Introduction
The tags beginning with waf.signalsciences identify events generated by Signal Sciences Web Application Firewall.
Valid tags and data tables
The full tag must have 3 levels. The first two are fixed as waf.signalsciences. The third level identifies the type of events sent.
Technology | Brand | Type | Subtype |
|---|---|---|---|
waf | signalsciences | request |
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
|---|---|
| waf.signalsciences.request | waf.signalsciences.request |
How is the data sent to Devo?
Logs generated by Signal Sciences Web Application Firewall are forwarded to Devo using a proprietary Apache nifi collector. Contact us if you need to forward these events to your Devo domain so we can guide you through the process.
Log samples
The following are sample logs sent to each of the waf.signalsciences data tables. Also, find how the information will be parsed in your data table under each sample log.
waf.signalsciences.request
{"id": "6091b7869681fb00060be02c", "serverHostname": "trafik", "remoteIP": "11.190.238.229", "remoteHostname": "private network host", "remoteCountryCode": "", "userAgent": "xhall", "timestamp": "2021-05-04T21:07:18Z", "method": "GET", "serverName": "yep.co", "protocol": "HTTP/1.1", "tlsProtocol": "", "tlsCipher": "", "path": "/originations/api/loans", "uri": "/originations/api/loans", "scheme": "http", "headersIn": [["Host", "yep.co"], ["Sec-Fetch-Site", "same-site"], ["X-Forwarded-Proto", "https"], ["Connection", "keep-alive"], ["Accept-Encoding", "gzip"], ["Accept-Language", "en-US"], ["Cookie", "redacted"], ["Sec-Fetch-Dest", "empty"], ["Sec-Fetch-Mode", "cors"], ["User-Agent", "xhall"], ["X-Forwarded-For", "11.190.238.229"], ["Accept", "application/json, text/plain, */*"], ["Referer", "https://yeps.co/"], ["X-Forwarded-Port", "443"], ["Origin", "https://yeps.co"]], "agentResponseCode": 200, "responseCode": 403, "responseSize": 405, "responseMillis": 53, "headersOut": [["Content-Encoding", "gzip"], ["Access-Control-Allow-Methods", "GET, POST, DELETE, PUT"], ["Content-Type", "text/html;charset=utf-8"], ["Date", "Tue, 04 May 2021 21:07:18 GMT"], ["Vary", "Accept-Encoding"], ["Access-Control-Allow-Credentials", "true"], ["Access-Control-Allow-Headers", "X-Requested-With, Content-Type, X-CommonBond, Content-Disposition"], ["Content-Length", "405"], ["Content-Language", "en"], ["Access-Control-Allow-Origin", "https://yeps.co"]], "summation": {"attrs": {"AllPreSignalsInformational": "false"}, "attacks": []}, "tags": [{"type": "site.from-common-cluster", "location": "", "value": "", "detector": "60171e83b98b5401e9857a93", "redaction": "", "link": ""}, {"type": "HTTP403", "location": "", "value": "403", "detector": "HTTPERROR", "redaction": "", "link": ""}]}
And this is how the log would be parsed:
Field | Value | Type |
|---|---|---|
hostchain |
|
|
hostname |
|
|
tag |
|
|
id |
|
|
serverHostname |
|
|
remoteIP |
|
|
remoteHostname |
|
|
remoteCountryCode |
|
|
userAgent |
|
|
timestamp |
|
|
method |
|
|
serverName |
|
|
protocol |
|
|
tlsProtocol |
|
|
tlsCipher |
|
|
path |
|
|
uri |
|
|
scheme |
|
|
headersIn |
|
|
agentResponseCode |
|
|
responseCode |
|
|
responseSize |
|
|
responseMillis |
|
|
headersOut |
|
|
summation__attrs__AllPreSignalsInformational |
|
|
summation__attacks |
|
|
tags |
|
|
rawMessage |
|
|