Manual Chapter : Managing BIG-IQ Fraud Protection Service

Applies To:


BIG-IQ Centralized Management

  • 5.2.0

Fraud Protection Service overview

BIG-IQ® Fraud Protection Service (FPS) sends alerts to users whenever they are victims of malware or phishing attacks. BIG-IQ sorts all alerts into different types and displays them for you to monitor. With FPS you can create rules that modify alerts, create rules that forward alerts, or download rules from the Security Operations Center (SOC). Types of alerts include:

Uninspected Alerts
This list contains all alerts that have a status of New.
Monitored Alerts
This list contains all monitored alert types.
Note: If you have configured fraud protection accounts, then you can view only the alerts that have been specified for your account to view.
Phishing Alerts
Phishing alerts include phishing user, copied pages, and user defined phishing. These alerts are created when a phishing victim enters user credentials onto a phishing web site, or when a phishing site has been detected by JavaScript. The user name that appears in the alert is the user name that is entered into the phishing site.
Malware Alerts
Malware alerts are separated into generic malware, targeted malware, external scripts, page modification, and user defined malware. The malware detection component enables the organization to take the necessary steps to mitigate the risks of an attack in real time, keep track of its affected users, and reveal malicious money transaction attempts.
Suspicious Transactions
Suspicious Transactions include browser automation, remote access tools, transaction modification, and user defined. These alerts help prevent automated requests to the application's server by confirming that a request was made by a human rather than issued automatically. Automated requests can be issued by a Trojan horse that injects malicious JavaScript into the user's browser to perform an automatic money transfer to the attacker's account, or by bots attempting to scrape data from the application automatically.
Suspicious Logins
Suspicious logins include stolen credentials and user inspection. These alerts provide protection against Trojan horse attacks by encrypting information at the application layer on the client side, so that any information exposed to a Trojan horse is encrypted. The encryption is performed on the client side using a public key generated by the web server and provided uniquely per session. When the web server receives the encrypted information, it decrypts it using a private key that is kept on the server side.
Mobile
Mobile alerts integrate with the applications of financial service providers, improving protection against the threats described above and providing alerts about possible attacks. Mobile protection neutralizes local threats found on customers' mobile devices without altering the user experience; it prevents phishing, Trojan horse, and pharming attacks on mobile devices in real time through detection, prevention, and application-level encryption. These alerts are created when the system detects an infected mobile device. Alert types included in this category are Mobile Malware, Mobile Man-in-the-middle (MITM), Mobile Security, and User Defined.
Validation Errors
Validation error alerts are created when the expected cookie is missing or corrupted. Validation errors include transaction errors, encryption errors, missing components, and mobile errors.
Unfiltered Alerts
Unfiltered alerts are unfiltered views of all alerts except those that have the status of Ignore.
Saved Filters
Saved Filters is a list of custom filters that you create and save; each filter is unique to the user who created it. Saved filters are helpful if you want to create your own view of alerts: if you are tracking down a specific type of attack, you can save a filter and reuse it to check on that type of alert. The BIG-IQ® Fraud Protection Service provides a rich set of querying features that let you quickly and efficiently locate the alerts you are interested in.

FPS Alerts overview

There are a number of things you can do to specify the response to different kinds of alert types.

Each alert type has its own user interface, but the controls used to edit the rules that govern the response to these alerts are very similar.

Most alert types are organized into groups. On any list screen, you can click the little black triangle to expand the list.

  • To access the Filter Alerts screen, click the Filter button at the top left of the screen. On the Filter Alerts screen you can view the existing query that defines the current alert rule. You can specify additional detail to further refine the query or create a new custom query.
  • To refresh the list of alerts on the screen, click Refresh.
  • To create a rule based on an alert, select the check box of the alert you want to use as the basis for the rule, and click Create Rule.
  • To filter the list of alerts so that only alerts generated during one session are displayed, select the check box of the alert you are interested in, and click Filter Related.
  • To export one or more alerts files to a CSV file that you can edit or inspect, click More, and then select Export.
  • To change the status for an alert, select the check box for that alert, click More, and then select Change Status.
    Note: If all the check boxes are selected in a list, you can choose to either change the status for all of the alerts that are in view, or change the status for all of the alerts that match the query.
  • To remove an alert, select the check box for that alert, click More, and then select Delete.
    Note: If all the check boxes are selected in a list, you can choose to either remove all of the alerts that are in view, or remove all of the alerts that match the query.
When you select a single alert, two changes take place:
  • A Filter Related button becomes active. Click this button to view only alerts that have the same session global unique identifier (GUID) as the selected alert.
  • A preview pane opens to show you details about the selected alert.
To use the Filter field in the right corner:
  1. From the Filter control, select the type of match (Contains, or Exact) that you want to use.
  2. In the Filter field, type the filter criteria you want to use, and press Enter.
  3. A Filtered by field displays the criteria you applied, and the screen displays only alerts that match those criteria.
  4. To see the rest of the alerts again, click the X to clear the Filtered by criteria.

To display additional information about a specific alert, select the check box that corresponds to it. A preview pane opens to show you details about the selected alert. The tabs that display depend on what data is available for the selected alert.

Details This tab displays details about the URL that triggered the alert.
  • Alert URL: The URL of the site that was in use when the alert was sent.
  • Alert Status: The current status of the alert.
  • Alert Severity: The severity of the alert. By default, new alerts have a 50% severity, unless the alert matches an existing rule.
  • Referrer: The URL of the site that was visited just before the Alert URL was visited.
  • User Agent: User browser type and operating system.
  • Language: User browser and operating system language.
  • Domain: The name of the domain that triggered the alert.
  • User: The name of the dashboard user who performed an action that triggered the alert.
  • Alert Details: The display varies depending on the type of alert.
  • Device ID: The ID of the device that triggered the alert.
  • Matched URL: The portion of the URL that matched and triggered the alert.
HTML This tab is visible only if the alert includes these details. It shows you the raw HTML that was included in the alert.
Data This tab is visible only if the alert includes these details. It shows you the raw HTML and other data that was extracted for further diagnosis of the alert condition.

If the alert type is External Sources or Trojan Validator, this tab displays the malware detection alerts.

For External Sources, the alert type is 6, the alert component is 5, and the value contains the forbidden added HTML element and its contents in escaped base64 format.

For Trojan Validator, the alert type is 6, the alert component is 3, and the value contains the bait signatures in escaped base64 format.
About This tab gives a brief summary of details about the alert type.
Advanced This tab displays the exact query that was sent in the alert. This information can be used to debug alerts and understand the cause of the alert. It is helpful for the Security Operations Center (SOC).
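The Data and Advanced tabs expose the raw alert parameters, including the escaped base64 value carried by the two malware detection alert types described above. The following helper, an added example and not BIG-IQ code, decodes such a value and labels it by its (alert type, component) pair. It assumes the raw alert is available as a URL query string with parameters named alertType, component and value (the parameter names are an assumption), and that "escaped base64" means standard base64 that was URL-encoded for transport; the sample query is constructed.

```python
"""Decode the escaped base64 value of an alertType 6 malware-detection alert.

Added example, not BIG-IQ code. Assumptions: the raw alert is a URL query
string with parameters named alertType, component and value (names assumed),
and "escaped base64" is standard base64 that was URL-encoded for transport.
"""
import base64
from urllib.parse import parse_qs, quote

# Alert type / component pairs described for the Data tab in this chapter.
COMPONENTS = {
    (6, 5): "External Sources",   # value: forbidden added HTML element
    (6, 3): "Trojan Validator",   # value: bait signatures
}


def decode_value(escaped_b64):
    """Undo the base64 layer; parse_qs has already removed the URL escaping."""
    # parse_qs turns an unescaped '+' into a space; restore it before decoding.
    text = escaped_b64.replace(" ", "+")
    raw = base64.b64decode(text, validate=True)
    return raw.decode("utf-8", errors="replace")


def classify_alert(query_string):
    """Return {"kind", "value"} for a malware-detection alert, else None."""
    params = parse_qs(query_string)
    try:
        key = (int(params["alertType"][0]), int(params["component"][0]))
    except (KeyError, ValueError):
        return None
    kind = COMPONENTS.get(key)
    if kind is None or "value" not in params:
        return None
    return {"kind": kind, "value": decode_value(params["value"][0])}


# Constructed sample: an injected element such as an External Sources alert carries.
INJECTED_HTML = '<script src="https://example.invalid/inject.js"></script>'
SAMPLE_QUERY = "alertType=6&component=5&value=" + quote(
    base64.b64encode(INJECTED_HTML.encode()).decode(), safe="")

if __name__ == "__main__":
    print(classify_alert(SAMPLE_QUERY))
```

Because the decoded value is attacker-influenced markup, treat it as data when you inspect it (print it, do not render it in a browser), which is also why the helper returns a string rather than writing a file.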

Add an advanced query filter

Before you can perform this task, you must be logged in as Admin.

BIG-IQ® Fraud Protection Service provides a rich set of querying features that allow you to quickly and efficiently locate the alerts that you are interested in.

When you select the Filter button from an alerts screen, or when you select add/edit from the Saved Filters screen, you see a dialog box that allows you to specify what alerts you want to filter for.

The screen provides the most common filters in list and text boxes, but you can specify additional filters. The filters that display initially depend on the type of alert you are configuring.

  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service, and then click Alerts.
  3. On the left, select the type of alert for which you want to specify an advanced filter.
    The Filter Alerts screen opens.
  4. To add filter details, click the Filter button.
    The Filter Alerts popup screen opens.
  5. Complete the Filter Alerts screen:
    1. For Filter Name, if you want to save this query for future use, type a name for this set of query details.
    2. For Category, select one or more categories to specify the type of alert.
    3. For Date, you can specify last 2 weeks, last month, last three months, last six months, or select a custom date range. If you only specify a start date, BIG-IQ selects all alerts from the start date to the current date.
    4. For Alert Severity, type the minimum and maximum severity of the alerts that you want to match.
      If the maximum is not entered, the default is 100.
    5. For Status, if you choose one of the options, only alerts of that status are shown.
      If multiple statuses are needed, specify them in the Additional Query Parameter field (near the bottom of the screen).
    6. For Location, select the geographic location on which you want to filter.
    7. For User, type the name of the user that triggered the alert.
      You can use a wildcard *. For example p* matches all users whose name starts with the letter P.
    8. For Domain, type the domain of the site that was in use when the alert was sent.
      You can use a wildcard *. For example p* matches all host domains whose name starts with the letter P.
      You can also type the domain of the phishing site or the host of the site that was detected.
    9. For Client IP, type the IP address of the victim of the alert in which you are interested.
    10. For Alert URL, type the source URL that caused the alert.
    11. For Guid, type the unique identifier for the set of alerts that make up one session.
      To find the guid, select the alert, and then click the Advanced tab. Under Query Parameters, look for fpm_guid.
    12. For Additional Query Parameters, if what you want cannot be specified with the quick selections, you can use the query language.
      The format for these query parameters is: key1: value1 key2: value2 (key3:value3 OR key4). OR is implied if it is not supplied.
      Important: The query string syntax is parsed into a series of terms and operators. A term can be a single word or a phrase. Note that phrases must be surrounded by double quotes. In general the query string syntax observes the Lucene query syntax. The following characters are reserved and cannot be used in a query:
       + - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /
      For example: (alertType:6 OR alertType:8) language:*us
      For a list of advanced query parameters refer to Advanced Query Parameter Syntax.
  6. Click Save.

Additional Query Parameters

If what you want cannot be specified with the quick selections, you can use the query language. The available query parameters are listed here.

Parameter Name    What it means
category          The type of alert. Select one or more categories. If none are selected, the search applies to all categories.
alertUrl          The source URL that caused the alert.
alertType         A specific type of alert within a category.
device            A specific variation within a type of alert.
component         A specific variation within a type of alert.
domain            The domain of the site that was in use when the alert was sent. You can also type the domain of the phishing site, or the host of the site that was detected.
clientIp          The IP address of the victim of the alert that you are interested in.
details           This parameter can contain many different values depending on the type of alert.
device            The device ID of the machine generating the alert (typically a mobile device).
alertId           A unique ID configured on the BIG-IP® device for each virtual IP address.
severity          Specifies the ID of the customer in the dashboard. When configuring a mobile security anti-fraud profile, you must ensure that the value you assign here for Alert Identifier is the same value used for VMobile's customer parameter in the init iOS method and Android constructor.
status            The status assigned by the SOC.
userAgent         The user browser type and operating system.
continent         The continent code.
country           The country code.
region            The region code.
language          User browser and OS language.
referer           The URL of the site that was visited just before the alert URL was visited.
uri               The URI to which the client requested to go.
user              The name of the user that triggered the alert.
guid              The unique identifier for the set of alerts that make up one session.
rule              As set by the user in the rule.
alertDetails      As set by the user in the rule.
recommendation    As set by the user in the rule.
date              You can specify last 2 weeks, last month, last three months, last six months, or select a custom date range. If you only specify a start date, BIG-IQ® selects all alerts from the start date to the current date.
cookie            Cookie information associated with this alert.
dateType          The number of days back from which to start the query.

Create and save a custom filter

Before you can perform this task, you must be logged in as Admin.

You can create and save custom filters. This process is very similar to creating an advanced query filter, except you start with no default set of filters.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service, and then click Alerts.
  3. Click Saved Filters.
    The Saved Filters screen opens.
  4. Click Create to create a new filter.
    The New Saved Filter screen opens.
  5. In the Filter Name field, type a name for the alert filter.
  6. For Category, select the type of alert from the list.
  7. For the Date, select from the options in the list.
    The options are Last 2 weeks, Last month, Last three months, Last six months, or a Custom date range. If you only specify a start date, the system selects all alerts from the start date to the current date.
  8. For Alert Severity, select the severity level of the alert. The From and To fields include numbers ranging from 1 to 100.
  9. For Status, select the status from the list. You can pick one of the options, and only alerts of that status are shown. If you need more than one status, you can specify that in the Additional Query parameter field.
  10. For Location, select the location from the list.
  11. For User, type the user name.
  12. In the Domain field, type the domain.
    The system only matches on exact match, and is case sensitive.
  13. In the Client IP field, type the client IP address.
  14. In the Alert URL field, type the alert URL.
  15. In the Guid field, type the unique identifier.
  16. If what you want cannot be specified with the quick selections, you can use the query language in the Additional Query Parameter setting.
    The format is: key1: value1 key2: value2 (key3:value3 OR key4). For example:
    (alertType:6 OR alertType:8)
    after Feb 02 2015 07:56:26 before Feb 10 2015 23:56:26
    host:versafe.com alertId:ddd
    severityGE:2 severityLE:94
    status:new rule:rule1
  17. Click Save & Close.
You have now created and saved alert filters.
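The query language used in step 16 above, in step 12 of the advanced query filter procedure, and in the Additional Query Parameters table can be exercised offline with the following evaluator. It is an added example, not BIG-IQ code and not the product's query engine; it runs the chapter's example queries over three constructed alerts so you can see which records a given filter admits before saving it. Assumptions beyond the chapter: alerts are plain dicts, `after`/`before` take a date written as "Mon DD YYYY HH:MM:SS" (four tokens, as in the chapter's example), `severityGE`/`severityLE` compare a numeric `severity` field, `*` is a glob wildcard, a bare key with no value (the chapter's `key4`) matches alerts where that field is non-empty, and the operator implied between terms is OR, as the chapter states, with a switch to AND for comparison.

```python
"""Offline evaluator for the FPS 'Additional Query Parameters' syntax.

Added example, not BIG-IQ code. Assumptions beyond the chapter: alerts are
dicts; after/before take "Mon DD YYYY HH:MM:SS"; severityGE/severityLE compare
the numeric severity field; * is a glob wildcard; a bare key matches alerts
whose field is non-empty; the implied operator is OR (switchable to AND).
"""
import fnmatch
import re
from datetime import datetime

# Constructed sample alerts (not real FPS data).
ALERTS = [
    {"alertId": "a1", "alertType": 6, "severity": 50, "status": "new",
     "language": "en-us", "host": "example.test", "rule": "rule1",
     "date": datetime(2015, 2, 5, 12, 0, 0)},
    {"alertId": "a2", "alertType": 8, "severity": 95, "status": "open",
     "language": "fr-fr", "host": "example.test", "rule": "",
     "date": datetime(2015, 2, 12, 9, 0, 0)},
    {"alertId": "a3", "alertType": 2, "severity": 10, "status": "new",
     "language": "en-us", "host": "other.test", "rule": "rule1",
     "date": datetime(2015, 1, 20, 8, 0, 0)},
]

# Tokens: a double-quoted phrase, a parenthesis, or a run of other characters.
TOKEN = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')
DATE_FMT = "%b %d %Y %H:%M:%S"


def tokenize(query):
    return TOKEN.findall(query)


def parse(tokens, default_op="OR"):
    """Recursive-descent parser producing a small AST:
    ('term', key, value) or ('op', 'AND'|'OR', left, right)."""
    if not tokens:
        raise ValueError("empty query")
    pos = 0

    def primary():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            node = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis")
            pos += 1
            return node
        if tok in ("after", "before"):          # date spans the next four tokens
            value = " ".join(tokens[pos:pos + 4])
            pos += 4
            return ("term", tok, datetime.strptime(value, DATE_FMT))
        if tok.endswith(":"):                   # "key: value" written with a space
            value = tokens[pos]
            pos += 1
            return ("term", tok[:-1], value.strip('"'))
        key, sep, value = tok.partition(":")
        return ("term", key, value.strip('"') if sep else None)

    def expr():
        nonlocal pos
        node = primary()
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos] in ("AND", "OR"):
                op = tokens[pos]
                pos += 1
            else:
                op = default_op                 # operator implied between terms
            node = ("op", op, node, primary())
        return node

    node = expr()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return node


def matches(node, alert):
    """Evaluate an AST node against one alert dict."""
    if node[0] == "op":
        _, op, left, right = node
        if op == "AND":
            return matches(left, alert) and matches(right, alert)
        return matches(left, alert) or matches(right, alert)
    _, key, value = node
    if key == "after":
        return alert["date"] > value
    if key == "before":
        return alert["date"] < value
    if key == "severityGE":
        return alert["severity"] >= int(value)
    if key == "severityLE":
        return alert["severity"] <= int(value)
    field = alert.get(key)
    if value is None:                           # bare key: field is non-empty
        return bool(field)
    return fnmatch.fnmatchcase(str(field), value)


def search(query, alerts=ALERTS, default_op="OR"):
    """Return the alertIds of the alerts matching the query string."""
    ast = parse(tokenize(query), default_op)
    return [a["alertId"] for a in alerts if matches(ast, a)]


if __name__ == "__main__":
    q = "(alertType:6 OR alertType:8) language:*us"
    print(search(q))                     # implied OR: ['a1', 'a2', 'a3']
    print(search(q, default_op="AND"))   # explicit AND: ['a1']
```

With the implied OR that the chapter documents, a multi-clause filter such as the date, host, severity and status example above admits any alert that satisfies any one clause, while the same clauses joined by AND admit only alerts satisfying all of them. Running a saved filter against a handful of known alerts, as the test below does, is a quick way to confirm which reading you are actually getting before relying on the filter for monitoring.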

Change an alert status

Before you can perform this task, you must be logged in as Admin.
You can change the status of alerts in Fraud Protection Service. An alert status change is performed by an admin, security manager, or FPS manager to indicate that an alert has been inspected, and what the status of the alert is.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service, and then click Alerts.
  3. Click Unfiltered Alerts.
  4. Select the check box of the alert whose status you want to change.
  5. Click the More button, and then select Change Status.
  6. Under Select the new status to set on alerts, select the new status from the list.
    Option    Description
    New       The SOC team has not yet handled this item.
    Open      The SOC team is currently handling this item.
    Handle    The SOC team has finished handling this item.
    Monitor   The SOC team has monitored this item.
    Close     The SOC team has closed this item.
    Ignore    The SOC team is familiar with the alert and has decided that it is not malicious (the alert is a false positive). Ignored alerts can be seen only when using filters.
    Official  The SOC team has determined that this specific URL is legitimate.
  7. Click Change Selected.
    The message Changing alert statuses displays while your request is processed.
  8. Click Close when the alert status change completes.

Remove an alert

Before you can perform this task, you must be logged in as Admin.

You can delete the alerts that you have created in FPS.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service, and then click Alerts.
  3. On the left, select the alert type that you want to delete.
  4. Select the specific alert you want to delete, then click the More button, and select Remove.
    Note: If the header check box is selected, when you click Remove you are prompted to choose whether to remove all of the alerts that are currently selected (only 50 to 75 are selected at a time due to memory constraints) or all of the alerts that match the query.
The specified alerts are deleted.

Export an alert

Before you can perform this task, you must be logged in as Admin.

You can export the alerts that you have created in FPS.
  1. At the top of the screen, click Monitoring.
  2. On the left, expand EVENTS > Fraud Protection Service, and then click Alerts.
  3. On the left, select the alert type that you want to export.
  4. Select the alert you want to export, then click the More button, and select Export.
The specified alerts are exported to a .csv file in your Downloads folder.