Description
Motivation
1 Is it possible to add default parameters to rules which by default do not have severity:'CRITICAL'?
2 And also, for these failures, to output in msg which rules increased the counter and for what reason. This would simplify the work, and there would be no need to look for these reasons in the debug logs.
Proposed solution
1
# proposal 1: add severity:'CRITICAL' to both inbound blocking-evaluation rules
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949111,\
    phase:1,\
    deny,\
    t:none,\
    severity:'CRITICAL',\
    msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
    tag:'anomaly-evaluation',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.14.0',\
    chain"
    SecRule TX:EARLY_BLOCKING "@eq 1"

# always check threshold in phase 2
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949110,\
    phase:2,\
    deny,\
    t:none,\
    severity:'CRITICAL',\
    msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE})',\
    tag:'anomaly-evaluation',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.14.0'"
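As an added example (not from the issue author and not part of CRS), the same severity can be attached from a local override file without editing the CRS rule files, using ModSecurity's SecRuleUpdateActionById directive. It assumes the conventional after-CRS exclusion file name, so that the directive is processed only after REQUEST-949-BLOCKING-EVALUATION.conf has defined the target rule ids:

```apache
# Added example, not part of CRS.
# File: rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf (conventional name for
# local rules loaded after the CRS rule set; SecRuleUpdateActionById is only
# valid once the rule id it refers to has been defined).
#
# Attach severity CRITICAL to both inbound blocking-evaluation rules from the
# issue without patching the CRS files. The action list is merged into the
# existing rule, so msg, tags and the deny action are kept.
SecRuleUpdateActionById 949110 "severity:'CRITICAL'"
SecRuleUpdateActionById 949111 "severity:'CRITICAL'"
```

The severity on the evaluation rules is informational only: the anomaly score is raised by the detection rules through their setvar actions, and the evaluation rules carry the tag anomaly-evaluation, so giving them a severity does not change the score or the blocking decision; it only changes what the audit log and any log shipper see for the 949xxx entry.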
Additional context
2
# proposal 2: name the triggering rules in the msg of 949111
# Note: the ModSecurity variables are MATCHED_VAR_NAME and MATCHED_VARS_NAMES; both
# name the variable(s) the operator matched, not the rules that raised the score.
SecRule TX:BLOCKING_INBOUND_ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "id:949111,\
    phase:1,\
    deny,\
    t:none,\
    severity:'CRITICAL',\
    msg:'Inbound Anomaly Score Exceeded in phase 1 (Total Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE}). Triggered rules: %{matched_var_names}',\
    tag:'anomaly-evaluation',\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.14.0',\
    chain"
    SecRule TX:EARLY_BLOCKING "@eq 1"
# alternative msg for 949110; the tx.*anomaly_score_pl1 variables are the per-paranoia-level score counters (numbers)
    msg:'Inbound Anomaly Score Exceeded (Score: %{TX.BLOCKING_INBOUND_ANOMALY_SCORE}). Rules triggered: %{tx.anomaly_score_pl1}'
%{tx.anomaly_score_pl1} lists the rules that increased the score in phase 1.
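Until the blocking rule's msg can carry this information, the rules that raised the score are already recorded, one "Message:" line each, in the H section of the ModSecurity audit log. The following is an added example (not code from the issue author or from CRS) that reconstructs from those lines which rules contributed, with what severity and weight, and checks the sum against the total reported by 949110. It assumes ModSecurity 2 audit-log formatting ([key "value"] fields per line), the default CRS severity weights, and the CRS 4 tag anomaly-evaluation on the evaluation rules; the sample H section is constructed, not a real capture.

```python
"""Reconstruct which rules raised the CRS inbound anomaly score from the
'Message:' lines of a ModSecurity 2 audit-log H section.

Added example for this issue; not code from the issue author or from CRS.
Assumptions: ModSecurity 2 audit-log formatting ([key "value"] fields per
line), default CRS severity weights, and CRS 4 tagging of the evaluation
rules with 'anomaly-evaluation'. The sample H section below is constructed.
"""
import re

# Default CRS weights (tx.critical_anomaly_score etc. in crs-setup.conf).
# ModSecurity's numeric severity levels are accepted defensively as well.
SEVERITY_SCORE = {
    "CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2,
    "2": 5, "3": 4, "4": 3, "5": 2,
}

# One [key "value"] field; values may contain backslash-escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TOTAL_RE = re.compile(r"Total Score: (\d+)")

# Constructed sample (not a real capture): three scoring rules, then the
# 949110 blocking rule carrying the severity proposed in this issue.
SAMPLE_H_SECTION = """\
--a1b2c3d4-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "/etc/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "50"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: s&1 found within ARGS:id: 1' or 1=1"] [severity "CRITICAL"] [ver "OWASP_CRS/4.14.0"] [tag "OWASP_CRS"] [tag "attack-sqli"] [tag "paranoia-level/1"]
Message: Warning. detected XSS using libinjection. [file "/etc/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "80"] [id "941100"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: XSS data found within ARGS:q: <script>alert(1)</script>"] [severity "CRITICAL"] [ver "OWASP_CRS/4.14.0"] [tag "OWASP_CRS"] [tag "attack-xss"] [tag "paranoia-level/1"]
Message: Warning. Pattern match "^[0-9.:]+$" at REQUEST_HEADERS:Host. [file "/etc/crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "700"] [id "920350"] [msg "Host header is a numeric IP address"] [data "203.0.113.10"] [severity "WARNING"] [ver "OWASP_CRS/4.14.0"] [tag "OWASP_CRS"] [tag "paranoia-level/1"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:blocking_inbound_anomaly_score. [file "/etc/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "220"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"] [severity "CRITICAL"] [ver "OWASP_CRS/4.14.0"] [tag "anomaly-evaluation"] [tag "OWASP_CRS"]
--a1b2c3d4-Z--
"""


def parse_message_line(line):
    """Split one 'Message:' line into its bracketed fields; tags become a list."""
    fields = {"tags": []}
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def scoring_rules(h_section):
    """Return the rules that contributed to the score, in the order they fired.

    The 949xxx/980xxx evaluation rules are skipped by their anomaly-evaluation
    tag: they carry a severity (as proposed in this issue) but add nothing to
    the score, so counting them would double the total.
    """
    rules = []
    for line in h_section.splitlines():
        if not line.startswith("Message:"):
            continue
        f = parse_message_line(line)
        if "id" not in f or "severity" not in f:
            continue  # informational line without a scoring severity
        if "anomaly-evaluation" in f["tags"]:
            continue
        rules.append({
            "id": f["id"],
            "severity": f["severity"],
            "score": SEVERITY_SCORE.get(f["severity"].upper(), 0),
            "msg": f.get("msg", ""),
        })
    return rules


def reported_total(h_section):
    """Total score as printed by 949110/949111, or None if no blocking entry."""
    m = TOTAL_RE.search(h_section)
    return int(m.group(1)) if m else None


def explain(h_section):
    """Per-rule contributions plus a consistency check against the reported total."""
    rules = scoring_rules(h_section)
    computed = sum(r["score"] for r in rules)
    reported = reported_total(h_section)
    return {
        "rules": rules,
        "computed": computed,
        "reported": reported,
        "consistent": reported is None or reported == computed,
    }


def format_report(h_section):
    """Human-readable version of explain(), one line per contributing rule."""
    result = explain(h_section)
    lines = [f"{r['id']} +{r['score']} ({r['severity']}): {r['msg']}" for r in result["rules"]]
    lines.append(f"computed={result['computed']} reported={result['reported']} "
                 f"consistent={result['consistent']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_H_SECTION))
```

A mismatch between computed and reported is itself useful: it usually means the deployment overrides the default severity weights in crs-setup.conf, or that a rule fired whose setvar does not follow its severity, and in both cases the individual "Message:" lines, not the 949110 summary, are where the reason is found.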