Manual Chapter : Configuring How BIG-IQ FPS Processes Alerts

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 6.0.0
Manual Chapter

Before you start managing alerts

Before you can start using Fraud Protection Service (FPS) to manage alerts, you need to deploy a data collection device (DCD) cluster. This cluster includes the BIG-IQ® Centralized Management devices and Data Collection devices needed to manage and store the alert data generated from your BIG-IP® devices. Additionally, you need to configure your BIG-IP devices to send their FPS alerts to the DCD cluster. These tasks are detailed in the document Planning and Implementing an F5®BIG-IQ® Centralized Management Deployment.

Configure a web service

Before you can perform this task, you must be logged in as Admin and, if you plan to use a proxy for WebService traffic, you must have configured a proxy server that your data collection device cluster can access.

Important: To use a proxy, you must configure a proxy on each device (data collection devices and BIG-IQ® devices) in the cluster. Additionally, the proxy names you specify for each node in the cluster must match exactly.
You can add or remove a WebService configuration. You need a web service to download new alert transform rules from the SOC. You also need a web service so you can forward received alerts to the Security Operations Center (SOC) so that the SOC can inspect them.
  1. At the top of the screen, click Monitoring.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration .
  3. Click WebService Configuration, and then select the web service you want to configure.
    • To configure an existing service, click the name of the service.
    • To configure a new service click Create.
    Note: If you create a web service with a particular set of SOC credentials, and then use that web service in forwarding rules or scheduled alert rule downloads and later delete and recreate it with a different name, then attempts to restore that snapshot will fail. To successfully restore snapshots, you must recreate the web service with the same name.
    Important: When you make changes to your web service configuration, allow up to 5 minutes for these changes to propagate to all of your managed FPS devices before you look for the impact of the configuration changes.
  4. For the WebService Name, type a name for the web service that you would like to forward alerts to.
    The Security Operations Center (SOC) is the only option.
  5. For Description, type a description of the account that you would like to send alerts to.
  6. For WebService URI, use the default value supplied by the BIG-IQ.
  7. For Remote Account ID, type the remote account ID provided by the SOC.
  8. For SOC User, type the user name provided by the SOC.
  9. For SOC Password, type the password provided by the SOC.
  10. If you want the alert traffic for this web service to route through a proxy, select Use Proxy, and then select the proxy you want to use.
  11. For Test SOC Connection, click the Test button to make sure the alert goes through.
    Important: A successful test confirms only that the alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  12. Click Save & Close
You have configured a web service that can down load alert rules from the SOC and forward alerts to the SOC.

Create an alert transform rule

Before you can perform this task, you must be logged in as Admin.

An alert transform rule is used to modify alerts matching a set of criteria. It might take a few minutes after alert transform rules are created before they take effect.

When you create an alert transform rule, you create a set of criteria that tells your system what to do with incoming alerts. An example of this would be if the system finds a particular string in the alert query when there is generic malware present. If the alert matches all of the criteria that you set up, then the system changes the alert severity, details, recommendation, and status. You can use alert transform rules to ignore a type of alert that is harmless, or you can use alert transform rules to give an alert a higher severity and change the alert status to Monitor.

  1. At the top of the screen, click Monitoring.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration .
  3. Click Alert Transform Rules.
  4. To add an alert transform rule, click the Create button.
    The New Alert Transform Rule screen opens.
  5. In Transform Rule Name, type a name for the rule.
  6. In Status, select the Enabled check box if you want the transform rule to be enabled immediately after creating it.
    If the Enabled check box is not selected, the transform rule is inactive until this setting is changed.
    Note: Enabling a rule does not apply it on alerts. To apply the rule, you must enable it and then click Apply.
  7. In Description, type a description of the alert rule.
  8. In Find, type the text that you want the BIG-IQ® to search for in the alert data.
    The BIG-IQ searches for this text in the areas you specify in the Where field, and the alert transform rule can be applied on alerts where this text is found.
  9. For the Where setting, select which parts of the alert should be searched.
    The BIG-IQ searches for the text you specify in the Find field in the parts of the alert you specify here.
  10. For the When setting, select which types of alerts should be searched.
  11. For the Accounts setting, retain the default, All Accounts, or clear the check box and specify on which accounts the rule should be applied.
  12. For Alert Severity, select a severity number for the rule.
    By default, most rules are given a severity number of 50.
  13. In Alert Details, type additional information to display in the rule.
  14. In Alert Recommendation, type a recommendation to display in the rule.
  15. For Alert Status, select a status that will be assigned to matching alerts.
  16. Select the check box next to Use regex to obfuscate the user name from selected fields if you want the rule to hide the user name in selected alert fields.
    If you select this check box, the properties User Regular Expression and Match User Regular Expression on appear.
    1. For User Regular Expression, type a regular expression for identifying a user name in an alert.
      If the BIG-IQ finds this regular expression, the actual user name is replaced with username. For example, if you specify the regex: username=([a-zA-Z]*) and the alert URL is https://myusername.com?username=johndoe, after the regex is matched and applied, the alert URLrenders it as https://djohndoe.com?username=USERNAME.
    2. For Match User Regular Expression on, select the parts of the alert that you want the BIG-IQ to search to determine if they contain the regular expression.
  17. Click Save & Close.

Creating a schedule to download alert transform rules from the SOC

Before you can create a new download schedule, you must configure a web service.
You can set up a schedule to download alert transform rules from the Security Operations Center (SOC). You can start downloads immediately, or repeat them on a daily, weekly, or monthly basis. You can only create one repeating schedule. However, you can create a new schedule that will run immediately.
Note: Transform rules are downloaded only for the account configured in the SOC WebService.
  1. At the top of the screen, click Monitoring.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration , and then click Transform Rule Import Schedule.
  3. Click the Create button.
    The New FPS Download Schedule screen opens.
  4. Type a Name and Description for the schedule.
  5. From the WebService list, select the service you want to use.
  6. For Import Alert Rules Frequency, select the frequency for downloading the transform rules .
  7. For Start Date, specify the date and time that you want the first download to start.
  8. For End Date, either select No End Date, or specify the date and time that you want downloads to stop.
  9. Select Should Apply if you want the downloaded alert transform rules to be immediately applied on alerts in the BIG-IQ.
  10. Select Should Forward if you want to forward notifications about alerts that were modified by the transform rule to a third party, according to the forwarding rules configured in the BIG-IQ.
  11. Click Save & Close.
    The FPS Download Schedules screen opens and the schedule that you created is listed.
After a successful download occurs, you can check the download results in the FPS Download Schedules screen, including the following information:
  • Total Rules: The total number of transform rules that were received in the download.
  • Total Rules Ignored: The total number of rules that were ignored for either of the following reasons:
    1. The rule is not associated with the account that performed the download.
    2. Validation of the rule failed.
  • Total Rules Updated: The total number of rules that were received in a previous download and were updated in the latest download.

Importing a CSV file with alert rules

Importing alert transform rules from a CSV file is helpful if you do not want to schedule a download of the alert transform rules from the Security Operations Center (SOC) over the Internet.

You can save alert rules (called signatures) from the SOC into a CSV file, then use the steps in this task to import the CSV file into FPS.

  1. At the top of the screen, click Monitoring.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration , and then click Alert Transform Rules.
  3. Click the Import button.
    A popup screen opens.
  4. Click Choose File, and then choose a CVS file to import.
  5. Select a target account.
  6. Click Import.
    The imported alert transform rule is applied to the types of alerts the account is configured to receive.

Modifying alert forwarding rules

Before you can perform this task, you must be logged in as Admin, and if you plan to use a proxy to forward custom alerts, you must have configured a proxy server that your Data Collection Device cluster can access.

You can add, clone, or remove alert forwarding rules. You can forward alerts to a web service, an email address, a sys-log, or to a custom WebService location.
  1. At the top of the screen, click Monitoring.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration , and then click Alert Forwarding Rules.
  3. On the Alert Forwarding Rules screen, select an action as appropriate:
    • To view details for an alert forwarding rule, click the rule name.
    • To create an alert forwarding rule, click Create.
    • To clone an alert forwarding rule, select the check box by the rule and click Clone.
    • To delete an alert forwarding rule, select the check box by the rule and click Delete.
    • To enable an alert forwarding rule, select the check box by the rule and click Enable.
    • To disable an alert forwarding rule, select the check box by the rule and click Disable.
  4. On the New Alert Forwarding Rules screen, fill in the settings as needed:
    1. For Forwarding Rule Name, type a name for the alert rule.
    2. For Description, type a description of the alert rule.
    3. For Status, select the Enabled check box to forward alerts.
  5. On the left, click Alerts Matching, and fill in the settings as needed:
    1. For Alert Severity Equal OR Greater Than, select the alert severity level from the list.
    2. For Alert Categories, move an alert category from the Available list to the Selected list.
    3. For Alert Status, select a status for the alert, and move it from the Available list to the Selected list.
    4. To forward only alerts that include a user name, for Username, select Must be Present.
      Enabling this setting significantly reduces the volume of alerts that FPS forwards.
    5. For Accounts, use the default All Accounts, or select a specific fraud protection account and move it to the Selected column. The alert forwarding rule will then only act on the alerts that the account is set to receive.
  6. On the left, click Notification Targets and select one or more means for forwarding alerts.
    1. Enable WebService to send alert notifications to the F5 Security Operations Center (SOC) dashboard through the cloud WebService.
      For additional details on how to use the fields in the WebService area, refer to WebService method forwarding detail.
      Note: You must configure WebService Config in Fraud Protection Service before you can select this option.
    2. Enable Email to send notifications to an email address.
      For additional details on how to use the fields in the Email area, refer to Email forwarding method detail.
      Note: You must configure the DNS and SMTP server on your data collection devices to use this option.
    3. Enable Syslog to send alert notifications to a Syslog server.
      For additional details on how to use the fields in the Syslog area, refer to Syslog forwarding method detail.
    4. Enable Custom to send custom alert notifications to a third party web service.
      For additional details on the Custom area, and how to use the fields in it, refer to Custom forwarding method detail.
  7. Click Save & Close.

WebService forwarding method detail

When you use the WebService forwarding method, you use the web service tab to define how the alert is sent.
  1. For WebService, select the web service to which you want the alert to be sent.
  2. Specify the variables that you want to have included in the alert by using the arrow button to move them from the Available list to the Selected list.
    For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  3. Click Save & Close.

Email forwarding method detail

When you use the Email forwarding method, you use the Email tab to define how the alert is sent.
  1. For Sender Name, the screen specifies the name of the email sender (F5 Fraud Protection Service).
  2. For Sender Email Address, type the email address from which you want the alert notifications forwarded.
  3. For Email Recipient(s), type the email address to which you want the alert notifications forwarded.
  4. To run a test of the email addresses you specified above, click Test.
    Important: A successful test confirms only that the alert was successfully sent. You should confirm with the recipient that the test message is received.
  5. For Email Subject, you can either use the default parameters to specify the alert email subject, or create your own using the supported parameters.
    For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  6. For Mail Template, you can add or subtract from the default list of parameters.
    Parameters listed here are included in the forwarded alert.
  7. When you finish configuring the alert sending method, click Save & Close.

Syslog forwarding method detail

When you use the Syslog forwarding method, you use the Syslog tab to define how the alert is sent.
  1. For Syslog Facility, type the facility number to which you want the alert notifications to be forwarded.
  2. For Syslog Severity, select the severity level that you want to be appended to all forwarded alert notifications.
    The severity level you select here is added to all forwarded alerts. This level is unrelated to the severity level number assigned independently to each alert.
  3. For Syslog Server, type the IP address of the server to which you want the alerts to be forwarded.
  4. For Syslog Port, type the port number to which you want the alerts to be forwarded.
  5. For Syslog Protocol, select the protocol that the target syslog server uses to accept forwarded alerts.
  6. To run a test of the specified settings, click Test.
    Important: A successful test confirms only that the alert was successfully sent. You should confirm with the recipient that the test message is received.
  7. For Syslog Template, you can add or subtract from the default list of parameters.
    Parameters listed here are included in the forwarded alert. For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  8. When you finish configuring the alert sending method, click Save & Close.

Custom forwarding method detail

Before you can perform this task, if you plan to use a proxy to forward custom alerts, you must have configured a proxy server that your data collection device cluster can access.
When you are configuring an alert forwarding rule and select the Custom method, you use the Custom tab to define the details of how the alert is sent. This alert type specifies a number of parameters that the alert receiving entity has specified as requirements of the service they use to listen for forwarded alerts. You specify the values for these parameters so that the forwarded alerts satisfy the requirements of the alert receiving entity.
  1. If the alert recipient uses a service that requires an alert token, select the check box for Uses Token.
    The screen displays additional settings.
    1. For WS Token Timeout, type the number of seconds that the alert recipient specifies for forwarded alert tokens.
    2. For WS Token URL, type the IP address that the alert recipient specifies for forwarded alert tokens.
    3. For WS Token Method, select the REST API method that the alert recipient specifies for forwarded alert tokens.
    4. For WS Token Headers, type the required request header information specified by the alert recipient for forwarded alert token headers.
    5. For WS Token Request, type the required request body information specified by the alert recipient for forwarded alert tokens.
    6. For WS Token Response, type the required request response information specified by the alert recipient for forwarded alert responses.
  2. If you want the alert traffic for this custom rule to route through a proxy, select Use Proxy, and then select the proxy you want to use.
  3. For WS Alert URL, type the IP address specified by the alert recipient for forwarded alert responses.
  4. For WS Alert Method, select the REST API method that the alert recipient specifies for forwarded alerts.
  5. To run a test of the specified settings, click Test.
    Important: A successful test confirms only that the alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  6. For WS Alert Headers, type the required alert header information specified by the alert recipient for forwarded alert headers.
  7. For WS Alert Request, type in the parameters that you want to be included in the forwarded alerts.
    Parameters listed here are included in the forwarded alert. For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  8. When you finish configuring the alert sending method, click Save & Close.

Supported forwarding method variables

There are a number of forwarding method variables that you can use when you create an alert rule.

Variable Name Alert Field
Account ID {accountid}
Account Name {account}
Alert Date (dd.mm.yyyy hh:mm) {date}
Alert Date (yyyy-mm-dd hh:mm:ss) {datefull}
Alert Date (Unix Timestamp) {unixdate}
Alert Domain {domain}
Alert Name {name}
Alert Severity {severity}
Alert Query {query}
Alert Recommendation {recommendation}
Alert Status (Numeric) {statusid}
Alert Status (Textual) {status}
Alert Type {type}
Alert URL {url}
Alert GUID {guid}
Alert Referer {referer}
Alert Details {details}
Application Cookies {session_data}
Authentication Token (For CustomWS Notifications) {token}
Client Host Name {hostname}
Client IP {ip}
Client Language {language}
Client Proxy Host Name {proxyname}
Client Proxy IP {proxy}
Client Username {user}
Client User Agent {agent}
Client Country {geoip_country}
Client City {geoip_city}
Client Device ID {device_id}
Client Device Parameters {device_params}
Full Alert HTML Data {ht_data}
MD5 of Full Alert HTML {ht}
MD5 of Minimal Alert HTML {min}
Minimal Alert HTML Data {min_data}

Add a fraud protection account

You create Fraud Protection accounts in order to receive alerts related to alert identifiers that have been configured on the BIG-IP® system. You can then assign BIG-IQ® users to limit their view of alerts and rules.

Accounts are used to filter alerts, and to transform rules and forwarding rules based on the alert ID configured on the BIG-IP system. Each FPS account has an account ID, and all alerts have an account ID field. You can view only the alerts whose account ID field matches an FPS account ID to which your user login has been assigned access.

The account name you give is displayed in place of the alert ID. If you configure an account, set the default view for each user that you assign to the account. Alert transform rules and forwarding rules that have an account are applied to alerts with the matching alert ID. If no accounts are assigned, then all alerts are considered.
  1. At the top of the screen, click Monitoring.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration , and then click WebService Configuration.
  3. Click Create.
    The New FPS WebService Configuration screen opens.
  4. Fill in as appropriate:
    Option Description
    WebService Name Type a name for the account that you would like to send alerts to (for example, MortgageDept).
    Description Type a description of the account that you would like to send alerts to.
    WebService URI This value is always filled in by default. The only reason to change this is if you want to forward to another legacy dashboard.
    Remote Account ID Type the remote account ID provided to you by the SOC.
    SOC User Type the user name provided to you by the SOC By default, the administrator is selected to look at the account.
    Note: To create a user, go to System Management > User Management > Users and click Add. Be sure to give the user a user role of Fraud Protection Manager or Fraud Protection View
    .
    SOC Password Type the password provided to you by the SOC.
    Proxy To route the alert traffic for this web service through a proxy, select Use Proxy, and then select the proxy you want to use.
    Test SOC Connection To test the SOC connection, click the Test button to confirm that your settings are correct.
    Important: A successful test confirms only that a test alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  5. Click Save & Close.
You now have a fraud protection account that can manage the alerts that you specify.