
Quick Start Security for Fastly SigSci WAF

Fastly SigSci WAF

Coralogix Extension For Fastly SigSci WAF Includes:

Dashboards - 1

Gain instantaneous visualization of all your Fastly SigSci WAF data.

Fastly SigSci WAF - Overview

Alerts - 10

Stay on top of Fastly SigSci WAF key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Common Vulnerability Attack

This alert fires when logs containing triggered WAF rules mention a CVE, over a determined period of time, in the context of a single source IP address.

Impact
Depends on the CVE mentioned; requires investigation.

Mitigation
Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs, and the agent and origin response codes.

SQLi Attack

This alert detects when a SQL Injection (SQLi) attack may be taking place, based on triggered WAF rules that contain a set of keywords representing SQLi attacks, over a determined period of time, in the context of a single IP address.

Impact
May indicate an SQLi attack, which can have serious consequences for an organization, including data breach, application disruption, and unauthorized access to organizational assets.

Mitigation
Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs, and the agent and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1059

XSS Attack

This alert detects when a Cross-Site Scripting (XSS) attack may be taking place, based on triggered WAF rules that contain a set of keywords representing XSS attacks, over a determined period of time, in the context of a single IP address.

Impact
May indicate an XSS attack, which can have serious consequences for an organization, such as data theft, privacy breach, and reputation damage.

Mitigation
Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs, and the agent and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1190

Remote Command Execution Attack

This alert detects when a Remote Code Execution (RCE) attack may be taking place, based on triggered WAF rules that contain a set of keywords representing RCE attacks, over a determined period of time, in the context of a single IP address.

Impact
May indicate an RCE attack, in which assets may be compromised by malicious actors.

Mitigation
Validate the requests intercepted by the WAF. If they seem suspicious, investigate further by examining the source IPs, request URLs, and the agent and origin response codes.

MITRE Tactic: TA0001
MITRE Technique: T1203

Possible Information Disclosure

This alert detects when a successful HTTP GET request (2XX response) targets a URL that ends with one of a set of specific file extensions (such as .txt files) that may contain information that should not be exposed directly to the internet. The following file extensions are detected by this alert:

Configuration Files: .env, .config, .ini, .conf
Backup Files: .bak, .old, .zip
Log Files: .log, .txt, .log.txt
Source Code Files: .java, .py, .rb
Database Dump Files: .sql, .dump
Backup Scripts: .sh, .bat, .ps1
Private Keys and Certificates: .pem, .key, .p12, .crt

Please note: this alert may require tuning based on how the web application is used (i.e. whether it legitimately serves any of the listed file extensions). File extensions can be added or removed, and the match condition can be tuned to a lower or higher rate of occurrence to match the normal operation of the web application.

Impact
Information disclosure attacks can have severe consequences for individuals and organizations, and can result in a data and privacy breach.

Mitigation
Investigate the URLs and confirm whether they are legitimate and part of the web application's normal operation and purpose. If not, consider blocking the client IP on the WAF.

MITRE Tactic: TA0009
MITRE Technique: T1048
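The two detection patterns described above (a per-source-IP count of triggered WAF rules mentioning a keyword set, used by the CVE, SQLi, XSS and RCE alerts, and the successful-GET-to-sensitive-extension check of the information disclosure alert) as one added Python example. This is not Coralogix or Fastly code: the log records are constructed, their field names only imitate a WAF request feed and are assumptions, the keyword sets and the five-minute / three-hit window are assumed values, and the extension list is the one from the alert description.

```python
"""Toy detections modelled on the per-IP keyword alerts and the
Possible Information Disclosure alert. Added example, not product code.
Record field names (ts, remoteIP, method, uri, responseCode, tags) are
assumptions, not the real WAF request feed schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample records. "tags" holds the names of the WAF rules
# that fired on the request (assumed tag names).
SAMPLE_LOGS = [
    {"ts": "2024-05-01T10:00:01Z", "remoteIP": "203.0.113.7", "method": "GET",
     "uri": "/login", "responseCode": 406, "tags": ["SQLI"]},
    {"ts": "2024-05-01T10:00:40Z", "remoteIP": "203.0.113.7", "method": "GET",
     "uri": "/items", "responseCode": 406, "tags": ["SQLI"]},
    {"ts": "2024-05-01T10:02:15Z", "remoteIP": "203.0.113.7", "method": "POST",
     "uri": "/search", "responseCode": 406, "tags": ["SQLI", "XSS"]},
    {"ts": "2024-05-01T10:30:00Z", "remoteIP": "203.0.113.7", "method": "GET",
     "uri": "/items", "responseCode": 406, "tags": ["SQLI"]},
    {"ts": "2024-05-01T10:05:00Z", "remoteIP": "198.51.100.9", "method": "GET",
     "uri": "/backup/site.zip", "responseCode": 200, "tags": []},
    {"ts": "2024-05-01T10:05:02Z", "remoteIP": "198.51.100.9", "method": "GET",
     "uri": "/.env?x=1", "responseCode": 200, "tags": []},
    {"ts": "2024-05-01T10:05:03Z", "remoteIP": "198.51.100.9", "method": "GET",
     "uri": "/notes.txt", "responseCode": 404, "tags": []},
]

# Assumed keyword sets per alert; matched case-insensitively against tags.
KEYWORD_ALERTS = {
    "Common Vulnerability Attack": ("CVE",),
    "SQLi Attack": ("SQLI",),
    "XSS Attack": ("XSS",),
    "Remote Command Execution Attack": ("CMDEXE", "RCE"),
}

# Extension list from the alert description; tune per application.
SENSITIVE_EXTENSIONS = {
    "Configuration Files": (".env", ".config", ".ini", ".conf"),
    "Backup Files": (".bak", ".old", ".zip"),
    "Log Files": (".log", ".txt", ".log.txt"),
    "Source Code Files": (".java", ".py", ".rb"),
    "Database Dump Files": (".sql", ".dump"),
    "Backup Scripts": (".sh", ".bat", ".ps1"),
    "Private Keys and Certificates": (".pem", ".key", ".p12", ".crt"),
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def keyword_alerts(logs, window=timedelta(minutes=5), threshold=3):
    """Return {(alert_name, ip): hits} for every (alert, source IP) whose
    keyword-tagged requests reach `threshold` inside any `window`-long span."""
    hits = defaultdict(list)
    for rec in logs:
        tags = " ".join(rec.get("tags", [])).upper()
        for name, keywords in KEYWORD_ALERTS.items():
            if any(k in tags for k in keywords):
                hits[(name, rec["remoteIP"])].append(parse_ts(rec["ts"]))
    fired = {}
    for key, times in hits.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over hit times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            fired[key] = best
    return fired


def information_disclosure(logs):
    """Return (ip, path, category) for successful (2XX) GETs whose path
    ends with one of the sensitive extensions; query strings are ignored."""
    findings = []
    for rec in logs:
        if rec["method"] != "GET" or not 200 <= rec["responseCode"] < 300:
            continue
        path = urlsplit(rec["uri"]).path.lower()
        for category, exts in SENSITIVE_EXTENSIONS.items():
            if path.endswith(exts):
                findings.append((rec["remoteIP"], path, category))
                break
    return findings


if __name__ == "__main__":
    for (alert, ip), n in keyword_alerts(SAMPLE_LOGS).items():
        print(f"{alert}: {ip} hit {n} times within the window")
    for ip, path, category in information_disclosure(SAMPLE_LOGS):
        print(f"Possible Information Disclosure: {ip} fetched {path} ({category})")
```

On the constructed records only the SQLi alert fires for 203.0.113.7 (three hits inside five minutes; the fourth hit half an hour later falls outside the window), and the two successful fetches of `/backup/site.zip` and `/.env` are reported while the 404 for `/notes.txt` is not. Tuning for an application that legitimately serves, say, `.txt` files is a matter of removing that extension from `SENSITIVE_EXTENSIONS` or raising the rate at which findings are turned into an alert.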

Brute Force on Login URLs

This alert triggers when a possible brute force attack is performed against a login page. Brute force attacks on login pages involve systematically attempting multiple combinations of usernames and passwords until a successful login is achieved. This technique relies on the assumption that weak or commonly used credentials can be guessed through exhaustive trial and error.

Impact
The impact varies depending on the success of the attack and the sensitivity of the targeted system, and may include account compromise, privilege escalation, data breach, resource exhaustion, and a weakened security posture.

Mitigation
If the aggregated logs show login URLs that match your web application's login, check whether the requests were intercepted at the WAF. If not, consider blocking the offending IP on the WAF.

MITRE Tactic: TA0006
MITRE Technique: T1110

More than usual 5xx Agent response

This alert detects when 5xx agent response errors are generated more often than usual: it triggers when the number of 5xx agent responses exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern.

Impact
Excessive 5xx errors prevent the server from fulfilling legitimate requests and from loading your site content, resulting in a poor user experience.

Mitigation
Check the exact status code generated and investigate it further to understand its cause.

MITRE Tactic: TA0040
MITRE Technique: T1498

More than usual 5xx Origin response

This alert detects when 5xx origin response errors are generated more often than usual: it triggers when the number of 5xx origin responses exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. Here, an origin response indicates that the error response was generated by your origin web server.

Impact
Excessive 5xx errors prevent the server from fulfilling legitimate requests and from loading your site content, resulting in a poor user experience.

Mitigation
The following actions can be taken to mitigate or troubleshoot this behavior:
Investigate excessive server loads, crashes, or network failures.
Identify applications or services that timed out or were blocked.
Review origin web server error logs to identify web server application crashes or outages.

MITRE Tactic: TA0040
MITRE Technique: T1498

More than usual 4xx Origin response

This alert detects when 4xx origin response errors are generated more often than usual: it triggers when the number of 4xx origin responses exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern. Here, an origin response indicates that the error response was generated by your origin web server.

Impact
Excessive 4xx errors prevent the server from fulfilling legitimate requests and from loading your site content, resulting in a poor user experience.

Mitigation
The following actions can be taken to mitigate or troubleshoot this behavior:
Investigate excessive server loads, crashes, or network failures.
Identify applications or services that timed out or were blocked.
Review origin web server error logs to identify web server application crashes or outages.

MITRE Tactic: TA0040
MITRE Technique: T1498

More than usual 4xx Agent response

This alert detects when 4xx agent response errors are generated more often than usual: it triggers when the number of 4xx agent responses exceeds the usual number by the threshold value of 10. The 'usual number' is calculated dynamically by the algorithm from the pattern of the previous 7 days of data, so the algorithm takes one week to learn the traffic pattern.

Impact
Excessive 4xx errors prevent the server from fulfilling legitimate requests and from loading your site content, resulting in a poor user experience.

Mitigation
Check the exact status code generated and investigate it further to understand its cause.

MITRE Tactic: TA0040
MITRE Technique: T1498
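The four "more than usual" alerts share one mechanism: a baseline learned from the previous 7 days, a threshold of 10 above it, and a one-week learning period. The added Python example below reproduces that shape for the reader; it is not Coralogix code. The page does not state how the baseline is computed, so the choice here (median of the same hour of day over the previous 7 days) is an assumption, as are the constructed hourly counts.

```python
"""Toy version of the 'more than usual 4xx/5xx response' alerts.
Added example, not product code. Baseline method (median of the same
hour across the previous 7 days) is an assumption; the page only says
the usual number is learned dynamically from 7 days of data."""
from statistics import median

THRESHOLD = 10      # fire when the count exceeds the usual number by this much
LEARNING_DAYS = 7   # the algorithm needs one week of history before it can alert


def status_class(code):
    """Map an HTTP status code to its class, e.g. 503 -> '5xx'."""
    return f"{code // 100}xx"


def count_class(codes, cls):
    """Count how many status codes (agent or origin) fall in class `cls`."""
    return sum(1 for c in codes if status_class(c) == cls)


def usual_count(history, hour):
    """history: list of days, each a list of 24 hourly counts, oldest first.
    Returns None while fewer than LEARNING_DAYS days are available."""
    if len(history) < LEARNING_DAYS:
        return None
    return median(day[hour] for day in history[-LEARNING_DAYS:])


def check_hour(history, hour, current):
    """Return ('learning' | 'ok' | 'alert', baseline) for the current hour."""
    baseline = usual_count(history, hour)
    if baseline is None:
        return ("learning", None)
    if current > baseline + THRESHOLD:
        return ("alert", baseline)
    return ("ok", baseline)


# Constructed history: 7 days of hourly 5xx counts with a mild daily
# pattern and a small day-to-day wobble (assumed values).
HISTORY = [[4 + (h % 6) + (d % 2) for h in range(24)] for d in range(7)]

if __name__ == "__main__":
    # Constructed origin status codes seen in the current hour.
    seen = [200] * 30 + [502, 503, 504] * 6
    current = count_class(seen, "5xx")
    state, baseline = check_hour(HISTORY, 14, current)
    print(f"hour 14: {current} 5xx responses, usual {baseline}, state={state}")
```

With the constructed history the usual number for hour 14 is 6, so 17 errors (more than 6 + 10) raises the alert while 16 does not, and a history shorter than seven days returns the learning state rather than an alert. Keeping agent and origin codes in separate series, as the four alerts do, is what lets you tell a WAF-side block or failure apart from a failing origin.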

Integration

Learn more about Coralogix's out-of-the-box integration with Fastly SigSci WAF in our documentation.
