In my previous blog I looked at un-applied policies, disabled rules, and policies with no alerts. This blog will now look at alerts, one of the most critical functionalities of your WAF Gateway. Many alerts may be generated simultaneously, however, managing these alerts does not need to be overwhelming. In this blog post, I aim to simplify the management of WAF Gateway alerts by laying out the workflow step by step. If you have questions or comments, I'd love to hear them in the comments section below.
A single security attack might contain a long sequence of violations, each generating an individual alert and resulting in an alert storm. To correlate alerts into a logical group, prevent alert storms and assist in identifying attacks, On-Premises WAF aggregates violations based on attack type, then displays aggregated violations as an alert in the Alerts window.
The following is an overview of the workflow for working with alerts:
- Scan for alerts with high severity in the Alerts window.
2. View alert descriptions and other details and try to understand what sort of a threat it poses.
3. Try to determine if the alert is a false-positive.
4. If the alert seems important, click the alert to display the violations that generated the alert in the details pane, and analyze its content.
5. If you believe an alert deserves further examination, you can view violation details by right-clicking and opening the corresponding violations.
6. Determine if the violations generating the alert pose a threat. Take action such as:
a) adding an exception,
b) modifying the policy that generated the alert to match the desired treatment of similar events in the future,
c) or adding the behaviour to the On-Premises WAF profile.
7. Additionally, you can flag the alert to assist in management. You can flag alerts as Important, Acknowledged or Dismissed.
8. Finally, you can delete alerts to remove them from the Alerts window. Alerts are permanently deleted, though their source violations are always preserved in the system.
WAF Gateway aggregates violations and presents them as alerts, making the alerts easier to manage. By following the workflow outlined in this blog post, you can effectively manage alerts and protect your system against threats. Remember to take action when necessary, flag alerts for easy management, or delete ineffective alerts. With these best practices in mind, you can ensure that you have optimized your system and reduced long term effort.