I have request to add new feature in AFM or improve it.
In our environment, we have enabled DOS protections for device and applications (Log profiles added to system and application DOS policies). Splunk is our remote log server, and we are creating a dashboard in the same to analysis the DOS syslog’s. (Use cases-For checking the attack counts, most attacked application, severity and IP status(malicious)). But when we are checking, all syslog’s severity that F5 sharing to Splunk shows as “4”. We have compared the attack id in F5 and Splunk (F5 its showing “2” , in Splunk its “4”)
Requested feature: - If F5 consider a traffic is a DOS, then change severity value to “1/2/3” is syslog’s. As now all the syslog severity is 4 and its not helped if we analysis the logs in a third-party tool.
2. What is the problem that would be resolved by adding this new feature?
We can monitor and analysis the DOS attacks from remote servers (SIEM tools). Also, it will help to create security incident with help of SOC.
3. What is the business impact to your site due to the lack of this?
We are not able monitor DOS logs properly. We are using transparent profile in application (So, we have to monitor the logs properly). Now we are not able to find high severity logs.
- Status changed:NewtoInvestigating
Hello,
This suggestions board is primarily for ideas related to the DevCentral website.
I will locate the proper resource to redirect your question to and reply back when I have more.
If you have support then your best option would be to create a support case at My.F5.com and it will be escalated through the proper channels effectively.
If you do not have F5 support let me know; maybe I can figure something out.
- Aswin_mkCumulonimbus
- Status changed:InvestigatingtoDeclined
Thanks - I will close this as declined. That status is not a comment on the quality or need of your request - rather how I prefer to handle the suggestions on this board that are unrelated to community.f5.com.
- Aswin_mkCumulonimbus
It's okey. Thanks for your reply