
How to Create WAF Violation Assessments

Description

  • This article outlines the workflow for creating a refined query that lets both the customer and the SOC focus on violations that match very specific criteria.
    • A WAF Violation Assessment is a group of violations, filtered according to criteria the submitting user applied, that is sent to the SOC for evaluation so analysts can identify false-positive violations to tune or resolve.
      • For example, if violations come from a source IP address that you consider acceptable, you can exclude that address from the query.
    • The exact details of the query you build during refinement are saved and sent with your assessment request to our SOC analysts for evaluation.

Environment

  • Silverline WAF
  • Proxy/Proxies
  • Silverline Portal
  • WAF Policy/Policies
  • WAF Violation(s)
  • WAF Assessment

Procedure

There are two ways to create a WAF Assessment:

Request WAF Assessment from SOC

1. Copy the following template:

Requesting a Violation assessment for:

- The WAF policy name:

- The date range for the violation data:

- The desired phase of blocking for the violation data:

2. Paste the template into a new ticket with the SOC.

3. Fill in the template with the needed information:

  • The WAF policy name
  • The date range for the violation data
  • The desired phase of blocking for the violation data -- see WAF Setup: Blocking Phases

Create a WAF Assessment in Portal

1. Navigate to the WAF Assessments page at Monitor & Analyze > WAF Assessments.

Monitor_WAF-Assessments.png

2. On the WAF Assessments page, click Create Assessment (upper-right) to build a new filter.

WAF-Assessment_Create-Assessment.png

3. The assessment process has the following controls:

3_-_Title_and_Description.png

  • A - Use this drop-down to set the number of violations to show on-screen at any one time.
  • B - Violations which exceed the maximum number that can be displayed at any one time are paginated. Use the controls to move to a different page of violations.
  • C - Use this panel to enter a title and a description for the violations you wish to have the SOC evaluate.

4. Next, construct a date range and a filter.

WAF-Assessment_Refine-Query-Annotated.png

  • A - Select Date Range: Select the date range to evaluate.
  • B - Refine Query: Using logical operations, choose how to filter the list of violations. Field options include:
    • Client IP
    • Attack Type
    • Destination IP address
  • Alternative to filtering: add notes in the "Description" field describing what you are trying to find, and the SOC will apply the filter for you.

Filter WAF Violations By Proxy

To narrow the list to violations on a single proxy, add that proxy's front-end IP as the "Destination IP." For detailed steps on filtering by proxy, see How to Filter WAF Violations by Proxy IP in WAF Violations Assessment.

Note (as of 4/2019): There is planned functionality to permit searching by the proxy name as well.
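The following Python is an added illustration of the refinement logic described above; it is not part of the original article and not the Silverline portal's own code. It models a read-only query over a date range with Client IP, Attack Type and Destination IP conditions, an exclusion for source ranges you consider acceptable, and the Destination IP set to a proxy front-end IP to scope results to one proxy. The violation records, IP addresses and field names are constructed assumptions, not portal data.

```python
from dataclasses import dataclass, FrozenInstanceError
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


# Constructed sample violation records (documentation-range IPs; not real
# Silverline data). dest_ip is the proxy front-end IP the request was sent to.
@dataclass(frozen=True)
class Violation:
    ts: datetime
    client_ip: str
    attack_type: str
    dest_ip: str


SAMPLE_VIOLATIONS: List[Violation] = [
    Violation(datetime(2019, 4, 1, 9, 0), "203.0.113.10", "SQL Injection", "198.51.100.5"),
    Violation(datetime(2019, 4, 1, 9, 5), "203.0.113.10", "Cross Site Scripting", "198.51.100.5"),
    Violation(datetime(2019, 4, 2, 12, 0), "192.0.2.44", "SQL Injection", "198.51.100.6"),
    Violation(datetime(2019, 4, 3, 15, 30), "192.0.2.44", "Path Traversal", "198.51.100.5"),
    Violation(datetime(2019, 4, 9, 8, 0), "203.0.113.77", "SQL Injection", "198.51.100.5"),
]


@dataclass(frozen=True)
class AssessmentQuery:
    """The refined query: a date range plus optional field conditions.

    Supplied conditions are ANDed; exclude_client_ips is a NOT over the client
    IP (for example, a scanner or office range you consider acceptable).
    frozen=True mirrors the portal behaviour that a submitted query is read-only.
    """
    start: datetime
    end: datetime
    client_ip: Optional[str] = None
    attack_type: Optional[str] = None
    dest_ip: Optional[str] = None          # a proxy front-end IP scopes results to one proxy
    exclude_client_ips: Tuple[str, ...] = ()

    def matches(self, v: Violation) -> bool:
        if not (self.start <= v.ts < self.end):
            return False
        if self.client_ip is not None and v.client_ip != self.client_ip:
            return False
        if self.attack_type is not None and v.attack_type != self.attack_type:
            return False
        if self.dest_ip is not None and v.dest_ip != self.dest_ip:
            return False
        src = ip_address(v.client_ip)
        if any(src in ip_network(net, strict=False) for net in self.exclude_client_ips):
            return False
        return True

    def describe(self) -> str:
        """Text form of the query, the kind of detail saved with the assessment."""
        parts = [f"date {self.start:%Y-%m-%d} to {self.end:%Y-%m-%d}"]
        for name in ("client_ip", "attack_type", "dest_ip"):
            if getattr(self, name) is not None:
                parts.append(f"{name} == {getattr(self, name)!r}")
        if self.exclude_client_ips:
            parts.append("client_ip NOT IN " + ", ".join(self.exclude_client_ips))
        return " AND ".join(parts)


def refine(violations: List[Violation], query: AssessmentQuery) -> List[Violation]:
    """Apply the query to a violation list, as Refresh Results would."""
    return [v for v in violations if query.matches(v)]


def query_is_read_only(query: AssessmentQuery) -> bool:
    """True if the query rejects modification after creation."""
    try:
        query.attack_type = "changed"  # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False


APRIL_2019 = (datetime(2019, 4, 1), datetime(2019, 5, 1))


def run_examples() -> dict:
    """Three refinements a customer might submit, run over the constructed sample."""
    by_proxy = AssessmentQuery(*APRIL_2019, dest_ip="198.51.100.5")
    sqli_untrusted = AssessmentQuery(*APRIL_2019, attack_type="SQL Injection",
                                     exclude_client_ips=("203.0.113.0/24",))
    first_days = AssessmentQuery(datetime(2019, 4, 1), datetime(2019, 4, 3))
    return {
        "by_proxy": refine(SAMPLE_VIOLATIONS, by_proxy),
        "sqli_untrusted": refine(SAMPLE_VIOLATIONS, sqli_untrusted),
        "first_days": refine(SAMPLE_VIOLATIONS, first_days),
        "queries": {"by_proxy": by_proxy, "sqli_untrusted": sqli_untrusted,
                    "first_days": first_days},
    }


if __name__ == "__main__":
    results = run_examples()
    for name, query in results["queries"].items():
        print(f"{name}: {len(results[name])} violation(s) for [{query.describe()}]")
```

The `describe()` string is the analogue of the query details the article says travel with the assessment request; keeping the query object frozen is what makes the "common violation view" meaningful, since customer and analyst are guaranteed to be looking at the same filter.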

5. You can now click Refresh Results to refresh the list of violations with the selected filters. Continue to refine the query as desired, and click Refresh Results to see the updated results.

WAF-Assessment_Refresh-button.png

6. When ready, submit the WAF Violation Assessment to the SOC by clicking the Request Assessment button. Upon submission, a support ticket is opened with Silverline Support on your behalf. Throughout the process, the assessment is also tracked directly within the portal, with details of the violations it covers.

  • The query itself is read-only and cannot be modified after creation, which gives analysts a common view of the violations to review.
  • Notes and comments can be placed on an assessment by both the SOC Analysts and the customer.
