WAF Insights does not support automation via our REST API web service. If you are currently using WAF Insights, upgrade your WAF solution to take advantage of our REST API.
The following endpoints automate the administration of WAF.
Type | Description | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security Application Manager |
A Security Application Manager configuration:
Endpoints: |
||||||||||||
Access Rules |
An access rule identifies valid requests and threats via whitelists, accesslists, and blacklists. Endpoints: |
||||||||||||
Bot Rule Sets |
A bot rule set contains one or more bot rules. Each bot rule defines the set of requests that will require a client (e.g., a web browser) to solve a challenge before resolving the request. Endpoints: |
||||||||||||
Rate Rules |
A rate rule determines the maximum number of requests that will be allowed within a given time period. Endpoints: |
||||||||||||
Custom Rule Sets |
A custom rule set defines custom threat assessment criterion. Endpoints: |
||||||||||||
Managed Rules |
A managed rule identifies a rule set configuration and describes a valid request. Endpoints: |
||||||||||||
Threats Event Log |
The following endpoints retrieve WAF threat event log information:
|
||||||||||||
Rates Event Log |
The following endpoints retrieve event log information on rate limited requests:
|
Although the above endpoints may be used to automate many different aspects of WAF configuration, the primary purpose of these endpoints is to provide the means to automatically update it to adapt to a changing threat landscape.
The basic workflow for automated threat mitigation is:
|
Phase | Description |
---|---|---|
1 |
Threat Detection |
A noticeable increase in malicious threats to your site is detected. This increase may be detected by using one or more of the following tools:
|
2 |
Threat Identification |
Analyze traffic patterns to identify the source of the malicious attack. Example: For example, a sudden increase in traffic from a single IP address may be indicative of a malicious bot. If WAF is currently configured to audit traffic instead of blocking it, this may be detected by analyzing the response for the Get Top Event Log Entries endpoint. A sample request that returns the top IP addresses that are generating traffic to your origin servers is shown below. GET https://api.edgecast.com/v2/mcc/customers/0001/waf/eventlogs/top?field=Client%20IP&start_time=2016-02-23&end_time=2016-02-24 HTTP/1.1
|
3 |
Threat Mitigation |
Update each relevant configuration so that it automatically detects and blocks the source of this application layer attack. Validate that a change will not negatively impact production traffic by auditing traffic using the desired configuration. Configure how traffic will be audited by defining acl_audit_id, profile_audit_id, and rules_audit_id within the desired Security Application Manager configuration via the Manage All Security Application Manager Configurations (Scopes) endpoint. These properties identify how traffic will be audited via an access control list configuration, request profile, and a custom rule set, respectively. The recommended method for updating your configuration via a script is described below.
|