
Security, WAM and Learning logs are based on the same JSON log format. This is the default format of the logs sent to an external syslog server, and of the logs displayed in the Kibana interface when creating visualizations.

A log is structured in three major parts:

  • the request: containing all elements of the request (path, headers, query, etc.)
  • the context: describing the application and the WAF context (box, reverse proxy, tunnel, workflow, backend, etc.)
  • the events: containing all information and security tokens about the detected threats (attack family, matching reason, request part, etc.). Note that matched values are recorded in the events as received: in the example below, the `passwd` value is masked in `request.query` but appears in clear in `events[].tokens.matchingParts[].partValue` and `partValueMatch`, which matters when these logs are forwarded to an external syslog or indexed in Kibana.
JSON log template
{
    "timestamp": "1527241410891",
    "logAlertUid": "15546bf4600011e8a3b819267d550fc8",
	"request" : { },
	"context" : { },
	"events" : [ ]
}
Security log example
{
    "logAlertUid": "15546bf4600011e8a3b819267d550fc8",
    "@timestamp": "1527241410891",
    "timestamp": "1527241410891",
    "_type_": "Controller_Business_Log_SecurityLog",
    "request": {
      "body": "",
      "cookies": [],
      "headers": [
        {
          "key": "Connection",
          "value": "Keep-Alive"
        },
        {
          "key": "Host",
          "value": "192.168.122.118"
        },
        {
          "key": "User-Agent",
          "value": "ApacheBench/2.3"
        },
        {
          "key": "Accept",
          "value": "*/*"
        }
      ],
      "hostname": "192.168.122.118",
      "ipDst": "192.168.122.118",
      "ipSrc": "192.168.122.1",
      "method": "GET",
      "path": "/87",
      "portDst": 80,
      "protocol": "HTTP/1.0",
      "query": "id=3&passwd=******",
      "requestUid": "Wwfawp5nqnlmi2m29J3d2QAAAEo"
    },
    "context": {
      "tags": "",
      "applianceName": "Management",
      "applianceUid": "d1ecdf0f3ad7a64279b9e01f08c1f642",
      "backendHost": "192.168.122.118",
      "backendPort": 8000,
      "reverseProxyName": "RP1",
      "reverseProxyUid": "ce4770e1d581d92f1344b8b1ac41e8de",
      "tunnelName": "tunnel1",
      "tunnelUid": "a4ae3647b1e7e868b2d0e6ff47b02fd1",
      "workflowName": "WF - All logs",
      "workflowUid": "x256f94d50d6d66f9732e0ab8532d154"
    },
    "events": [
      {
        "eventUid": "15546f6e600011e8a3b819267d550fc8",
        "tokens": {
          "date": 1527241410891973,
          "eventType": "security",
          "engineUid": "icxEngine",
          "engineName": "ICX Engine",
          "attackFamily": "SQL Injection",
          "riskLevel": 80,
          "riskLevelOWASP": 8,
          "cwe": "CWE-89",
          "severity": 5,
          "resolveType": "Default Resolve",
          "part": "Multiple",
          "icxPolicyName": "Default policy",
          "icxPolicyUid": "fbfb5aec58e3ff3bea900f646351cc30",
          "icxRuleName": "SQL Injection",
          "icxRuleUid": "eeeea8b382ef38e44f0b620c39adbbba",
          "matchingParts": [
            {
              "part": "Var_GET",
              "partKey": "passwd",
              "partKeyOperator": "regexp",
              "partKeyPattern": ".*",
              "partKeyMatch": "passwd",
              "partValue": "1' or 1=1 --",
              "partValueOperator": "pattern",
              "partValuePatternUid": "SqlInjectionProprietaryPattern_00359",
              "partValuePatternName": "SQL Injection",
              "partValuePatternVersion": "00359",
              "partValueMatch": "' or 1=1 --",
              "attackFamily": "SQL Injection",
              "riskLevel": 80,
              "riskLevelOWASP": 8,
              "cwe": "CWE-89"
            }
          ],
          "reason": "ICX Engine: SQL Injection in Var_GET 'passwd'",
          "securityExceptionConfigurationUids": [
            "xd298902fbf8340e241f195fe81e7511"
          ]
        }
      }
    ]
}