Applies To:
Show VersionsBIG-IQ Centralized Management
- 6.0.0
Fraud Protection Service overview
BIG-IQ® Fraud Protection Service (FPS) sends alerts to users whenever they are victims of malware or phishing attacks. BIG-IQ filters all alerts into different types and displays them for you to monitor. FPS has the ability to create rules to modify alerts, rules for forwarding alerts, or download rules from the Security Operations Center (SOC). Types of alerts include:
- Uninspected Alerts
-
This list contains all alert types that have a status of new.
- Monitored Alerts
- This list contains all monitored alert types.Note: If you have configured fraud protection accounts, then you can view only the alerts that have been specified for your account to view.
- Phishing Alerts
- Phishing alerts include phishing user, copied pages, and user defined phishing. These alerts are created when a phishing victim enters user credentials onto a phishing web site, or when a phishing site has been detected by JavaScript. The user name that appears in the alert is the user name that is entered into the phishing site.
- Malware Alerts
- Malware alerts are separated into generic malware, targeted malware, external scripts, page modification, and user defined malware. The Malware Detection component thus enables the organization to take the necessary steps to mitigate the risks of the attack in real time. This component helps the organization to keep track of its affected users and reveal malicious money transaction attempts.
- Suspicious Transactions
- Suspicious Transactions include browser automation, remote access tools, transaction modification, and user defined. Suspicious transactions prevent automatic requests to the application's server by confirming that the request was made by a human and not issued automatically. Automatic requests can be issued by a Trojan horse attack injecting a malicious JavaScript code to the user's browser in order to perform an automatic money transfer to the attacker's account, or by random bots attempting to automatically scrape data from the application automation.
- Suspicious Logins
- Suspicious logins include stolen credentials and user inspection. These alerts provide protection against Trojan horse attacks, providing an encryption for the information at the application layer on the client side. This ensures that the information that is exposed to the Trojan horse attack will be encrypted. The encryption is conducted on the client side, using a public key generated by the web server and provided uniquely per session. When the encrypted information is received by the web server, it is decrypted using a private key that is kept on the server side.
- Mobile
- Mobile alerts integrate with the applications of financial service providers, improving protection against the aforementioned threats and provides alerts received on possible attacks. Mobile alerts neutralizes local threats found on customers’ mobile devices, without altering the user experience. These alerts are created when the system detects an infected mobile device. Alert types that are included in this category are Mobile Malware, Mobile Man-in-the-middle (MITM), Mobile Security, and User Defined. Prevents phishing, Trojan horse attacks, and pharming attacks on mobile devices in real time, through detection, prevention, and application-level encryption.
- Validation Errors
- Validation error alerts are created when the expected cookie is missing or corrupted. Validation errors include transaction errors, encryption errors, missing components, and mobile errors.
- Unfiltered Alerts
- Unfiltered alerts are unfiltered views of all alerts except those that have the status of Ignore.
- Saved Filters
- Saved filters is a list of custom filters that you create and save. These are unique to each user. Saved filters are helpful if you would like to create your own view of alerts. If you are trying to track down a specific type of attack, you can save a unique filter to repeatedly check on a specific type of alert. The BIG-IQ® Fraud Protection Service provides a rich set of querying features which allow you to quickly and efficiently locate alerts that you are interested in.
FPS Alerts overview
There are a number of things you can do to specify the response to different kinds of alert types.
Each alert type has its own user interface, but the controls used to edit the rules that govern the response to these alerts are very similar.
Most alert types are organized into groups. On any list screen, you can click the little black triangle to expand the list.
- To access the Filter Alerts screen, click the Filter button at the top left of the screen. On the Filter Alerts screen you can view the existing query that defines the current alert rule. You can specify additional detail to further refine the query or create a new custom query.
- To refresh the list of alerts on the screen, click Refresh.
- To create a rule based on an alert, select the check box of the alert you want to use as the basis for the rule, and click Create Rule.
- To filter the list of alerts so that only alerts generated during one session are displayed, select the check box of the alert you are interested in, and click Filter Related.
- To export one or more alerts files to a CSV file that you can edit or inspect, click More, and then select Export.
- To change the status for an alert, select the check box for that alert, click
More, and then select Change
Status.Note: If all the check boxes are selected in a list, you can choose to either change the status for all of the alerts that are in view, or change the status for all of the alerts that match the query.
- To remove an alert, select the check box for that alert, click
More, and then select Delete.
Note: If all the check boxes are selected in a list, you can choose to either remove all of the alerts that are in view, or remove all of the alerts that match the query.
- A Filter Related button becomes active. Click this button to view only alerts that have the same session global unique identifier (GUID) as the selected alert.
- A preview pane opens to show you details about the selected alert.
- From the Filter control, select the type of match (Contains, or Exact) that you want to use.
- In the Filter field, type the filter criteria you want to use, and press Enter.
- A Filtered by field displays the alert criteria you applied, and the screen displays only alerts that match that criteria.
- To see the rest of the alerts again, click the X to clear your filtered by alert criteria.
To display additional information about a specific alert, select the check box that corresponds to it. A preview pane opens.
When you select a single alert, a preview pane opens to show you details about the selected alert. The tabs that display depend on what data is available for the selected alert.
Details | This tab displays details about the URL that triggered the alert.
|
HTML | This tab is visible only if the alert includes these details. It shows you the raw HTML that was included in the alert. |
Data |
This tab is visible only if the alert includes these details. It shows you the raw HTML and other data that was extracted for further diagnosis of the alert condition. If the alert type is External Sources or Trojan Validator, this tab displays the malware detection alerts.If the alert type is External Sources, the alert type is 6 and the alert component is 5 and the value contains the forbidden added HTML element and its contents in escaped base64 format. If the alert type is Trojan Validator, the alert type is 6 and the alert component is 3. The value contains the bait signatures in escaped base64 format. |
About | This tab gives a brief summary of details about the alert type. |
Advanced | This tab displays the exact query that was sent in the alert. This information can be used to debug alerts and understand the cause of the alert. It is helpful for the Security Operations Center (SOC). |
Add an advanced query filter
Before you can perform this task, you must be logged in as Admin.
BIG-IQ® Fraud Protection Service provides a rich set of querying features that allow you to quickly and efficiently locate the alerts that you are interested in.
When you select the Filter button from an alerts screen, or when you select add/edit from the Saved Filters screen, you see a dialog box that allows you to specify what alerts you want to filter for.
The screen provides the most common filters in list and text boxes, but you can specify additional filters. The filters that display initially depend on the type of alert you are configuring.
Additional Query Parameters
If what you want can not be specified with the quick selections, you can use the query language. Available query parameters are listed here.
Parameter Name | What it means |
---|---|
category | The type of alert. Select one or more categories. If none are selected, the search will apply to all categories. |
alertUrl | Type the source URL that caused the alert. |
alertType | A specific type of alert within a category. |
device | A specific variation within a type of alert. |
component | A specific variation within a type of alert. |
domain | Type the domain of the site that was in use when the alert was sent. You can also type the domain of the phishing site, or the host of the site that was detected. |
clientIp | Type the IP address of the victim of the alert that you are interested in. |
details | This parameter can contain many different values depending on the type of alert. |
device | The device ID of the machine generating the alert (typically a mobile device). |
alertId | A unique ID configured on the BIG-IP® device for each virtual IP address. |
severity | Specifies the ID of the customer in the dashboard. When configuring a mobile security anti-fraud profile, you must ensure that the value you assign here for Alert Identifier is the same value used for VMobile's customer parameter in the init iOS method and Android constructor. |
status | The status assigned by the SOC. |
userAgent | The user browser type and operating system. |
continent | The continent code. |
country | The country code. |
region | The region code. |
language | User browser and OS language. |
referer | The URL of the site that was visited just before the alert URL was visited. |
uri | The URI to which the client requested to go. |
user | Type the name of the user that triggered the alert. |
guid | Type the unique identifier for the set of alerts that make up one session. |
rule | As set by the user in the rule. |
alertDetails | As set by the user in the rule. |
recommendation | As set by the user in the rule. |
date | You can specify last 2 weeks, last month, last three months, last six months or select a custom date range. If you only specify a start date, BIG-IQ® selects all alerts from the start date to the current date. |
cookie | Cookie information associated with this alert. |
dateType | Type the number of days back from which to start the query. |
Create and save a custom filter
Before you can perform this task, you must be logged in as Admin.
Change an alert status
Remove an alert
Before you can perform this task, you must be logged in as Admin.
Export an alert
Before you can perform this task, you must be logged in as Admin.
- At the top of the screen, click Monitoring.
- On the left, click Alerts. , and then click
- On the left, select the alert type that you want to export.
- Select the alert you wish to export, then click the More button, and select Export.
Signature files overview
FPS malware signatures allow the BIG-IP® system to discover generic malware targeting web sites and mobile apps, and enhances protection of your anti-fraud profile. It is important to help keep the fraud protection on your system up to date by updating malware signatures with a signature file provided by F5®.
Signature file updates can be downloaded from the F5 Update server or uploaded from a local server. The upload option is relevant in a case where F5 has provided you directly with a signature file update.
Signature file updates can be downloaded from the F5 update server either manually or automatically. If you choose the automatic download option, you can configure the time interval for the periodic updates.
Downloading a signature file from the F5 update server
You can check the status of the download by going to
and clicking on the name of the signature file in the list. If you chose the download and install option, check the status at .Uploading a signature file stored locally
Installing a signature file
Scheduling automatic signature file updates
Engine files overview
The FPS JavaScript Engine allows the BIG-IP® system to discover generic malware targeting web sites and mobile apps, and enhances protection of your anti-fraud profile. It is important to help keep the fraud protection on your system up to date by updating the engine with an engine file provided by F5®.
Engine file updates can be downloaded from the F5 update server or uploaded from a local server. The upload option is relevant in a case where F5 has provided you directly with an engine file update.
Downloading an engine file from the F5 update server
You can check the status of the download by going to
and clicking on the name of the engine file in the list. If you chose the download and install option, check the status at .