returns a RewardActionID that either:
-* Uses exploitation to match the most probable user behavior based on the current machine learning model.
+* Uses known relevance to match the most probable user behavior based on the current machine learning model.
 * Uses exploration, which does not match the action that has the highest probability in the rank.
 
 Personalizer currently uses an algorithm called *epsilon greedy* to explore. 
@@ -25,7 +25,7 @@ Personalizer currently uses an algorithm called *epsilon greedy* to explore.
 
 You configure the percentage of traffic to use for exploration in the Azure portal's **Configuration** page for Personalizer. This setting determines the percentage of Rank calls that perform exploration. 
 
-Personalizer determines whether to explore or exploit with this probability on each rank call. This is different than the behavior in some A/B frameworks that lock a treatment on specific user IDs.
+Personalizer determines whether to explore or use the model's learned best action with this probability on each rank call. This is different than the behavior in some A/B frameworks that lock a treatment on specific user IDs.
 
 ## Best practices for choosing an exploration setting
 
@@ -35,8 +35,8 @@ A setting of zero will negate many of the benefits of Personalizer. With this se
 
 A setting that is too high will negate the benefits of learning from user behavior. Setting it to 100% implies a constant randomization, and any learned behavior from users would not influence the outcome.
 
-It is important not to change the application behavior based on whether you see if Personalizer is exploring or exploiting. This would lead to learning biases that ultimately would decrease the potential performance.
+It is important not to change the application behavior based on whether you see if Personalizer is exploring or using the learned best action. This would lead to learning biases that ultimately would decrease the potential performance.
 
 ## Next steps
 
-[Reinforcement learning](concepts-reinforcement-learning.md) 
+[Reinforcement learning](concepts-reinforcement-learning.md) 

articles/mysql/flexible-server/quickstart-create-terraform.md

@@ -7,7 +7,7 @@ ms.topic: quickstart
 author: shreyaaithal
 ms.author: shaithal
 ms.custom: devx-track-terraform
-ms.date: 8/23/2022
+ms.date: 8/28/2022
 ---
 
 # Quickstart: Use Terraform to create an Azure Database for MySQL - Flexible Server
@@ -16,8 +16,8 @@ ms.date: 8/23/2022
 
 Article tested with the following Terraform and Terraform provider versions:
 
-- [Terraform v1.2.1](https://releases.hashicorp.com/terraform/)
-- [AzureRM Provider v.2.99.0](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)
+- [Terraform v1.2.7](https://releases.hashicorp.com/terraform/)
+- [AzureRM Provider v.3.20.0](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs)
 
 [!INCLUDE [About Azure Database for MySQL - Flexible Server](../includes/azure-database-for-mysql-flexible-server-abstract.md)]
 

articles/web-application-firewall/afds/resource-manager-template-samples.md

@@ -0,0 +1,36 @@
+---
+title: Azure Resource Manager templates for Azure Front Door and Web Application Firewall
+description: Azure Resource Manager templates for Azure Front Door Web Application Firewall
+services: web-application-firewall
+author: johndowns
+ms.service: web-application-firewall
+ms.topic: sample
+ms.date: 08/16/2022
+ms.author: jodowns
+zone_pivot_groups: front-door-tiers
+---
+# Azure Resource Manager templates for Azure Front Door and Web Application Firewall
+
+The following table includes links to Azure Resource Manager templates for Azure Front Door and Web Application Firewall.
+
+::: zone pivot="front-door-standard-premium"
+
+| Template | Description |
+| -------- | ----------- |
+| [Front Door with Web Application Firewall and managed rule set](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-premium-waf-managed/) | Creates a Front Door profile and WAF with managed rule set.  |
+| [Front Door with Web Application Firewall and custom rule](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-waf-custom/) | Creates a Front Door profile and WAF with custom rule.  |
+| [Front Door with Web Application Firewall and rate limit](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-rate-limit/) | Creates a Front Door profile and WAF with a custom rule to perform rate limiting.  |
+| [Front Door with Web Application Firewall and geo-filtering](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.cdn/front-door-standard-premium-geo-filtering/) | Creates a Front Door profile and WAF with a custom rule to perform geo-filtering.  |
+
+::: zone-end
+
+::: zone pivot="front-door-classic"
+
+| Template | Description |
+| ---| ---|
+| [Create Front Door with geo filtering](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-geo-filtering)| Create a Front Door that allows/blocks traffic from certain countries/regions. |
+| [Configure Front Door for client IP allowlisting or blocklisting](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-waf-clientip)| Configures a Front Door to restrict traffic certain client IPs using custom  access control using client IPs. |
+| [Configure Front Door to take action with specific http parameters](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-waf-http-params)| Configures a Front Door to allow or block certain traffic based on the http parameters in the incoming request by using custom rules for access control using http parameters. |
+| [Configure Front Door rate limiting](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.network/front-door-rate-limiting)| Configures a Front Door to rate limit incoming traffic for a given frontend host. |
+
+::: zone-end

articles/web-application-firewall/afds/waf-front-door-drs.md

@@ -5,17 +5,16 @@ ms.service: web-application-firewall
 author: vhorne
 ms.author: victorh
 ms.topic: conceptual
-ms.date: 06/15/2022
+ms.date: 08/28/2022
 ---
 
 # Web Application Firewall DRS rule groups and rules
 
 Azure Front Door web application firewall (WAF) protects web applications from common vulnerabilities and exploits. Azure-managed rule sets provide an easy way to deploy protection against a common set of security threats. Since such rule sets are managed by Azure, the rules are updated as needed to protect against new attack signatures. Default rule set also includes the Microsoft Threat Intelligence Collection rules that are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
 
-
 ## Default rule sets
 
-Azure-managed Default Rule Set includes rules against the following threat categories:
+The Azure-managed Default Rule Set (DRS) includes rules against the following threat categories:
 
 - Cross-site scripting
 - Java attacks
@@ -27,40 +26,42 @@ Azure-managed Default Rule Set includes rules against the following threat categ
 - SQL injection protection
 - Protocol attackers
 
-The version number of the Default Rule Set increments when new attack signatures are added to the rule set.
-Default Rule Set is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions (ALLOW/BLOCK/REDIRECT/LOG) per rule.
+The version number of the DRS increments when new attack signatures are added to the rule set.
+
+DRS is enabled by default in Detection mode in your WAF policies. You can disable or enable individual rules within the Default Rule Set to meet your application requirements. You can also set specific actions per rule. The available actions are: [Allow, Block, Log, and Redirect](afds-overview.md#waf-actions).
 
-Sometimes you may need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You may configure an exclusion list for a managed rule, rule group, or for the entire rule set.  
+Sometimes you might need to omit certain request attributes from a WAF evaluation. A common example is Active Directory-inserted tokens that are used for authentication. You may configure an exclusion list for a managed rule, rule group, or for the entire rule set. For more information, see [Web Application Firewall (WAF) with Front Door exclusion lists](./waf-front-door-exclusion.md).
 
-The Default action is to BLOCK. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Default Rule Set.
+By default, DRS blocks requests that trigger the rules. Additionally, custom rules can be configured in the same WAF policy if you wish to bypass any of the pre-configured rules in the Default Rule Set.
 
 Custom rules are always applied before rules in the Default Rule Set are evaluated. If a request matches a custom rule, the corresponding rule action is applied. The request is either blocked or passed through to the back-end. No other custom rules or the rules in the Default Rule Set are processed. You can also remove the Default Rule Set from your WAF policies.
 
 ### Microsoft Threat Intelligence Collection rules
 
-The Microsoft Threat Intelligence Collection rules are written in partnership with the Microsoft Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
+The Microsoft Threat Intelligence Collection rules are written in partnership with the Microsoft Threat Intelligence team to provide increased coverage, patches for specific vulnerabilities, and better false positive reduction.
 
-### Anomaly Scoring mode
+### <a name="anomaly-scoring-mode"></a>Anomaly scoring
 
-OWASP has two modes for deciding whether to block traffic: Traditional mode and Anomaly Scoring mode.
+When you use DRS 2.0 or later, your WAF uses *anomaly scoring*. Traffic that matches any rule isn't immediately blocked, even when your WAF is in prevention mode. Instead, the OWASP rule sets define a severity for each rule: *Critical*, *Error*, *Warning*, or *Notice*. The severity affects a numeric value for the request, which is called the *anomaly score*:
 
-In Traditional mode, traffic that matches any rule is considered independently of any other rule matches. This mode is easy to understand. But the lack of information about how many rules match a specific request is a limitation. So, Anomaly Scoring mode was introduced. It's the default for OWASP 3.*x*.
+| Rule severity | Values contributes to anomaly score |
+|-|-|
+| Critical | 5 |
+| Error | 4 |
+| Warning | 3 |
+| Notice | 2 |
 
-In Anomaly Scoring mode, traffic that matches any rule isn't immediately blocked when the firewall is in Prevention mode. Rules have a certain severity: *Critical*, *Error*, *Warning*, or *Notice*. That severity affects a numeric value for the request, which is called the Anomaly Score. For example, one *Warning* rule match contributes 3 to the score. One *Critical* rule match contributes 5.
+If the anomaly score is 5 or greater, WAF blocks the request.
 
-|Severity  |Value  |
-|---------|---------|
-|Critical     |5|
-|Error        |4|
-|Warning      |3|
-|Notice       |2|
+For example, a single *Critical* rule match is enough for the WAF to block a request, because the overall anomaly score is 5. However, one *Warning* rule match only increases the anomaly score by 3, which isn't enough by itself to block the traffic.
 
-There's a threshold of 5 for the Anomaly Score to block traffic. So, a single *Critical* rule match is enough for the WAF to block a request, even in Prevention mode. But one *Warning* rule match only increases the Anomaly Score by 3, which isn't enough by itself to block the traffic. For more information, see [What content types does WAF support?](waf-faq.yml#what-content-types-does-waf-support-) in the FAQ to learn what content types are supported for body inspection with different DRS versions.
+When your WAF uses older version of the default rule set (before DRS 2.0), your WAF runs in the traditional mode. Traffic that matches any rule is considered independently of any other rule matches. In traditional mode, you don't have visiblity into the complete set of rules that a specific request matched.
 
+The version of the DRS that you use also determines which content types are supported for request body inspection. For more information, see [What content types does WAF support?](waf-faq.yml#what-content-types-does-waf-support-) in the FAQ.
 
 ### DRS 2.0
 
-DRS 2.0 includes 17 rule groups, as shown in the following table. Each group contains multiple rules, which can be disabled.
+DRS 2.0 includes 17 rule groups, as shown in the following table. Each group contains multiple rules, and you can disable individual rules as well as entire rule groups.
 
 > [!NOTE]
 > DRS 2.0 is only available on Azure Front Door Premium.
@@ -118,9 +119,6 @@ DRS 2.0 includes 17 rule groups, as shown in the following table. Each group con
 |**[MS-ThreatIntel-WebShells](#drs9905-10)**|Protect against Web shell attacks|
 |**[MS-ThreatIntel-CVEs](#drs99001-10)**|Protect against CVE attacks|
 
-
-
-
 ### Bot rules
 
 |Rule group|Description|
@@ -129,10 +127,7 @@ DRS 2.0 includes 17 rule groups, as shown in the following table. Each group con
 |**[GoodBots](#bot200)**|Identify good bots|
 |**[UnknownBots](#bot300)**|Identify unknown bots|
 
-
-
-The following rule groups and rules are available when using Web Application Firewall on Azure 
-Front Door.
+The following rule groups and rules are available when using Web Application Firewall on Azure Front Door.
 
 # [DRS 2.0](#tab/drs20)
 
@@ -289,7 +284,6 @@ Front Door.
 >[!NOTE]
 > This article contains references to the term *blacklist*, a term that Microsoft no longer uses. When the term is removed from the software, we’ll remove it from this article.
 
-
 ### <a name="drs942-20"></a> SQLI - SQL Injection
 |RuleId|Description|
 |---|---|
@@ -335,7 +329,6 @@ Front Door.
 |942500|MySQL in-line comment detected.|
 |942510|SQLi bypass attempt by ticks or backticks detected.|
 
-
 ### <a name="drs943-20"></a> SESSION-FIXATION
 |RuleId|Description|
 |---|---|
@@ -383,6 +376,13 @@ Front Door.
 |99001015|Attempted Spring Framework unsafe class object exploitation [CVE-2022-22965](https://www.cve.org/CVERecord?id=CVE-2022-22965)|
 |99001016|Attempted Spring Cloud Gateway Actuator injection [CVE-2022-22947](https://www.cve.org/CVERecord?id=CVE-2022-22947)
 
+> [!NOTE]
+> When reviewing your WAF's logs, you might see rule ID 949110. The description of the rule might include *Inbound Anomaly Score Exceeded*.
+>
+> This rule indicates that the total anomaly score for the request exceeded the maximum allowable score. For more information, see [Anomaly scoring](#anomaly-scoring-mode).
+> 
+> When you tune your WAF policies, you need to investigate the other rules that were triggered by the request so that you can adjust your WAF's configuration. For more information, see [Tuning Web Application Firewall (WAF) for Azure Front Door](waf-front-door-tuning.md).
+
 # [DRS 1.1](#tab/drs11)
 
 ## <a name="drs11"></a> 1.1 rule sets

articles/web-application-firewall/afds/waf-front-door-exclusion.md

@@ -9,7 +9,7 @@ ms.author: victorh
 ms.topic: conceptual
 ---
 
-# Web Application Firewall (WAF) with Front Door Service exclusion lists 
+# Web Application Firewall (WAF) with Front Door exclusion lists
 
 Sometimes Web Application Firewall (WAF) might block a request that you want to allow for your application. WAF exclusion lists allow you to omit certain request attributes from a WAF evaluation. The rest of the request is evaluated as normal.
 

articles/web-application-firewall/afds/waf-front-door-tuning.md

@@ -5,7 +5,7 @@ services: web-application-firewall
 author: mohitkusecurity
 ms.service: web-application-firewall
 ms.topic: conceptual
-ms.date: 12/11/2020
+ms.date: 08/21/2022
 ms.author: mohitku
 ms.reviewer: victorh 
 ms.custom: devx-track-azurepowershell
@@ -275,6 +275,12 @@ Another way to view request and response headers is to look inside the developer
 
 If the request contains cookies, the Cookies tab can be selected to view them in Fiddler. Cookie information can also be used to create exclusions or custom rules in WAF.
 
+## Anomaly scoring rule
+
+If you see rule ID 949110 during the process of tuning your WAF, this indicates that the request was blocked by the [anomaly scoring](waf-front-door-drs.md#anomaly-scoring-mode) process.
+
+Review the other WAF log entries for the same request, by searching for the log entries with the same tracking reference. Look at each of the rules that were triggered, and tune each rule by following the guidance throughout this article.
+
 ## Next steps
 
 - Learn about [Azure web application firewall](../overview.md).