Frontdoor - DRS Changelog: 1.1 → 2.0¶
Generated: 05 July 2026 | Base: 1.1 | Target: 2.0
Summary: 44 added · 0 removed · 126 changed
Added Rules¶
| Rule ID | Rule Group Name | Description | Action | State |
|---|---|---|---|---|
| 200002 | General | Failed to parse request body. | AnomalyScoring | Enabled |
| 200003 | General | Multipart request body failed strict validation | AnomalyScoring | Enabled |
| 911100 | METHOD-ENFORCEMENT | Method is not allowed by policy | AnomalyScoring | Enabled |
| 920100 | PROTOCOL-ENFORCEMENT | Invalid HTTP Request Line | AnomalyScoring | Enabled |
| 920120 | PROTOCOL-ENFORCEMENT | Attempted multipart/form-data bypass | AnomalyScoring | Enabled |
| 920121 | PROTOCOL-ENFORCEMENT | Attempted multipart/form-data bypass | AnomalyScoring | Enabled |
| 920160 | PROTOCOL-ENFORCEMENT | Content-Length HTTP header is not numeric. | AnomalyScoring | Enabled |
| 920170 | PROTOCOL-ENFORCEMENT | GET or HEAD Request with Body Content. | AnomalyScoring | Enabled |
| 920171 | PROTOCOL-ENFORCEMENT | GET or HEAD Request with Transfer-Encoding. | AnomalyScoring | Enabled |
| 920180 | PROTOCOL-ENFORCEMENT | POST without Content-Length or Transfer-Encoding headers. | AnomalyScoring | Enabled |
| 920190 | PROTOCOL-ENFORCEMENT | Range: Invalid Last Byte Value. | AnomalyScoring | Enabled |
| 920200 | PROTOCOL-ENFORCEMENT | Range: Too many fields (6 or more) | AnomalyScoring | Enabled |
| 920201 | PROTOCOL-ENFORCEMENT | Range: Too many fields for pdf request (63 or more) | AnomalyScoring | Enabled |
| 920210 | PROTOCOL-ENFORCEMENT | Multiple/Conflicting Connection Header Data Found. | AnomalyScoring | Enabled |
| 920220 | PROTOCOL-ENFORCEMENT | URL Encoding Abuse Attack Attempt | AnomalyScoring | Enabled |
| 920230 | PROTOCOL-ENFORCEMENT | Multiple URL Encoding Detected | AnomalyScoring | Enabled |
| 920240 | PROTOCOL-ENFORCEMENT | URL Encoding Abuse Attack Attempt | AnomalyScoring | Enabled |
| 920260 | PROTOCOL-ENFORCEMENT | Unicode Full/Half Width Abuse Attack Attempt | AnomalyScoring | Enabled |
| 920270 | PROTOCOL-ENFORCEMENT | Invalid character in request (null character) | AnomalyScoring | Enabled |
| 920271 | PROTOCOL-ENFORCEMENT | Invalid character in request (non printable characters) | AnomalyScoring | Enabled |
| 920280 | PROTOCOL-ENFORCEMENT | Request Missing a Host Header | AnomalyScoring | Enabled |
| 920290 | PROTOCOL-ENFORCEMENT | Empty Host Header | AnomalyScoring | Enabled |
| 920300 | PROTOCOL-ENFORCEMENT | Request Missing an Accept Header | AnomalyScoring | Enabled |
| 920310 | PROTOCOL-ENFORCEMENT | Request Has an Empty Accept Header | AnomalyScoring | Enabled |
| 920311 | PROTOCOL-ENFORCEMENT | Request Has an Empty Accept Header | AnomalyScoring | Enabled |
| 920320 | PROTOCOL-ENFORCEMENT | Missing User Agent Header | AnomalyScoring | Enabled |
| 920330 | PROTOCOL-ENFORCEMENT | Empty User Agent Header | AnomalyScoring | Enabled |
| 920340 | PROTOCOL-ENFORCEMENT | Request Containing Content, but Missing Content-Type header | AnomalyScoring | Enabled |
| 920341 | PROTOCOL-ENFORCEMENT | Request Containing Content Requires Content-Type header | AnomalyScoring | Enabled |
| 920350 | PROTOCOL-ENFORCEMENT | Host header is a numeric IP address | AnomalyScoring | Enabled |
| 920420 | PROTOCOL-ENFORCEMENT | Request content type is not allowed by policy | AnomalyScoring | Enabled |
| 920430 | PROTOCOL-ENFORCEMENT | HTTP protocol version is not allowed by policy | AnomalyScoring | Enabled |
| 920440 | PROTOCOL-ENFORCEMENT | URL file extension is restricted by policy | AnomalyScoring | Enabled |
| 920450 | PROTOCOL-ENFORCEMENT | HTTP header is restricted by policy | AnomalyScoring | Enabled |
| 920470 | PROTOCOL-ENFORCEMENT | Illegal Content-Type header | AnomalyScoring | Enabled |
| 920480 | PROTOCOL-ENFORCEMENT | Request content type charset is not allowed by policy | AnomalyScoring | Enabled |
| 933200 | PHP | PHP Injection Attack: Wrapper scheme detected | AnomalyScoring | Enabled |
| 933210 | PHP | PHP Injection Attack: Variable Function Call Found | AnomalyScoring | Enabled |
| 934100 | NODEJS | Node.js Injection Attack | AnomalyScoring | Enabled |
| 941360 | XSS | JSFuck / Hieroglyphy obfuscation detected | AnomalyScoring | Enabled |
| 941370 | XSS | JavaScript global variable found | AnomalyScoring | Enabled |
| 941380 | XSS | AngularJS client side template injection detected | AnomalyScoring | Enabled |
| 942500 | SQLI | MySQL in-line comment detected. | AnomalyScoring | Enabled |
| 942510 | SQLI | SQLi bypass attempt by ticks or backticks detected. | AnomalyScoring | Enabled |
Removed Rules¶
No rules removed.
Changed Rules¶
| Rule ID | Rule Group | Field | Before | After |
|---|---|---|---|---|
| 921110 | PROTOCOL-ATTACK | Action | Block | AnomalyScoring |
| 921120 | PROTOCOL-ATTACK | Action | Block | AnomalyScoring |
| 921130 | PROTOCOL-ATTACK | Action | Block | AnomalyScoring |
| 921140 | PROTOCOL-ATTACK | Action | Block | AnomalyScoring |
| 921150 | PROTOCOL-ATTACK | Action | Block | AnomalyScoring |
| 921151 | PROTOCOL-ATTACK | Action | Block | AnomalyScoring |
| 921160 | PROTOCOL-ATTACK | Action | Block | AnomalyScoring |
| 930100 | LFI | Action | Block | AnomalyScoring |
| 930110 | LFI | Action | Block | AnomalyScoring |
| 930120 | LFI | Action | Block | AnomalyScoring |
| 930130 | LFI | Action | Block | AnomalyScoring |
| 931100 | RFI | Action | Block | AnomalyScoring |
| 931110 | RFI | Action | Block | AnomalyScoring |
| 931120 | RFI | Action | Block | AnomalyScoring |
| 931130 | RFI | Description | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link (replaced by rule #99032002) | Possible Remote File Inclusion (RFI) Attack: Off-Domain Reference/Link |
| 931130 | RFI | Action | Block | AnomalyScoring |
| 932100 | RCE | Action | Block | AnomalyScoring |
| 932105 | RCE | Action | Block | AnomalyScoring |
| 932110 | RCE | Action | Block | AnomalyScoring |
| 932115 | RCE | Action | Block | AnomalyScoring |
| 932120 | RCE | Action | Block | AnomalyScoring |
| 932130 | RCE | Action | Block | AnomalyScoring |
| 932140 | RCE | Action | Block | AnomalyScoring |
| 932150 | RCE | Action | Block | AnomalyScoring |
| 932160 | RCE | Action | Block | AnomalyScoring |
| 932170 | RCE | Action | Block | AnomalyScoring |
| 932171 | RCE | Action | Block | AnomalyScoring |
| 932180 | RCE | Action | Block | AnomalyScoring |
| 933100 | PHP | Action | Block | AnomalyScoring |
| 933110 | PHP | Action | Block | AnomalyScoring |
| 933120 | PHP | Action | Block | AnomalyScoring |
| 933130 | PHP | Action | Block | AnomalyScoring |
| 933140 | PHP | Action | Block | AnomalyScoring |
| 933150 | PHP | Action | Block | AnomalyScoring |
| 933151 | PHP | Action | Block | AnomalyScoring |
| 933160 | PHP | Action | Block | AnomalyScoring |
| 933170 | PHP | Action | Block | AnomalyScoring |
| 933180 | PHP | Action | Block | AnomalyScoring |
| 941100 | XSS | Action | Block | AnomalyScoring |
| 941101 | XSS | Action | Block | AnomalyScoring |
| 941110 | XSS | Action | Block | AnomalyScoring |
| 941120 | XSS | Action | Block | AnomalyScoring |
| 941130 | XSS | Action | Block | AnomalyScoring |
| 941140 | XSS | Action | Block | AnomalyScoring |
| 941150 | XSS | Action | Block | AnomalyScoring |
| 941160 | XSS | Action | Block | AnomalyScoring |
| 941170 | XSS | Action | Block | AnomalyScoring |
| 941180 | XSS | Action | Block | AnomalyScoring |
| 941190 | XSS | Action | Block | AnomalyScoring |
| 941200 | XSS | Action | Block | AnomalyScoring |
| 941210 | XSS | Action | Block | AnomalyScoring |
| 941220 | XSS | Action | Block | AnomalyScoring |
| 941230 | XSS | Action | Block | AnomalyScoring |
| 941240 | XSS | Action | Block | AnomalyScoring |
| 941250 | XSS | Action | Block | AnomalyScoring |
| 941260 | XSS | Action | Block | AnomalyScoring |
| 941270 | XSS | Action | Block | AnomalyScoring |
| 941280 | XSS | Action | Block | AnomalyScoring |
| 941290 | XSS | Action | Block | AnomalyScoring |
| 941300 | XSS | Action | Block | AnomalyScoring |
| 941310 | XSS | Action | Block | AnomalyScoring |
| 941320 | XSS | Action | Block | AnomalyScoring |
| 941330 | XSS | Action | Block | AnomalyScoring |
| 941340 | XSS | Action | Block | AnomalyScoring |
| 941350 | XSS | Action | Block | AnomalyScoring |
| 942100 | SQLI | Action | Block | AnomalyScoring |
| 942110 | SQLI | Action | Block | AnomalyScoring |
| 942120 | SQLI | Action | Block | AnomalyScoring |
| 942140 | SQLI | Action | Block | AnomalyScoring |
| 942150 | SQLI | Description | SQL Injection Attack | SQL Injection Attack (replaced by rule #99031003) |
| 942150 | SQLI | Action | Block | AnomalyScoring |
| 942160 | SQLI | Action | Block | AnomalyScoring |
| 942170 | SQLI | Action | Block | AnomalyScoring |
| 942180 | SQLI | Action | Block | AnomalyScoring |
| 942190 | SQLI | Action | Block | AnomalyScoring |
| 942200 | SQLI | Action | Block | AnomalyScoring |
| 942210 | SQLI | Action | Block | AnomalyScoring |
| 942220 | SQLI | Action | Block | AnomalyScoring |
| 942230 | SQLI | Action | Block | AnomalyScoring |
| 942240 | SQLI | Action | Block | AnomalyScoring |
| 942250 | SQLI | Action | Block | AnomalyScoring |
| 942260 | SQLI | Description | Detects basic SQL authentication bypass attempts ⅔ | Detects basic SQL authentication bypass attempts ⅔ (replaced by rule #99031004) |
| 942260 | SQLI | Action | Block | AnomalyScoring |
| 942270 | SQLI | Action | Block | AnomalyScoring |
| 942280 | SQLI | Action | Block | AnomalyScoring |
| 942290 | SQLI | Action | Block | AnomalyScoring |
| 942300 | SQLI | Action | Block | AnomalyScoring |
| 942310 | SQLI | Action | Block | AnomalyScoring |
| 942320 | SQLI | Action | Block | AnomalyScoring |
| 942330 | SQLI | Action | Block | AnomalyScoring |
| 942340 | SQLI | Description | Detects basic SQL authentication bypass attempts 3/3 | Detects basic SQL authentication bypass attempts 3/3 (replaced by rule #99031006) |
| 942340 | SQLI | Action | Block | AnomalyScoring |
| 942350 | SQLI | Action | Block | AnomalyScoring |
| 942360 | SQLI | Action | Block | AnomalyScoring |
| 942361 | SQLI | Action | Block | AnomalyScoring |
| 942370 | SQLI | Action | Block | AnomalyScoring |
| 942380 | SQLI | Action | Block | AnomalyScoring |
| 942390 | SQLI | Action | Block | AnomalyScoring |
| 942400 | SQLI | Action | Block | AnomalyScoring |
| 942410 | SQLI | Action | Block | AnomalyScoring |
| 942430 | SQLI | Description | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) | Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12) (replaced by rule #99031005) |
| 942430 | SQLI | Action | Block | AnomalyScoring |
| 942440 | SQLI | Description | SQL Comment Sequence Detected. | SQL Comment Sequence Detected (replaced by rule #99031002). |
| 942440 | SQLI | Action | Block | AnomalyScoring |
| 942450 | SQLI | Action | Block | AnomalyScoring |
| 942470 | SQLI | Action | Block | AnomalyScoring |
| 942480 | SQLI | Action | Block | AnomalyScoring |
| 943100 | FIX | Action | Block | AnomalyScoring |
| 943110 | FIX | Action | Block | AnomalyScoring |
| 943120 | FIX | Action | Block | AnomalyScoring |
| 944100 | JAVA | Action | Block | AnomalyScoring |
| 944110 | JAVA | Action | Block | AnomalyScoring |
| 944120 | JAVA | Action | Block | AnomalyScoring |
| 944130 | JAVA | Action | Block | AnomalyScoring |
| 944200 | JAVA | Action | Block | AnomalyScoring |
| 944210 | JAVA | Action | Block | AnomalyScoring |
| 944240 | JAVA | Action | Block | AnomalyScoring |
| 944250 | JAVA | Action | Block | AnomalyScoring |
| 99001001 | MS-ThreatIntel-CVEs | Action | Block | AnomalyScoring |
| 99001014 | MS-ThreatIntel-CVEs | Action | Block | AnomalyScoring |
| 99001015 | MS-ThreatIntel-CVEs | Action | Block | AnomalyScoring |
| 99001016 | MS-ThreatIntel-CVEs | Action | Block | AnomalyScoring |
| 99001017 | MS-ThreatIntel-CVEs | Action | Block | AnomalyScoring |
| 99001018 | MS-ThreatIntel-CVEs | Action | Block | AnomalyScoring |
| 99005002 | MS-ThreatIntel-WebShells | Action | Block | AnomalyScoring |
| 99005003 | MS-ThreatIntel-WebShells | Action | Block | AnomalyScoring |
| 99005004 | MS-ThreatIntel-WebShells | Action | Block | AnomalyScoring |
| 99005006 | MS-ThreatIntel-WebShells | Action | Block | AnomalyScoring |
| 99030001 | MS-ThreatIntel-AppSec | Action | Block | AnomalyScoring |
| 99030002 | MS-ThreatIntel-AppSec | Action | Block | AnomalyScoring |
| 99031001 | MS-ThreatIntel-SQLI | Action | Block | AnomalyScoring |
| 99031002 | MS-ThreatIntel-SQLI | Action | Block | AnomalyScoring |