Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
We cannot comment whether a request is false-positive or malicious without looking at the actual request packet and your application logs.
You have to tune your WAF to your environment, use case and application's expected traffic.
Should you feel that a rule is blocking legitimate request, you can
- Disable the Rule : See Tuning of Managed rule sets
- or Create Exclusions : https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-waf-configuration?tabs=portal
- or Create a custom rule : Custom rules for Web Application Firewall
to overcome this.
For Official OWASP Rule definition, refer
- REQUEST-941-APPLICATION-ATTACK-XSS.conf : https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf
- REQUEST-942-APPLICATION-ATTACK-SQLI.conf : https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/master/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
Cheers,
Kapil
Depending on your application and traffic, you have to configure the above.
Cheers,
Kapil