Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Get Started with WAAP Security Incidents

Janibasha
F5 Employee
F5 Employee

‎07-Aug-2023 05:00 - edited ‎07-Aug-2023 21:55

Introduction: 

F5 Distributed Cloud (F5 XC) Web Application and API Protection (WAAP) provides a rich set of security configurations to safeguard applications. Each application configuration differs, so configuring appropriate controls and security measures is needed to prevent applications from data breaches. 

Even though your application is currently protected, it doesn’t necessarily mean it’s steel proof for future intrusions. We should keep monitoring application event data for new types of attacks that may surface. If new exploits are found, we must accordingly update the existing configurations. 

Identifying the security attacks and taking a necessary action at the right moment is pivotal in protecting applications. Each minute of delay may result in severe consequences to businesses as well as application data. Security Analytics --> “Events” tab populates a large collection of requests data. So, inspecting each event and then coming up with security measures is not a recommended way as it’s inefficient and time consuming. 

WAAP Security Incidents is a new feature which focusses on solving this concern by continuously pushing application events to internal AI/ML engines. The "Incidents” tab simplifies the investigation of attacks by grouping thousands of events into few incidents based on context and common characteristics. These can guide customers to quickly examine these issues without getting lost in a flood of security events. These incidents give valuable insights efficiently, thereby providing sufficient time for application owners to research and configure the preventive solutions before getting exploited. 
 

Demo Work-flow: 

Prerequisites: 

  • Access to F5 XC account - check here for trial 
  • Namespaces, Origin Pools and Load balancers (LB) already created – check references section for more information 

Steps: 

  1. Login to F5 XC console and navigate to "Distributed Apps” menu 
  2. Under "Load Balancers” section, click on “HTTP Load Balancers” page 
  3. Click on “Security Monitoring” link under your load balancer name 
  4. Navigate to “Security Analytics” tab and finally to “Incidents" tab as below 
    Fig 1 : Image showing Incidents navigation pathFig 1 : Image showing Incidents navigation path
  5. We can expand each incident for more details as below 
    Fig 2: Image showing Incident in expanded viewFig 2: Image showing Incident in expanded view
  6. If needed you can filter & sort incidents by different available UI fields like LastSeen, LastStatus, Description, Events, etc.  
  7. We can also fetch incidents by different time intervals as below  Fig 3: Image showing Incidents tab filter and sort optionsFig 3: Image showing Incidents tab filter and sort options
  8. Application owners can go through these incidents and take necessary security actions like denylisting IP’s, configuring rate limiting, updating Firewall, API rules, Bot and DDoS Protection, etc.  
  9. After configuring appropriate suggestions, next time if intruders try to generate these attacks once again they will be blocked, thereby safeguarding the applications. 
     

Synopsis: 

This article delves into basics of WAAP security incidents: what it is, how it works and also enlightens this feature importance in identifying security attacks at the critical time.  
 

For more details refer below links: 

  1. Overview of WAAP 
  2. WAAP Incidents docs 
  3. Load balancer creation steps 
  4. Get started with Distributed Cloud 
Labels:
Version history
Last update:
‎07-Aug-2023 21:55
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC