Manual Chapter: Displaying Reports and Monitoring ASM
You can use several reporting tools in Application Security Manager (ASM) to analyze incoming requests, track trends in violations, generate security reports, and evaluate possible attacks. The statistics and monitoring reporting tools are described here:
Application security overview
Displays a summary of all configured security policies showing the active security policies, attacks that have occurred, anomaly statistics, and networking and traffic statistics. You can save the information or send it as an email attachment. See Displaying an application security overview, for details.
Requests summary
Summarizes the requested URLs for security policies. See Reviewing details about requests, for more information.
Event Correlation
Displays a list of incidents (suspected attacks on the web application). Requests become incidents when at least two illegal requests are sent to the web application within 15 minutes, and the system groups them according to criteria. The criteria concern illegal requests for a specific URL, a specific parameter, or a specific source IP address.
Charts
Displays graphical reports about security policy violations and provides tools that let you view the data by different criteria, drill down for more data, create customized reports, and send or export reports. See Viewing charts, for more information.
Charts Scheduler
Allows you to periodically generate specific reports and distribute them using email.
DoS Attacks report
Displays graphic charts about DoS attacks, viewed by selected category, and includes the attack start and end times. See Viewing L7 DoS Attacks reports, for more information.
Brute Force Attacks report
Displays graphic charts about brute-force attacks, viewed by selected category, and includes the attack start and end times. See Viewing Brute Force Attack reports, for more information.
Web Scraping Statistics
Displays graphic charts about web scraping attacks, viewed by selected category, and includes the attack start and end times.
Session Tracking Status
Displays the users, sessions, and IP addresses that the system is currently tracking, and for which the system is taking action as a result of having triggered one of the violation detection thresholds.
PCI Compliance report
Displays a printable Payment Card Industry (PCI) compliance report for each security policy showing each security measure required for PCI-DSS 1.2, and compliance details.
CPU Utilization report
Displays the amount of the available CPU that the Application Security Manager uses over a period of time.
You can display an overview where you can quickly see what is happening on the Application Security Manager. The overview is configurable and can include:
1. On the Main tab, expand Security, point to Overview, and then click Application.
   The Overview Traffic screen opens and summarizes ASM system activity at a glance.
2. To change the default time frame for all widgets, select a time period from the Override time range to list.
3. From the Security Policy list, select a security policy to narrow down the statistics. By default, statistics for all active security policies are shown.
4.
   Tip: See the online help for details about the tables and graphs.
5. Optionally, click Add Widget to create a new area of information customized to your specifications.
6. Optionally, for each widget, you can adjust the time range, data measurements, and format of data to display from the Time Period list (Last Hour, Last Day, Last Week, Last Month, or Last Year) or the configuration gear settings. You can also delete any widget if you do not need the information on the screen.
7. To save the summary as a PDF file, click the Export link. In the popup screen, click Export to save the file on your computer.
Note: To send email, you need to configure an SMTP server. If one is not configured, on the Main tab, expand System, and navigate to Configuration > Device > SMTP, and click Create.
a) Click Send the report file via E-Mail as an attachment.
b) In the Target E-Mail Address(es) field, type one or more email addresses (separated by commas or semicolons).
d) Click Export.
You can display a security policy summary including a list of action items. The Suggested Action Items list provides outstanding tasks that the system recommends that you complete. The screen includes status of security policies running the Policy Builder and quick links to other commonly used security policy screens.
1. On the Main tab, expand Security, point to Overview, then click Application.
2.
3.
4.
5. In the Policy Builder in Progress area, review the progress of the Policy Builder for each security policy on which it is enabled.
6. To see another summary, from the Quick Links list, click Policies Summary (or go to Security > Application Security > Security Policies > Policies Summary).
   The Policies Summary screen shows a list of active security policies (with the Real Traffic Policy Builder® enabled or disabled), Policy Builder progress (if running), and recommended tasks.
7. Optionally, on the Policies Summary screen, click the tasks column next to a policy to see quick links to additional tasks that you can perform as needed.
For each web application, the Application Security Manager logs requests according to the logging profile (Security > Event Logs > Logging Profiles). If you use local logging, you can review those requests on the Requests screen (Security > Event Logs > Application). For more information about configuring logging profiles, refer to Logging web application data.
The Requests List provides information about a request such as: the request category, the time of the request, its severity, the source IP address of the request, the server response code, and the requested URL itself. Icons on each request line provide additional status information such as whether the request is legal or illegal, blocked, truncated, or has a response. The request legend describes these icons.
You can view additional details about a request, including viewing the full request itself, and any violations associated with it. You can also drill down to view detailed descriptions of the violations and potential attacks, including violations found for staged entities.
When viewing details about an illegal request, if you decide that the request is trusted and you want to allow it, you can accept the violations shown for this specific request.
You can use a filter to view only those requests and events that are of interest to you. The filter list has several built-in options that you can use to display all requests, legal requests, illegal requests, or requests that occurred within a certain time range. You can also create a custom filter and view requests by violation, attack type, source IP address, HTTP method used, and many other options.
Note: If you want an aggregated, transaction-based view of your requests to drill further down into the individual transaction, you can do so as described in Viewing event correlation.
1. On the Main tab, expand Security, point to Event Logs, Application, and click Requests.
   The Requests screen opens, where you can review a list of requests for all security policies.
   Tip: You can specify what information to display on the Requests screen, and the order in which it is displayed, on the Preferences screen (Security > Options > Application Security > Preferences).
2. In the Requests List, click a request to view information about the request and any violations associated with it.
   Click elsewhere on the line to display details on the same screen, below the Requests List. If later you want to hide the details, click the heading line.
   In either place, you see the violations associated with the request (if any) and other details, such as the security policy it relates to, the support ID, severity, and potential attacks that it could cause. To view more details about a violation:
   Click the violation name to view details about this specific violation, such as the file type, the expected and actual length of the query, or similar relevant information.
3. For violations that you want to allow (false positives), click the Learn button.
   If there are learning suggestions, the violations learning screen opens where you can accept the suggestions one at a time.
a) For Username or Session ID, click Show Session Tracking details.
b) To specify an action to take place for future interaction with this user or session, select Enabled next to the action you want to occur.
5. Review the Geolocation information. To stop future requests from this location, click Disallow this Geolocation.
1. On the Main tab, expand Security, point to Event Logs, Application, and click Requests.
   The Requests screen opens.
2. If you want to export specific requests, select those requests from the list. You can export up to 100 entries in PDF format.
3. Beneath the Requests List, click Export.
   The Select Export Method popup screen provides options.
   To export selected requests into a document, click Export selected requests in PDF format. You can choose to open or save the file created.
   To export requests to a document and send it by e-mail, click Send selected requests in PDF format to your E-mail address, and type your e-mail address.
   Note: To use this option, first enable the SMTP mail server as described in Configuring an SMTP mail server.
   To export all requests currently displayed to a tar file, click Binary export of all requests defined by filter. The system creates a *.tar.gz file of the requests, and saves it where you specify.
If you have reviewed and dealt with requests, you may want to clear them from the Requests List. This is an optional task.
1. On the Main tab, expand Security, point to Event Logs, Application, and click Requests.
   The Requests screen opens.
The system prompts you to confirm the deletion, then removes the requests from the Requests List without changing the security policy.
If you want to view aggregated events (incidents, based on correlation rules or criteria), rather than just individual transactions, you can do so by viewing a list of incidents (Event Logs > Application > Event Correlation).
An incident is a suspected attack on the web application. Requests become incidents when at least two illegal requests are sent to the web application within 15 minutes, and the system correlates (groups) them according to criteria. The criteria can be illegal requests for a specific URL, illegal requests for a specific parameter, or illegal requests from a specific source IP address.
You can drill down into individual transactions, and a transaction can be aggregated into more than one aggregated incident simultaneously as a result of overlapping event correlation criteria. All event correlation takes place within a time window, defined as some period of time between transactions. This would indicate that further violations are actually a continuation of the same ongoing event.
Note: Transactions that are not yet correlated into an aggregated incident are shown as an individual incident. When a transaction is aggregated into one or more incidents (2 or more transactions per incident), the list shows the aggregated incidents with the correlation criteria.
The aggregated events provide information such as: first and last request time, attack types, violations, severity, HTTP session counts, request count and the user/IP count.
Table 10.1 describes two types of event correlation criteria:

Criterion: Source IP (multiple violations from the same client IP address)
   Description: If a single user causes multiple violations over time in an ongoing attack, these transactions are correlated into a single aggregated event.
   Correlation: If an event exists whose last violation is within the time window from the same client IP address, correlation occurs with the existing event.

Criterion: Multiple transactions with application similarities (even from different IP addresses)
   Description: If many transactions are occurring in the same part of the application, either a distributed attack or a false positive has occurred.
   Correlation: If an event exists whose last violation is within the time window for the same URL+parameter combination, correlation occurs with the existing event.
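The correlation rules described above (two or more illegal requests within 15 minutes become an incident; a request joins an existing incident for the same source IP address or the same URL+parameter combination when that incident's last violation is still inside the window) as an added example, not code from this chapter or from F5: a Python model of the grouping, run over constructed sample requests. The 15-minute window, the two criterion names and the per-incident summary fields follow the chapter; the request record layout and the sample entries are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Correlation window from the chapter: two or more illegal requests within
# 15 minutes become an incident.
WINDOW = timedelta(minutes=15)
SOURCE_IP = "Source IP"
URL_PARAM = "URL+Parameter"


@dataclass
class Request:
    """One illegal request (transaction), as it would appear in the Requests List.
    Field layout is an assumption for this example."""
    time: datetime
    source_ip: str
    url: str
    parameter: str
    violation: str


@dataclass
class Incident:
    """An aggregated event: requests grouped under one correlation criterion."""
    criterion: str          # SOURCE_IP, URL_PARAM, or "N/A" for an uncorrelated transaction
    key: str                # the client IP address, or "url|parameter"
    requests: list = field(default_factory=list)

    @property
    def last_time(self) -> datetime:
        return self.requests[-1].time

    @property
    def request_count(self) -> int:
        return len(self.requests)

    @property
    def user_ip_count(self) -> int:
        return len({r.source_ip for r in self.requests})

    def summary(self) -> dict:
        """The fields the Event Correlation screen shows per aggregated event."""
        return {
            "criterion": self.criterion,
            "key": self.key,
            "first_request": self.requests[0].time.isoformat(),
            "last_request": self.last_time.isoformat(),
            "violations": sorted({r.violation for r in self.requests}),
            "request_count": self.request_count,
            "user_ip_count": self.user_ip_count,
            # Per the chapter, many sources hitting the same URL+parameter means
            # either a distributed attack or a false positive: flag it for review.
            "multi_source": self.criterion == URL_PARAM and self.user_ip_count > 1,
        }


def correlate(requests, window=WINDOW):
    """Group requests into incidents the way the chapter describes.

    Each request is checked against both criteria, so one transaction can land
    in two incidents at once (same source IP and same URL+parameter). Returns
    (aggregated incidents with 2+ requests, individual uncorrelated transactions).
    """
    incidents = []
    for req in sorted(requests, key=lambda r: r.time):
        for criterion, key in ((SOURCE_IP, req.source_ip),
                               (URL_PARAM, f"{req.url}|{req.parameter}")):
            # Only the newest incident for this key can still be inside the window.
            newest = next((inc for inc in reversed(incidents)
                           if inc.criterion == criterion and inc.key == key), None)
            if newest is not None and req.time - newest.last_time <= window:
                newest.requests.append(req)
            else:
                incidents.append(Incident(criterion, key, [req]))
    aggregated = [inc for inc in incidents if inc.request_count >= 2]
    correlated = {id(r) for inc in aggregated for r in inc.requests}
    individual = [Incident("N/A", "", [r]) for r in requests if id(r) not in correlated]
    return aggregated, individual


# Constructed sample illegal requests (not real ASM log output).
SAMPLE = [
    ("2024-01-01T10:00:00", "203.0.113.5", "/login", "user", "Illegal meta character in value"),
    ("2024-01-01T10:03:00", "203.0.113.5", "/search", "q", "Attack signature detected"),
    ("2024-01-01T10:05:00", "198.51.100.7", "/search", "q", "Attack signature detected"),
    ("2024-01-01T10:06:00", "192.0.2.9", "/search", "q", "Attack signature detected"),
    ("2024-01-01T10:40:00", "203.0.113.5", "/login", "user", "Illegal meta character in value"),
]


def load_sample():
    return [Request(datetime.fromisoformat(t), ip, url, p, v) for t, ip, url, p, v in SAMPLE]


if __name__ == "__main__":
    aggregated, individual = correlate(load_sample())
    for inc in aggregated:
        print(inc.summary())
    print(f"{len(individual)} uncorrelated transaction(s)")
```

On the sample, the first two requests correlate by source IP, the three /search?q requests correlate by URL+parameter across three different addresses (flagged multi_source), and the 10:40 request falls outside both windows and stays an individual incident.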
You can view a list of incidents or correlated events. You can export selected incidents in PDF format for troubleshooting purposes. The maximum number of events that you can export is 100.
1. On the Main tab, expand Security, point to Event Logs, Application, and click Event Correlation.
   The Event Correlation screen opens, where you can review a list of aggregated events related to your security policies.
2. In the Incidents list, click anywhere on an event to view information about the aggregated event or transactions for each event.
   The Details and Requests List tabs display below the Incidents list.
   Tip: Incidents in a bold typeface have not been reviewed.
3. Click the Requests List tab, and then click anywhere on a request to view information about the request and any violations associated with it.
4. Click the link in the Requested URL column to display details in a separate popup screen.
   If later you want to hide the details, click Close.
5. In the View Full Request Information popup screen, click the icon to the left of a violation to display a general description of that type of violation.
   Click the violation name to view details about this specific violation, such as the file type, the expected and actual length of the query, or similar relevant information.
6. For violations that you want to allow (false positives), click the Learn button.
   If there are learning suggestions, the violations learning screen opens where you can accept the suggestions one at a time.
1. On the Main tab, expand Security, point to Event Logs, Application, and click Event Correlation.
3. Click Export, and specify whether you want to open or save the file.
1. On the Main tab, expand Security, point to Event Logs, Application, and click Event Correlation.
   The Event Correlation screen opens, where you can review a list of aggregated events for your security policy.
2. From View Incidents for, select the security policy for which you want to examine suspected attacks (or use the value All Security Policies).
4. Click the Show Filter Details link.
5. From the Correlation Criteria list, select one of the options to determine whether the system displays all incidents, or only those that match a specific correlation criterion:
   All: Specifies all incidents, which is the default.
   Parameter: Specifies incidents correlated by URLs.
   Source IP: Specifies incidents correlated by source IP addresses.
   URL: Specifies incidents correlated by URLs.
   N/A: Specifies incidents where no criteria were met.
6. From the ID list, select whether the system displays all incidents (leave the field blank), or only those that match a specific incident ID or support ID (select the type of ID and type the ID number).
7. From the Severity list, select whether the system displays all incidents (All), those that match a minimum severity level and all those above it (At least severity), or only those that match a specific severity (Only).
8. From the Request Count list, select whether the system displays all incidents (All), the minimum number of transactions needed (2 or greater) for the system to display them (At least number), or up to a maximum number of transactions per incident (At most number).
9. From the Incident Status list, select whether the system displays all incidents (All), or only those that match a specific incident state (Ongoing, Ended, or Started).
11. Click Reset to clear the filter information and start over, if needed.
You can clear incidents from the Incidents page; however, clearing them does not delete the requests. You can also clear requests from the Requests screen (Security > Event Logs > Application > Requests).
1. On the Main tab, expand Security, point to Event Logs, Application, then click Event Correlation.
   The Event Correlation screen opens.
Note: You cannot clear incidents that are in the Ongoing state.
You can display numerous graphical charts that illustrate the distribution of security alerts. You can filter the data by security policy and time period, and you can view illegal requests based on different criteria such as security policy, attack type, violation, URL, IP address, country, severity, response code, request type, protocol, user name, and more.
The system provides several predefined filters that produce charts focused on areas of interest including the top alerted applications, top violations, top viruses, top attacks, and top attackers. You can also create a customized advanced filter. You can use these charts as executive reports that summarize your overall system security.
The easiest way to learn about the graphical reports is to display a report, then change the view by criteria, and drill down into the report to display details about particular aspects you are interested in. The different steps you take are shown in the Chart Path at the top of the screen.
1. On the Main tab, expand Security, point to Reporting, Application, and click Charts.
   The Charts screen opens, where you can view graphical reports.
2. From the filter lists, select a predefined filter or decide the viewing perspective in the View By list, and select a time period.
   The Reports screen displays a graphical report of illegal requests by the selected criteria. For example, if you selected view by Violations, the report shows each type of violation in a pie chart, followed by a details table, and a line chart, which displays the violations that occurred over time.
3. Click any slice in the pie chart or detail in the details table to display more information about that specific item.
   The graphical report shows more details, and the View By choices are relevant only to the selection you made. For example, if viewing by Attack Type, you can click any attack type to view how many attacks of this type occurred for each security policy.
   Click Reset All to remove all drilldown settings for the report but keep the View By criteria.
   Click View Requests to view the requests that relate to the current report.
5. To create a version of the report that you can save or print (including charts based on your drill downs), at the bottom of the screen, click Export.
   The system asks if you want to open or save the file and asks the format to use.
You can monitor graphical charts to determine how well your security policies are protecting your web applications. By viewing specific charts, you can check for false positives and adjust security policies accordingly. The contents of the charts can help you to determine why the system flagged certain requests as illegal.
For example, if you notice that many attacks are emanating from one IP address, you have identified a possible attacker. You can check the validity of that IP address. You may want to enable session-based enforcement to block those requests producing too many violations and coming from a single IP address.
If you see that the same type of attack is coming from many different IP addresses, this may indicate a false positive, and you may need to adjust your security policy. As an example, if you see many illegal URL violations and find that they are coming from many different IP addresses, you should consider adding this URL to the security policy.
By viewing graphical reports periodically and investigating the illegal requests using different criteria, you can evaluate system vulnerabilities. As you get more familiar with the report details, you can use the information that you get to further secure your application traffic.
You can configure the Charts Scheduler to send predefined and customized charts to specific email addresses periodically. Create a schedule for each chart that you want to send.
Note: You must configure SMTP before you can send email notifications. If SMTP is not configured, an alert appears on the screen that links to SMTP configuration (System > Configuration > Device > SMTP). Also, make sure the SMTP server is on the DNS lookup server list, and configure the DNS server that you want the system to use (System > Configuration > Device > DNS).
1. On the Main tab, expand Security, point to Reporting, Application, and click Charts Scheduler.
   The Charts Scheduler screen opens.
3. Click the Create button.
   The Add Chart Schedule screen opens.
4. For Schedule Title, type a name for this schedule.
   The schedule title becomes the subject line of the outbound email.
5. In the Send To (E-Mails) field, type each email address where you want the system to send a copy of the chart, then click Add.
6. From the SMTP Configuration list, select the SMTP server used by the BIG-IP system to mail the report. If no configuration is found, you can also click Create to configure an SMTP server.
7. For the Chart setting, specify the data to chart and include in the email. Select one option:
   Click Predefined filter to select a predefined chart from the list.
   Click Multi-leveled report and select the Time Period, select how much data to display (in the Show Details list), and for Chart Path, select the viewing criteria for the chart.
8. For Send Every, select how often to send the charts, and the time and date to begin sending the charts.
9. Click Create to save the schedule.
   The Chart Scheduler screen shows the schedule you added.
The DoS Attacks report displays information about Layer 7 denial of service (DoS) attacks, including the associated application and the start and end times of an attack. For details on configuring DoS attack detection, see Preventing DoS attacks for Layer 7 traffic.
1. On the Main tab, expand Security, point to Reporting, DoS, and click Application.
   The reporting DoS Application screen opens.
3. To specify how far back you want to view the DoS attacks, after Time Period, click Last Hour, Last Day, Last Week, Last Month, Last Year, or Custom.
4. To view statistical details about a DoS attack, click the View button in the Details column.
   The system displays details it has collected about the attack, such as latency history and end time, dropped connections per attack ID and URL, mitigation, IP addresses of the attackers, virtual servers, and attacked URLs.
6. To save the summary as a file, click the Export link. In the popup screen, specify how you want to save the data (PDF, CSV (Time Series), or CSV (Details Table)), and click Export to save the file on your computer.
Note: To send email, you need to configure an SMTP server. If one is not configured, on the Main tab, navigate to System > Configuration > Device > SMTP, and click Create.
a) Click Send the report file via E-Mail as an attachment.
b) In the Target E-Mail Address(es) field, type one or more email addresses (separated by commas or semicolons).
d) Click Export.
The Brute Force Attack report displays information about brute force attacks, including the application, login URL, and start and end times of an attack. For details on configuring brute force attack detection, see Mitigating brute force attacks.
1. On the Main tab, expand Security, point to Reporting, Application, and click Brute Force Attacks.
   The Brute Force Attacks screen opens.
2. To specify how far back you want to view the statistics, after Time Period, click Last Hour, Last Day, Last Week, Last Month, Last Year, or Custom.
3. To save the summary as a file, click the Export link. In the popup screen, specify how you want to save the data (PDF, CSV (Time Series), or CSV (Details Table)), and click Export to save the file on your computer.
Note: To send email, you need to configure an SMTP server. If one is not configured, on the Main tab, expand System, and navigate to Configuration > Device > SMTP, and click Create.
a) Click Send the report file via E-Mail as an attachment.
b) In the Target E-Mail Address(es) field, type one or more email addresses (separated by commas or semicolons).
d) Click Export.
The Web Scraping Statistics report displays information about web scraping attacks that the system detected and logged. The statistics include how many times the system detected a web scraping attack, and the attack start and end times. For details about configuring web scraping detection, see Detecting and preventing web scraping.
1. On the Main tab, expand Security, point to Reporting, Application, and then click Web Scraping Statistics.
   The Web Scraping Statistics screen opens.
2. To specify how far back you want to view the statistics, after Time Period, click Last Hour, Last Day, Last Week, Last Month, Last Year, or Custom.
3. To save the summary as a file, click the Export link. In the popup screen, specify how you want to save the data (PDF, CSV (Time Series), or CSV (Details Table)), and click Export to save the file on your computer.
Note: To send email, you need to configure an SMTP server. If one is not configured, on the Main tab, expand System, and navigate to Configuration > Device > SMTP, and click Create.
a) Click Send the report file via E-Mail as an attachment.
b) In the Target E-Mail Address(es) field, type one or more email addresses (separated by commas or semicolons).
d) Click Export.
You can use the session tracking reporting tools in Application Security Manager to monitor user and session details, especially when you need to investigate suspicious activity. You can view and manage the users, sessions, and IP addresses that the system is currently tracking, and for which the system is taking action.
To monitor user and session information, you first need to set up session tracking for the security policy. Refer to the BIG-IP® Application Security Manager: Implementations guide for details on how to set up session tracking using either login pages or by integrating with Access Policy Manager®.
1. On the Main tab, expand Security, point to Reporting, Application, and then click Session Tracking Status.
   The Session Tracking screen opens and shows the session tracking configuration, including threshold values.
   Session Awareness must be Enabled in Security > Application Security > Sessions and Logins > Session Tracking for you to view session tracking status.
3. On the Main tab, expand Security, point to Reporting, Application, then click Session Tracking Status.
   The Session Tracking Status screen opens, and lists the items the system is tracking.
4. Set the filter values to display the items you are interested in.
   For example, for Action, select Block All to display the items where the system blocks requests after the configured threshold has been reached.
5. For any item in the Session Tracking Status list, click View Requests to see if any requests are associated with this tracking entry.
   You can drill down into the requests to find out more about them.
6. To track additional users, sessions, or IP addresses, click Add and specify the action, the scope (user name, session, IP address) and the value of the scope, and click Add.
   The system creates the entry and immediately begins enforcing it.
7. To remove an entry, select it and click Release.
   The system removes the entry from the list, and stops enforcing it.
Tip: You can also configure the system to log, block, or delay blocking requests from a specific user name, session, or source IP address from the General Details tab of a request on the Event Logs: Application: Requests screen.
The PCI Compliance report displays details on how closely the security policy of a web application meets Payment Card Industry (PCI) security standards, PCI-DSS 1.2. The report indicates which requirements Application Security Manager can help enforce, and allows you to view details about what to configure differently to meet compliance standards.
You can create printable versions of PCI compliance reports for each web application to assure auditors that the BIG-IP system and your web applications are secure.
1. On the Main tab, expand Security, point to Reporting, Application, and then click PCI Compliance.
   The PCI Compliance screen opens showing a compliance report for the current security policy.
2. To learn more about items that are PCI compliant (items with a green check mark), those which are partially compliant, or those which are not PCI compliant (items with a red X), click the item link in the Requirement column.
   The screen shows information about how to make an item PCI-compliant.
3. Optionally, in the Details list, you can click a hyperlink (blue text) to go directly to the screen where you can adjust the non-compliant settings.
5. To display a PCI compliance report for a different security policy, in the PCI Compliance Report area, from the Security Policy list, select a different policy name.
   A PCI compliance report for the selected policy opens.
You can examine the amount of CPU resources that the Application Security Manager is using, and also check overall BIG-IP system CPU usage.
1. On the Main tab, expand Security, point to Reporting, Application, and click CPU Utilization.
   The CPU Utilization screen opens and displays CPU usage over the past three hours.
3. For Auto Refresh, select how often to refresh the graph, leave Disabled not to refresh, or click Refresh to update immediately.
1. On the Main tab, expand Security, point to Reporting, Application, and click CPU Utilization.
2. Click the Clear Performance Data button.
On the Main tab, expand Statistics, then click Performance.
The Performance screen opens, and you can view system CPU usage.