diff --git a/el9/templates/httpd-configmap.yaml b/el9/templates/httpd-configmap.yaml
index a18ed3cd8fcb84a24ac34c494025e6f1438eee45..481808d16891e5468cf77c7a425680e2040109f6 100644
--- a/el9/templates/httpd-configmap.yaml
+++ b/el9/templates/httpd-configmap.yaml
@@ -175,6 +175,17 @@ data:
 
     # WAF mode
     SecRuleEngine {{ .Values.containers.httpd.webApplicationFirewall.secRuleEngine }}
+
+    # configure anomaly score thresholds, see https://coreruleset.org/docs/concepts/anomaly_scoring/#anomaly-score-thresholds
+    SecAction \
+    "id:900110,\
+    phase:1,\
+    nolog,\
+    pass,\
+    t:none,\
+    setvar:tx.inbound_anomaly_score_threshold={{ .Values.containers.httpd.webApplicationFirewall.inboundAnomalyScoreThreshold }},\
+    setvar:tx.outbound_anomaly_score_threshold={{ .Values.containers.httpd.webApplicationFirewall.outboundAnomalyScoreThreshold }}"
+
     {{ end }}
 
 
diff --git a/el9/values.yaml b/el9/values.yaml
index 9da70a36b712e1cf9ed7378f3567233fc95afac4..d396b54d91f1fcb8a899cbe1d98fa6a5862cd6c3 100644
--- a/el9/values.yaml
+++ b/el9/values.yaml
@@ -169,6 +169,9 @@ containers:
     webApplicationFirewall:
       enabled: false
       secRuleEngine: "DetectionOnly"
+      # anomaly score thresholds, see https://coreruleset.org/docs/concepts/anomaly_scoring/#anomaly-score-thresholds
+      inboundAnomalyScoreThreshold: 5
+      outboundAnomalyScoreThreshold: 4
 
   phpFpm:
     poolConfig: