Manual Chapter : Configuring How BIG-IQ FPS Processes Alerts

Applies To:

BIG-IQ Centralized Management 7.1.0

Configuring How BIG-IQ FPS Processes Alerts

Before you start managing alerts

Before you can start using Fraud Protection Service (FPS) to manage alerts, you need to deploy a data collection device (DCD) cluster. This cluster includes the BIG-IQ Centralized Management devices and Data Collection devices needed to manage and store the alert data generated from your BIG-IP devices. Additionally, you need to configure your BIG-IP devices to send FPS alerts to the DCD cluster. These tasks are detailed in the document Planning and Implementing an F5 BIG-IQ® Centralized Management Deployment.

Configure a web service

Before you can perform this task, you must be logged in as Admin and, if you plan to use a proxy for WebService traffic, you must have configured a proxy server that your data collection device cluster can access.
To use a proxy, you must configure a proxy on each device (data collection devices and BIG-IQ devices) in the cluster. Additionally, the proxy names you specify for each node in the cluster must match exactly.
You can add or remove a WebService configuration. You need a web service to download new alert transform rules from the SOC. You also need a web service so you can forward received alerts to the Security Operations Center (SOC) so that the SOC can inspect them.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration.
  3. Click WebService Configuration, and then select the web service you want to configure.
    • To configure an existing service, click the name of the service.
    • To configure a new service, click Create.
    If you create a web service with a particular set of SOC credentials, use that web service in forwarding rules or scheduled alert rule downloads, and later delete and recreate it with a different name, then attempts to restore a snapshot that references the original web service will fail. To successfully restore such snapshots, you must recreate the web service with the same name.
    When you make changes to your web service configuration, allow up to 5 minutes for these changes to propagate to all of your managed FPS devices before you look for the impact of the configuration changes.
  4. For the WebService Name, type a name for the web service that you would like to forward alerts to.
    The Security Operations Center (SOC) is the only option.
  5. For Description, type a description of the account that you would like to send alerts to.
  6. For WebService URI, use the default value supplied by the BIG-IQ.
  7. For Remote Account ID, type the remote account ID provided by the SOC.
  8. For SOC User, type the user name provided by the SOC.
  9. For SOC Password, type the password provided by the SOC.
  10. If you want the alert traffic for this web service to route through a proxy, select Use Proxy, and then select the proxy you want to use.
  11. For Test SOC Connection, click the Test button to make sure the alert goes through.
    A successful test confirms only that the alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  12. Click Save & Close.
You have configured a web service that can download alert rules from the SOC and forward alerts to the SOC.

Create an alert transform rule

Before you can perform this task, you must be logged in as Admin.
An alert transform rule is used to modify alerts matching a set of criteria. It might take a few minutes after alert transform rules are created before they take effect.
When you create an alert transform rule, you define a set of criteria that tells your system what to do with incoming alerts. For example, a rule might match when the system finds a particular string in the alert query that indicates generic malware. If an alert matches all of the criteria that you set up, the system changes the alert severity, details, recommendation, and status. You can use alert transform rules to ignore a type of alert that is harmless, or to give an alert a higher severity and change the alert status to Monitor.
  1. At the top of the screen, click Monitoring.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration.
  3. Click Alert Transform Rules.
  4. To add an alert transform rule, click Create.
    The New Alert Transform Rule screen opens.
  5. In Transform Rule Name, type a name for the rule.
  6. In Status, select the Enabled check box if you want the transform rule to be enabled immediately after creating it.
    If the Enabled check box is not selected, the transform rule is inactive until this setting is changed.
    Enabling a rule does not apply it on alerts. To apply the rule, you must enable it and then click Apply.
  7. In Description, type a description of the alert rule.
  8. In Find, type the text that you want the BIG-IQ® to search for in the alert data.
    The BIG-IQ searches for this text in the areas you specify in the Where field, and the alert transform rule can be applied on alerts where this text is found.
  9. For the Where setting, select which parts of the alert should be searched.
    The BIG-IQ searches for the text you specify in the Find field in the parts of the alert you specify here.
  10. For the When setting, select which types of alerts should be searched.
  11. For the Accounts setting, retain the default, All Accounts, or clear the check box and specify on which accounts the rule should be applied.
  12. For Alert Severity, select a severity number for the rule.
    By default, most rules are given a severity number of 50.
  13. In Alert Details, type additional information to display in the rule.
  14. In Alert Recommendation, type a recommendation to display in the rule.
  15. For Alert Status, select a status that will be assigned to matching alerts.
  16. Select the check box next to Use regex to obfuscate the user name from selected fields if you want the rule to hide the user name in selected alert fields.
    If you select this check box, the properties User Regular Expression and Match User Regular Expression on appear.
    1. For User Regular Expression, type a regular expression for identifying a user name in an alert.
      If the BIG-IQ finds this regular expression, the actual user name is replaced with username. For example, if you specify the regex username=([a-zA-Z]*) and the alert URL is https://myusername.com?username=johndoe, after the regex is matched and applied, the alert URL renders as https://djohndoe.com?username=USERNAME.
    2. For Match User Regular Expression on, select the parts of the alert that you want the BIG-IQ to search to determine if they contain the regular expression.
  17. Click Save & Close.
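The matching and rewriting behaviour described in this task, as an added Python model. It is not BIG-IQ's code: the attribute names simply mirror the UI labels, the sample alert and rule are constructed, and the regex-based user name replacement follows the example given above (including what happens when the capture group does not cover the whole user name).

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of an alert transform rule. It illustrates the match-then-rewrite
# behaviour described in the task; it is not BIG-IQ's implementation, and the attribute
# names just mirror the UI labels.
@dataclass
class TransformRule:
    name: str
    find: str                             # Find: text to look for
    where: Tuple[str, ...]                # Where: alert fields to search
    when: Tuple[str, ...]                 # When: alert types the rule applies to
    severity: int                         # Alert Severity assigned on match
    details: str                          # Alert Details assigned on match
    recommendation: str                   # Alert Recommendation assigned on match
    status: str                           # Alert Status assigned on match
    user_regex: Optional[str] = None      # User Regular Expression (group 1 = user name)
    user_regex_on: Tuple[str, ...] = ()   # Match User Regular Expression on
    enabled: bool = True

def obfuscate_user(text: str, user_regex: str) -> str:
    """Replace only the captured user name (group 1) with the literal 'username'."""
    def repl(m: "re.Match[str]") -> str:
        if m.lastindex is None or not m.group(1):
            return m.group(0)             # nothing captured: leave the text untouched
        start, end = m.span(1)
        whole = m.group(0)
        return whole[: start - m.start()] + "username" + whole[end - m.start():]
    return re.sub(user_regex, repl, text)

def apply_rule(rule: TransformRule, alert: Dict[str, object]) -> Dict[str, object]:
    """Return a rewritten copy of the alert when every criterion matches; otherwise the alert as is."""
    if not rule.enabled or alert.get("type") not in rule.when:
        return alert
    if not any(rule.find in str(alert.get(f, "")) for f in rule.where):
        return alert
    out = dict(alert)
    out.update(severity=rule.severity, details=rule.details,
               recommendation=rule.recommendation, status=rule.status)
    if rule.user_regex:
        for f in rule.user_regex_on:
            if isinstance(out.get(f), str):
                out[f] = obfuscate_user(out[f], rule.user_regex)
    return out

# Constructed sample data (all values are invented for this example).
SAMPLE_ALERT = {
    "type": "Malware", "severity": 50, "status": "New",
    "query": "username=johndoe&cmd=inject_generic",
    "url": "https://bank.example/login?username=johndoe",
    "user": "johndoe",
}
GENERIC_MALWARE_RULE = TransformRule(
    name="generic-malware-monitor", find="inject_generic", where=("query",),
    when=("Malware",), severity=80, details="Generic malware marker seen in the alert query",
    recommendation="Monitor the session", status="Monitor",
    user_regex=r"username=([a-zA-Z]*)", user_regex_on=("query", "url"),
)
```

Note that a character class such as [a-zA-Z]* stops at the first digit, so a user name like johndoe2 is only partially hidden; widen the class if your user names contain digits or punctuation.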

Creating a schedule to download alert transform rules from the SOC

Before you can create a new download schedule, you must configure a web service.
You can set up a schedule to download alert transform rules from the Security Operations Center (SOC). You can start downloads immediately, or repeat them on a daily, weekly, or monthly basis. You can only create one repeating schedule. However, you can create a new schedule that will run immediately.
Transform rules are downloaded only for the account configured in the SOC WebService.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration, and then click Transform Rule Import Schedule.
  3. Click the Create button.
    The New FPS Download Schedule screen opens.
  4. Type a Name and Description for the schedule.
  5. From the WebService list, select the service you want to use.
  6. For Import Alert Rules Frequency, select the frequency for downloading the transform rules.
  7. For Start Date, specify the date and time that you want the first download to start.
  8. For End Date, either select No End Date, or specify the date and time that you want downloads to stop.
  9. Select Should Apply if you want the downloaded alert transform rules to be immediately applied on alerts in the BIG-IQ.
  10. Select Should Forward if you want to forward notifications about alerts that were modified by the transform rule to a third party, according to the forwarding rules configured in the BIG-IQ.
  11. Click Save & Close.
    The FPS Download Schedules screen opens and the schedule that you created is listed.
After a successful download occurs, you can check the download results in the FPS Download Schedules screen, including the following information:
  • Total Rules: The total number of transform rules that were received in the download.
  • Total Rules Ignored: The total number of rules that were ignored for either of the following reasons:
    1. The rule is not associated with the account that performed the download.
    2. Validation of the rule failed.
  • Total Rules Updated: The total number of rules that were received in a previous download and were updated in the latest download.

Importing a CSV file with alert rules

Importing alert transform rules from a CSV file is helpful if you do not want to schedule a download of the alert transform rules from the Security Operations Center (SOC) over the Internet.
You can save alert transform rules (called signatures) from the SOC into a CSV file, then use the steps in this task to import the CSV file into FPS.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration, and then click Alert Transform Rules.
  3. Click the Import button.
    A popup screen opens.
  4. Click Choose File, and then choose a CSV file to import.
  5. Select a target account.
  6. Click Import.
    The imported alert transform rules are applied to the types of alerts the account is configured to receive.

Modifying alert forwarding rules

Before you can perform this task, you must be logged in as Admin, and if you plan to use a proxy to forward custom alerts, you must have configured a proxy server that your Data Collection Device cluster can access.
You can add, clone, or remove alert forwarding rules. You can forward alerts to a web service, an email address, a syslog server, or a custom WebService location.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration, and then click Alert Forwarding Rules.
  3. On the Alert Forwarding Rules screen, select an action as appropriate:
    • To view details for an alert forwarding rule, click the rule name.
    • To create an alert forwarding rule, click Create.
    • To clone an alert forwarding rule, select the check box by the rule and click Clone.
    • To delete an alert forwarding rule, select the check box by the rule and click Delete.
    • To enable an alert forwarding rule, select the check box by the rule and click Enable.
    • To disable an alert forwarding rule, select the check box by the rule and click Disable.
  4. On the New Alert Forwarding Rules screen, fill in the settings as needed:
    1. For Forwarding Rule Name, type a name for the alert rule.
    2. For Description, type a description of the alert rule.
    3. For Status, select the Enabled check box to forward alerts.
  5. On the left, click Alerts Matching, and fill in the settings as needed:
    1. For Alert Severity Equal OR Greater Than, select the alert severity level from the list.
    2. For Alert Categories, move an alert category from the Available list to the Selected list.
    3. For Alert Status, select a status for the alert, and move it from the Available list to the Selected list.
    4. To forward only alerts that include a user name, for Username, select Must be Present.
      Enabling this setting significantly reduces the volume of alerts that FPS forwards.
    5. For Accounts, use the default All Accounts, or select a specific fraud protection account and move it to the Selected column. The alert forwarding rule will then only act on the alerts that the account is set to receive.
  6. On the left, click Notification Targets and select one or more means for forwarding alerts.
    1. Enable WebService to send alert notifications to the F5 Security Operations Center (SOC) dashboard through the cloud WebService.
      For additional details on how to use the fields in the WebService area, refer to WebService forwarding method detail.
      You must configure WebService Config in Fraud Protection Service before you can select this option.
    2. Enable Email to send notifications to an email address.
      For additional details on how to use the fields in the Email area, refer to Email forwarding method detail.
      You must configure the DNS and SMTP server on your data collection devices to use this option.
    3. Enable Syslog to send alert notifications to a Syslog server.
      For additional details on how to use the fields in the Syslog area, refer to Syslog forwarding method detail.
    4. Enable Custom to send custom alert notifications to a third party web service.
      For additional details on the Custom area, and how to use the fields in it, refer to Custom forwarding method detail.
  7. Click Save & Close.

WebService forwarding method detail

When you use the WebService forwarding method, you use the web service tab to define how the alert is sent.
  1. For WebService, select the web service to which you want the alert to be sent.
  2. Specify the variables that you want to have included in the alert by using the arrow button to move them from the Available list to the Selected list.
    For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  3. Click Save & Close.

Email forwarding method detail

When you use the Email forwarding method, you use the Email tab to define how the alert is sent.
  1. For Sender Name, the screen specifies the name of the email sender (F5 Fraud Protection Service).
  2. For Sender Email Address, type the email address from which you want the alert notifications forwarded.
  3. For Email Recipient(s), type the email address to which you want the alert notifications forwarded.
  4. To run a test of the email addresses you specified above, click Test.
    A successful test confirms only that the alert was successfully sent. You should confirm with the recipient that the test message is received.
  5. For Email Subject, you can either use the default parameters to specify the alert email subject, or create your own using the supported parameters.
    For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  6. For Mail Template, you can add or subtract from the default list of parameters.
    Parameters listed here are included in the forwarded alert.
  7. When you finish configuring the alert sending method, click Save & Close.

Syslog forwarding method detail

When you use the Syslog forwarding method, you use the Syslog tab to define how the alert is sent.
  1. For Syslog Facility, type the facility number to which you want the alert notifications to be forwarded.
  2. For Syslog Severity, select the severity level that you want to be appended to all forwarded alert notifications.
    The severity level you select here is added to all forwarded alerts. This level is unrelated to the severity level number assigned independently to each alert.
  3. For Syslog Server, type the IP address of the server to which you want the alerts to be forwarded.
  4. For Syslog Port, type the port number to which you want the alerts to be forwarded.
  5. For Syslog Protocol, select the protocol that the target syslog server uses to accept forwarded alerts.
  6. To run a test of the specified settings, click Test.
    A successful test confirms only that the alert was successfully sent. You should confirm with the recipient that the test message is received.
  7. For Syslog Template, you can add or subtract from the default list of parameters.
    Parameters listed here are included in the forwarded alert. For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  8. When you finish configuring the alert sending method, click Save & Close.

Custom forwarding method detail

Before you can perform this task, if you plan to use a proxy to forward custom alerts, you must have configured a proxy server that your data collection device cluster can access.
When you are configuring an alert forwarding rule and select the Custom method, you use the Custom tab to define the details of how the alert is sent. This alert type specifies a number of parameters that the alert receiving entity has specified as requirements of the service they use to listen for forwarded alerts. You specify the values for these parameters so that the forwarded alerts satisfy the requirements of the alert receiving entity.
  1. If the alert recipient uses a service that requires an alert token, select the check box for Uses Token.
    The screen displays additional settings.
    1. For WS Token Timeout, type the number of seconds that the alert recipient specifies for forwarded alert tokens.
    2. For WS Token URL, type the IP address that the alert recipient specifies for forwarded alert tokens.
    3. For WS Token Method, select the REST API method that the alert recipient specifies for forwarded alert tokens.
    4. For WS Token Headers, type the required request header information specified by the alert recipient for forwarded alert token headers.
    5. For WS Token Request, type the required request body information specified by the alert recipient for forwarded alert tokens.
    6. For WS Token Response, type the required request response information specified by the alert recipient for forwarded alert responses.
  2. If you want the alert traffic for this custom rule to route through a proxy, select Use Proxy, and then select the proxy you want to use.
  3. For WS Alert URL, type the IP address specified by the alert recipient for forwarded alert responses.
  4. For WS Alert Method, select the REST API method that the alert recipient specifies for forwarded alerts.
  5. To run a test of the specified settings, click Test.
    A successful test confirms only that the alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  6. For WS Alert Headers, type the required alert header information specified by the alert recipient for forwarded alert headers.
  7. For WS Alert Request, type in the parameters that you want to be included in the forwarded alerts.
    Parameters listed here are included in the forwarded alert. For a list of forwarding method variables that you can use, refer to Supported Forwarding Method variables.
  8. When you finish configuring the alert sending method, click Save & Close.
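The two-step exchange that the Custom method describes (a token request built from the WS Token settings, then the alert request built from the WS Alert settings with {token} available to it), as an added Python model. This is not the BIG-IQ's own request code: the settings dictionary keys, the assumption that WS Token Response names the JSON key holding the token, the placeholder URLs and the stand-in recipient are all constructed for the example, and the transport is injected so it runs offline.

```python
import json
import re
import time
from typing import Callable, Dict, List, Optional

# Constructed model of the Custom forwarding method: obtain a token with the WS Token
# settings, then send the alert with the WS Alert settings. The BIG-IQ's own request
# logic is not shown on the page, so everything here is an assumed implementation.
Transport = Callable[[str, str, Dict[str, str], str], str]  # (method, url, headers, body) -> response body

def substitute(template: str, variables: Dict[str, str]) -> str:
    """Replace {variable} placeholders (names as in the variables table); unknown ones stay literal."""
    return re.sub(r"\{(\w+)\}", lambda m: str(variables.get(m.group(1), m.group(0))), template)

class CustomForwarder:
    def __init__(self, cfg: Dict[str, str], transport: Transport,
                 clock: Callable[[], float] = time.time) -> None:
        self.cfg, self.transport, self.clock = cfg, transport, clock
        self._token: Optional[str] = None
        self._token_expires = 0.0

    def token(self) -> str:
        """Fetch a token via WS Token URL/Method/Headers/Request; cache it for WS Token Timeout seconds."""
        now = self.clock()
        if self._token is None or now >= self._token_expires:
            headers = json.loads(self.cfg["ws_token_headers"])
            body = self.transport(self.cfg["ws_token_method"], self.cfg["ws_token_url"],
                                  headers, self.cfg["ws_token_request"])
            # Assumption: WS Token Response names the JSON key that carries the token.
            self._token = json.loads(body)[self.cfg["ws_token_response"]]
            self._token_expires = now + float(self.cfg["ws_token_timeout"])
        return self._token

    def forward(self, alert: Dict[str, str]) -> str:
        """Send one alert; {token} is available to headers and body only when Uses Token is set."""
        variables = dict(alert)
        if self.cfg.get("uses_token") == "true":
            variables["token"] = self.token()
        headers = {k: substitute(v, variables) for k, v in json.loads(self.cfg["ws_alert_headers"]).items()}
        body = substitute(self.cfg["ws_alert_request"], variables)
        return self.transport(self.cfg["ws_alert_method"], self.cfg["ws_alert_url"], headers, body)

class FakeRecipient:
    """Constructed stand-in for the third-party service: issues bearer tokens and checks them."""
    def __init__(self) -> None:
        self.tokens_issued = 0
        self.received: List[dict] = []

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: str) -> str:
        if url.endswith("/token") and method == "POST":
            self.tokens_issued += 1
            return json.dumps({"access_token": f"tok-{self.tokens_issued}"})
        if headers.get("Authorization") != f"Bearer tok-{self.tokens_issued}":
            return json.dumps({"ok": False, "error": "bad token"})
        self.received.append(json.loads(body))
        return json.dumps({"ok": True})

# Constructed settings keyed by the UI labels; the URLs are placeholders.
SAMPLE_CONFIG = {
    "uses_token": "true",
    "ws_token_timeout": "300",
    "ws_token_url": "https://recipient.example/token",
    "ws_token_method": "POST",
    "ws_token_headers": '{"Content-Type": "application/json"}',
    "ws_token_request": '{"client_id": "bigiq-fps"}',
    "ws_token_response": "access_token",
    "ws_alert_url": "https://recipient.example/alerts",
    "ws_alert_method": "POST",
    "ws_alert_headers": '{"Authorization": "Bearer {token}", "Content-Type": "application/json"}',
    "ws_alert_request": '{"guid": "{guid}", "name": "{name}", "severity": {severity}, "ip": "{ip}"}',
}
SAMPLE_ALERT = {"guid": "g-0001", "name": "Phishing", "severity": "80", "ip": "203.0.113.7"}
```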

Supported forwarding method variables

There are a number of forwarding method variables that you can use when you create an alert rule.
Variable Name                                        Alert Field
Account ID                                           {accountid}
Account Name                                         {account}
Alert Date (dd.mm.yyyy hh:mm)                        {date}
Alert Date (yyyy-mm-dd hh:mm:ss)                     {datefull}
Alert Date (Unix Timestamp)                          {unixdate}
Alert Domain                                         {domain}
Alert Name                                           {name}
Alert Severity                                       {severity}
Alert Query                                          {query}
Alert Recommendation                                 {recommendation}
Alert Status (Numeric)                               {statusid}
Alert Status (Textual)                               {status}
Alert Type                                           {type}
Alert URL                                            {url}
Alert GUID                                           {guid}
Alert Referer                                        {referer}
Alert Details                                        {details}
Application Cookies                                  {session_data}
Authentication Token (For CustomWS Notifications)    {token}
Client Host Name                                     {hostname}
Client IP                                            {ip}
Client Language                                      {language}
Client Proxy Host Name                               {proxyname}
Client Proxy IP                                      {proxy}
Client Username                                      {user}
Client User Agent                                    {agent}
Client Country                                       {geoip_country}
Client City                                          {geoip_city}
Client Device ID                                     {device_id}
Client Device Parameters                             {device_params}
Full Alert HTML Data                                 {ht_data}
MD5 of Full Alert HTML                               {ht}
MD5 of Minimal Alert HTML                            {min}
Minimal Alert HTML Data                              {min_data}
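How a Syslog Template built from the variables in this table turns into a forwarded line, and how the rule's fixed Syslog Facility and Syslog Severity differ from the alert's own {severity}, as an added Python example covering both the Syslog forwarding method detail and this table. It is not BIG-IQ's code: the template, the RFC 3164-style framing, the host name and the sample alert are assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Assumed template using the variable names from the table (constructed for this
# example; the BIG-IQ default Syslog Template is not shown on the page).
SAMPLE_TEMPLATE = "guid={guid} name={name} severity={severity} status={status} ip={ip} user={user} url={url}"

def substitute(template: str, alert: Dict[str, str]) -> str:
    """Replace {variable} placeholders; unknown placeholders are left literal."""
    return re.sub(r"\{(\w+)\}", lambda m: str(alert.get(m.group(1), m.group(0))), template)

def syslog_line(facility: int, syslog_severity: int, template: str, alert: Dict[str, str],
                hostname: str = "bigiq-dcd", when: Optional[datetime] = None) -> str:
    """Render one RFC 3164-style line. PRI carries the rule's fixed Syslog Facility and
    Syslog Severity; the alert's own severity number appears only where the template
    places {severity}, so the two must not be confused on the receiving side."""
    if not (0 <= facility <= 23 and 0 <= syslog_severity <= 7):
        raise ValueError("syslog facility must be 0-23 and severity 0-7")
    pri = facility * 8 + syslog_severity
    when = when or datetime.now(timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 day of month is space padded
    return f"<{pri}>{stamp} {hostname} fps: {substitute(template, alert)}"

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")

def parse_syslog_line(line: str) -> Tuple[int, int, Dict[str, str]]:
    """Receiver side: recover facility, syslog severity and the key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a recognised syslog line")
    pri = int(m.group(1))
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group(5)))
    return pri // 8, pri % 8, fields

# Constructed sample alert and a fixed timestamp so the output is reproducible.
SAMPLE_ALERT = {"guid": "g-0001", "name": "Phishing", "severity": "80", "status": "Monitor",
                "ip": "203.0.113.7", "user": "username", "url": "https://bank.example/login"}
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
```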

Add a fraud protection account

You create Fraud Protection accounts in order to receive alerts related to alert identifiers that have been configured on the BIG-IP system. You can then assign BIG-IQ users to limit their view of alerts and rules.
Accounts are used to filter alerts, and to transform rules and forwarding rules based on the alert ID configured on the BIG-IP system. Each FPS account has an account ID, and all alerts have an account ID field. You can view only the alerts whose account ID field matches an FPS account ID to which your user login has been assigned access.
The account name you give is displayed in place of the alert ID. If you configure an account, set the default view for each user that you assign to the account. Alert transform rules and forwarding rules that have an account are applied to alerts with the matching alert ID. If no accounts are assigned, then all alerts are considered.
  1. At the top of the screen, click Configuration.
  2. On the left, click EVENTS > Fraud Protection Service > Configuration, and then click WebService Configuration.
  3. Click Create.
    The New FPS WebService Configuration screen opens.
  4. Fill in as appropriate:
    WebService Name: Type a name for the account that you would like to send alerts to (for example, MortgageDept).
    Description: Type a description of the account that you would like to send alerts to.
    WebService URI: This value is always filled in by default. The only reason to change this is if you want to forward to another legacy dashboard.
    Remote Account ID: Type the remote account ID provided to you by the SOC.
    SOC User: Type the user name provided to you by the SOC. By default, the administrator is selected to look at the account.
    To create a user, go to System Management > User Management > Users and click Add. Be sure to give the user a user role of Fraud Protection Manager or Fraud Protection View.
    SOC Password: Type the password provided to you by the SOC.
    Proxy: To route the alert traffic for this web service through a proxy, select Use Proxy, and then select the proxy you want to use.
    Test SOC Connection: To test the SOC connection, click the Test button to confirm that your settings are correct.
    A successful test confirms only that a test alert was successfully sent (or, if you specified a proxy, that the alert reached the proxy server). You should confirm with the recipient that the test message is received.
  5. Click Save & Close.
You now have a fraud protection account that can manage the alerts that you specify.