F5 Application Security Manager

About
Application Security Manager™ (ASM) is a web application firewall that secures web applications and protects them from vulnerabilities. ASM also helps to ensure compliance with key regulatory mandates, such as HIPAA and PCI DSS. The browser-based user interface provides network device configuration, centralized security policy management, and easy-to-read audit reports.
Product Details
Vendor URL: F5
Product Type: WAF
Product Tier: Tier II
Integration Method: Syslog
Log Guide: Event Messages and Attack Types
Parser Details
Log Format: CEF/SYSLOG/CSV
Expected Normalization Rate: 95%
Data Label: F5_ASM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| Accessencounterederror | security_result.rule_labels |
| anomalies | additional.fields |
| anomaly_categories | security_result.category_details |
| ApplicationName | target.application |
| attack_type | security_result.summary |
| AttackId | security_result.threat_id |
| AttackTriggerName | security_result.threat_name |
| auth | principal.user.userid |
| AVRProfileName | principal.resource.name |
| bigip_mgmt_ip | intermediary.ip |
| bot_name | additional.fields |
| browser_actual_verification_action | additional.fields |
| browser_configured_verification_action | additional.fields |
| CC | principal.location.country_or_region |
| class | additional.fields |
| client_ip | principal.ip |
| client_ip_geo_location | principal.location.country_or_region |
| context_name | intermediary.resource.name |
| context_type | intermediary.resource.resource_subtype |
| dest_host | target.hostname |
| dest_ip | target.ip |
| dest_port | target.port |
| device_version | metadata.product_version |
| ending | security_result.action_details |
| enforced_by | additional.fields |
| Entity | security_result.about.resource.name |
| errdefs_msgno | additional.fields |
| event_source | metadata.description |
| f5_host | intermediary.hostname |
| f5_severity | security_result.severity_details |
| f5_signature | security_result.rule_id |
| File | security_result.rule_labels |
| Function | security_result.rule_labels |
| HitCount | security_result.detection_fields |
| host | observer.ip |
| Host | target.hostname |
| hostname | intermediary.hostname |
| HTTP_PATH | target.process.file.full_path |
| http_protocol_info | network.application_protocol_version |
| http_request | network.http.method |
| ip_client | principal.ip |
| item | security_result.rule_name |
| Line | security_result.rule_labels |
| loglevel | security_result.severity_details |
| method | network.http.method |
| Module | security_result.detection_fields |
| path | security_result.rule_type |
| platform | principal.platform_version |
| policy_name | security_result.rule_name |
| principalId | principal.user.userid |
| profile_name | additional.fields |
| protocol | network.application_protocol |
| ProtocolName | network.application_protocol |
| reason | security_result.description |
| Referer | network.http.referral_url |
| req_status | security_result.action |
| request | target.url |
| resp_code | network.http.response_code |
| route_domain | additional.fields |
| rule | security_result.rule_id |
| server_ip | target.ip |
| server_port | target.port |
| session_id | network.session_id |
| severity | security_result.severity_details |
| source_ip | principal.ip |
| source_port | principal.port |
| ssl_cipher | network.tls.cipher |
| ssl_version | network.tls.version |
| ST | principal.location.state |
| status | security_result.summary |
| support_id | additional.fields |
| targetFile | target.file.full_path |
| TransactionOutcome | security_result.outcomes |
| uri | target.url |
| user_agent | network.http.user_agent |
| userId | principal.user.userid |
| username | principal.user.userid |
| verb | network.http.method |
| violations | security_result.summary |
| VipName | target.resource.name |
| virtual_ip | target.ip |
| virtual_name | target.resource.name |
| virtual_server | target.hostname |
| virtual_server_name | network.tls.client.server_name |
| virus_name | security_result.threat_name |
| vlan_name | additional.fields |
| VSName | additional.fields |
| x_id | principal.group.product_object_id |
| x_message | security_result.description |
| x_node_path | observer.hostname |
| x_tunnel_id | target.cloud.vpc.product_object_id |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| Connection logs | NETWORK_CONNECTION |
| Generic | GENERIC_EVENT |
| HTTP logs | NETWORK_HTTP |
| Updating client info | STATUS_UPDATE |
Log Sample
hostname="abc123.resources.example.com",bigip_mgmt_ip="10.140.228.133",bigip_mgmt_ip2="::",client_ip="10.159.128.99",client_ip_geo_location="CA",client_port="1700",client_request_uri="/trading/watch-list",configuration_date_time="Jan 24 2025 21:29:43",context_name="/PROD_WEB_FE/my.example.com",context_type="Virtual Server",dest_ip="10.168.9.211",dest_port="443",device_product="Application Security Module",device_vendor="F5",device_version="pgo_use x86_64 padc TMM Version 16.1.5.1.0.0.7 ",errdefs_msgno="23003147",http_method="GET",http_protocol_indication="HTTPS",http_protocol_info="HTTP/2, stream 1",route_domain="9",timestamp="Feb 05 2025 14:01:10",virtual_server_name="/PROD_WEB_FE/my.example.com",device_id="N/A",host="my.example.com",request_date_time="Feb 05 2025 09:01:10",profile_name="/PROD_WEB_FE/Verification",support_id="13732885663772128176",request_status="bot_signature",action="allow",reason="",previous_action="None",previous_support_id="N/A",previous_request_date_time="N/A",bot_signature="/PROD_WEB_FE/example Mobile Legacy",bot_signature_category="/Common/Mobile App without SDK",bot_name="/PROD_WEB_FE/example Mobile Legacy",session_id="0",class="Mobile Application",anomaly_categories="N/A",anomalies="N/A",additional_bot_signatures="N/A",micro_service_name="N/A",micro_service_type="N/A",micro_service_matched_wildcard_url="N/A",micro_service_hostname="N/A",configured_mitigation_action="None",configured_mitigation_action_reason="/PROD_WEB_FE/example Mobile Legacy",actual_mitigation_action="None",actual_mitigation_action_reason="None",browser_configured_verification_action="Mobile App Integrity Verification",browser_actual_verification_action="None",browser_actual_verification_action_reason="None",captcha_status="None",browser_verification_status="None",device_id_status="None",device_id_action="None",previous_initiated_action="None",previous_initiated_action_status="None",new_request_status="Accepted",enforced_by="Profile Mitigation and Verification Settings",mobile_is_app="true",challenge_failure_reason="",classification_reason="",client_type="Mobile Application",application_display_name="N/A",application_version="N/A",mobile_in_emulation_mode="N/A",os_name="N/A",jailbroken_or_rooted_device="N/A",mobile_debugger_enabled_device="N/A",imei="N/A",human_behaviour="N/A"
Sample Parsing
additional.fields["bot_name"] = "/PROD_WEB_FE/example Mobile Legacy"
additional.fields["browser_configured_verification_action"] = "Mobile App Integrity Verification"
additional.fields["class"] = "Mobile Application"
additional.fields["enforced_by"] = "Profile Mitigation and Verification Settings"
additional.fields["errdefs_msgno"] = "23003147"
additional.fields["profile_name"] = "/PROD_WEB_FE/Verification"
additional.fields["route_domain"] = "9"
additional.fields["support_id"] = "13732885663772128176"
intermediary.hostname = "abc123.resources.example.com"
intermediary.ip = "10.140.228.133"
intermediary.resource.name = "/PROD_WEB_FE/my.example.com"
intermediary.resource.resource_subtype = "Virtual Server"
metadata.event_type = "NETWORK_HTTP"
metadata.log_type = "F5_ASM"
metadata.product_name = "ASM"
metadata.vendor_name = "F5"
network.application_protocol = "HTTPS"
network.application_protocol_version = "HTTP/2, stream 1"
network.http.method = "GET"
network.session_id = "0"
network.tls.client.server_name = "/PROD_WEB_FE/my.example.com"
principal.ip = "10.159.128.99"
principal.location.country_or_region = "CA"
principal.port = 1700
security_result.action_details = "bot_signature"
security_result.action = "ALLOW"
security_result.severity = "LOW"
target.asset.ip = "10.168.9.211"
target.hostname = "my.example.com"
target.ip = "10.168.9.211"
target.port = 443
target.url = "/trading/watch-list"