Have configured an AWAF policy to mask out a few sensitive parameters for incoming requests and that appears to be working as expected (log entries show data as masked)
However we also have Bot-Defense profiles attached and those same parameters are not masked in its log entries.
Does anyone have a solution for masking parameters across the board?
Better open a case as I think there was a bug but I couldn't find it. Also see if playing with the log publishers and what you can filter if you can hide the data or the HTTP body:
