Level up your F5 Distributed Cloud WAAP Ops

Extending F5 Distributed Cloud WAAP monitoring with Global Log Receiver and Splunk

The F5 Distributed Cloud Console offers out-of-the-box Web App and API Protection (WAAP) monitoring components such as dashboards and regular reporting capabilities, which provide a good overview of where and how F5 Distributed Cloud WAAP protects organizations' applications.

F5 Distributed Cloud also supports streaming of access and security event logs to external log collection systems via the Global Log Receiver.

Note: A full list of attributes in the access logs and security events published by the Global Log Receiver can be found in the Access Logs Reference and Security Events Reference pages.

Benefits of doing so include:

  • Storing events for periods beyond what F5 Distributed Cloud offers (7 days for access logs and 30 days for security events by default)
  • Centralized monitoring of all other systems/platforms beyond F5 Distributed Cloud
  • Aggregating traffic/attack patterns across the entire F5 Distributed Cloud tenant or multiple namespaces.

In this article, I will showcase some Splunk charts built with the data streamed from F5 Distributed Cloud (via Global Log Receiver) to help you get started with extracting more value from the data you have access to.

1. Cross-namespace/tenant-wide view

For those managing a large fleet of applications across multiple namespaces on F5 Distributed Cloud, a tenant-wide dashboard spanning those namespaces may be more effective in communicating the state of application security and business value that F5 Distributed Cloud provides. While this is not available natively in the F5 Distributed Cloud Console today, we can create dashboards on Splunk with the streamed data, as seen below:

Attack types detected by the WAF across all namespaces

index=f5xc req_id="*" sec_event_type="*" 
| stats count by attack_types{}.name


Malicious bot types across all namespaces

index=f5xc req_id="*" sec_event_type="*" bot_info.classification="malicious" 
| stats count by bot_info.name, bot_info.classification 
| sort - count

These charts collectively provide a tenant-wide view of the threats F5 Distributed Cloud is actively protecting your applications against.

Beyond aggregating security events, the tenant-wide data stream also gives you visibility into who is making those requests across all your applications:

User-Agent strings across all namespaces

This query ignores User-Agent strings with the Mozilla prefix, to rule out common browsers:

index=f5xc req_id="*" sec_event_type="*" NOT user_agent="Mozilla*"  
| stats count by user_agent | sort - count

Explore the data structure and charts when building the dashboard, and you may find interesting details about the traffic hitting your websites. In the example below, a customer discovered injection attacks being carried out via the User-Agent header when sorting the User-Agent strings by frequency.

Matching User-Agent strings against well-known AI crawlers

Following the current trend, we can also pick out how much of the traffic originates from AI crawlers, based on the advertised User-Agent:

index=f5xc req_id="*" sec_event_type="*" 
| eval is_ai_crawler=if(match(user_agent, "(?i)(gptbot|claudebot|oai-searchbot|perplexitybot|google-extended|googlebot-ai|bard)"), "AI_Crawler", "Regular_Traffic") 
| stats count by is_ai_crawler 
| eventstats sum(count) as total_requests 
| eval percentage=round((count/total_requests)*100, 2) 
| table is_ai_crawler, count, percentage
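The Python script below is an added example, not code from the article or from F5. It recomputes the four tenant-wide views in this section (attack types, malicious bots, non-browser User-Agents and the AI-crawler share) over a handful of constructed Global Log Receiver style records, so you can check what each Splunk search is really counting before building the dashboard. It assumes the records arrive as one JSON object per line using the field names the searches reference (req_id, sec_event_type, user_agent, attack_types[].name, bot_info.name, bot_info.classification); the namespace values and all sample events are made up.

```python
"""Tenant-wide aggregation over Global Log Receiver records in Python, as a
stand-in for the Splunk searches above (added example, not F5 code)."""
import json
import re
from collections import Counter

# Constructed sample records. They use the field names the article's searches
# reference (req_id, sec_event_type, user_agent, attack_types[].name,
# bot_info.name / bot_info.classification); real GLR records carry many more
# attributes, and "namespace" is only here to show the tenant-wide scope.
SAMPLE_LOGS = """
{"req_id": "r1", "namespace": "shop", "sec_event_type": "waf_sec_event", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "attack_types": [{"name": "ATTACK_TYPE_SQL_INJECTION"}]}
{"req_id": "r2", "namespace": "api", "sec_event_type": "waf_sec_event", "user_agent": "GPTBot/1.0", "attack_types": [{"name": "ATTACK_TYPE_SQL_INJECTION"}, {"name": "ATTACK_TYPE_COMMAND_EXECUTION"}]}
{"req_id": "r3", "namespace": "api", "sec_event_type": "bot_defense_sec_event", "user_agent": "curl/8.0", "bot_info": {"name": "scraper", "classification": "malicious"}}
{"req_id": "r4", "namespace": "shop", "sec_event_type": "waf_sec_event", "user_agent": "ClaudeBot/1.0", "attack_types": [{"name": "ATTACK_TYPE_CROSS_SITE_SCRIPTING"}]}
{"req_id": "r5", "namespace": "shop", "sec_event_type": "bot_defense_sec_event", "user_agent": "python-requests/2.31", "bot_info": {"name": "scraper", "classification": "malicious"}}
{"req_id": "r6", "namespace": "intranet", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
"""

# Same pattern as the article's eval; (?i) becomes re.IGNORECASE here. It is a
# substring match, so "bard" also hits any User-Agent containing that fragment;
# tighten with word boundaries before trusting the percentages.
AI_CRAWLER_RE = re.compile(
    r"(gptbot|claudebot|oai-searchbot|perplexitybot|google-extended|googlebot-ai|bard)",
    re.IGNORECASE,
)


def parse_records(text):
    """One JSON object per line, as a log receiver would deliver them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def security_events(records):
    """Equivalent of the SPL filter sec_event_type="*": field present and non-empty."""
    return [r for r in records if r.get("sec_event_type")]


def attack_types_by_count(records):
    """stats count by attack_types{}.name: every element of the multivalue
    field counts once, so one event with two attack types contributes to both."""
    counts = Counter()
    for r in security_events(records):
        for attack in r.get("attack_types", []):
            counts[attack["name"]] += 1
    return dict(counts.most_common())


def malicious_bots(records):
    """stats count by bot_info.name, bot_info.classification for malicious bots."""
    counts = Counter()
    for r in security_events(records):
        bot = r.get("bot_info") or {}
        if bot.get("classification") == "malicious":
            counts[(bot.get("name"), bot["classification"])] += 1
    return counts.most_common()


def non_browser_user_agents(records):
    """User-Agent frequencies, dropping the Mozilla-prefixed browser strings."""
    counts = Counter(
        r.get("user_agent", "")
        for r in security_events(records)
        if not r.get("user_agent", "").startswith("Mozilla")
    )
    return counts.most_common()


def ai_crawler_share(records):
    """Count and percentage of AI_Crawler vs Regular_Traffic, like the
    eval/stats/eventstats pipeline in the article."""
    labels = Counter(
        "AI_Crawler" if AI_CRAWLER_RE.search(r.get("user_agent", "")) else "Regular_Traffic"
        for r in security_events(records)
    )
    total = sum(labels.values())
    if not total:
        return {}
    return {label: (n, round(n / total * 100, 2)) for label, n in labels.items()}


RECORDS = parse_records(SAMPLE_LOGS)

if __name__ == "__main__":
    print(attack_types_by_count(RECORDS))
    print(malicious_bots(RECORDS))
    print(non_browser_user_agents(RECORDS))
    print(ai_crawler_share(RECORDS))
```

Two details the script makes visible: one security event listing two attack types is counted under both names, exactly as `stats count by attack_types{}.name` does, and the AI-crawler share is computed only over records that carry a sec_event_type, because that is what the search above filters on; drop that filter if you want the share of all traffic.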


2. Detailed application performance monitoring

With F5 Distributed Cloud WAAP sitting in-line in the traffic path, platform administrators are often the first point of contact whenever applications experience issues. To shorten triage time and quickly rule out platform issues, it helps to have an on-demand view of platform health. One example:

An HTTP success/failure rate view based on response codes over time

index=f5xc req_id="*" NOT sec_event_type="*" 
| eval response_group=if(match(rsp_code, "^[23]"), "Success", "Error") 
| timechart span=1h count by response_group 
| addtotals 
| eval "Success Ratio %" = round((Success / Total) * 100, 2) 
| fields _time, "Success Ratio %"
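The following Python script is an added example, not code from the article or from F5. It reproduces the hourly success-ratio view over constructed access-log records, including the detail that 3xx responses count as successes and that security events are excluded so WAF blocks are not counted as application errors, and adds a small threshold check of the kind you would wire into an alert. The rsp_code and sec_event_type field names come from the search above; the "time" field name and its RFC 3339 format are an assumption about the log receiver output.

```python
"""Hourly HTTP success ratio from Global Log Receiver access logs, computed in
Python as a stand-in for the timechart search above (added example, not F5
code or part of the article)."""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access logs. rsp_code and sec_event_type follow the
# article's field names; the "time" field name and RFC 3339 format are an
# assumption about the log receiver output.
SAMPLE_ACCESS_LOGS = """
{"req_id": "a1", "time": "2026-03-10T09:05:12Z", "rsp_code": "200"}
{"req_id": "a2", "time": "2026-03-10T09:15:40Z", "rsp_code": "302"}
{"req_id": "a3", "time": "2026-03-10T09:45:03Z", "rsp_code": "503"}
{"req_id": "a4", "time": "2026-03-10T09:50:00Z", "rsp_code": "404"}
{"req_id": "a5", "time": "2026-03-10T10:02:11Z", "rsp_code": "200"}
{"req_id": "a6", "time": "2026-03-10T10:30:59Z", "rsp_code": "200"}
{"req_id": "a7", "time": "2026-03-10T10:31:00Z", "rsp_code": "500"}
{"req_id": "s1", "time": "2026-03-10T10:40:00Z", "rsp_code": "403", "sec_event_type": "waf_sec_event"}
"""

# match(rsp_code, "^[23]"): 2xx and 3xx count as success, everything else as error.
SUCCESS_RE = re.compile(r"^[23]")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_records(text):
    """One JSON object per line, as a log receiver would deliver them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def access_logs(records):
    """Equivalent of NOT sec_event_type="*": keep only plain access-log records,
    so WAF blocks are not double-counted as application errors."""
    return [r for r in records if not r.get("sec_event_type")]


def hour_bucket(timestamp):
    """span=1h: truncate the timestamp to the start of its hour."""
    return datetime.strptime(timestamp, TIME_FMT).strftime("%Y-%m-%dT%H:00Z")


def hourly_success_ratio(records):
    """Return {hour: success percentage} over access logs, like
    timechart span=1h count by response_group | addtotals | eval ratio."""
    groups = defaultdict(lambda: {"Success": 0, "Error": 0})
    for r in access_logs(records):
        group = "Success" if SUCCESS_RE.match(str(r.get("rsp_code", ""))) else "Error"
        groups[hour_bucket(r["time"])][group] += 1
    ratios = {}
    for hour, counts in sorted(groups.items()):
        total = counts["Success"] + counts["Error"]
        # An hour with only errors yields 0.0 here rather than a null cell.
        ratios[hour] = round(counts["Success"] / total * 100, 2)
    return ratios


def degraded_hours(ratios, threshold=95.0):
    """Hours whose success ratio fell below threshold, as a triage starting point."""
    return [hour for hour, pct in ratios.items() if pct < threshold]


RECORDS = parse_records(SAMPLE_ACCESS_LOGS)

if __name__ == "__main__":
    ratios = hourly_success_ratio(RECORDS)
    for hour, pct in ratios.items():
        print(f"{hour}  success ratio {pct}%")
    print("below 60%:", degraded_hours(ratios, 60.0))
```

The sample data gives 50% for the 09:00 hour (two successes out of four) and 66.67% for 10:00; the 403 carried by the security event is ignored. Pick the threshold from your own baseline rather than a fixed number, since a fleet with many redirect-heavy or API-style applications will sit at a different normal level.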

This can be tracked across all applications, or drilled down to certain groups with the use of filters in the Splunk query.

For those managing a large number of Load Balancers, a relatively stable trend typically rules out issues with the platform, allowing the team to focus triage efforts elsewhere. Monitoring the performance graphs over a longer period (6 months or more) will also assist application teams with capacity planning.

3. Uncover obscure attack patterns

Having access to historical data also enables the security team to:

  • Track recurring attack patterns and identify seasonal or cyclical threats
  • Monitor how attack techniques evolve over weeks and months
  • Identify persistent threat actors who may be conducting long-term campaigns against the organization

F5 Distributed Cloud offers security capabilities that identify and block malicious actors based on client behavior over time (e.g. Malicious User Detection and Bot Defense), and we can bolster these further with additional monitoring on the SIEM:

Percentage of requests flagged as security events over time

index=f5xc req_id="*" 
| eval log_type = if(isnull(sec_event_type) OR sec_event_type="", "request", "sec_event") 
| bucket _time span=1h 
| stats count(eval(log_type="sec_event")) as sec_event_count, count(eval(log_type="request")) as request_count by _time 
| eval sec_event_to_request_ratio = round(sec_event_count / request_count, 4) 
| timechart span=1h values(sec_event_to_request_ratio) as "Sec Event to Request Ratio"

Comparing attack frequencies between sites

The deviation column provides insight into whether certain sites see a higher percentage of attack traffic than others, measured relative to the actual requests each site sees.

index=f5xc req_id="*" 
| eval is_sec_event = if((isnull(sec_event_type) OR sec_event_type=""), "no", "yes") 
| stats count(eval(is_sec_event="no")) as "requests", count(eval(is_sec_event="yes")) as "sec_events" by domain 
| sort - "sec_events" 
| head 10 
| eval ratio = round(('sec_events' / 'requests'), 3) 
| eventstats avg(eval(if('sec_events' > 0, ratio, null()))) as avg_ratio 
| eval deviation = round((ratio - avg_ratio), 3) 
| table domain, "requests", "sec_events", ratio, deviation
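The Python script below is an added example, not code from the article or from F5. It recomputes both of the searches above, the hourly security-event-to-request ratio and the per-site deviation table, over constructed records, and makes two properties of the deviation search explicit: `head 10` keeps the top sites by raw security-event count rather than by ratio, and `avg_ratio` is averaged only over sites that saw at least one security event. The domain and sec_event_type field names come from the searches; the "time" field name and its format are an assumption, and the three domains and their counts are made up.

```python
"""Security-event share per hour and per domain, computed in Python from
Global Log Receiver style records as a stand-in for the two Splunk searches
above (added example, not F5 code or part of the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_records(domain, requests, sec_events, start="2026-03-10T09:00:00Z"):
    """Constructed sample data: `requests` access-log records for `domain`,
    20 minutes apart, the first `sec_events` of them also producing a security
    event with the same req_id (the "time" field name is an assumption)."""
    t0 = datetime.strptime(start, TIME_FMT)
    records = []
    for i in range(requests):
        ts = (t0 + timedelta(minutes=20 * i)).strftime(TIME_FMT)
        base = {"req_id": f"{domain}-{i}", "domain": domain, "time": ts}
        records.append(base)
        if i < sec_events:
            records.append({**base, "sec_event_type": "waf_sec_event"})
    return records


RECORDS = (
    make_records("shop.example.com", 6, 3)
    + make_records("api.example.com", 10, 2)
    + make_records("intranet.example.com", 4, 0)
)


def is_sec_event(record):
    """Same split as the article's eval: empty or missing sec_event_type is a plain request."""
    return bool(record.get("sec_event_type"))


def hourly_sec_event_ratio(records):
    """{hour: sec_event_count / request_count rounded to 4 places}, like the
    bucket/stats/timechart pipeline. Hours with no requests yield None."""
    counts = defaultdict(lambda: {"sec_event": 0, "request": 0})
    for r in records:
        hour = datetime.strptime(r["time"], TIME_FMT).strftime("%Y-%m-%dT%H:00Z")
        counts[hour]["sec_event" if is_sec_event(r) else "request"] += 1
    return {
        hour: (round(c["sec_event"] / c["request"], 4) if c["request"] else None)
        for hour, c in sorted(counts.items())
    }


def domain_deviation(records, top=10):
    """Per-domain requests, sec_events, ratio and deviation from the mean ratio.
    Mirrors the article's search: head 10 keeps the top domains by raw
    security-event count (not by ratio), and avg_ratio only averages domains
    that saw at least one security event."""
    per_domain = defaultdict(lambda: {"requests": 0, "sec_events": 0})
    for r in records:
        per_domain[r["domain"]]["sec_events" if is_sec_event(r) else "requests"] += 1
    rows = [{"domain": d, **c} for d, c in per_domain.items()]
    rows.sort(key=lambda row: row["sec_events"], reverse=True)
    rows = rows[:top]
    for row in rows:
        # A domain with zero access-log records gives a null ratio in SPL; None here.
        row["ratio"] = round(row["sec_events"] / row["requests"], 3) if row["requests"] else None
    contributing = [row["ratio"] for row in rows if row["sec_events"] > 0 and row["ratio"] is not None]
    avg_ratio = sum(contributing) / len(contributing) if contributing else None
    for row in rows:
        row["deviation"] = (
            round(row["ratio"] - avg_ratio, 3)
            if row["ratio"] is not None and avg_ratio is not None
            else None
        )
    return rows


if __name__ == "__main__":
    for hour, ratio in hourly_sec_event_ratio(RECORDS).items():
        print(hour, ratio)
    for row in domain_deviation(RECORDS):
        print(row)
```

With the constructed data, shop.example.com sits 0.15 above the mean ratio and intranet.example.com 0.35 below it, even though the intranet site contributed nothing to the mean. If you want sites with no security events to pull the average down, drop the `'sec_events' > 0` condition from the eventstats line in the search.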


Top clients triggering security events across the tenant

The chart below came from a real data source, where an F5 Distributed Cloud user identified regular spikes in security events from a single IP address. The IP address rotates every week or two, which prompted SOC analysts to investigate the attack source.

index=f5xc req_id="*" sec_event_type="*" 
| timechart useother=f span=1h limit=10 count by src_ip

Sudden changes in trends should be investigated and correlated with signals generated by other systems (perhaps on the same SIEM dashboard) to get an end-to-end view of the events.

Summary

Going through this exercise with a customer has helped them with:

  • Learning more about what F5 Distributed Cloud does for them under the hood
  • Discovering attack patterns previously unknown to the organization
  • Better understanding business applications based on traffic patterns

I hope the examples above have given you some ideas to get more value out of F5 Distributed Cloud and inspire you to try building monitoring capabilities that fit your business objectives.

Published Mar 16, 2026
Version 1.0