Hello @WinTechie ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know if there is any Azure WAF managed ruleset from OWASP 3.2 which can detect brute force attack.
There is no separate ruleset specifically designed for brute force attack. However, there is a managed bot protection ruleset that you can enable to block or logs requests from known malicious IP addresses. The IP addresses are sourced from the Microsoft Threat Intelligence feed. Intelligent Security Graph powers Microsoft threat intelligence and is used by multiple services including Microsoft Defender for Cloud.
Refer : https://video2.skills-academy.com/en-us/azure/web-application-firewall/ag/bot-protection-overview
You can use the Bot Protection ruleset alongside any of the OWASP rulesets with the Application Gateway WAF v2 SKU. Only one OWASP ruleset can be used at any given time.
Azure WAF also provides a rate limiting option but it is only available with Azure Front Door WAF. You can set a rate limit rule for Azure Front Door using WAF rate limit rule that controls the number of requests allowed from clients to a web application. Please be aware that rate limits are applied for each client IP address. If you have multiple clients accessing your Front Door from different IP addresses, they will have their own rate limits applied.
Refer : https://video2.skills-academy.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit
Kindly let us know if the above helps or you need further assistance on this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.