I have a request to add a new feature in AFM or improve it.
In our environment, we have enabled DoS protection for the device and applications (log profiles added to the system and application DoS policies). Splunk is our remote log server, and we are creating a dashboard in it to analyze the DoS syslogs (use cases: checking attack counts, most attacked application, severity and IP status (malicious)). But when we check, the severity of all syslogs that F5 sends to Splunk shows as “4”. We have compared the attack ID in F5 and Splunk (F5 shows “2”, Splunk shows “4”).
Requested feature: if F5 considers traffic to be a DoS attack, then change the severity value in the syslogs to “1/2/3”. As of now all the syslog severity is 4, and that does not help when we analyze the logs in a third-party tool.
2. What is the problem that would be resolved by adding this new feature?
We could monitor and analyze the DoS attacks from remote servers (SIEM tools). Also, it would help to create security incidents with the help of the SOC.
3. What is the business impact to your site due to the lack of this?
We are not able to monitor DoS logs properly. We are using a transparent profile in the application (so we have to monitor the logs properly). Currently we are not able to find high-severity logs.
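Until the device itself sets a meaningful severity, the same effect can be achieved on the log pipeline side, before the events reach the SIEM dashboard. The following is an added example (not code from the post, from F5 or from Splunk): it parses the syslog PRI header (facility × 8 + severity, so `<132>` is local0/warning), reads the key="value" pairs from the message, derives a severity from the DoS attack event, and rewrites the PRI. The field names `dos_attack_event`, `dos_attack_id`, `dos_attack_name`, `src_ip` and `dos_packets_received`, the event strings, the severity mapping and the sample log lines are all assumptions constructed for the example; substitute the field names your log profile actually emits.

```python
import re

# Syslog PRI header: "<N>" where N = facility * 8 + severity (RFC 3164/5424).
PRI_RE = re.compile(r"^<(\d{1,3})>")
# key="value" pairs as used in the constructed sample lines below.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed mapping from the DoS event text to a syslog severity (0-7).
# The field name and event strings are assumptions, not taken from F5 documentation.
EVENT_SEVERITY = {
    "Attack started": 2,  # critical: a new attack was detected
    "Attack sampled": 3,  # error: attack still ongoing
    "Attack stopped": 5,  # notice: attack ended
}
DEFAULT_SEVERITY = 4  # warning, the value the poster sees on every event today

# Constructed sample lines; <132> = facility 16 (local0), severity 4 (warning).
SAMPLE_LOGS = [
    '<132>Jan 10 10:00:01 bigip1 dos_attack_event="Attack started" dos_attack_id="1234" '
    'dos_attack_name="Flood attack" src_ip="198.51.100.7" dos_packets_received="5000"',
    '<132>Jan 10 10:00:31 bigip1 dos_attack_event="Attack sampled" dos_attack_id="1234" '
    'dos_attack_name="Flood attack" src_ip="198.51.100.7" dos_packets_received="8000"',
    '<132>Jan 10 10:05:00 bigip1 dos_attack_event="Attack stopped" dos_attack_id="1234" '
    'dos_attack_name="Flood attack" src_ip="198.51.100.7" dos_packets_received="0"',
]


def parse_pri(line):
    """Return (facility, severity) from the leading <PRI> header."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no syslog PRI header")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def parse_fields(line):
    """Extract the key="value" pairs of the message body into a dict."""
    return dict(KV_RE.findall(line))


def derive_severity(fields):
    """Map the DoS event to a severity; unknown events keep the default 4."""
    return EVENT_SEVERITY.get(fields.get("dos_attack_event"), DEFAULT_SEVERITY)


def rewrite_severity(line):
    """Rewrite the PRI so the severity reflects the DoS event; keep the facility."""
    facility, _ = parse_pri(line)
    severity = derive_severity(parse_fields(line))
    new_pri = facility * 8 + severity
    return PRI_RE.sub(f"<{new_pri}>", line, count=1), severity


def worst_severity_per_attack(lines):
    """Lowest (most severe) derived severity seen for each attack ID."""
    per_attack = {}
    for line in lines:
        fields = parse_fields(line)
        attack_id = fields.get("dos_attack_id", "unknown")
        severity = derive_severity(fields)
        per_attack[attack_id] = min(per_attack.get(attack_id, 7), severity)
    return per_attack


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rewritten, severity = rewrite_severity(line)
        print(f"severity={severity} {rewritten[:60]}...")
    print(worst_severity_per_attack(SAMPLE_LOGS))
```

Running this over the three constructed lines rewrites `<132>` to `<130>`, `<131>` and `<133>` respectively, and reports attack `1234` at worst severity 2, which is the kind of value a "most severe attacks" dashboard panel can sort on.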