Nimbostratus
CumulonimbusHi,
I think we can do it differently and much more simply. without basing it on Awareness part, you can use it for all your requests.
So you can check if you have an APM cookie exist (MRHsessions) in a wanted request then retrieve user:
something like that:
when HTTP_REQUEST {
set apm_cookie [HTTP::cookie value MRHSession]
set username "empty"
if { !($apm_cookie == "") && [ ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession] ] } {
set username [ACCESS::session data get sid $apm_cookie session.logon.last.username]
}
}
when ASM_REQUEST_DONE {
if { [ASM::status] equals "blocked" } {
log local0. "Violation count: [ASM::violation count] - $username"
log local0. "Violation names: [ASM::violation names] - $username"
log local0. "Violation attack types: [ASM::violation attack_types] - $username"
log local0. "Violation details: [ASM::violation details] - $username"
}
}