Applies To: BIG-IQ Centralized Management 5.4.0
Before you start managing alerts
Before you can start using Fraud Protection Service (FPS) to manage alerts, you need to deploy a data collection device (DCD) cluster. This cluster includes the BIG-IQ® Centralized Management devices and data collection devices needed to manage and store the alert data generated from your BIG-IP® devices. Additionally, you need to configure your BIG-IP devices to send their FPS alerts to the DCD cluster. These tasks are detailed in the document Planning and Implementing an F5® BIG-IQ® Centralized Management Deployment.
Configure a web service
Before you can perform this task, you must be logged in as Admin and, if you plan to use a proxy for WebService traffic, you must have configured a proxy server that your data collection device cluster can access.
Create an alert transform rule
Before you can perform this task, you must be logged in as Admin.
An alert transform rule is used to modify alerts matching a set of criteria. It might take a few minutes after alert transform rules are created before they take effect.
When you create an alert transform rule, you define a set of criteria that tells your system what to do with incoming alerts. For example, a rule might match when the system finds a particular string in the alert query that indicates generic malware. If an alert matches all of the criteria that you set up, the system changes the alert severity, details, recommendation, and status. You can use alert transform rules to ignore a type of alert that is harmless, or to give an alert a higher severity and change the alert status to Monitor.
Creating a schedule to download alert transform rules from the SOC
- Total Rules: The total number of transform rules that were received in the download.
- Total Rules Ignored: The total number of rules that were ignored for either of the following reasons:
  - The rule is not associated with the account that performed the download.
  - Validation of the rule failed.
- Total Rules Updated: The total number of rules that were received in a previous download and were updated in the latest download.
Importing a CSV file with alert rules
Importing alert transform rules from a CSV file is helpful if you do not want to schedule a download of the alert transform rules from the Security Operations Center (SOC) over the Internet.
You can save alert rules (called signatures) from the SOC into a CSV file, then use the steps in this task to import the CSV file into FPS.
Modifying alert forwarding rules
Before you can perform this task, you must be logged in as Admin, and if you plan to use a proxy to forward custom alerts, you must have configured a proxy server that your Data Collection Device cluster can access.
- At the top of the screen, click Monitoring.
- On the left, expand Alert Forwarding Rules, and then click
- On the Alert Forwarding Rules screen, select an action as appropriate:
  - To view details for an alert forwarding rule, click the rule name.
  - To create an alert forwarding rule, click Create.
  - To clone an alert forwarding rule, select the check box by the rule and click Clone.
  - To delete an alert forwarding rule, select the check box by the rule and click Delete.
  - To enable an alert forwarding rule, select the check box by the rule and click Enable.
  - To disable an alert forwarding rule, select the check box by the rule and click Disable.
- On the New Alert Forwarding Rules screen, fill in the settings as needed:
  - For Forwarding Rule Name, type a name for the alert rule.
  - For Description, type a description of the alert rule.
  - For Status, select the Enabled check box to forward alerts.
- On the left, click Alerts Matching, and fill in the settings as needed:
- On the left, click Notification Targets and select one or more means for forwarding alerts.
- Click Save & Close.
WebService forwarding method detail
Email forwarding method detail
Syslog forwarding method detail
Custom forwarding method detail
Supported forwarding method variables
There are a number of forwarding method variables that you can use when you create an alert rule.
Variable Name | Alert Field
---|---
Account ID | {accountid} |
Account Name | {account} |
Alert Date (dd.mm.yyyy hh:mm) | {date} |
Alert Date (yyyy-mm-dd hh:mm:ss) | {datefull} |
Alert Date (Unix Timestamp) | {unixdate} |
Alert Domain | {domain} |
Alert Name | {name} |
Alert Severity | {severity} |
Alert Query | {query} |
Alert Recommendation | {recommendation} |
Alert Status (Numeric) | {statusid} |
Alert Status (Textual) | {status} |
Alert Type | {type} |
Alert URL | {url} |
Alert GUID | {guid} |
Alert Referer | {referer} |
Alert Details | {details} |
Application Cookies | {session_data} |
Authentication Token (For CustomWS Notifications) | {token} |
Client Host Name | {hostname} |
Client IP | {ip} |
Client Language | {language} |
Client Proxy Host Name | {proxyname} |
Client Proxy IP | {proxy} |
Client Username | {user} |
Client User Agent | {agent} |
Client Country | {geoip_country} |
Client City | {geoip_city} |
Client Device ID | {device_id} |
Client Device Parameters | {device_params} |
Full Alert HTML Data | {ht_data} |
MD5 of Full Alert HTML | {ht} |
MD5 of Minimal Alert HTML | {min} |
Minimal Alert HTML Data | {min_data} |
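The following is an added example, not F5's code, that puts the two mechanisms described above together: an alert transform rule whose criteria must all match before it changes severity, status and recommendation, and a forwarding template rendered with the variables from the table. The sample alert, the severity labels, and case-insensitive substring matching for rule criteria are assumptions; the stripping of control characters from client-supplied fields before forwarding is a defender's precaution the page does not describe.

```python
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample alert (not real FPS data). Keys follow the variable
# table above; severity labels and the sample values are assumptions.
SAMPLE_ALERT = {
    "accountid": 1234, "account": "retail-bank", "name": "Generic Malware",
    "severity": "Medium", "status": "New", "ip": "198.51.100.7",
    "query": "user=alice&inject=1", "details": "", "recommendation": "",
    "agent": "Mozilla/5.0\r\nfake-second-line", "unixdate": 1700000000,
    "ht_data": "<html><body>alert page</body></html>",
}

# A transform rule: every criterion must match before the "set" fields apply
# (case-insensitive substring match on the named field is an assumption).
TRANSFORM_RULES = [
    {"criteria": {"name": "malware", "query": "inject="},
     "set": {"severity": "High", "status": "Monitor",
             "recommendation": "Generic malware indicator in query; monitor session"}},
]

def apply_transform_rules(alert, rules):
    """Return a copy of the alert with the first fully matching rule applied."""
    out = dict(alert)
    for rule in rules:
        if all(str(v).lower() in str(out.get(k, "")).lower()
               for k, v in rule["criteria"].items()):
            out.update(rule["set"])
            break
    return out

def derived_fields(alert):
    """Fill the date variants and the MD5 variable from the base fields."""
    ts = datetime.fromtimestamp(alert["unixdate"], tz=timezone.utc)
    return {
        "date": ts.strftime("%d.%m.%Y %H:%M"),
        "datefull": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "ht": hashlib.md5(alert["ht_data"].encode()).hexdigest(),
    }

_CTRL = re.compile(r"[\x00-\x1f\x7f]+")

def render(template, alert):
    """Substitute {variable} placeholders. Client-supplied values (query, agent,
    referer, ...) have control characters collapsed to a space so one alert
    cannot arrive as several syslog lines; unknown variables are left as-is."""
    fields = {**alert, **derived_fields(alert)}
    def sub(m):
        key = m.group(1)
        return _CTRL.sub(" ", str(fields[key])) if key in fields else m.group(0)
    return re.sub(r"\{(\w+)\}", sub, template)
```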
Add a fraud protection account
You create Fraud Protection accounts in order to receive alerts related to alert identifiers that have been configured on the BIG-IP® system. You can then assign BIG-IQ® users to limit their view of alerts and rules.
Accounts are used to filter alerts, alert transform rules, and forwarding rules based on the alert ID configured on the BIG-IP system. Each FPS account has an account ID, and every alert has an account ID field. You can view only the alerts whose account ID field matches an FPS account ID to which your user login has been assigned access.
The account name you give is displayed in place of the alert ID. If you configure an account, set the default view for each user that you assign to the account. Alert transform rules and forwarding rules that have an account are applied to alerts with the matching alert ID. If no accounts are assigned, then all alerts are considered.