ThreatX WAF
About
A cloud-native, next-gen managed WAF designed to simplify protecting multi-cloud environments against sophisticated security threats. It gives instant visibility into potential attacks against your APIs and applications.
Product Details
Vendor URL: ThreatX WAF
Product Type: Web Access Firewall
Product Tier: Tier II
Integration Method: Syslog
Log Guide: ThreatX Log Guide
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: THREATX_WAF
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| action | security_result.action_details |
| app_name | target.application |
| content_type | target.file.mime_type |
| contrib_score | security_result.confidence_details |
| dst_host | target.hostname |
| ip | principal.ip |
| matches.classification | security_result.threat_name |
| matches.description | metadata.description |
| matches.state | security_result.summary |
| message | target.file.full_path |
| msg_id | metadata.product_log_id |
| msg_type | metadata.product_event_type |
| request_id | network.session_id |
| request_method | network.http.method |
| risk | security_result.priority_details |
| rules.classification | security_result.description |
| rules.description | security_result.rule_name |
| tls_fingerprint | additional.fields |
| uri | target.url |
| user_agent | network.http.user_agent |
| username | principal.user.userid |
Product Event Types

| Event | UDM Event Classification |
|---|---|
| BlockEvent | NETWORK_HTTP |
| Generic | GENERIC_EVENT |
Log Sample
{"version":1,"severity":6,"facility":1,"priority":14,"subscription_id":"threatx/waf/ex","enterprise_id":null,"app_name":"ThreatX","hostname":"syslog.threatx.io","pid":null,"msg_id":"123a456b789c123","message":"api.example.com/feed/updatefeediteminteraction","msg_type":"MatchEvent","timestamp":"2024-03-04T18:54:41Z","request_id":"98765432112345678912345","user_agent":"example/4.48.0 android/13 example/EX-123","matches":[{"id":12345,"description":"Bad Request Format: 3 HTTP status 400 in 60 seconds","classification":"ErrorRate","state":"Scanning","contrib_score":100,"risk":20,"blocking":false,"beta":false}],"ip":"10.1.1.1","dst_host":"api.example.com","uri":"/feed/updatefeediteminteraction","args":"","status_code":400,"ssl":true,"risk":20,"request_method":"POST","content_type":"application/json; charset=UTF-8","content_length":65,"response_length":224,"upstream_response_time":0,"postblock_event":false,"random_id":0,"tls_fingerprint":"772,4865-4866-4867-49195-49196-52393-49199-49200-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-51-45-43-21,29-23-24,:123456789","cookie":null,"js_fingerprint":0}
Sample Parsing
additional.fields["tls_fingerprint"] = "123,1234-1234-1234-12345-12345-12345-12345-12345-12345-12345-12345-123-123-12-12,0-12-1234-0-0-0-0-0-0-0-0-0-0,0-0-0,:123456789"
metadata.description = "Bad Request Format: 3 HTTP status 400 in 60 seconds"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "THREATX_WAF"
metadata.product_event_type = "MatchEvent"
metadata.product_log_id = "123a456b789c123"
metadata.product_name = "ThreatX WAF"
metadata.vendor_name = "ThreatX WAF"
network.http.method = "POST"
network.http.user_agent = "example/4.48.0 android/13 example/EX-123"
network.session_id = "98765432112345678912345"
principal.ip = "10.1.1.1"
principal.hostname = "syslog.threatx.io"
security_result.action = "ALLOW"
security_result.confidence_details = "100"
security_result.priority_details = "14"
security_result.severity_details = "6"
security_result.summary = "Scanning"
security_result.threat_name = "ErrorRate"
target.application = "ThreatX"
target.file.full_path = "api.example.com/feed/updatefeediteminteraction"
target.file.mime_type = "application/json; charset=UTF-8"
target.hostname = "api.example.com"
target.url = "/feed/updatefeediteminteraction"
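The following Python is an added worked example, not ThreatX's or the SIEM's own parser code. It re-implements the field table and event-type table above over a record reduced from the page's Log Sample, so you can see how the nested `matches` array is flattened, how null source fields (`cookie`, `username`) are dropped rather than emitted, and how a batch normalization rate is measured against the expected 100%. Three things are assumptions, not taken from the page: `security_result.action` is derived from `matches[].blocking`; only the first match fills the flat `security_result` fields (a production parser would emit one `security_result` per match); and the `hostname` and `severity` mappings come from the Sample Parsing section rather than the table. Note that the example follows the table, so `risk` lands in `security_result.priority_details`, whereas the Sample Parsing section shows the syslog `priority` value there; check which your deployed parser emits before building detections on that field.

```python
import json

# Constructed sample record, reduced from the page's Log Sample to the fields used below.
SAMPLE_LOG = """{"severity":6,"priority":14,"app_name":"ThreatX","hostname":"syslog.threatx.io",
"msg_id":"123a456b789c123","message":"api.example.com/feed/updatefeediteminteraction",
"msg_type":"MatchEvent","request_id":"98765432112345678912345",
"user_agent":"example/4.48.0 android/13 example/EX-123",
"matches":[{"id":12345,"description":"Bad Request Format: 3 HTTP status 400 in 60 seconds",
"classification":"ErrorRate","state":"Scanning","contrib_score":100,"risk":20,"blocking":false}],
"ip":"10.1.1.1","dst_host":"api.example.com","uri":"/feed/updatefeediteminteraction",
"status_code":400,"risk":20,"request_method":"POST",
"content_type":"application/json; charset=UTF-8","tls_fingerprint":"772,4865-4866,0-23,29-23,:123456789",
"cookie":null,"username":null}"""

# Top-level source fields -> UDM fields, per the page's field table.
FLAT_FIELDS = {
    "action": "security_result.action_details",
    "app_name": "target.application",
    "content_type": "target.file.mime_type",
    "dst_host": "target.hostname",
    "ip": "principal.ip",
    "message": "target.file.full_path",
    "msg_id": "metadata.product_log_id",
    "msg_type": "metadata.product_event_type",
    "request_id": "network.session_id",
    "request_method": "network.http.method",
    "risk": "security_result.priority_details",
    "uri": "target.url",
    "user_agent": "network.http.user_agent",
    "username": "principal.user.userid",
}
# Fields read from each element of the "matches" array, per the same table.
MATCH_FIELDS = {
    "classification": "security_result.threat_name",
    "description": "metadata.description",
    "state": "security_result.summary",
    "contrib_score": "security_result.confidence_details",
}
# Mappings visible in the page's Sample Parsing section but absent from the table (assumed).
EXTRA_FIELDS = {"hostname": "principal.hostname", "severity": "security_result.severity_details"}
# Product event type -> UDM classification; anything else becomes GENERIC_EVENT.
EVENT_TYPES = {"BlockEvent": "NETWORK_HTTP"}


def normalize(raw_line):
    """Return a flat UDM-style dict for one ThreatX JSON record, or None if it cannot be parsed."""
    try:
        record = json.loads(raw_line)
    except json.JSONDecodeError:
        return None
    if not isinstance(record, dict):
        return None
    udm = {
        "metadata.log_type": "THREATX_WAF",
        "metadata.vendor_name": "ThreatX WAF",
        "metadata.product_name": "ThreatX WAF",
        "metadata.event_type": EVENT_TYPES.get(record.get("msg_type"), "GENERIC_EVENT"),
    }
    for src, dst in {**FLAT_FIELDS, **EXTRA_FIELDS}.items():
        value = record.get(src)
        if value not in (None, ""):  # null/empty source fields are skipped, not emitted
            udm[dst] = str(value)
    matches = record.get("matches") or []
    if matches:
        # Assumption: the first match fills the flat fields, mirroring the single-match sample.
        for src, dst in MATCH_FIELDS.items():
            value = matches[0].get(src)
            if value not in (None, ""):
                udm[dst] = str(value)
    # Assumption (not stated on the page): the action is BLOCK when any match was blocking.
    udm["security_result.action"] = "BLOCK" if any(m.get("blocking") for m in matches) else "ALLOW"
    if record.get("tls_fingerprint"):
        udm["additional.fields"] = {"tls_fingerprint": record["tls_fingerprint"]}
    return udm


def normalize_batch(lines):
    """Normalize many raw lines; return (events, rate) to compare with the expected 100% rate."""
    raw = [line for line in lines if line.strip()]
    events = [e for e in (normalize(line) for line in raw) if e is not None]
    rate = len(events) / len(raw) if raw else 0.0
    return events, rate


if __name__ == "__main__":
    for key, value in sorted(normalize(SAMPLE_LOG).items()):
        print(f"{key} = {value!r}")
```

Feeding a malformed line through `normalize_batch` shows the rate dropping below 100%, which is the quickest way to spot a forwarder that wraps the JSON in a syslog prefix the parser does not expect.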