Before you can see learning suggestions on the system, it needs to have had some
traffic sent to it.
After you create a security policy and begin sending traffic to the application, the
system provides learning suggestions concerning additions to the security policy
based on the traffic it sees. For example, you can have users or testers browse the
web application. By analyzing the traffic to and from the application, Application Security Manager™ generates learning suggestions or
ways to fine-tune the security policy to better suit the traffic and secure the
application.
Note: This task is primarily for building a security policy manually. If
you are using the automatic learning mode, this task applies to resolving
suggestions that require manual intervention, or for speeding up the enforcement of
policy elements.
- On the Main tab, click .
  The Traffic Learning screen opens, and lists suggestions based on traffic patterns and violations that the system has detected.
- Take a look at the Traffic Learning screen to get familiar with it.
  With no suggestions selected, the right pane displays sections that facilitate the reviewer's decision-making process. These include graphical charts that summarize policy activity, a summary of top violations in Reduce Potential False-positive Alerts, an enforcement readiness summary, and a summary of suggestions to add a new entity or delete an obsolete entity.
- To change the order in which the suggestions are listed, or refine what is included in the list, use the filters at the top of the column. Click the search icon to see basic and advanced filters.
- Review the learning suggestions as follows.
  - Select a learning suggestion.
    Information is displayed about the action the system will take if you accept the suggestion, and what caused the suggestion.
  - Select a suggestion to learn more about what caused it by looking at the action, the number of samples it is based on, the violations caused and their violation ratings, and, if available, by examining samples of the requests that caused the suggestion.
  - Select a request to view data about the request on the right, including any violations it generated, the contents of the request itself, and the response (if any).
    By examining the requests that caused a suggestion, you can determine whether it should be accepted.
  - To add comments about the suggestion and the cause, click the Add Comment icon to the right of the suggestion commands, and type the comments.
- Decide how to respond to the suggestion. You can start with the suggestions that have the highest learning scores, or those which you know to be valid for the application. These are the options.
Option | What happens
Accept Suggestion | The system modifies the policy by taking the suggested action, such as adding an entity that is legitimate. If the entity that triggered the suggestion can be placed in staging (file types, URLs, parameters, cookies, or redirection domains), clicking Accept Suggestion displays a second option, Accept suggestion and enable staging on Matched <<entity>>. Click this option to accept the suggestion and place the matched entity in staging.
Delete Suggestion | The system removes the learning suggestion, but the suggestion reoccurs if new requests cause it. In that case the learning score of the suggestion starts over from zero.
Ignore Suggestion | The system does not change the policy and stops showing this suggestion on the Traffic Learning screen now and in the future. You can view ignored suggestions by filtering by status ignored.
Note: If you are working in automatic learning mode, when the learning score reaches 100% the system can accept most of the suggestions if you selected the Learning Mode Auto-apply Policy, or you can accept suggestions manually at any time. If you are using manual learning, when the learning score reaches 100% (or before that, if you know the suggestions are valid), you need to accept the suggestions manually.
If you know that a suggestion is valid, you can accept it at any time, even before the learning score reaches 100%. Suggestions that reach 100% have met all the conditions, so they are probably legitimate entities.
- To put the security policy changes into effect immediately, click Apply Policy.
By default, a security policy is put
into an enforcement readiness period for seven days. During that time, you can examine
learning suggestions and adjust the security policy making sure that users can access
the application. The security policy then includes elements unique to your web
application.
It is a good idea to periodically review the learning suggestions on the Traffic
Learning screen to determine whether the violations are legitimate and caused by an
attack, or if they are false positives that indicate a need to update the security
policy. Typically, a wide recurrence of violations at some place in the policy (with a
low violation rating and a high learning score) indicates that they might be false
positives, and hence the policy should be changed so that they will not be triggered
anymore. If the violations seem to indicate true attacks (for example, they have a high
violation rating), the policy should stay as is, and you can review the violations that
it triggered.
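The rule of thumb above (high learning score plus low violation rating suggests a false positive; a high violation rating suggests a real attack) can be turned into a triage pass over an exported suggestion queue. The example below is added here and is not F5 code; the Suggestion fields, the 1-to-5 violation-rating scale and the thresholds are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed model of one Traffic Learning row. The learning score is the 0-100%
# value shown on the screen; the violation rating is assumed to run from
# 1 (probably a false positive) to 5 (probably an attack).
@dataclass
class Suggestion:
    entity: str            # what the suggestion would add or relax, e.g. a URL
    learning_score: int    # 0-100
    violation_rating: int  # 1-5 (assumed scale)
    samples: int           # number of requests the suggestion is based on

ACCEPT = "accept: wide recurrence with low rating, likely false positive"
KEEP = "keep policy as is: high violation rating, review the violations"
REVIEW = "review manually: examine the request samples before deciding"

def triage(s: Suggestion, attack_rating: int = 4, benign_rating: int = 2,
           wide_recurrence: int = 10) -> str:
    """Classify one suggestion using the page's heuristic (thresholds assumed)."""
    if s.violation_rating >= attack_rating:
        return KEEP            # looks like a true attack: do not relax the policy
    if (s.learning_score >= 100 and s.violation_rating <= benign_rating
            and s.samples >= wide_recurrence):
        return ACCEPT          # met all learning conditions, many benign samples
    return REVIEW              # not enough evidence either way

def prioritise(suggestions: List[Suggestion]) -> List[Suggestion]:
    """Order the queue as the text recommends: highest learning score first."""
    return sorted(suggestions, key=lambda s: (s.learning_score, s.samples),
                  reverse=True)

def triage_report(suggestions: List[Suggestion]) -> List[Tuple[str, str]]:
    """Return (entity, decision) pairs in review order."""
    return [(s.entity, triage(s)) for s in prioritise(suggestions)]

# Constructed sample queue, not real ASM output.
SAMPLE_QUEUE = [
    Suggestion("parameter 'q' on /search.php", 100, 1, 250),
    Suggestion("URL /admin/backup.php", 40, 5, 3),
    Suggestion("file type .zip on /upload", 60, 2, 12),
    Suggestion("cookie 'theme'", 100, 2, 4),
]

if __name__ == "__main__":
    for entity, decision in triage_report(SAMPLE_QUEUE):
        print(f"{entity}: {decision}")
```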