Use AI Assistant
RBAC
Users and Groups
AI Assistant requires that Users or Groups be assigned the Role f5xc-ai-assistant-monitor on system.

More information on managing Users and Groups can be found in User Management.
Roles
If using custom Roles, f5xc-ai-assistant-monitor must be added to the role's Allowed API Groups.

More information on managing custom Roles can be found in User Management.
Provide AI assistant Feedback
Users can provide negative feedback with the thumbs-down button.
A dialog opens where additional feedback areas may be selected and specific feedback can be provided.

Users can also provide positive feedback with the thumbs-up button.
A dialog opens where specific feedback can be provided.

AI assistant for Multi-Cloud Network Connect
AI assistant provides a comprehensive list of Suggested Queries, most of which contain [placeholder-text] meant to be replaced with tenant-specific information such as Site, Request ID, Namespace, HTTP Loadbalancer, and others. In addition, AI assistant queries support certain informational fields which can be found in Dashboards, HTTP Requests, and Security Events.
Entries Supported in AI assistant Queries
Note: Additional details on the following fields can be found in Monitor your Site.
- Site, site, [site-name]:
  - Site's given (object) name.
  - Example value: "mcn-demo-site"
  - Example Query: "Explain site status for mcn-demo-site"
- State, site_state, [site-state]:
  - Current Admin State of a given Site.
  - Example values: "online", "provisioning", "upgrading", "standby", "failed", "reregistration", "waitingnodes", "decommissioning", "waiting_for_registration"
  - Example Query: "Explain why site mcn-demo-site is in state Standby"
Additional Example Queries
- Show Site Posture
- How many Sites in state [site-state]
- How many Sites not in state [site-state]
- Explain site status for [site-name]
- Explain why site [site-name] is in state [site-state]
- Show Sites IN state [site-state]
- Show Sites NOT IN state [site-state]
Analyze with AI
When using the Infrastructure > Sites Dashboard in Multi-Cloud Network Connect, the Analyze with AI button will launch AI assistant and query the Site status.

AI assistant for Web App & API Protection
This chapter provides details on the queries and fields the AI Assistant supports for WAAP.
Entries Supported in AI assistant Queries
Note: Additional details on the following fields can be found in Security Events Reference.
- Request ID, req_id, [request-id]:
  - Unique request identifier.
  - Example value: "0757c3df-197c-4207-95ac-1374c1eda92d"
  - Example Query: "Explain request 0757c3df-197c-4207-95ac-1374c1eda92d"
- Action, action, [action]:
  - WAF actual action.
  - Example value(s): "block", "allow"
  - Example Query: "list requests that were blocked for the last 24 hours for load balancer [lb-name] in namespace [ns-name]"
- Attack Type, attack_types.name, [attack-type]:
  - A list of all detected attack types.
  - Example value(s): "attack_type_vulnerability_scan", "attack_type_predictable_resource_location", "attack_type_path_traversal", "attack_type_server_side_code_injection", "attack_type_command_execution", "attack_type_sql_injection", "attack_type_cross_site_scripting", "attack_type_http_parser_attack", "attack_type_remote_file_include"
  - Example Query: "show security events with attack_type_cross_site_scripting for the last 24 hours for load balancer [lb-name] in namespace [ns-name]"
- Bot Classification, bot_info.classification, [bot-classification]:
  - Bot (signature) classification.
  - Example values: "malicious", "suspicious", "benign"
  - Example Query: "show security events where bot classification is suspicious for load balancer [lb-name] in namespace [ns-name]"
- Country, country, [country-name]:
  - 2-letter country code.
  - Examples: "US", "MX", "KR"
  - Example Query: "list requests from the US for the last 24 hours for load balancer [lb-name] in namespace [ns-name]"
- Domain, domain, [domain-name]:
  - Part of the URL that is the user-friendly form of an IP address.
  - Examples: "www.f5.com", "docs.nginx.com"
  - Example Query: "show requests where domain is www.f5.com for the last 24 hours for load balancer [lb-name] in namespace [ns-name]"
- Method, method, [http-method]:
  - Valid HTTP method.
  - Examples: "GET", "POST", "HEAD"
  - Example Query: "list requests for the last 24 hours for load balancer [lb-name] in namespace [ns-name] where HTTP method is POST"
- Namespace, namespace, [ns-name]:
  - A workspace within the tenant's space in which the virtual host was created.
  - Example: "default"
  - Example Query: "Show security events for load balancer [lb-name] in namespace default"
- IP Risk, policy_hits.policy_hits.ip_risk, [ip-risk]:
  - IP risk as it appears in the Webroot IP reputation database.
  - Examples: "low", "high"
  - Example Query: "show requests where IP Risk is high for load balancer [lb-name] in namespace [ns-name]"
- Service Policy Result, policy_hits.policy_hits.result, [service-policy-result]:
  - Service policy result.
  - Examples: "allow", "deny", "default_allow", "default_deny", "ratelimit_drop"
  - Example Query: "list security events for the last 24 hours for [lb-name] in namespace [ns-name] where service policy result is deny"
- Recommended Action, recommended_action, [recommended-action]:
  - API recommended action.
  - Examples: "block", "allow", "report"
  - Example Query: "show security events for the last 24 hours for loadbalancer [lb-name] in namespace [ns-name] where recommended action is allow"
- HTTP Response Code, rsp_code, [response-code]:
  - HTTP Response code.
  - Examples: "200", "301", "401", "502"
  - Example Query: "list requests with response code 502 for the last 24 hours for loadbalancer [lb-name] in namespace [ns-name]"
- HTTP Response Code Class, rsp_code_class, [response-code-class]:
  - HTTP Response code class.
  - Examples: "2xx", "3xx", "4xx", "5xx"
  - Example Query: "list requests with response code class 5XX for the last 24 hours for loadbalancer [lb-name] in namespace [ns-name]"
- Security Event Type, sec_event_type, [sec-event-type]:
  - Security event type.
  - Examples: "api_sec_event", "bot_defense_sec_event", "svc_policy_sec_event", "waf_sec_event"
  - Example Query: "show waf security events for the last 48 hours for loadbalancer [lb-name] in namespace [ns-name]"
- Signature Accuracy, signatures.accuracy, [signature-accuracy]:
  - The accuracy of signature match.
  - Examples: "low", "medium", "high"
  - Example Query: "show waf security events for the last 48 hours for loadbalancer [lb-name] in namespace [ns-name] where signatures.accuracy is low"
- Source IP, src_ip, [ip-address]:
  - The source IP of the client.
  - Example: "212.150.5.74"
  - Example Query: "show requests from IP 212.150.5.74 for the last 24 hours for loadbalancer [lb-name] in namespace [ns-name]"
- HTTP Loadbalancer, vh_name, [lb-name]:
  - Virtual host/Loadbalancer name.
  - Example: "staging_web_fe"
  - Example Query: "list requests for the last 24 hours for loadbalancer staging_web_fe in namespace [ns-name]"
- Violations, violations.name, [violations]:
  - A list of all detected violations.
  - Examples: "viol_filetype", "viol_method", "viol_http_response_status", "viol_http_protocol_unparsable_request_content", "viol_evasion_directory_traversals", "viol_malformed_request", "viol_data_guard"
  - Example Query: "list security events for the last 24 hours for loadbalancer [lb-name] in namespace [ns-name] where violation is viol_filetype"
Additional Example Queries
- How to investigate HTTP Request Logs
- How to investigate Security Events
- Explain request [request-id]
- Explain Security Event [request-id]
- Show allowed requests with Bot Defense security events for the last 24 hours for load balancer [lb-name] in namespace [ns-name]
- Show blocked requests with API security events for the last 24 hours for load balancer [lb-name] in namespace [ns-name]
- Show blocked requests from [country-name] for the last 24 hours for load balancer [lb-name] in namespace [ns-name]
- Show blocked requests from [ip-address] for the last 24 hours for load balancer [lb-name] in namespace [ns-name]
- List security events for the last 30 days where attack type is [attack-type] and method is [http-method] and IP address is [ip-address] and bot classification is [bot-classification] and domain is [domain] for loadbalancer [lb-name] in namespace [ns-name]
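The placeholder substitution described above can be scripted for runbooks so that a query is never sent with an unfilled [placeholder] or with a value that would change the meaning of the sentence. This is an added example, not F5 code or part of the original page; fill_query, the validators, and the name character set are assumptions made for illustration.

```python
import ipaddress
import re

PLACEHOLDER = re.compile(r"\[([a-z-]+)\]")
UUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed charset, not F5's naming rule


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Checks modelled on the example values on this page; the bot classification
# list is treated as a closed set for this example only.
VALIDATORS = {
    "request-id": lambda v: UUID.fullmatch(v) is not None,
    "ip-address": _is_ip,
    "country-name": lambda v: re.fullmatch(r"[A-Z]{2}", v) is not None,
    "bot-classification": lambda v: v in {"malicious", "suspicious", "benign"},
    "lb-name": lambda v: NAME.fullmatch(v) is not None,
    "ns-name": lambda v: NAME.fullmatch(v) is not None,
}


def fill_query(template, values):
    """Replace every [placeholder]; fail closed on missing or odd values."""
    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for [{key}]")
        check = VALIDATORS.get(key)
        if check is None or not check(values[key]):
            raise ValueError(f"rejected value for [{key}]: {values[key]!r}")
        return values[key]
    return PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Template from this page; values are the page's own example values.
    print(fill_query(
        "Show blocked requests from [ip-address] for the last 24 hours "
        "for load balancer [lb-name] in namespace [ns-name]",
        {"ip-address": "212.150.5.74", "lb-name": "staging_web_fe", "ns-name": "default"},
    ))
```

Placeholders without a validator are rejected rather than passed through, so a new template forces an explicit decision about what its values may contain.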
Explain with AI
When using the Overview > Security > Security Analytics Dashboard in Web App & API Protection, the Explain with AI button will launch AI assistant and explain the HTTP Request or Security Event.

