
Introduction

The tags beginning with waf.fastly identify events generated by Fastly.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as waf.fastly. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Fastly Next-Gen WAF | waf.fastly.nextgen_waf.site_activity.corp.site | waf.fastly.nextgen_waf.corp_activity |
| | | waf.fastly.nextgen_waf.corp_event |
| | | waf.fastly.nextgen_waf.request_feed |
| | | waf.fastly.nextgen_waf.site_activity |

For more information, read About Devo tags.

Table structure

These are the fields displayed in these tables:

waf.fastly.nextgen_waf.corp_activity

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| hostname | str | |
| id | str | |
| event_type | str | |
| msg_data__corp_name | str | |
| msg_data__detail_link | str | |
| msg_data__email | str | |
| msg_data__token_name | str | |
| msg_data__user_agent | str | |
| msg_data__inviter_email | str | |
| msg_data__inviter_name | str | |
| msg_data__recipient_email | str | |
| msg_data__role | str | |
| msg_data__site_roles | str | |
| msg_data__site_word | str | |
| message | str | |
| attachments | str | |
| created | timestamp | |
| at_devo_environment | str | |
| at_devo_pulling_id | str | |
| corp_name | str | |
| site | str | |
| rawMessage | str | |
| hostchain | str | |
| tag | str | |

waf.fastly.nextgen_waf.corp_event

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| id | str | | | |
| timestamp | timestamp | | | |
| source_ip4 | ip4 | ip4(source) | source | |
| source_ip6 | ip6 | ip6(source) | source | |
| remote_country_code | str | | | |
| remote_hostname | str | | | |
| user_agents | str | | | |
| action | str | | | |
| threat_type | str | | | |
| reasons_sqli | int4 | | | |
| reasons_xss | int4 | | | |
| reasons_cmdexe | int4 | | | |
| reasons_traversal | int4 | | | |
| request_count | int4 | | | |
| tag_count | int4 | | | |
| window | int4 | | | |
| expires | timestamp | | | |
| expired_by | str | | | |
| at_devo_environment | str | | | |
| at_devo_pulling_id | str | | | |
| detected_timestamp | timestamp | | | |
| alert_id | str | | | |
| example_request__id | str | | | |
| example_request__server_hostname | str | | | |
| example_request__remote_ip4 | ip4 | ip4(example_request__remote_ip) | example_request__remote_ip | |
| example_request__remote_ip6 | ip6 | ip6(example_request__remote_ip) | example_request__remote_ip | |
| example_request__remote_hostname | str | | | |
| example_request__remote_country_code | str | | | |
| example_request__user_agent | str | | | |
| example_request__timestamp | timestamp | | | |
| example_request__method | str | | | |
| example_request__server_name | str | | | |
| example_request__protocol | str | | | |
| example_request__tls_protocol | str | | | |
| example_request__tls_cipher | str | | | |
| example_request__path | str | | | |
| example_request__uri | str | | | |
| example_request__scheme | str | | | |
| example_request__headers_in | str | | | |
| example_request__agent_response_code | int4 | | | |
| example_request__response_code | int4 | | | |
| example_request__response_size | int4 | | | |
| example_request__response_millis | int4 | | | |
| example_request__headers_out | str | | | |
| example_request__summation__attacks | str | | | |
| example_request__tags | str | | | |
| corp_name | str | | | |
| site | str | | | |
| rawMessage | str | | | |
| hostchain | str | | | |
| tag | str | | | |

waf.fastly.nextgen_waf.request_feed

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| id | str | | | |
| server_hostname | str | | | |
| remote_ip4 | ip4 | ip4(remote_ip) | remote_ip | |
| remote_ip6 | ip6 | ip6(remote_ip) | remote_ip | |
| remote_hostname | str | | | |
| remote_country_code | str | | | |
| user_agent | str | | | |
| timestamp | timestamp | | | |
| method | str | | | |
| server_name | str | | | |
| protocol | str | | | |
| file_path | str | | | |
| uri | str | | | |
| response_code | int4 | | | |
| response_size | int4 | | | |
| response_millis | int4 | | | |
| agent_response_code | int4 | | | |
| tags | str | | | |
| detected_timestamp | timestamp | | | |
| source_ip4 | ip4 | ip4(source) | source | |
| source_ip6 | ip6 | ip6(source) | source | |
| user_agents | str | | | |
| action | str | | | |
| threat_type | str | | | |
| reasons_sqli | int4 | | | |
| reasons_cmdexe | int4 | | | |
| reasons_traversal | int4 | | | |
| reasons_useragent | int4 | | | |
| reasons_xss | int4 | | | |
| request_count | int4 | | | |
| tag_count | int4 | | | |
| window | int4 | | | |
| expires | timestamp | | | |
| expired_by | str | | | |
| alert_id | str | | | |
| example_request__id | str | | | |
| example_request__server_hostname | str | | | |
| example_request__remote_ip4 | ip4 | ip4(example_request__remote_ip) | example_request__remote_ip | |
| example_request__remote_ip6 | ip6 | ip6(example_request__remote_ip) | example_request__remote_ip | |
| example_request__remote_hostname | str | | | |
| example_request__remote_country_code | str | | | |
| example_request__user_agent | str | | | |
| example_request__timestamp | timestamp | | | |
| example_request__method | str | | | |
| example_request__server_name | str | | | |
| example_request__protocol | str | | | |
| example_request__tls_protocol | str | | | |
| example_request__tls_cipher | str | | | |
| example_request__path | str | | | |
| example_request__uri | str | | | |
| example_request__scheme | str | | | |
| example_request__headers_in | str | | | |
| example_request__agent_response_code | int4 | | | |
| example_request__response_code | int4 | | | |
| example_request__response_size | int4 | | | |
| example_request__response_millis | int4 | | | |
| example_request__headers_out | str | | | |
| example_request__summation__attacks | str | | | |
| example_request__tags | str | | | |
| at_devo_environment | str | | | |
| at_devo_pulling_id | str | | | |
| corp_name | str | | | |
| site | str | | | |
| rawMessage | str | | | |
| hostchain | str | | | |
| tag | str | | | |

waf.fastly.nextgen_waf.site_activity

| Field | Type | Field transformation | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | timestamp | | | |
| hostname | str | | | |
| id | str | | | |
| event_type | str | | | |
| msg_data__ip4 | ip4 | ip4(msg_data__ip) | msg_data__ip | |
| msg_data__ip6 | ip6 | ip6(msg_data__ip) | msg_data__ip | |
| msg_data__affected_tags | str | | | |
| msg_data__agent_action | str | | | |
| msg_data__alert_action | str | | | |
| msg_data__analyze_duration | str | | | |
| msg_data__attacks | str | | | |
| msg_data__corp | str | | | |
| msg_data__country_name | str | | | |
| msg_data__detail_link | str | | | |
| msg_data__duration | str | | | |
| msg_data__event_date | timestamp | parsedate(replace(replace(msg_data__event_date_str, " at", ""), " UTC", ""), "MMM DD, YYYY HH:mm", "UTC") | msg_data__event_date_str | |
| msg_data__event_host | str | | | |
| msg_data__formatted_tags | str | | | |
| msg_data__id | str | | | |
| msg_data__malicious_requests | str | | | |
| msg_data__overlap_check | str | | | |
| msg_data__rule_detail | str | | | |
| msg_data__site | str | | | |
| message | str | | | |
| created | timestamp | | | |
| at_devo_environment | str | | | |
| at_devo_pulling_id | str | | | |
| attachments | str | | | |
| corp_name | str | | | |
| site | str | | | |
| rawMessage | str | | | |
| hostchain | str | | | |
| tag | str | | | |
