What is WAF Violation Rating?

Description

  • Violation Rating appears on several WAF Violation related pages in the Silverline portal:
    • WAF Violation Assessment
    • WAF Violation Log Details
    • WAF Violation Stats

Environment

  • Silverline WAF
  • WAF Policy / Policies
  • Silverline Portal
    • WAF Violation Assessment
    • WAF Violation Logs
    • WAF Violation Stats

Answer

  • The violation rating is a number pulled from F5 ASM and ranks the transaction from 1 to 5, where 5 indicates the highest probability of a real attack with high severity.
  • Silverline SOC does not rely solely on this violation rating to tune WAF Policies or WAF violations, but looks at a variety of other fields in Violation Details.
  • This table explains how to interpret the violation ratings:

    | Rating | Description |
    |--------|-------------|
    | 5 | Request is most likely a threat. |
    | 4 | Request looks like a threat, so consider reviewing the violation. |
    | 3 | Request needs further examination. |
    | 2 | Request looks like either a low impact threat or a false positive, but requires examination. |
    | 1 | Request is either a low impact threat or a false positive - Read Q&A: False Positives: Definition, Examples, What to Do |

Source: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/33.html 

Note: The violation rating should be interpreted as a confidence score, not a measure of severity. Thus, in a certain environment, a request with a rating of 1 could have more impact than a request with a rating of 5.

 

Next steps: Create a WAF Violation Assessment for any violations that you want the SOC to tune.

 
