I'm used to seeing event logs classified as "Illegal" or "Blocked" but in Splunk I see events that are listed as "passed" under request_status. There are obvious violations within the requests like XSS (<script) and file types that are on the no-no list. These events are occurring on the URL level and I'm set to check for attack signatures on URLs. The signatures are associated with the policies in question (no overrides) and are enforced as well as the file type in the request.
For local logging, I'm only logging "Illegal" requests, so I'm not seeing the "passed" status, but for the remote logging profile to Splunk, I'm logging "Illegal requests, and requests that include staged attack signatures or staged threat campaigns or Likely False Positive signatures."
My question is: since there are violations I'm set to "Learn" and "Alarm" on in the requests, why isn't ASM logging these as "Illegal" or "Blocked"? Fortunately, these requests are coming from our Qualys scanners, but if they were actual attacks, they would sail right through my policies. Also, what does "passed" actually mean?
The request_status field has three possible values: blocked, alerted and passed.
Maybe another setting in your security policy is missing, and therefore these requests are not categorized as violations? Did you apply the required Attack Signatures with the correct settings?
Is Qualys maybe on the IP address exception list?
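Added example, not code from the post or from F5: a small Python triage over constructed ASM-style log lines that separates passed events whose only hit was a staged signature (which the remote logging profile quoted in the question explicitly includes) from passed events that still list an enforced violation, the case that needs a closer look at the policy. Field names such as request_status, violations and staged_sig_ids are assumptions modelled on the ASM Splunk logging format, and all sample values are made up.

```python
import re

# Constructed sample events in the key="value",key="value" shape of ASM remote
# logging. Field names are assumptions modelled on the ASM Splunk format and
# the values are made up; none of this comes from the post.
SAMPLE_LOG = """\
request_status="passed",ip_client="198.51.100.7",uri="/search?q=<script>",violations="",sig_ids="",staged_sig_ids="200000098"
request_status="passed",ip_client="198.51.100.7",uri="/old/site.bak",violations="Illegal file type",sig_ids="",staged_sig_ids=""
request_status="passed",ip_client="192.0.2.44",uri="/index.html",violations="",sig_ids="",staged_sig_ids=""
request_status="alerted",ip_client="203.0.113.9",uri="/login",violations="Attack signature detected",sig_ids="200000098",staged_sig_ids=""
request_status="blocked",ip_client="203.0.113.9",uri="/etc/passwd",violations="Attack signature detected",sig_ids="200000041",staged_sig_ids=""
"""

# One key="value" pair; the value may contain escaped quotes (\").
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_event(line):
    """Turn one ASM log line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))

def classify(event):
    """Sort an event into a triage bucket by request_status and what matched."""
    status = event.get("request_status", "")
    if status in ("blocked", "alerted"):
        return status
    if status != "passed":
        return "unknown"
    if event.get("violations"):
        # An enforced violation is recorded, yet the request was passed: this
        # is the situation the question describes and the one to investigate
        # (policy settings, exception lists, which policy the virtual server uses).
        return "passed_with_violation"
    if event.get("staged_sig_ids"):
        # Only a staged signature matched. Staged signatures are not enforced,
        # and the remote logging profile quoted in the question explicitly
        # includes such requests, so "passed" is the expected status here.
        return "passed_staged_only"
    return "passed_clean"

def triage(log_text):
    """Group (ip_client, uri) pairs by triage bucket over a whole log."""
    buckets = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        buckets.setdefault(classify(ev), []).append((ev.get("ip_client"), ev.get("uri")))
    return buckets

if __name__ == "__main__":
    for bucket, hits in sorted(triage(SAMPLE_LOG).items()):
        print(f"{bucket}: {hits}")
```

The passed_with_violation bucket is the one to hand to the policy review suggested in the answer above; passed_staged_only is expected noise from the logging profile configuration.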