Highlight Application Gateway WAF rules in different risk levels
IMHO, Azure should provide some guidelines on WAF rule configurations.
At least highlight the most important rules which we must turn on, so we can feel a bit safe when we have to turn off some non-important rules.
Rule 1,2,3 -- High risk; must turn on; when violated, do #a/b/c on your app to get compliant;
Rule 4,5,6 -- Medium risk; recommended to turn on; when violated, do #e/f/g on your app to get compliant;
Rule 7,8,9 -- Low risk; can be turned off.
P.S. It is kind of heavy for us to study all the rules https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/v3.0/master/rules;
Glen Little commented
Also, rules that are flagged with a severity of "WARNING" in the specs are being completely blocked by the WAF.
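One way to do the triage the post asks for, and to see which rules carry the "WARNING" severity the comment above mentions, is to read the severity each CRS rule declares in its own `severity:` action. The script below is an added example, not part of the original thread or of the CRS project; the SecRule text is a constructed sample in CRS v3.0 syntax with placeholder rule ids, and the severity-to-tier mapping is an assumed convention, not an Azure or CRS recommendation.

```python
import re
from collections import defaultdict

# Constructed sample in CRS v3.0 SecRule syntax (not copied from the CRS repo);
# rule ids 9991xx are placeholders, not real CRS ids.
SAMPLE_RULES = r"""
SecRule ARGS "@detectSQLi" \
    "id:999101,\
    phase:2,\
    block,\
    msg:'SQL Injection Attack Detected via libinjection',\
    severity:'CRITICAL'"

SecRule REQUEST_HEADERS:User-Agent "@pm curl wget" \
    "id:999102,\
    phase:1,\
    pass,\
    msg:'Found User-Agent associated with scripting/generic HTTP client',\
    severity:'WARNING'"

SecRule REQUEST_METHOD "!@within GET POST HEAD" \
    "id:999103,\
    phase:1,\
    block,\
    msg:'Method is not allowed by policy',\
    severity:'NOTICE'"
"""

# Assumed mapping from CRS severities to the coarse tiers the post proposes.
SEVERITY_TIER = {"CRITICAL": "high", "ERROR": "high", "WARNING": "medium", "NOTICE": "low"}

ID_RE = re.compile(r"\bid:(\d+)")
SEV_RE = re.compile(r"severity:'?([A-Za-z]+)'?")
MSG_RE = re.compile(r"msg:'([^']*)'")

def parse_secrules(text):
    """Return [{id, severity, msg}] per SecRule; backslash-continued lines are joined first."""
    joined = re.sub(r"\\\n\s*", "", text)
    rules = []
    for line in joined.splitlines():
        if not line.lstrip().startswith("SecRule"):
            continue
        id_m = ID_RE.search(line)
        if not id_m:          # chained sub-rules carry no id of their own
            continue
        sev_m, msg_m = SEV_RE.search(line), MSG_RE.search(line)
        rules.append({"id": int(id_m.group(1)),
                      "severity": sev_m.group(1).upper() if sev_m else None,
                      "msg": msg_m.group(1) if msg_m else ""})
    return rules

def triage(rules):
    """Group rule ids by tier; rules with no declared severity land in 'unrated'."""
    tiers = defaultdict(list)
    for r in rules:
        tiers[SEVERITY_TIER.get(r["severity"], "unrated")].append(r["id"])
    return dict(tiers)

if __name__ == "__main__":
    for tier, ids in sorted(triage(parse_secrules(SAMPLE_RULES)).items()):
        print(f"{tier}: {ids}")
```

Point it at the real rule files from the CRS repository to get the per-severity inventory before deciding which rule groups to disable.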