
Generally Available: Default Ruleset 2.2 in WAF for Azure Application Gateway


Announcing the general availability of Default Rule Set (DRS) 2.2 for Web Application Firewall on Azure Application Gateway. The Azure-managed DRS provides active protection against common web vulnerabilities and exploits. It also includes Microsoft Threat Intelligence collection rules, authored in collaboration with our intelligence teams, to deliver broader coverage, targeted vulnerability mitigations, and continual improvements in false-positive reduction.

DRS 2.2 is based on OWASP Core Rule Set 3.3.4, bringing refinements to existing detections and new protections, including rules that detect content types declared outside the actual content-type header and enhanced remote code execution (RCE) detections. An additional eight Microsoft Threat Intelligence rules expand coverage across SQL injection, XSS, and application-security attack patterns.

To significantly reduce legitimate traffic being blocked, DRS 2.2 ships at Paranoia Level (PL) 1 by default. PL1 includes high-signal, lower-noise rules that rarely trigger false positives. PL2 rules are disabled by default because they are more aggressive and typically require fine-tuning. You can keep PL2 disabled or selectively enable individual PL2 rules where warranted. [Learn more](https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs22%2Cowasp32#default-rule-set-22).
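The "keep PL2 off, enable individual PL2 rules where warranted" posture described above, as an added Bicep example that is not part of the announcement or of Microsoft's own samples: a WAF policy pinned to DRS 2.2 with one PL2 rule re-enabled in Log mode so its hits can be reviewed before it is allowed to block. Assumptions: the policy name and API version are placeholders; the rule group name `SQLI` follows DRS 2.1 naming and is assumed to carry over to 2.2; rule 942200 is a CRS 3.3 PL2 SQL-injection rule and is therefore among the rules DRS 2.2 disables by default.

```bicep
// Added example: DRS 2.2 at its default PL1 posture, plus a single PL2 rule
// selectively enabled for tuning. Names and API version are assumptions.
param location string = resourceGroup().location
param wafPolicyName string = 'wafpolicy-drs22' // assumed placeholder name

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2024-05-01' = {
  name: wafPolicyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'      // PL1 rules block; the override below only logs
      requestBodyCheck: true  // needed for body-based SQLi/RCE detections
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'Microsoft_DefaultRuleSet'
          ruleSetVersion: '2.2'
          ruleGroupOverrides: [
            {
              // Assumed group name (DRS 2.1 naming). Rule 942200 (CRS 3.3, PL2)
              // is disabled by default in DRS 2.2; enable it in Log mode first,
              // review WAF logs for false positives, then switch action to 'Block'.
              ruleGroupName: 'SQLI'
              rules: [
                {
                  ruleId: '942200'
                  state: 'Enabled'
                  action: 'Log'
                }
              ]
            }
          ]
        }
      ]
    }
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep`, then attach the policy to the Application Gateway or listener; everything not listed under `ruleGroupOverrides` keeps the DRS 2.2 defaults.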