
WAF Violation Summary - Version 2 Overview

Description

  • How to view WAF Violations in the new Summary Dashboard.
  • How to Filter WAF Violations and interact with the Data
  • How to create and submit a WAF Violation Assessment

For video demo, see WAF Violation Summary - Version 2 Video


Environment

  • Silverline Web Application Firewall
  • Silverline Portal
    • WAF Violation Summary v2
    • WAF Assessments
  • WAF Policy Lifecycle with SOC


Procedure

The new WAF Violation Summary version 2 dashboard will replace the previous Violation summary table. However, both options will be available to customers for ease of use during the transition.

This article gives an overview of the new summary page elements and details the steps needed to create a WAF Violation Assessment using the new interface.

WAF Violation Summary: How to View, Filter, and Download

  1. In the Portal navigation, go to Monitor & Analyze > WAF Violation Summary v2.
  2. View the summary page, which has four sections (each is described in detail below):
    1. Violation by Rating graph
    2. Violation by Action graph
    3. Requests - Top 10 table
    4. Events table
  3. Filter the entire page by selecting Filter in the upper-left.
    1. Note: Currently there are no default filters (however, filters can be saved for ease of future use).
      [Screenshot: mceclip0.png]
    2. Fill in the following:
      • Field - the field you want to filter on
      • Operator - whether you want to include ("is") or exclude ("is not") the text written in the text box
      • Text box - the specific value you want filtered in or out
        • Click in the text box to see possible values in the drop-down.
    3. Click Add.
    4. Filters stay on the page until you either clear them individually or click Clear all.
      • Example:
        [Screenshots: mceclip1.png, mceclip2.png, mceclip3.png]
  4. Alternatively, filter an individual graph by clicking the legend entry you want to filter to and selecting the blue filter icon.
    [Screenshot: Screen_Shot_2020-10-19_at_6.33.10_PM.png]
  5. Save the filter(s):
    1. After defining the desired filter(s), click on the Save Filters button.
      [Screenshot: Save_Filters.png]
    2. Click the Save Filters button.
      [Screenshot: Save_Filter_Button.png]
    3. Define a Filter Name and a Description (optional), and use the Time Filter toggle to choose whether or not the saved filter includes the current time range.
      [Screenshot: Saved_Filter_Name.png]
    4. Enabling the Time Filter toggle is helpful if you want to come back to the exact incident you are investigating. Leaving the Time Filter toggle OFF is typical when you want to pull results matching the saved filters on a recurring basis (e.g. daily, weekly, monthly) and then either:
      1. download the WAF Violations, or
      2. create a PDF from the existing page view.
    5. Click the Save Filters icon to bring up a list of previously saved filters for quick access to common searches.
  6. Set the time range for the entire page's data using the date selector in the upper-right.

Descriptions of WAF Violation Summary v2 Sections


Violation by Violation Rating

Silverline assigns a rating to every WAF Violation event that ranks the transaction from 1 to 5, where 5 indicates the highest probability of a real attack with high severity.

For more information see the article: What is WAF Violation Rating?

This table explains how to interpret the violation ratings:

Rating  Description
5       Request is most likely a threat
4       Request looks like a threat, so consider reviewing the violation
3       Request needs further examination.
2       Request looks like either a low impact threat or a false positive, but requires examination.
1       Request is either a low impact threat or a false positive - read Q&A: False Positives: Definition, Examples, What to Do

The graph shows all WAF Violations in the selected time period as a count by Violation Rating.

The Default view shows a Timeline Graph, with an option to switch to a Pie chart view.

[Screenshot: mceclip4.png]

Graph features

  • View as a pie chart or stacked area graph by clicking the pie or line diagram in the upper-right of the graph.
    [Screenshot: Screen_Shot_2020-11-12_at_4.04.36_PM.png]
  • Hover on the stacked area chart to show (a) the quantity of requests and (b) the percentage of all traffic for that endpoint.
    [Screenshot: mceclip6.png]
  • Filter on individual graphs by clicking the name in the legend and selecting either the blue funnel icon, to Filter Data In, or the red funnel icon, to Filter Data Out.
    [Screenshot: mceclip8.png]

 

Violation by Actions

The action (Alerted, Blocked, Passed) that was taken on any traffic that was detected as a WAF Violation by one of your active WAF Policies.

  • WAF Policies that are still in Transparent mode will typically result in the Alerted action.
  • WAF Policies that are in Blocking mode will typically result in a Blocked action.
  • Passed actions are where a challenge has been issued by the WAF engine, but the client device successfully completed the challenge and the traffic was allowed to pass.

[Screenshot: mceclip5.png]

Graph features

  • View as a pie chart or stacked area graph by clicking the pie or line diagram in the upper-right of the graph.
    [Screenshot: Screen_Shot_2020-11-12_at_4.04.36_PM.png]
  • Hover on the stacked area chart to show (a) the quantity of requests and (b) the percentage of all traffic for that endpoint.
    [Screenshot: mceclip7.png]
  • Filter on individual graphs by clicking the name in the legend and selecting either the blue funnel icon, to Filter Data In, or the red funnel icon, to Filter Data Out.
    [Screenshot: mceclip9.png]

 

Requests - Top 10

The top 10 requests to applications protected by a Silverline WAF profile, ranked by the criterion selected in the upper-right.

A broad range of selection criteria is available to help analyse the data for further insight.

Change the selection by clicking the drop-down menu By _______.


Example 1: Top 10 countries where requests originated from

[Screenshot: mceclip10.png]


Example 2: Top 10 violation types by request count (with action taken)

[Screenshot: mceclip11.png]


Events

  • Each time a WAF Violation is triggered, all relevant data is recorded in the Event Panel.
  • Event Panel columns:

    Column Name     Description
    Timestamp       Date and time of the event
    Support ID      The individual Support ID of the event, which can be correlated with the SOC
    Action          Either Alerted, Blocked, or Passed
    Policy Name     The name of the WAF Profile triggering the event
    Method          The HTTP method relating to the event
    Response Code   The HTTP response code
    Host            The App Proxy, FQDN or IP address of your protected website, app or service
    Path            Endpoint path where inbound traffic was headed
    User Agent      Exact user-agent (browser) string
    Client IP       Originating source IP of incoming traffic
    XFF             X-Forwarded-For IP of the client
    Connecting IP   Source IP of the last-hop connecting device, such as a CDN
    Country         Originating country of incoming traffic
    Referer         Referring URL
    Signature Name  If the WAF Violation event was triggered by a specific attack signature, the signature name is shown
    Signature ID    The matching Signature ID is also shown where applicable

Creating a WAF Violation Assessment

  1. After applying the required filters to the WAF Violation data, including the timeline, you can submit the collected events to the SOC as an Assessment in order to help fine-tune the WAF policy.
  2. From the top-right panel, you can either Download the entries or click the Submit Assessment button.
    [Screenshot: Timespan.png]
  3. Select the Submit Assessment button to package each of the required violations into an assessment.
    [Screenshot: mceclip13.png]
  4. Name the Assessment with a suitable title.
  5. Add a short description that summarises the Assessment, or the outcome you are trying to achieve through the assessment.
  6. Select Create.

After creation, an Assessment can be viewed under the Monitor & Analyze > WAF Assessments page.

This page shows the status of the WAF Violation Assessment.


Downloading WAF Violations

  1. Download WAF Violation events in CSV format by clicking the blue Download button in the upper-right.
    • If you filter the results on the page before clicking the Download button, the downloaded file will contain only the filtered results.
    [Screenshot: Timespan.png]
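The CSV export is the handle for working with violations outside the Portal. The following script is an added example, not Silverline's own code, and it assumes the download contains one row per event with the columns of the Events table plus a "Violation Rating" column (that exact header, the Support ID and Signature ID values, and every sample row are constructed for illustration). It reproduces offline what the dashboard sections above show: the "is" / "is not" semantics of the Filter control, the counts behind the Violation by Rating and Violation by Action graphs, a Top 10 table, a review queue ordered by the rating table, and a per-policy count of high-rated requests that were only Alerted (the signature of a policy still in Transparent mode).

```python
"""Offline triage of a WAF Violation Summary CSV export.

Added example, not Silverline's own code. It assumes the downloaded CSV has
one row per event with the Events-table columns plus a "Violation Rating"
column; that exact export header is an assumption, as are all sample values.
"""
import csv
import io
from collections import Counter

# Constructed sample export: six events, documentation IP ranges, placeholder
# Support IDs and Signature IDs. None of this is real Silverline data.
SAMPLE_CSV = """\
Timestamp,Support ID,Action,Policy Name,Method,Response Code,Host,Path,User Agent,Client IP,XFF,Connecting IP,Country,Referer,Signature Name,Signature ID,Violation Rating
2020-11-12T16:04:36Z,SID-0001,Blocked,shop-waf-blocking,GET,403,shop.example.com,/search,Mozilla/5.0,203.0.113.10,,203.0.113.10,US,,SQL injection attempt (constructed),SIG-PLACEHOLDER-1,5
2020-11-12T16:05:01Z,SID-0002,Alerted,api-waf-transparent,POST,200,api.example.com,/login,curl/7.68.0,198.51.100.22,,198.51.100.22,DE,,Illegal meta character (constructed),SIG-PLACEHOLDER-2,3
2020-11-12T16:05:40Z,SID-0003,Alerted,api-waf-transparent,GET,200,api.example.com,/docs,Mozilla/5.0,198.51.100.23,,198.51.100.23,DE,https://www.example.com/,Parameter value length (constructed),SIG-PLACEHOLDER-3,1
2020-11-12T16:06:12Z,SID-0004,Passed,shop-waf-blocking,GET,200,shop.example.com,/,Mozilla/5.0,192.0.2.44,192.0.2.44,203.0.113.250,FR,,Bot challenge (constructed),,2
2020-11-12T16:07:55Z,SID-0005,Blocked,shop-waf-blocking,GET,403,shop.example.com,/admin,python-requests/2.25,203.0.113.77,,203.0.113.77,US,,Path traversal attempt (constructed),SIG-PLACEHOLDER-4,4
2020-11-12T16:09:03Z,SID-0006,Alerted,api-waf-transparent,POST,200,api.example.com,/upload,Mozilla/5.0,192.0.2.9,,192.0.2.9,GB,,Command execution attempt (constructed),SIG-PLACEHOLDER-5,5
"""

# Interpretation of the Violation Rating, taken from the article's table.
RATING_DESCRIPTION = {
    5: "Request is most likely a threat",
    4: "Request looks like a threat, so consider reviewing the violation",
    3: "Request needs further examination",
    2: "Request looks like either a low impact threat or a false positive, but requires examination",
    1: "Request is either a low impact threat or a false positive",
}


def load_events(csv_text):
    """Parse the export into one dict per event; the rating becomes an int."""
    events = list(csv.DictReader(io.StringIO(csv_text)))
    for event in events:
        event["Violation Rating"] = int(event["Violation Rating"])
    return events


def apply_filter(events, field, operator, value):
    """Mimic the dashboard's Filter control: keep events whose `field`
    'is' (include) or 'is not' (exclude) the given value."""
    if operator not in ("is", "is not"):
        raise ValueError("operator must be 'is' or 'is not'")
    keep_matches = operator == "is"
    return [e for e in events if (str(e[field]) == str(value)) == keep_matches]


def count_by(events, field):
    """Counts per distinct value, i.e. the data behind the Rating and Action graphs."""
    return Counter(e[field] for e in events)


def top_n(events, field, n=10):
    """The 'Requests - Top 10' table for the chosen field, highest count first."""
    return count_by(events, field).most_common(n)


def review_queue(events, min_rating=4):
    """Events an analyst should look at first: rating 4-5, worst first.
    Returns (Support ID, rating, action, rating description) tuples; the
    Support ID is what the SOC correlates on."""
    picked = sorted((e for e in events if e["Violation Rating"] >= min_rating),
                    key=lambda e: -e["Violation Rating"])
    return [(e["Support ID"], e["Violation Rating"], e["Action"],
             RATING_DESCRIPTION[e["Violation Rating"]]) for e in picked]


def alerted_high_rated_by_policy(events, min_rating=4):
    """High-rated requests that were only Alerted, grouped by policy: these
    are candidates for moving a Transparent-mode policy towards Blocking, or
    for an Assessment if they turn out to be false positives."""
    return Counter(e["Policy Name"] for e in events
                   if e["Action"] == "Alerted" and e["Violation Rating"] >= min_rating)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print("By rating:", dict(count_by(events, "Violation Rating")))
    print("By action:", dict(count_by(events, "Action")))
    print("Top countries:", top_n(events, "Country"))
    print("Not blocked:", len(apply_filter(events, "Action", "is not", "Blocked")))
    for support_id, rating, action, why in review_queue(events):
        print(f"  {support_id}: rating {rating} ({action}) - {why}")
    print("Alerted-only high ratings per policy:", dict(alerted_high_rated_by_policy(events)))
```

Replace SAMPLE_CSV with the contents of a real download to run it against your own data; the rating ordering and the Alerted-but-high-rated check are the two views that most directly tell you which events belong in an Assessment and which policies are still running transparently.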

Creating a PDF from the existing page View

  1. You can create a downloadable PDF file by selecting the Download PDF button. The resulting PDF reflects the filters that are applied to the screen and shows whichever Top 10 table is presently selected.
    [Screenshot: Timespan.png]
