Manual Chapter : Configuring How BIG-IQ FPS Processes Alerts

Applies To: BIG-IQ Centralized Management 5.2.0

Before you start managing alerts

Before you can start using Fraud Protection Service (FPS) to manage alerts, you need to deploy a data collection device (DCD) cluster. This cluster includes the BIG-IQ® Centralized Management devices and data collection devices needed to manage and store the alert data generated by your BIG-IP® devices. Additionally, you need to configure your BIG-IP devices to send their FPS alerts to the DCD cluster. These tasks are detailed in the document Planning and Implementing an F5® BIG-IQ® Centralized Management Deployment.

Configure a web service

Before you can perform this task, you must be logged in as Admin and, if you plan to use a proxy for WebService traffic, you must have configured a proxy server that your data collection device cluster can access.

Important: To use a proxy, you must configure a proxy on each device (data collection devices and BIG-IQ® devices) in the cluster. Additionally, the proxy names you specify for each node in the cluster must match exactly.
You can add or remove a WebService configuration. You need a web service to download new alert transform rules from the Security Operations Center (SOC), and to forward received alerts to the SOC so that the SOC can inspect them.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service > Configuration.
  3. Click WebService Configuration, and then select the web service you want to configure.
    • To configure an existing service, click the name of the service.
    • To configure a new service click Create.
    Note: If you create a web service with a particular set of SOC credentials, use it in forwarding rules or scheduled alert rule downloads, and a snapshot is taken while those rules reference it, then deleting that web service and recreating it under a different name causes attempts to restore the snapshot to fail. To restore the snapshot successfully, recreate the web service with its original name.
    Important: When you make changes to your web service configuration, allow up to 5 minutes for these changes to propagate to all of your managed FPS devices before you look for the impact of the configuration changes.
  4. For the WebService Name, type a name for the web service that you would like to forward alerts to.
    The Security Operations Center (SOC) is the only option.
  5. For Description, type a description of the account that you would like to send alerts to.
  6. For WebService URI, use the default value supplied by the BIG-IQ.
  7. For Remote Account ID, type the remote account ID provided by the SOC.
  8. For SOC User, type the user name provided by the SOC.
  9. For SOC Password, type the password provided by the SOC.
  10. If you want the alert traffic for this web service to route through a proxy, select Use Proxy, and then select the proxy you want to use.
  11. For Test SOC Connection, click the Test button to make sure the alert goes through.
    Important: A successful test confirms only that the alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  12. Click Save & Close.
You have configured a web service that can download alert rules from the SOC and forward alerts to the SOC.

Create an alert transform rule

Before you can perform this task, you must be logged in as Admin.

An alert transform rule is used to modify alerts matching a set of criteria. It might take a few minutes after alert transform rules are added before they take effect.

When you create an alert transform rule, you define a set of criteria that tells your system what to do with incoming alerts. For example, a rule might match when a particular string appears in the alert query, indicating that generic malware is present. If an alert matches all of the criteria you set up, the system changes the alert severity, details, recommendation, and status. You can use alert transform rules to ignore a type of alert that is harmless, or to raise the alert severity to a high value and change the alert status to monitor.

  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service > Configuration.
  3. Click Alert Transform Rules.
  4. To add an alert transform rule, click the Create button.
    The New Alert Transform Rule screen opens.
  5. Complete the New Alert Transform Rule screen:
    1. In Transform Rule Name, type a name for the alert rule.
    2. In Description, type a description of the alert rule.
    3. In Find, type the string that you would like to search for.
    4. For the Where setting, use the arrow key to move a location that you would like to search to the Selected column.
      The alerts you specify will be searched for instances of the Find string specified in the previous step.
    5. For the When setting, add an alert category to the Selected column.
    6. For the Accounts setting, retain the default, All Accounts, or clear that check box, and select a specific fraud protection account.
      The Alert Transform Rule then only acts on the alerts that the account is set to receive.
    7. For Alert Severity, add a severity number to the alert.
      By default, most alerts are given a severity number of 50.
    8. In Alert Details, type in details about the alert.
    9. In Alert Recommendation, type an alert recommendation.
    10. For Alert Status, select a status for the alert.
    11. Select the Advanced check box if you want to extract the user name from the alert using a regular expression.
  6. If you select the Use regex to obfuscate the user name from selected fields check box, there are two more settings to complete.
    1. In the User Regular Expression field, type a regular expression.
      If the alert contains a string that matches the regular expression you specified, BIG-IQ replaces that string with username. This hides the information in the alert.
    2. In the Match User Regular Expression on setting, move the alert fields that you want to search and replace from the Available list to the Selected list.
      The system searches the selected fields for strings that match the specified regular expression and replaces them with username.
  7. Click Save & Close.
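
As an added example (not F5's code), this Python model applies transform rules the way the steps above describe: match the Find string within the Where fields for alerts in the When categories and selected Accounts, then set severity, details, recommendation and status, and hide the user name in the selected fields with the Advanced regular expression. The alert records, the rule values, and the choice that an empty Details or Recommendation keeps the alert's original text are assumptions.

```python
import re
from functools import reduce
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample alerts in the shape the chapter describes (not real FPS data).
ALERTS = [
    {"guid": "a1", "accountid": "1001", "category": "Malware", "severity": 50, "status": "new",
     "query": "POST /login?sig=generic_malware", "details": "user=jdoe hit generic malware check"},
    {"guid": "a2", "accountid": "2002", "category": "Phishing", "severity": 50, "status": "new",
     "query": "GET /account", "details": "user=asmith referer is a phishing kit"},
    {"guid": "a3", "accountid": "1001", "category": "Noise", "severity": 50, "status": "new",
     "query": "GET /health", "details": "monitoring probe"},
]

@dataclass
class TransformRule:
    name: str
    find: str                             # Find: substring to look for
    where: List[str]                      # Where: alert fields that are searched
    when: List[str]                       # When: categories the rule applies to
    accounts: Optional[List[str]] = None  # Accounts: None means All Accounts
    severity: int = 50                    # Alert Severity (the default most alerts carry)
    details: str = ""                     # Alert Details (empty keeps the original; assumed)
    recommendation: str = ""              # Alert Recommendation (same assumption)
    status: str = "new"                   # Alert Status
    user_regex: Optional[str] = None      # Advanced: User Regular Expression
    user_regex_fields: List[str] = field(default_factory=list)  # Match ... on

    def matches(self, alert) -> bool:
        if alert["category"] not in self.when:
            return False
        if self.accounts is not None and alert["accountid"] not in self.accounts:
            return False
        return any(self.find in str(alert.get(f, "")) for f in self.where)

    def apply(self, alert) -> dict:
        out = dict(alert)
        if not self.matches(alert):
            return out
        if self.user_regex:  # hide the user name before anything else is changed
            pat = re.compile(self.user_regex)
            for f in self.user_regex_fields:
                if f in out:
                    out[f] = pat.sub("username", str(out[f]))
        out["severity"], out["status"] = self.severity, self.status
        if self.details:
            out["details"] = self.details
        if self.recommendation:
            out["recommendation"] = self.recommendation
        return out

def apply_rules(rules, alerts):
    """Run every rule over every alert; later rules see earlier rules' changes."""
    return [reduce(lambda a, r: r.apply(a), rules, alert) for alert in alerts]

RULES = [
    TransformRule("escalate-generic-malware", find="generic_malware", where=["query"],
                  when=["Malware"], severity=90, status="monitor",
                  recommendation="Review the session and contact the user",
                  user_regex=r"user=\w+", user_regex_fields=["details"]),
    TransformRule("ignore-health-probes", find="/health", where=["query"],
                  when=["Noise"], accounts=["1001"], severity=0, status="ignored"),
]
```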

Creating a schedule to import transform rules

Before you can create a new download schedule, you must configure a web service.

You can set up a schedule to import transform rules from the Security Operations Center (SOC). You can start imports immediately, or repeat them on a daily, weekly, or monthly basis. You can only create one repeating schedule. However, you can create a new schedule that will run immediately.

  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service > Configuration, and then click Transform Rule Import Schedule.
  3. Click the Create button.
    The New FPS Download Schedule screen opens.
  4. Type a Name and Description for the transform rule import schedule.
  5. From the WebService list, select the service you want to use.
  6. For Import Alert Rules Frequency, select how often you want the transform rules to import.
  7. For Start Date, specify the date and time that you want the import to start.
  8. For End Date, either select No End Date, or specify the date and time that you want the import to stop.
  9. Click Save & Close.
You have now created an import schedule for alert transform rules.

Importing a CSV file with alert rules

Importing alert transform rules from a CSV file is helpful if you do not want to schedule a download of the alert transform rules from the Security Operations Center (SOC) over the Internet.

You can save alert rules (called signatures) from the SOC into a CSV file, then use the steps in this task to import the CSV file into FPS.

  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service > Configuration, and then click Alert Transform Rules.
  3. Click the Import button.
    A popup screen opens.
  4. Click Choose File, and then choose a CSV file to import.
  5. Select a target account.
  6. Click Import.
    The imported alert transform rule is applied to the types of alerts the account is configured to receive.

Modify alert forwarding rules

Before you can perform this task, you must be logged in as Admin, and if you plan to use a proxy to forward custom alerts, you must have configured a proxy server that your Data Collection Device cluster can access.

You can add, clone, or remove alert forwarding rules. You can forward alerts to a web service, an email address, a syslog server, or a custom WebService location.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service > Configuration, and then click Alert Forwarding Rules.
  3. On the Alert Forwarding Rules screen, select an action as appropriate:
    • To view details for a forwarding rule, click an alert name.
    • To clone an alert forward rule, select the check box for an alert and click Clone.
    • To remove an alert forward rule, select the check box for an alert and click Delete.
    • To add an alert forwarding rule, click Create.
  4. On the New Alert Forwarding Rules screen, fill in the settings as needed:
    1. For Forwarding Rule Name, type a name for the alert rule.
    2. For Description, type a description of the alert rule.
    3. For Status, select the Enabled check box to forward alerts.
  5. On the left, click Alerts Matching, and fill in the settings as needed:
    1. For Alert Severity Equal OR Greater Than, select the alert severity level from the list.
    2. For Alert Categories, move an alert category from the Available list to the Selected list.
    3. For Alert Status, select a status for the alert, and move it from the Available list to the Selected list.
    4. To forward only alerts that include a user name, for Username, select Must be Present.
      Enabling this setting significantly reduces the volume of alerts that FPS forwards.
    5. For Accounts, use the default All Accounts, or select a specific fraud protection account and move it to the Selected column. The alert forwarding rule will then only act on the alerts that the account is set to receive.
  6. On the left, click Notification Targets and fill in as appropriate:
    1. Select the Enabled check box for the destination to which you want to forward alerts.
      Note: Depending on which forwarding method you choose, you can use variables to define the content of the alerts that you forward.
      • Select WebService to send alert notifications to the F5 Security Operations Center (SOC) dashboard through the cloud web service.
        • You must configure WebService Config in Fraud Protection Service before you can select this option.
        • When you select WebService, the screen opens the WebService area where you can specify additional options and variables.
        • For additional detail on how to use the fields in the WebService area, refer to WebService forwarding method detail.
      • Select Email to send notifications to an email address.
        • You must configure the DNS and SMTP server on your data collection devices to use this option.
        • When you select Email, the screen opens the Email area where you can specify additional fields and variables.
        • For additional detail on how to use the fields in the Email area, refer to Email forwarding method detail.
      • Select Syslog to send alert notifications to a syslog server.
        • When you select Syslog, the screen opens the Syslog area where you can specify additional fields and variables.
        • For additional detail on how to use the fields in the Syslog area, refer to Syslog forwarding method detail.
      • Select Custom to send custom alert notifications to a third party web service.
        • When you select Custom, the screen opens the Custom area where you can specify additional fields and variables.
        • For additional detail on the Custom area, and how to use the fields in it, refer to Custom forwarding method detail.
  7. Click Save & Close.
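
Added example, not part of the product: a Python model of the Alerts Matching settings above, with a helper that shows how much Username: Must be Present cuts the forwarded volume. The alert records, and the treatment of an empty Selected list as "any", are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class ForwardingRule:
    """Alerts Matching settings of one forwarding rule (names follow the screen)."""
    name: str
    enabled: bool = True                                  # Status: Enabled
    min_severity: int = 0                                 # Alert Severity Equal OR Greater Than
    categories: List[str] = field(default_factory=list)  # Selected categories; empty = any (assumed)
    statuses: List[str] = field(default_factory=list)    # Selected statuses; empty = any (assumed)
    username_required: bool = False                       # Username: Must be Present
    accounts: Optional[List[str]] = None                  # None = All Accounts

    def matches(self, alert) -> bool:
        if not self.enabled or int(alert.get("severity", 0)) < self.min_severity:
            return False
        if self.categories and alert.get("category") not in self.categories:
            return False
        if self.statuses and alert.get("status") not in self.statuses:
            return False
        if self.username_required and not alert.get("user"):
            return False
        return self.accounts is None or alert.get("accountid") in self.accounts

def select_for_forwarding(rule, alerts):
    """Return the GUIDs of the alerts this rule would hand to its notification targets."""
    return [a["guid"] for a in alerts if rule.matches(a)]

def username_filter_effect(rule, alerts):
    """How many alerts the rule forwards without, and with, Username: Must be Present."""
    loose = ForwardingRule(**{**vars(rule), "username_required": False})
    strict = ForwardingRule(**{**vars(rule), "username_required": True})
    return len(select_for_forwarding(loose, alerts)), len(select_for_forwarding(strict, alerts))

# Constructed alerts (not real FPS data); only one high-severity alert names a user.
ALERTS = [
    {"guid": "f1", "accountid": "1001", "category": "Malware", "severity": 90, "status": "monitor", "user": "jdoe"},
    {"guid": "f2", "accountid": "1001", "category": "Malware", "severity": 70, "status": "new", "user": ""},
    {"guid": "f3", "accountid": "2002", "category": "Phishing", "severity": 50, "status": "new"},
    {"guid": "f4", "accountid": "1001", "category": "Malware", "severity": 95, "status": "ignored", "user": ""},
    {"guid": "f5", "accountid": "1001", "category": "Malware", "severity": 20, "status": "new", "user": "bob"},
    {"guid": "f6", "accountid": "1001", "category": "Malware", "severity": 65, "status": "new"},
]
```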

WebService forwarding method detail

When you use the WebService forwarding method, you use the web service tab to define how the alert is sent.
  1. For WebService, select the web service to which you want the alert to be sent.
  2. Specify the variables that you want to have included in the alert by using the arrow button to move them from the Available list to the Selected list.
    For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  3. Click Save & Close.

Email forwarding method detail

When you use the Email forwarding method, you use the Email tab to define how the alert is sent.
  1. For Sender Name, the screen specifies the name of the email sender (F5 Fraud Protection Service).
  2. For Sender Email Address, type the email address from which you want the alert notifications forwarded.
  3. For Email Recipient(s), type the email address to which you want the alert notifications forwarded.
  4. To run a test of the email addresses you specified above, click Test.
    Important: A successful test confirms only that the alert was successfully sent. You should confirm with the recipient that the test message is received.
  5. For Email Subject, you can either use the default parameters to specify the alert email subject, or create your own using the supported parameters.
    For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  6. For Mail Template, you can add or subtract from the default list of parameters.
    Parameters listed here are included in the forwarded alert.
  7. When you finish configuring the alert sending method, click Save & Close.

Syslog forwarding method detail

When you use the Syslog forwarding method, you use the Syslog tab to define how the alert is sent.
  1. For Syslog Facility, type the facility number to which you want the alert notifications to be forwarded.
  2. For Syslog Severity, select the severity level that you want to be appended to all forwarded alert notifications.
    The severity level you select here is added to all forwarded alerts. This level is unrelated to the severity level number assigned independently to each alert.
  3. For Syslog Server, type the IP address of the server to which you want the alerts to be forwarded.
  4. For Syslog Port, type the port number to which you want the alerts to be forwarded.
  5. For Syslog Protocol, select the protocol that the target syslog server uses to accept forwarded alerts.
  6. To run a test of the specified settings, click Test.
    Important: A successful test confirms only that the alert was successfully sent. You should confirm with the recipient that the test message is received.
  7. For Syslog Template, you can add or subtract from the default list of parameters.
    Parameters listed here are included in the forwarded alert. For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  8. When you finish configuring the alert sending method, click Save & Close.

Custom forwarding method detail

Before you can perform this task, if you plan to use a proxy to forward custom alerts, you must have configured a proxy server that your data collection device cluster can access.

When you configure an alert forwarding rule and select the Custom method, you use the Custom tab to define how the alert is sent. The Custom method exposes a number of parameters whose values the alert recipient requires for the service it uses to listen for forwarded alerts. You specify those values so that the forwarded alerts satisfy the recipient's requirements.
  1. If the alert recipient uses a service that requires an alert token, select the check box for Uses Token.
    The screen displays additional settings.
    1. For WS Token Timeout, type the number of seconds that the alert recipient specifies for forwarded alert tokens.
    2. For WS Token URL, type the IP address that the alert recipient specifies for forwarded alert tokens.
    3. For WS Token Method, select the REST API method that the alert recipient specifies for forwarded alert tokens.
    4. For WS Token Headers, type the required request header information specified by the alert recipient for forwarded alert token headers.
    5. For WS Token Request, type the required request body information specified by the alert recipient for forwarded alert tokens.
    6. For WS Token Response, type the required request response information specified by the alert recipient for forwarded alert responses.
  2. If you want the alert traffic for this custom rule to route through a proxy, select Use Proxy, and then select the proxy you want to use.
  3. For WS Alert URL, type the IP address specified by the alert recipient for forwarded alert responses.
  4. For WS Alert Method, select the REST API method that the alert recipient specifies for forwarded alerts.
  5. To run a test of the specified settings, click Test.
    Important: A successful test confirms only that the alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  6. For WS Alert Headers, type the required alert header information specified by the alert recipient for forwarded alert headers.
  7. For WS Alert Request, type in the parameters that you want to be included in the forwarded alerts.
    Parameters listed here are included in the forwarded alert. For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  8. When you finish configuring the alert sending method, click Save & Close.
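
Added example (not F5 code) of the token exchange that the Custom settings above describe: obtain a token from WS Token URL with the configured method, headers and request body, reuse it until WS Token Timeout elapses, then send the alert to WS Alert URL with {token} rendered into the headers. The recipient, its JSON token format and all URLs are constructed assumptions, and the transport is a plain callable so the flow runs offline.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

def render(template, variables):
    """Substitute {name} placeholders; unknown names are left untouched."""
    return re.sub(r"\{(\w+)\}", lambda m: str(variables.get(m.group(1), m.group(0))), template)

@dataclass
class CustomRule:
    # transport: (method, url, headers, body) -> (HTTP status, response body).
    # Swapping in a real HTTP client here is the only change needed for a live recipient.
    transport: Callable[[str, str, Dict[str, str], str], Tuple[int, str]]
    ws_token_url: str
    ws_token_method: str
    ws_token_headers: Dict[str, str]
    ws_token_request: str             # body sent to obtain a token
    ws_token_response: str            # JSON key carrying the token (response format assumed)
    ws_token_timeout: int             # seconds a token stays valid
    ws_alert_url: str
    ws_alert_method: str
    ws_alert_headers: Dict[str, str]  # may reference {token}
    ws_alert_request: str             # body template built from forwarding variables
    _token: str = field(default=None, init=False)
    _expires: float = field(default=0.0, init=False)

    def _token_for(self, now):
        # Reuse the cached token until WS Token Timeout elapses, then renew it.
        if self._token is None or now >= self._expires:
            status, body = self.transport(self.ws_token_method, self.ws_token_url,
                                          self.ws_token_headers, self.ws_token_request)
            if status != 200:
                raise RuntimeError(f"token request failed with HTTP {status}")
            self._token = json.loads(body)[self.ws_token_response]
            self._expires = now + self.ws_token_timeout
        return self._token

    def forward(self, alert, now):
        """Send one alert at time `now` (seconds); returns the recipient's HTTP status."""
        variables = dict(alert, token=self._token_for(now))
        headers = {k: render(v, variables) for k, v in self.ws_alert_headers.items()}
        status, _ = self.transport(self.ws_alert_method, self.ws_alert_url, headers,
                                   render(self.ws_alert_request, variables))
        return status

class FakeRecipient:
    """Constructed stand-in for the recipient's service so the flow runs offline."""
    def __init__(self):
        self.tokens_issued, self.received = 0, []
    def __call__(self, method, url, headers, body):
        if url.endswith("/token") and method == "POST" and json.loads(body).get("client_id") == "bigiq-fps":
            self.tokens_issued += 1
            return 200, json.dumps({"access_token": f"tok-{self.tokens_issued}"})
        if url.endswith("/alerts") and headers.get("Authorization") == f"Bearer tok-{self.tokens_issued}":
            self.received.append(json.loads(body))
            return 202, ""
        return 401, ""

def make_rule(recipient):
    """Hypothetical settings a recipient might require (all values constructed)."""
    return CustomRule(recipient, "https://recipient.example/token", "POST",
                      {"Content-Type": "application/json"}, '{"client_id": "bigiq-fps"}',
                      "access_token", 300, "https://recipient.example/alerts", "POST",
                      {"Authorization": "Bearer {token}", "Content-Type": "application/json"},
                      '{"guid": "{guid}", "name": "{name}", "severity": "{severity}"}')
```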

Supported forwarding method variables

There are a number of forwarding method variables that you can use when you create an alert rule.

Variable Name                                     Alert Field
Account ID                                        {accountid}
Account Name                                      {account}
Alert Date (dd.mm.yyyy hh:mm)                     {date}
Alert Date (yyyy-mm-dd hh:mm:ss)                  {datefull}
Alert Date (Unix Timestamp)                       {unixdate}
Alert Domain                                      {domain}
Alert Name                                        {name}
Alert Severity                                    {severity}
Alert Query                                       {query}
Alert Recommendation                              {recommendation}
Alert Status (Numeric)                            {statusid}
Alert Status (Textual)                            {status}
Alert Type                                        {type}
Alert URL                                         {url}
Alert GUID                                        {guid}
Alert Referer                                     {referer}
Alert Details                                     {details}
Application Cookies                               {session_data}
Authentication Token (For CustomWS Notifications) {token}
Client Host Name                                  {hostname}
Client IP                                         {ip}
Client Language                                   {language}
Client Proxy Host Name                            {proxyname}
Client Proxy IP                                   {proxy}
Client Username                                   {user}
Client User Agent                                 {agent}
Client Country                                    {geoip_country}
Client City                                       {geoip_city}
Client Device ID                                  {device_id}
Client Device Parameters                          {device_params}
Full Alert HTML Data                              {ht_data}
MD5 of Full Alert HTML                            {ht}
MD5 of Minimal Alert HTML                         {min}
Minimal Alert HTML Data                           {min_data}
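
Added example (not F5 code) that serves both the Syslog forwarding method detail and the variables table above: it builds the {variable} map from one alert, renders a template with it, and prefixes the syslog PRI computed from the rule-wide facility and severity, which stays independent of the per-alert severity number. The sample alert, the UTC derivation of the three date variables from one Unix timestamp, and the MD5-from-HTML derivation are assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed alert record (not real FPS data); keys follow the variables table.
SAMPLE_ALERT = {
    "accountid": "1001", "account": "MortgageDept", "unixdate": 1500000000,
    "name": "Generic Malware", "severity": 90, "status": "monitor", "statusid": 2,
    "user": "jdoe", "ip": "203.0.113.7", "url": "https://bank.example/login",
    "guid": "0f3c1a7e-constructed", "ht_data": "<html>full</html>",
    "min_data": "<div>min</div>",
}

def alert_variables(alert):
    """Map an alert to the {variable} names in the table. The three date
    variables come from one Unix timestamp (UTC assumed) and the two MD5
    variables are computed from the HTML payloads (derivation assumed)."""
    ts = datetime.fromtimestamp(int(alert["unixdate"]), tz=timezone.utc)
    v = {k: str(alert[k]) for k in alert if k not in ("ht_data", "min_data")}
    v["date"] = ts.strftime("%d.%m.%Y %H:%M")
    v["datefull"] = ts.strftime("%Y-%m-%d %H:%M:%S")
    v["ht_data"] = alert.get("ht_data", "")
    v["min_data"] = alert.get("min_data", "")
    v["ht"] = hashlib.md5(v["ht_data"].encode()).hexdigest()
    v["min"] = hashlib.md5(v["min_data"].encode()).hexdigest()
    return v

def render_template(template, variables):
    """Replace {name} placeholders; unknown names stay visible in the output so a
    typo in a template is noticed instead of silently producing an empty field."""
    return re.sub(r"\{(\w+)\}", lambda m: variables.get(m.group(1), m.group(0)), template)

def syslog_pri(facility, severity):
    """Syslog PRI: facility (0-23) * 8 + severity (0-7), per RFC 5424."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def build_syslog_message(facility, severity, template, alert):
    """The rule-wide Syslog Severity goes into PRI; the per-alert severity
    number only appears if the template references {severity}."""
    return f"<{syslog_pri(facility, severity)}>" + render_template(template, alert_variables(alert))

DEFAULT_TEMPLATE = ("{datefull} account={account} alert={name} severity={severity} "
                    "user={user} ip={ip} guid={guid}")
```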

Add a fraud protection account

You create Fraud Protection accounts in order to receive alerts related to alert identifiers that have been configured on the BIG-IP® system. You can then assign BIG-IQ® users to limit their view of alerts and rules.

Accounts are used to filter alerts, and to transform rules and forwarding rules based on the alert ID configured on the BIG-IP system. Each FPS account has an account ID, and all alerts have an account ID field. You can view only the alerts whose account ID field matches an FPS account ID to which your user login has been assigned access.

The account name you give is displayed in place of the alert ID. If you configure an account, set the default view for each user that you assign to the account. Alert transform rules and forwarding rules that have an account are applied to alerts with the matching alert ID. If no accounts are assigned, then all alerts are considered.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service > Configuration, and then click WebService Configuration.
  3. Click Create.
    The New FPS WebService Configuration screen opens.
  4. Fill in as appropriate:
    WebService Name: Type a name for the account that you would like to send alerts to (for example, MortgageDept).
    Description: Type a description of the account that you would like to send alerts to.
    WebService URI: This value is always filled in by default. The only reason to change it is if you want to forward to another legacy dashboard.
    Remote Account ID: Type the remote account ID provided to you by the SOC.
    SOC User: Type the user name provided to you by the SOC. By default, the administrator is selected to look at the account.
    Note: To create a user, go to System Management > User Management > Users and click Add. Be sure to give the user a user role of Fraud Protection Manager or Fraud Protection View.
    SOC Password: Type the password provided to you by the SOC.
    Proxy: To route the alert traffic for this web service through a proxy, select Use Proxy, and then select the proxy you want to use.
    Test SOC Connection: To test the SOC connection, click the Test button to confirm that your settings are correct.
    Important: A successful test confirms only that a test alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  5. Click Save & Close.
You now have a fraud protection account that can manage the alerts that you specify.