Description
- Violation Rating appears on several WAF Violation-related pages in the Silverline portal:
  - WAF Violation Assessment
  - WAF Violation Log Details
  - WAF Violation Stats
Environment
- Silverline WAF
- WAF Policy / Policies
- Silverline Portal
- WAF Violation Assessment
- WAF Violation Logs
- WAF Violation Stats
Answer
- The violation rating is a number pulled from F5 ASM and ranks the transaction from 1 to 5, where 5 indicates the highest probability of a real attack with high severity.
- Silverline SOC does not rely solely on this violation rating to tune WAF Policies or WAF violations, but also looks at a variety of other fields in Violation Details.
- This table explains how to interpret the violation ratings:
Rating | Description |
---|---|
5 | Request is most likely a threat |
4 | Request looks like a threat, so consider reviewing the violation |
3 | Request needs further examination. |
2 | Request looks like either a low impact threat or a false positive, but requires examination. |
1 | Request is either a low impact threat or a false positive - Read Q&A: False Positives: Definition, Examples, What to Do |
Note: The violation rating should be interpreted as a confidence score, not a measure of severity. A request with a rating of 1 could therefore have more impact than a request with a rating of 5 in a certain environment.
Next steps: Create a WAF Violation Assessment for any violations that you want the SOC to tune.
- On the WAF Violation Assessments page in Silverline Portal, you can filter by Violation Rating.
- Q&A: What is "Tuning" a WAF Policy? What is SOC vs. my responsibilities in this process?