Insights of F5 Distributed Cloud WAAP Events Export, New Operators and Trends features

As part of release cycle management F5 Distributed Cloud (F5 XC) keeps on releasing new features. July[1] upgrade has released 3 new features in Web Application and Api Protection (WAAP) and Security dashboards.  

Let’s dive into them one by one. 

WAAP Events Export: 

Security dashboards capture different types of logging metrics and sometimes users may need these logs to analyze them offline. WAAP Exports feature addresses this problem by exporting the latest 500 security related logs in csv format. Users can export logs from events, incidents and requests tabs of security dashboard.

Feature can be checked by following below step: 

1. Login to F5 XC console and navigate to "Distributed Apps” menu
2. Under "Load Balancers” section, click on “HTTP Load Balancers” page
3. Click on “Security Monitoring” link under your load balancer name
4. Navigate to “Security Analytics” tab
5. Filter your needed logs and then click on “Download” button as below
   Fig 1: Image showing navigation path
   
6. Logs can also be downloaded from “Incidents” and “Requests” tabs as below
   Fig 2: Image showing export feature in Incidents tab
   Fig 3: Image showing export feature in Requests tab

WAAP Trends: 

Production security dashboards show plenty of logging information to understand the security posture of their Apps and API’s currently for the ongoing traffic. Owners can go through them to analyze the traffic and come to decisions if ongoing data is malicious and has any threats. This process is a little time-consuming and needs human expertise in traffic analysis. Users are looking for a top-level overview of how many attacks are seen in a specific period compared to the last period. 

WAAP Trends feature in security dashboards of HTTP load balancer enables users to view the change in metrics (up or down) compared with previous period. Incoming traffic is analyzed using internal tools to decide the sentiment (positive, negative or neutral) and is displayed in UI thereby saving lot of time. Users can instantly check the sentiment and if needed can update the existing configurations to safeguard the applications. 

As I was writing this article, I keep remembering this famous generic quote “Trend is your Friend” which conveys the importance of identifying the current trend in safeguarding your applications. 

Feature can be checked by following below step: 

1. Login to F5 XC console and navigate to "Distributed Apps” menu
2. Under "Load Balancers” section, click on “HTTP Load Balancers” page
3. Click on “Security Monitoring” link under your load balancer name
4. Trend is available for different features like API Security, Bot Defense, WAF, Security policy, etc. Check the current trend in each widget fields as shown below - 
   
    
   Fig 4: Image showing trends in security dashboard
   
5. Trend feature is also available in bot defense dashboard for different fields like Human & Malicious traffic, Good bots, etc. as displayed below -
   Fig 5: Image showing Bot Defense Trends
   

New Operators in Security Analytics Page: 

Two operators (Present and Not Present) are newly added for filters in Security Analytics page. These operators help users to easily search and filter through security events and incidents to identify specific violations, event types, and/or application attributes.  

Present operator helps users to identify and segregate the events/incidents with the provided key. Users should provide a key according to their need from the available list of keys and Distributed Cloud (XC) internally validates all the requests if the provided key is Present and filter them. The filtered data will be displayed on dashboard to users and other requests will be ignored. This granular filtering can accelerate investigation time and improves users' ability to respond quickly. 

Similarly, Not Present operator identifies and displays the events/incidents in which the mentioned attribute/key is not available. 

Here is a basic example which explains the usage of operators: 

1. Login to F5 XC console and navigate to "Distributed Apps” menu. 
2. Under "Load Balancers” section, click on “HTTP Load Balancers” page. 
3. Click on “Security Monitoring” link under your load balancer name. 
4. Navigate to “Security Analytics” tab. 
5. In the Events tab, we can view multiple triggered events. Fig 6: Image shows all the triggered events.
6. Add a filter with “bot_classification” and operator as Present. 
7. This will filter out and provide the events which have “bot_classification” key in it. In the below image, we can see that XC displayed only 9 items which have bot_classification key and ignored other requests which do not have it.  Fig 7: Image shows filtered events in which bot_classification attribute is present. 
8. Now let us change the filter to “signatures.attack_type” and operator as Not Present. 
9. This will filter out and provides only the events which do not have “signatures.attack_type” key in it. In the below image we can observe that XC filtered and provided 20 items. Fig 8: Image shows filtered events in which signatures.attack_type attribute is not present.

In this manner, ease of filtering can be achieved using operators in XC console. 

I hope this article has provided a summary of newly implemented features of WAAP events export, trends and new operators which focus on logging and security dashboards.

Stay tuned for more feature article. For more details refer below links: 

1. Overview of WAAP
2. Load balancer creation steps
3. Monitoring load balancer