The Log Security Alert node writes security events to the database. When a security engine detects an attack, an event is created and added to the http.request.security.events table attribute (an internal attribute). When the node executes, all information about the detected events is extracted from that table and sent to the database.

One event generates one log, so one HTTP request can generate as many logs as it has events.

Note that events accepted by the Security Exception Management node are not logged (for example false positives or other requests matching exception rules).

Logs can be viewed through the Security Logs panel.

In DenyAll WAF 6.3, the Log Security Alert node logs events from all engines except the ICX engine; use the Log Alert node for ICX instead. ICX will use the event system in the next product versions.

Node parameters


  • Display name: name of the node displayed in the Workflow. Replaces the default name "Log Security Alert".

Provided attributes

No attribute is provided.

Use Case

Basic Log Alert

  1. The first node, "Normalization Engine", is used to normalize the request.
  2. The "Blacklist Engine" analyzes the request for attacks.
    - If an attack is detected, an event is created and added to the http.request.security.events table attribute. The blacklist.request.blocked attribute is set to "true".
  3. A condition on the blacklist.request.blocked attribute decides whether the request must be blocked:
    - If it equals "true" (an attack is detected), the "Log Security Alert" node sends the events from the http.request.security.events table to the database. The request is then blocked with HTTP code 403.
    - If it equals "false" (no attack detected), the request is sent to the backend server.

Advanced Log Alert

  1. The first node, "Normalization Engine", is used to normalize the request.
  2. The "Blacklist Engine" analyzes the request for attacks. If an attack is detected, an event is created and added to the http.request.security.events table.
  3. The "Security Exception Management" node runs exception rules on the detected events:
    - If an event is accepted by a rule, it is removed from the http.request.security.events table and added to the security.exception.events table.
  4. A condition on the security.exception.blocked attribute decides whether the request must be blocked:
    - If it equals "true" (an attack is detected), the "Log Security Alert" node sends the events still present in the http.request.security.events table to the database. The request is then blocked with HTTP code 403.
    - If it equals "false" (no attack detected), the request is sent to the backend server.
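The following is an added example, not DenyAll's code: a small Python model of the "Advanced Log Alert" workflow above, showing that only events still present in http.request.security.events after exception handling reach the database, one log row per event. The attribute names are the page's own; the Event fields, the engine behaviour and the exception rule are constructed stand-ins.

```python
# Constructed model of the Advanced Log Alert workflow (not the product's code).
from dataclasses import dataclass, field


@dataclass
class Event:
    engine: str   # engine that raised the event, e.g. "blacklist"
    attack: str   # attack family detected
    part: str     # request part concerned, e.g. "param:id"


@dataclass
class Request:
    attrs: dict = field(default_factory=dict)


def blacklist_engine(req, events):
    """Stand-in for the Blacklist Engine: appends the detected events."""
    req.attrs.setdefault("http.request.security.events", []).extend(events)
    req.attrs["blacklist.request.blocked"] = bool(events)


def security_exception_management(req, is_exception):
    """Accepted events move from http.request.security.events
    to security.exception.events, so they are never logged."""
    remaining, accepted = [], []
    for ev in req.attrs.get("http.request.security.events", []):
        (accepted if is_exception(ev) else remaining).append(ev)
    req.attrs["http.request.security.events"] = remaining
    req.attrs["security.exception.events"] = accepted
    req.attrs["security.exception.blocked"] = bool(remaining)


def log_security_alert(req, database):
    """One log row per event still present in the table; returns the count."""
    rows = [{"engine": ev.engine, "attack": ev.attack, "part": ev.part}
            for ev in req.attrs.get("http.request.security.events", [])]
    database.extend(rows)
    return len(rows)


def run_advanced_workflow(events, is_exception, database):
    """Returns (HTTP status, number of logs written) for one request."""
    req = Request()
    blacklist_engine(req, events)
    security_exception_management(req, is_exception)
    if req.attrs["security.exception.blocked"]:
        return 403, log_security_alert(req, database)
    return 200, 0
```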


Backup: Log security alert.backup