Get Started with WAAP Security Incidents

Introduction: 

F5 Distributed Cloud (F5 XC) Web Application and API Protection (WAAP) provides a rich set of security configurations to safeguard applications. Each application configuration differs, so configuring appropriate controls and security measures is needed to prevent applications from data breaches. 

Even though your application is currently protected, it doesn’t necessarily mean it’s steel proof for future intrusions. We should keep monitoring application event data for new types of attacks that may surface. If new exploits are found, we must accordingly update the existing configurations. 

Identifying the security attacks and taking a necessary action at the right moment is pivotal in protecting applications. Each minute of delay may result in severe consequences to businesses as well as application data. Security Analytics --> “Events” tab populates a large collection of requests data. So, inspecting each event and then coming up with security measures is not a recommended way as it’s inefficient and time consuming. 

WAAP Security Incidents is a new feature which focusses on solving this concern by continuously pushing application events to internal AI/ML engines. The "Incidents” tab simplifies the investigation of attacks by grouping thousands of events into few incidents based on context and common characteristics. These can guide customers to quickly examine these issues without getting lost in a flood of security events. These incidents give valuable insights efficiently, thereby providing sufficient time for application owners to research and configure the preventive solutions before getting exploited. 
 

Demo Work-flow: 

Prerequisites: 

• Access to F5 XC account - check here for trial 
• Namespaces, Origin Pools and Load balancers (LB) already created – check references section for more information 

Steps: 

1. Login to F5 XC console and navigate to "Distributed Apps” menu 
2. Under "Load Balancers” section, click on “HTTP Load Balancers” page 
3. Click on “Security Monitoring” link under your load balancer name 
4. Navigate to “Security Analytics” tab and finally to “Incidents" tab as below 
   Fig 1 : Image showing Incidents navigation path
   
5. We can expand each incident for more details as below 
   Fig 2: Image showing Incident in expanded view
   
6. If needed you can filter & sort incidents by different available UI fields like LastSeen, LastStatus, Description, Events, etc.  
7. We can also fetch incidents by different time intervals as below  Fig 3: Image showing Incidents tab filter and sort options
8. Application owners can go through these incidents and take necessary security actions like denylisting IP’s, configuring rate limiting, updating Firewall, API rules, Bot and DDoS Protection, etc.  
9. After configuring appropriate suggestions, next time if intruders try to generate these attacks once again they will be blocked, thereby safeguarding the applications. 
    

Synopsis: 

This article delves into basics of WAAP security incidents: what it is, how it works and also enlightens this feature importance in identifying security attacks at the critical time.  
 

For more details refer below links: 

1. Overview of WAAP 
2. WAAP Incidents docs 
3. Load balancer creation steps 
4. Get started with Distributed Cloud