Token descriptions

From the point of view of the WAF, the "Security Tokens" can be seen as the formal definition of the "Security Events": the key constituents of the detection context (date, IP addresses, ...). They are essential in the definition of "Security Exceptions".

As an example, a legitimate request may lead to the generation of a "Security Event", called a "false positive". A user can avoid this generation by defining an exception on different tokens (the "Exception Context"), stating, for example:

    I don't want to generate a security event if the alleged attack was discovered in the body part of the request (if the token "part" has the value "Var_POST").

For more information about how to resolve security events, please refer to the section Resolving false positives.
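The following is an added illustration, not code from the product or its documentation: a minimal model of how an "Exception Context" expressed on the tokens above is evaluated against the tokens of a security event. Token names are those listed on this page; the shape of the exception configuration (a uid plus a mapping of token to allowed values), the sample events and the uid value are constructed assumptions.

```python
# Added example (not product code): evaluating a Security Exception context
# against the tokens of security events. Token names follow the page; the
# exception structure, sample events and uid are constructed assumptions.

def make_event(engine, family, part, key, match, resolve="Default Resolve"):
    """Build a constructed security event carrying the general tokens."""
    return {
        "eventType": "security",
        "engineName": engine,
        "attackFamily": family,
        "part": part,
        "partKey": key,
        "partValueMatch": match,
        "resolveType": resolve,
        "securityExceptionConfigurationUids": [],
    }

# Constructed sample events (illustrative values, not real logs).
SAMPLE_EVENTS = [
    make_event("SQL Injection", "SQL Injection", "Var_POST", "comment", "' or 1=1"),
    make_event("SQL Injection", "SQL Injection", "Query", "id", "' or 1=1"),
    make_event("Blacklist", "Path Traversal", "Var_POST", "file", "../"),
    make_event("SQL Injection", "SQL Injection", "Var_POST", "comment", "' or 1=1",
               resolve="No Resolve"),
]

# Constructed exception: "do not raise an SQL Injection event found in the
# POST body under the 'comment' parameter". The uid is a placeholder.
EXCEPTION_CONFIG = {
    "uid": "SEC-EXC-PLACEHOLDER-1",
    "context": {"part": {"Var_POST"}, "attackFamily": {"SQL Injection"},
                "partKey": {"comment"}},
}

def context_matches(event, context):
    """Every token in the exception context must hold one of its allowed values."""
    return all(event.get(token) in allowed for token, allowed in context.items())

def apply_exception(event, config):
    """Return True if the event is suppressed by the exception.

    As the page states, the configuration uid is appended to
    securityExceptionConfigurationUids when the event passes through the
    Security Exception Management node, and only "Default Resolve" events
    can be resolved through a Security Exception Configuration."""
    uids = event["securityExceptionConfigurationUids"]
    if config["uid"] not in uids:
        uids.append(config["uid"])
    return (event["resolveType"] == "Default Resolve"
            and context_matches(event, config["context"]))

def filter_events(events, config):
    """Return the events that still produce a security log after the exception."""
    return [e for e in events if not apply_exception(e, config)]
```

Only the first sample event is suppressed: the second is detected in the Query part, the third belongs to another attack family, and the fourth carries resolveType "No Resolve".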

Token list

The Security Tokens can be "general" to all engines (e.g. the date, the engine name, the attack family, ...) or specific to certain engines (e.g. the rule id from the Blacklist engine, the fingerprint from the SQL Injection engine, etc.).

The exhaustive list of tokens follows:

General Tokens

date
    Date of the event. Timestamp since 00:00:00 UTC on January 1, 1970.
eventType
    Type of the event. The value of the type is always "security" for security logs.
engineUid
    Uid of the engine.
engineName
    Name of the engine.
severity
    Severity of the event (0 to 7). The value of the severity is always "5" in version 6.4.
riskLevel
    Risk level of the event (0 to 100). The value of the risk level is always "50" in version 6.4.
attackFamily
    Attack family of the event: Command Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection, Other Injection, Path Traversal, File Inclusion, Parser Evasion, Buffer Overflow, Denial of Service, Security Misconfiguration, Open Redirect, Scanner or Other.
cwe
    Common Weakness Enumeration of the attack. See https://cwe.mitre.org/data for CWE descriptions.
part
    Part of the request where the event has been detected: Path, Query, Header, Cookie, Var_GET, Var_POST, Var_XML or URI.
    Note: URI is an internal part used by the Blacklist and Scoringlist engines only.
matchingParts
    Describes the context of the part where the event has been detected, together with the detection conditions.
    This token can contain all tokens named part* (partKey, partValue, etc.) and the attackFamily token.
part[Key|Value]
    Part key or part value where the event has been detected (variable value, cookie value, header value, etc.).
part[Key|Value]Operator
    Operator used to match the part key or the part value.
part[Key|Value]Pattern
    Pattern used to match the part key or the part value (regexp or string).
part[Key|Value]PatternUid
    Unique identifier of the pattern used to match the part key or the part value.
    Only available if the pattern used is a proprietary or a custom pattern declared in Pattern Categories.
part[Key|Value]PatternName
    Name of the pattern used to match the part key or the part value.
    Only available if the pattern used is a proprietary or a custom pattern declared in Pattern Categories.
part[Key|Value]PatternVersion
    Version of the pattern used to match the part key or the part value.
    Only available if the pattern used is a proprietary or a custom pattern declared in Pattern Categories.
part[Key|Value]Match
    String detected in the part key or the part value by the pattern.
resolveType
    Describes how to resolve the event:
      • No Resolve: the event cannot be resolved.
      • Default Resolve: the event can be resolved (using Resolve or Custom Resolve) by creating an exception in a Security Exception Configuration.
      • Legacy Resolve: use the legacy way to resolve an event (using Custom Resolve). This value works only for ICX events. Resolving a log using this flag will suggest an exception to add to an ICX configuration.
securityExceptionConfigurationUids
    List of the Security Exception configurations that handled this event. Each time a detected event passes through the Security Exception Management node, the uid of the Security Exception configuration is added to the event. Uids are used for the automated resolve.
customMessage
    Custom message sent by the Log Alert in custom mode.

ICX Engine Tokens

icxPolicyUid
    Unique identifier of the ICX policy that detected the event.
icxPolicyName
    Name of the ICX policy that detected the event.
icxRuleUid
    Unique identifier of the ICX rule that detected the event.
icxRuleName
    Name of the ICX rule that detected the event.
icxLosDecodingError
    Description of the error detected during the LOS (Lightweight Object Serialization) decoding of a Microsoft object.

Normalization Engine Tokens

canonSearchType
    Type of the remaining encoding.

Blacklist Engine Tokens

eaRuleId
    Rule id matched by the Blacklist engine.
eaNewRulesWarningMode
    Warning mode for new rules from a Blacklist update.

Scoringlist Engine Tokens

eaRuleId
    Rule ids matched by the Scoringlist engine.
eaTotalScore
    Score of the Scoringlist engine.

SQL Injection Engine Tokens

sqliFingerprint
    Fingerprint of the detected SQL Injection.

Cross-Site Scripting Engine Tokens

xssTag
    HTML tag detected by the Cross-Site Scripting engine.
xssAttr
    HTML attribute detected by the Cross-Site Scripting engine.
xssEvent
    HTML event attribute detected by the Cross-Site Scripting engine.
xssMode
    Filtering mode used to detect the event: blacklist or whitelist.
    Only the blacklist filtering mode is available.

Command Injection Engine Tokens

cmdiMode
    Filtering mode of the Command Injection engine: static or dynamic.
cmdiWebshell
    Indicates whether the Webshell mode is enabled (search for escaping characters).
cmdiCommand
    Command detected by the Command Injection engine.
cmdiOptions
    Command arguments detected by the Command Injection engine.

Cookie Ciphering Engine Tokens

cookieCipheringName
    Name of the cookie that the engine was not able to decrypt.
cookieCipheringValue
    Value of the cookie that the engine was not able to decrypt.

Cookie Tracking Engine Tokens

cookieTrackingName
    Name of the cookie altered by the client.
cookieTrackingValue
    Value of the cookie altered by the client.
cookieTrackingClientIp
    Indicates whether the cookie does not come from the same IP address as the original. This could indicate Session Hijacking.

Cookie Virtualization Engine Tokens

cookieVirtualizationName
    Name of the cookie injected by the client.
cookieVirtualizationValue
    Value of the cookie injected by the client.

XML Parsing Engine Tokens

xmlParsingSuspiciousReason
    Description of the error detected during the XML parsing.

XML Schema Validation Engine Tokens

xmlSchemaValidationError
    Description of the error detected during the XML schema validation.

The tokens (key/value pairs) can be copied from the administration interface by right-clicking with the mouse.