How to mask sensitive data on Azure Web Application Firewall

The Web Application Firewall's (WAF's) Log Scrubbing tool helps you remove sensitive data from your WAF logs. It uses a rules engine in which each custom rule names a match variable, an operator, and a selector that together identify a specific portion of a request containing sensitive data. Once identified, the tool scrubs that information from your logs and replaces it with ******.

Note

When you enable the log scrubbing feature, Microsoft still retains IP addresses in its internal logs to support critical security features. Log scrubbing changes what is written to your WAF logs, not what Microsoft keeps internally.

The following table shows examples of log scrubbing rules that can be used to protect your sensitive data:

| Match variable | Operator | Selector | What gets scrubbed |
|---|---|---|---|
| Request Header Names | Equals | X-Forwarded-For | REQUEST_HEADERS:x-forwarded-for.","data":"******" |
| Request Cookie Names | Equals | cookie1 | "Matched Data: ****** found within REQUEST_COOKIES:cookie1: ******" |
| Request Arg Names | Equals | arg1 | "requestUri":"/?arg1=******" |
| Request Post Arg Names | Equals | Post1 | "data":"Matched Data: ****** found within ARGS:post1: ******" |
| Request JSON Arg Names | Equals | Jsonarg | "data":"Matched Data: ****** found within ARGS:jsonarg: ******" |
| Request IP Address* | Equals Any | NULL | "clientIp":"******" |

* Request IP Address rules only support the Equals Any operator and take no selector; they scrub every instance of the requestor's IP address that appears in the WAF logs. Note that the selector names in the other rows appear lower-cased in the log output (Post1 becomes ARGS:post1).

For more information, see What is Azure Web Application Firewall Sensitive Data Protection?

Enable Sensitive Data Protection

Use the following information to enable and configure Sensitive Data Protection.

To enable Sensitive Data Protection:

  1. Open an existing Application Gateway WAF policy.
  2. Under Settings, select Sensitive data.
  3. On the Sensitive data page, select Enable log scrubbing.

To configure Log Scrubbing rules for Sensitive Data Protection:

  1. Under Log scrubbing rules, select a Match variable.
  2. Select an Operator (if applicable; Request IP Address rules always use Equals Any).
  3. Type a Selector (if applicable; Request IP Address rules take no selector).
  4. Select Save.

Repeat to add more rules.

Verify Sensitive Data Protection

To verify your Sensitive Data Protection rules, send a request that triggers a WAF rule and touches a field covered by one of your scrubbing rules (for example, a query argument named in a Request Arg Names rule), then open the Application Gateway firewall log for that request and confirm that ****** appears in place of the sensitive values. Only log entries written after the rules were saved are scrubbed; entries that were already stored keep their original contents.
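As an added example, not code from this page or from Microsoft, the following Python script covers both the configuration step and the verification step above. It validates a list of (match variable, operator, selector) rules against the constraints stated in the table (Request IP Address only with Equals Any and no selector, every other variable with Equals and a selector) and emits them in the shape of the ARM policySettings.logScrubbing property; it then scans firewall-log records for any field a rule should have masked that still carries a value. The record layout (properties.clientIp, properties.requestUri, properties.details.data) follows the Application Gateway firewall log; the sample records, the selector names arg1 and cookie1, the IP address and the matched values are constructed for the example and are not real data. The records passed to find_unscrubbed are assumed to be rules that already passed rule_error.

```python
import re
from urllib.parse import parse_qsl, urlsplit

MASK = "******"

# Operator each match variable accepts. Per the table's footnote, IP address
# rules only support Equals Any and take no selector.
ALLOWED_OPERATOR = {
    "RequestHeaderNames": "Equals",
    "RequestCookieNames": "Equals",
    "RequestArgNames": "Equals",
    "RequestPostArgNames": "Equals",
    "RequestJSONArgNames": "Equals",
    "RequestIPAddress": "EqualsAny",
}

# Collection name the firewall log uses in details.data for each variable
# ("found within ARGS:post1: ******").
COLLECTION = {
    "RequestHeaderNames": "REQUEST_HEADERS",
    "RequestCookieNames": "REQUEST_COOKIES",
    "RequestArgNames": "ARGS",
    "RequestPostArgNames": "ARGS",
    "RequestJSONArgNames": "ARGS",
}


def rule_error(var, op, selector):
    """Return why a (matchVariable, operator, selector) triple is invalid, or None."""
    if var not in ALLOWED_OPERATOR:
        return f"unknown match variable: {var}"
    if op != ALLOWED_OPERATOR[var]:
        return f"{var} only supports the {ALLOWED_OPERATOR[var]} operator"
    if var == "RequestIPAddress" and selector is not None:
        return "RequestIPAddress rules take no selector"
    if var != "RequestIPAddress" and not selector:
        return f"{var} rules need a selector"
    return None


def build_log_scrubbing(rules):
    """Validate rules and return a policySettings.logScrubbing block shaped
    like the ARM property (matchVariable, selectorMatchOperator, selector, state)."""
    scrubbing_rules = []
    for var, op, selector in rules:
        err = rule_error(var, op, selector)
        if err:
            raise ValueError(err)
        scrubbing_rules.append({"matchVariable": var, "selectorMatchOperator": op,
                                "selector": selector, "state": "Enabled"})
    return {"state": "Enabled", "scrubbingRules": scrubbing_rules}


# "Matched Data: <v> found within <COLL>:<name>: <v>" as written in details.data.
# The header form on this page ends after the name with a period and no value.
_MATCHED = re.compile(
    r"Matched Data:\s*(?P<v1>.*?)\s+found within\s+"
    r"(?P<coll>[A-Z_]+):(?P<name>[^:\s]+?)\.?(?::\s*(?P<v2>\S+))?\s*$"
)


def find_unscrubbed(record, rules):
    """Return (matchVariable, field, value) for each configured rule whose
    target still appears unmasked in one firewall-log record."""
    props = record["properties"]
    data = props.get("details", {}).get("data", "")
    findings = []
    for var, _op, selector in rules:
        if var == "RequestIPAddress":
            ip = props.get("clientIp", "")
            if ip and ip != MASK:
                findings.append((var, "clientIp", ip))
            continue
        name = selector.lower()  # the log lower-cases selector names (Post1 -> post1)
        if var == "RequestArgNames":
            query = urlsplit(props.get("requestUri", "")).query
            for key, val in parse_qsl(query, keep_blank_values=True):
                if key.lower() == name and val != MASK:
                    findings.append((var, "requestUri", val))
        m = _MATCHED.match(data)
        if m and m["coll"] == COLLECTION[var] and m["name"].lower() == name:
            for val in sorted({m["v1"], m["v2"]} - {None, MASK, ""}):
                findings.append((var, "details.data", val))
    return findings


# Constructed sample rules and records in the shape of ApplicationGatewayFirewallLog
# entries; the IP address, argument value and rule ID are not real log data.
RULES = [
    ("RequestArgNames", "Equals", "arg1"),
    ("RequestCookieNames", "Equals", "cookie1"),
    ("RequestIPAddress", "EqualsAny", None),
]
UNSCRUBBED = {"properties": {
    "clientIp": "203.0.113.7", "requestUri": "/?arg1=secret123", "ruleId": "942100",
    "details": {"message": "SQL Injection Attack Detected via libinjection",
                "data": "Matched Data: secret123 found within ARGS:arg1: secret123"},
}}
SCRUBBED = {"properties": {
    "clientIp": MASK, "requestUri": f"/?arg1={MASK}", "ruleId": "942100",
    "details": {"message": "SQL Injection Attack Detected via libinjection",
                "data": f"Matched Data: {MASK} found within ARGS:arg1: {MASK}"},
}}

if __name__ == "__main__":
    print(build_log_scrubbing(RULES))
    print(find_unscrubbed(UNSCRUBBED, RULES))  # three findings: requestUri, details.data, clientIp
    print(find_unscrubbed(SCRUBBED, RULES))    # []
```

To use this against real data, export the firewall log entries from Log Analytics or your storage account as JSON and feed each record to find_unscrubbed with the same rule list you saved in the policy; an empty result for every record written after the save means the rules are taking effect, and any finding names the field that still leaks. The details.data parsing assumes the "Matched Data: ... found within ..." wording shown in the table, so rule messages in a different format are not inspected.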

Next steps