
Alerts and Monitoring

© 2015 Imperva, Inc. All rights reserved.


Lesson Objectives

 Use the Monitor > Dashboard view.
 Use the Monitor > Alerts view.
 Understand alert aggregation.
 Apply basic, quick, and advanced filters to alert data.
 Use the tuning buttons inside the alert details pane.
 Use filtering and sorting in the Violations view.
 Monitor changes to gateway status, configuration, and user permissions.
 Determine whether blocked sources represent a threat, or alternatively decide that the traffic is valid and unblock it.



Key Terms

 Dashboard
• Snapshot views of gateways, server groups, system load, and connections per second.
 Alerts
• Aggregated information on groups of violation events.
 Violations
• Un-grouped chronological list of violation events.
 System Events
• Internal SecureSphere change and health history.
 Blocked Sources
• Sources of communication that have been quarantined for violating a security policy.
• Result of a “Block” followed action.



Dashboard



Monitor – Dashboard View

 Go to Main > Monitor > Dashboard.
 Dashboard panels shown in the screenshot: ThreatRadar, CPU Load / Hits per sec, Connections per sec / Throughput, Alerts Graph, SOM Status, Latest Alerts, Gateways, Server Groups, Latest System Events.



Dashboard Components: Line Graphs

 Go to Main > Monitor > Dashboard.
 Select the down arrow.
 Alternate views between CPU Load and Hits/sec.
 Alternate views between Connections/sec and Throughput.



Dashboard Components: CPU Load

 Go to Main > Monitor > Dashboard.
 Typical performance should not be above 60 or 70% for the various values.

Dashboard Components: Gateways Pane

 Go to Main > Monitor > Dashboard.
 Different colors for gateways.
 Select each gateway line to see Server Group details.
 Go to Main > Setup > Gateways.
 Verify status.



Dashboard Components: Server Groups

 Go to Main > Monitor > Dashboard.
 Look for the status symbols: Running, Warning.



Dashboard Components: Latest Alerts and System Events

 Go to Main > Monitor > Dashboard.
 View the Latest Alerts list.
• By default, it displays alerts from the Alerts table for the past 3 days.
 View the Latest System Events list.



Dashboard Components: Latest Alerts

 Go to Main > Monitor > Dashboard.
 Changing the Latest Alerts view will change the Alerts Graph.



Viewing Alerts and Violations



Alerts and Violations

 Violation: a security-related event.
 Alert: an aggregated group of violations of the same type.
• One alert may contain multiple violations.
• One attack may generate more than one violation.
• Generally, an alert contains information about an attack and includes the individual violations.
(Diagram: Alert 1 and Alert 2, each grouping some of Violation 1 through Violation 4.)



One Packet, Multiple Attacks – Multiple Violations

 Good: GET / HTTP/1.1
 Bad: GOGET /_vti-bin/admin.asp HTTP/1.22 (annotated with a Violation callout in the slide)
 A single attack can hit multiple targets.
 A single packet can violate multiple policies or match multiple signatures.
 A single attacking packet can generate several violations under different alerts.



Viewing Alerts

 Go to Main > Monitor > Alerts.
 Hide the Filter & Details hanging tabs to provide more viewing area.
 When the MX is restarted, the alert number jumps to the next increment of 1000.



Modifying the Alerts List View

 Go to Main > Monitor > Alerts.
 Adding columns gives more information and more sorting options.



Modifying the Alerts List View

 Go to Main > Monitor > Alerts.
 Click Action > Select Columns.



Interpreting Alert Icons



Key Alert Information in the Alert Details Pane

 Go to Main > Monitor > Alerts.
 Immediate and Followed Actions.
 Click the policy hyperlink to view Policy Details.
• Review how the policy was defined.



Simulated Block and Active Block Alerts

 Block in Simulation Mode is displayed in black text.
• Alert details action shows Immediate Block (Simulation Mode).
 Block in Active Mode is displayed in red text.
• Alert details action shows Immediate Block.



Geographic Alert Map

 Go to Main > Monitor > Alerts > Geographic Alert Map.
 Requires a Geo IP license.



Geographic Alert Map



Aggregated vs. Non Aggregated Alerts

 Go to Main > Monitor > Alerts.
 Each row in the list pane represents an aggregated or non-aggregated alert.
 Aggregated alerts have a number higher than 1 in the # column of the list pane.



Viewing a Non Aggregated Alert

 Go to Main > Monitor > Alerts.
 Displays 1 in the # column and a unique event number.



Alert Aggregation

 Provides an overview of violation events.
 Aggregation works on a per-policy basis using aggregation keys.
 Alerts are aggregated when:
• Violations are of the same policy.
• 2 or more violations have specific key fields in common.
 Examples:
• XSS violations with the same session ID, source IP, user, destination application, URL, and parameter.
• Excessive attempts of DB login with the same source IP, OS username, destination server group, and destination IP.
(Diagram: Violation 1, Violation 2, Violation 3 → Aggregation → Alert.)



Alert Aggregation Process

(Flowchart, reconstructed from the slide labels:)
1. A violating event arrives and a simple alert (VIOLATION) is created for each policy violation.
2. Is it related to an existing alert? If not, create a new alert and start aggregation monitoring.
3. If yes, aggregate it with the existing alert and update that alert.
4. Aggregation for an alert ends (no further aggregation) once 1 hr has passed since its last update or 12 hrs since its start.



Example of Aggregated Alert

 Go to Main > Monitor > Alerts.
 More than 1 event in the # column.
 Timeline graph in details.
 Aggregation values.
 Multiple violations.



Understanding the Timeline Graph

 Go to Main > Monitor > Alerts.
 Click the magnifying glass for the aggregation rule description.
 Graphical Timeline:
• 30-minute slices.
• 12 hrs max.
• Start / end time.



Aggregation Details

 Go to Main > Monitor > Alerts.
 View displays how events were aggregated.
• Distinct values of key fields.
 Statistical information.
 Detailed information on the security events which violated the policy.



Alert: Violation Details

 Go to Main > Monitor > Alerts.
 Violation details are collected on the first 30 aggregated events.
 Expand (+) to see details:
• Event time.
• Raw data of the event.
• Highlighted violation.
• Source and destination.



Distributed vs. Multiple in Alert Description

 Multiple Alert - contains more than one security event of the same kind.
 Distributed Alert - contains a range of values for any of the fields that are not part of the aggregation key.
• For example, you might see that a violation originated from multiple IP addresses when the IP address is not part of the policy’s aggregation keys.
• Commonly generated when security events come from multiple sources:
 Different source IPs.
 Different sessions.
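To make the aggregation rules and the Multiple / Distributed labelling concrete, here is an added Python sketch (not SecureSphere code) that applies per-policy aggregation keys, the 1 hr idle and 12 hr age limits from the process diagram, and the description rule above to a constructed list of violations. The field names, the thresholds as constants and the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Thresholds read off the process diagram (assumed, not product constants): an open
# alert stops accepting violations 1 hr after its last update or 12 hrs after it started.
MAX_IDLE, MAX_AGE = timedelta(hours=1), timedelta(hours=12)
# Per-policy aggregation keys, following the two examples on the slide.
AGGREGATION_KEYS = {
    "XSS": ("session_id", "source_ip", "user", "application", "url", "parameter"),
    "Excessive DB Logins": ("source_ip", "os_user", "server_group", "dest_ip"),
}

def aggregate(violations):
    """Walk violations in time order; attach each to a related open alert or open a new one."""
    alerts = []  # each alert: {"policy", "key", "start", "last_update", "violations"}
    for v in sorted(violations, key=lambda x: x["time"]):
        key = tuple(v[f] for f in AGGREGATION_KEYS[v["policy"]])
        related = [a for a in alerts if a["policy"] == v["policy"] and a["key"] == key
                   and v["time"] - a["last_update"] <= MAX_IDLE
                   and v["time"] - a["start"] <= MAX_AGE]
        if related:
            related[0]["violations"].append(v)
            related[0]["last_update"] = v["time"]
        else:
            alerts.append({"policy": v["policy"], "key": key, "start": v["time"],
                           "last_update": v["time"], "violations": [v]})
    return alerts

def description(alert):
    """'Multiple' = more than one event of the same kind; 'Distributed' = a non-key field varies."""
    events, policy = alert["violations"], alert["policy"]
    if len(events) == 1:
        return policy
    skip = set(AGGREGATION_KEYS[policy]) | {"policy", "time"}
    distributed = any(len({v[f] for v in events}) > 1 for f in events[0] if f not in skip)
    return f"{'Distributed' if distributed else 'Multiple'} {policy}"

T0 = datetime(2015, 6, 1, 9, 0)  # constructed sample input, not a real capture
xss = dict(policy="XSS", session_id="S1", source_ip="10.0.0.5", user="alice",
           application="shop", url="/search", parameter="q", user_agent="curl")
dbl = dict(policy="Excessive DB Logins", source_ip="10.0.0.5", os_user="svc",
           server_group="DB-Prod", dest_ip="10.1.1.1", db_user="sa")
SAMPLE_VIOLATIONS = [
    {**xss, "time": T0}, {**dbl, "time": T0},
    {**dbl, "time": T0 + timedelta(minutes=5), "db_user": "admin"},  # non-key field differs
    {**xss, "time": T0 + timedelta(minutes=10)},                     # same key, within 1 hr
    {**xss, "time": T0 + timedelta(hours=2)},                        # idle > 1 hr: new alert
]
```

Running `aggregate(SAMPLE_VIOLATIONS)` yields three alerts: a Multiple XSS alert, a Distributed Excessive DB Logins alert, and a fresh single-event XSS alert opened because the earlier one had been idle for more than 1 hr.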



Example of Alert containing “Multiple” in Description



Example of Alert containing “Distributed” in Description



Alert Filtering



Basic Filter Options

 Go to Main > Monitor > Alerts.
 Many options allow you to refine your list of alerts:
• Expand (+) the filter category.
• Select the filter criteria.
• Apply.
 The filter icon next to a category indicates that a filter is applied.
• Use the Clear button at the bottom to remove any basic filtering applied.

2 Criteria Selected in Basic Filter between Categories

 Go to Main > Monitor > Alerts.
 Basic Filters use:
• ‘AND’ between categories.
• ‘OR’ within categories.
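As an added illustration (not SecureSphere code), the Python below evaluates a Basic Filter over a constructed alert list with exactly these semantics: OR within a category, AND between categories, and a category with nothing selected imposes no constraint. The field names and the dictionary shape of the filter are assumptions.

```python
# Constructed alert records; field names are assumptions, not MX column names.
ALERTS = [
    {"id": 1001, "severity": "High", "policy_type": "Signature", "server_group": "Web-Prod"},
    {"id": 1002, "severity": "Low", "policy_type": "Profile", "server_group": "Web-Prod"},
    {"id": 1003, "severity": "Medium", "policy_type": "Signature", "server_group": "DB-Prod"},
    {"id": 1004, "severity": "High", "policy_type": "Profile", "server_group": "DB-Prod"},
]

def matches(alert, basic_filter):
    """Basic Filter semantics: OR within a category (the alert's value is one of the
    selected criteria), AND between categories (every category with criteria must match).
    A category with nothing selected adds no constraint, as after Clear."""
    return all(alert[category] in selected
               for category, selected in basic_filter.items() if selected)

def apply_basic_filter(alerts, basic_filter):
    """Return the ids of the alerts that survive the filter, in list order."""
    return [a["id"] for a in alerts if matches(a, basic_filter)]

# Two criteria chosen in Severity (High OR Medium) AND one in Policy Type (Signature);
# Server Group is left empty, so it does not restrict the result.
EXAMPLE_FILTER = {"severity": {"High", "Medium"}, "policy_type": {"Signature"},
                  "server_group": set()}
```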



Alert Filtering: Quick Filter

 Go to Main > Monitor > Alerts.
 Quick Filter allows you to search fields for relevant data.
 Click on ? Tips to see help options for using Quick Filter.
 Tuning tip:
• Distributed in an aggregation = more likely a false positive.
• Multiple in an aggregation = more likely an attack.
• Isolated, single events are the most suspicious.



Alert Filtering: Advanced

 Go to Main > Monitor > Alerts.
 Click to open the Advanced Filter.



Alert Filtering: Advanced

 Go to Main > Monitor > Alerts.
 Open Advanced Filter.
 Provides more granular filtering options:
• Last few days.
• Time frame.
• Look up Data Set.
 Notice that Last Few Days is applied by default.



Saved Filters

 Go to Main > Monitor > Alerts (and other locations in the GUI).
 Filters are available to everyone.
 Best practice: name saved filters as Team name – Filter name.



Flagging Alerts

 Go to Main > Monitor > Alerts.
 Unread = bold.
 Read = regular.
 Right-click to mark.
 Acknowledged = check mark.
 Dismissed = x mark.
 Important = exclamation point.



Flagging Alerts

 Go to Main > Monitor > Alerts.
 Flagged alerts can be filtered.
 Alerts may also be deleted using the red X.



Violations



Violation View

 Go to Main > Monitor > Violations.
 Useful to view ALL violations from a specific source or in a certain timeframe (violations of different types).
 Violation view offers:
• Customized grouping via the Filter pane.
• Chronological list of violations.



Violation List View

 Go to Main > Monitor > Violations.
 Easily sorted by any column.
 Click the IP link for the IP Forensics view.



Viewing Violations

 Go to Main > Monitor > Violations.
 Violation = details about an individual security event.



Functionality Inside Violation Events

 Open the knowledge base.
 Directly view the policy for the event.
 Add this event as an exception to the policy.
 Add this profile violation to “good” profile behavior.



Violation Details Pane

 Go to Main > Monitor > Violations.
 Provides a violation overview: why and what.



Violation Details Pane

 Go to Main > Monitor > Violations.
 Open the knowledge base to understand why the event is considered a violation.



Violation Details Pane

 Go to Main > Monitor > Violations.
 When and where the violation occurred.
 Direction of the connection.
 Filter violations further using the filter icon.



Violation Details Pane

 Go to Main > Monitor > Violations.
 View the payload of the event.
 In this example, HTTP request details are displayed.



Violation Details Pane

 Go to Main > Monitor > Violations.
 Parameters, cookies, and enrichment data (if added) are displayed.
 The reason for the violation is highlighted in yellow.



Viewing Violations: Additional Violations

 Go to Main > Monitor > Violations.
 Some violations will have an Additional Violations tab.



Viewing Violations: Response

 Go to Main > Monitor > Violations.
 View the server response.



Managing Blocked Sources



Blocked Sources

 IP Block, Session Block, and User Block Followed Actions.
• The list of sources blocked by a policy is written to Main > Monitor > Blocked Sources.
 Purpose:
• Quarantine for violating a security policy.
• Provides time to examine the event and determine whether it represents a threat.

Identifying Blocked Sources in Alerts View

 Go to Main > Monitor > Alerts.
 Notice the message “Policy includes block/monitor action IP Block”.



Blocked Sources in Alerts View (continued)

 Click the IP Block hyperlink to view Violations.
 The blocked IP address is highlighted in yellow.
 Analyze and determine whether it is a threat.

Review the Policy

 Go to Main > Monitor > Alerts.
 Select the blocked alert from the Alert list pane.
 Click the Policy hyperlink in the Alerts detail pane.



Blocked Sources

 Go to Main > Monitor > Blocked Sources.
 View all sources which are currently being blocked by a “block followed action”.
 Select a source from the Blocked Sources list.
 Click the Actions button and select Release Blocked Sources if it is not a threat.



Questions?
