

Wallarm

About

Wallarm gives you the tools to respond effectively to security threats, offering in-depth data, broad integrations, and blocking mechanisms. It presents detailed information first, helping security analysts gauge a threat's nature and severity.

Product Details

Vendor URL: Wallarm

Product Type: WAAP

Product Tier: Tier III

Integration Method: Webhook

Log Guide: Notification Format

Parser Details

Log Format: JSON

Expected Normalization Rate: 100%

Data Label: WALLARM_NOTIFICATIONS

UDM Fields (list of all UDM fields used by the parser):

Log File Field UDM Field
caused_by_email principal.email
caused_by_username principal.user.user_display_name
client_name principal.hostname
cloud principal.location.name
creator_email principal.email
creator_name principal.user.userid
data.action security_result.action_details
data.entity.id target.resource.id
data.entity.ip target.ip
data.object_type target.resource.resource_subtype
data.object_userid target.user.userid
hit.block_status security_result.category_details
hit.brute_counter security_result.threat_id
hit.domain target.domain.name
hit.domain target.port
hit.id security_result.detection_fields
hit.lom_id security_result.rule_id
hit.method network.http.method
hit.object_type target.resource.resource_subtype
hit.parameter security_result.rule_labels
hit.path target.resource.name
hit.path target.file.full_path
hit.payloads security_result.detection_fields
hit.point target.resource.attribute.labels
hit.probability security_result.confidence_score
hit.protocol additional.fields
hit.proxy_type additional.fields
hit.regex_hash additional.fields
hit.remote_addr4 principal.ip
hit.remote_country principal.location.country_or_region
hit.remote_port principal.port
hit.request_id metadata.product_log_id
hit.request_time network.session_duration
hit.response_status network.http.response_code
hit.tor additional.fields
hit.type security_result.threat_name
hit.wallarm_mode security_result.action_details
notification_type metadata.product_event_type
requests_per_hour security_result.detection_fields
role target.user.attribute.roles
summary metadata.description
trigger.actions.actions_nested_data security_result.action_details
trigger.condition additional.fields
trigger.description security_result.summary
trigger.name security_result.rule_name
user_email target.user.email_addresses
user_name target.user.userid
vuln_link extensions.vulns.vulnerabilities.vendor_knowledge_base_article_id
vuln_link metadata.url_back_to_product
vuln.discovered_by principal.resource.name
vuln.domain target.domain.name
vuln.id extensions.vulns.vulnerabilities.id
vuln.method network.http.method
vuln.path target.file.full_path
vuln.threat extensions.vulns.vulnerabilities.severity_details
vuln.title extensions.vulns.vulnerabilities.name
vuln.type extensions.vulns.vulnerabilities.description

Product Event Types

Event UDM Event Classification
create_user USER_CREATION
Generic GENERIC_EVENT

Log Sample

{"details":{"client_name":"example_Prod","cloud":"US","hit":{"anomaly":0.4441558441558442,"applications":["default"],"block_status":"monitored","brute_counter":"b:43334:a1234567abcdefg12345","create_time":1726140003,"datacenter":"linode","domain":"autodiscover.example.com","final_wallarm_mode":"monitoring","heur_distance":24.42857142857143,"id":["hits_production_43334_202409_v_1","ABCDEFGHIJKLM"],"libproton_version":"5.0.0","lom_id":1384,"method":"POST","object_type":"hit","parameter":"POST_JSON_DOC_HASH_query_value","path":"/v1/graph","payloads":["ery{__schema {queryType { n"],"point":["post","json_doc","hash","query"],"probability":24.42857142857143,"protocol":"rest","proxy_type":"DCH","regex":[],"regex_hash":-1234567890,"remote_addr4":"10.79.102.36","remote_addr6":null,"remote_country":"US","remote_port":0,"request_id":"eca191b83d3baf535cb352a304efc757","request_time":1726139992,"response_len":0,"response_status":0,"response_time":0,"stamps":[2676,8413],"stamps_hash":-1978666000,"tor":"none","type":"nosqli","wallarm_mode":"block"},"notification_type":"new_hits"},"summary":"[example] New hit detected"}

Sample Parsing

additional.fields["API Protocol"] = "rest"
additional.fields["Proxy Type"] = "DCH"
additional.fields["Regex Hash"] = "-1234567890"
additional.fields["tor"] = "none"
metadata.description = "[example] New hit detected"
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "WALLARM_NOTIFICATIONS"
metadata.product_event_type = "new_hits"
metadata.product_log_id = "eca191b83d3baf535cb352a304efc757"
metadata.vendor_name = "Wallarm"
network.http.method = "POST"
network.session_duration = "1726139992s"
principal.hostname = "example_Prod"
principal.ip = "10.79.102.36"
principal.location.country_or_region = "US"
principal.location.name = "US"
security_result.action_details = "block"
security_result.category_details = "monitored"
security_result.confidence_score = 24.428572
security_result.detection_fields.key = "Hit ID"
security_result.detection_fields.value = "hits_production_43334_202409_v_1"
security_result.detection_fields.key = "Hit ID"
security_result.detection_fields.value = "ABCDEFGHIJKLM"
security_result.detection_fields.key = "Payload"
security_result.detection_fields.value = "ery{__schema {queryType { n"
security_result.rule_id = "1384"
security_result.rule_labels.key = "parameter"
security_result.rule_labels.value = "POST_JSON_DOC_HASH_query_value"
security_result.threat_id = "b:43334:a1234567abcdefg12345"
security_result.threat_name = "nosqli"
target.domain.name = "autodiscover.example.com"
target.file.full_path = "/v1/graph"
target.resource.attribute.labels.key = "Point"
target.resource.attribute.labels.value = "post"
target.resource.attribute.labels.key = "Point"
target.resource.attribute.labels.value = "json_doc"
target.resource.attribute.labels.key = "Point"
target.resource.attribute.labels.value = "hash"
target.resource.attribute.labels.key = "Point"
target.resource.attribute.labels.value = "query"
target.resource.name = "/v1/graph"
target.resource.resource_subtype = "hit"