Select Service
Security Events Reference
Published April 5, 2023 | Last modified October 31, 2024
Objective
This guide presents reference information on the various fields of the security event types (WAF, Bot Defense, API, Service Policy).
WAF Security Event
This table presents reference information on WAF security event types.
WAF Client Details
| Name | Type | Description | Values |
|---|---|---|---|
| asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169) |
| as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169 |
| as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE |
| city | string | Client's city name. | For Example: Paris |
| country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: US |
| latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. | |
| longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. | |
| region | string | Client's region name. | |
| sni | string | Server name indication, the extension of TLS protocol. | |
| src_ip | string | The source IP of the client. | For Example: 212.150.5.74 |
| tls_fingerprint | string | Identification of a client based on the fields in its Client Hello message during a TLS handshake. | |
| user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as a default user identifier. | For Example: IP-212.150.5.74 |
WAF Device Details
| Name | Type | Description | Values |
|---|---|---|---|
| browser_type | string | Client's browser type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: Chrome |
| device_type | string | Client's device type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: iPhone |
WAF HTTP Protocol Details
| Name | Type | Description | Values |
|---|---|---|---|
| authority | string | authority = [userinfo "@"] host [":" port] | For Example: www.google.com |
| domain | string | Part of URL which is user-friendly form of IP address. | |
| http_version | string | HTTP Protocol version. | For Example: HTTP/1.1 |
| method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests. |
| original_path | string | Request path before decoding. | |
| reg_headers | string | Request headers. | |
| req_path | string | Request path after decoding. | |
| req_params | string | Query parameters. | |
| user_agent | string | Value of HTTP User-Agent header. | |
| x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |
WAF Request Details
| Name | Type | Description | Values |
|---|---|---|---|
| dst_ip | string | IP of the upstream server. | |
| dst_port | number | Destination port on the upstream server. | |
| req_headers_size | number | Request headers size in bytes. | |
| req_size | number | Request size in bytes. | |
| src_port | string | Source port of the client. |
WAF Response Details
| Name | Type | Description | Values |
|---|---|---|---|
| rsp_code | string | Response code | Note: the value will be 0 if request is blocked. |
| rsp_code_class | number | Response code class | 2xx, 3xx, 4xx, 5xx |
| rsp_size | number | Response size | Note: the value will be 0 if request is blocked. |
WAF Details
| Name | Type | Description | Values |
|---|---|---|---|
| calculated_action | string | WAF recommended action. | Valid Values: allow report block |
| action | string | WAF actual action. | |
| waf_mode | string | WAF mode (Deprecated, will be removed in one of the upcoming releases). | allow, report, block |
| bot_info.name | string | The name of the detected bot. | For Example: Bing. Default: UNKNOWN |
| bot_info.type | string | The type of the detected bot. | For Example: Search Engine Default: UNKNOWN |
| bot_info.classification | string | Bot classification. | We support 3 bot classification types: Malicious, Suspicious, Bening Default: UNKNOWN |
| bot_info.anomaly | string | Explains how WAF detected the bot. | For Example: Suspicious HTTP Headers, Invalid HTTP Headers, Search Engine Verification Failed |
| attack_types | array | A list of all detected attack types. | Each attack in the list is represented by name. For instance: ATTACK_TYPE_PREDICTABLE_RESOURCE_LOCATION |
| signatures | array | A list of all detected WAF signatures (patterns). | Signature section below provides a detailed structure of signature. |
| violations | array | A list of all detected violations. | Violation section below provides a detailed structure of violation. |
WAF Signature Details
| Name | Type | Description | Values |
|---|---|---|---|
| id | number | Response code | For Example: 200010019 |
| name | string | Human friendly description of the signature. | For Example: “windows access” |
| accuracy | string/enum | Signature accuracy. Represents detection certainty. | We support 3 kinds of accuracy: high_accuracy, medium_accuracy, low_accuracy |
| attack_type | string | Attack vector. | |
| context | string | The place in request/response where this signature is detected. | For Example: parameter (filePath) |
| matching_info | string | Detailed explanation where the signature is detected. | |
| state | string/enum | Signature status. | Enabled - active AutoSuppressed - excluded internally by ML engine |
WAF Violation Details
| Name | Type | Description | Values |
|---|---|---|---|
| name | string/enum | Unique violation identifier. | For Example: VIOL_EVASIONS_DIRECTORY_TRAVERSALS |
| context | string | The place in request/response where this violation is detected. | For Example: url |
| attack_type | string/enum | Attack vector. | |
| matching_info | string | Detailed explanation where the violation is detected. | |
| state | string/enum | Violation status. | For more details, please, see signatures |
WAF Metadata Details
| Name | Type | Description | Values |
|---|---|---|---|
| app_type | string | Application profile type name. | |
| sec_event_type | string | Security event type. | For WAF security event the value always will be “waf_sec_event” |
| sec_event_name | string | Security event name. | For WAF security event the value always will be “WAF” |
| cluster_name | string | F5DC cluster name to which request was routed. | For Example: pa2-par-int-ves-io |
| hostname | string | Hostname of machine which generated this log record. | For Example: master-0 |
| messageid | string | Unique log type identifier. | For WAF security event the value always will be c102667e-dea5-4551-b495-71bf4217a9f6 |
| namespace | string | A workspace within tenant's space in which the virtual host was created. | |
| req_id | string | Unique request identifier. | |
| tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. | |
| vh_name | string | Virtual host name. | |
| src | string | The “source” of the service which is sending the request. | Case 1. If this is a service-to-service communication happening via envoy (like v8s service etc) this value will be the name of the service. For Example: S:lilac-edge-node-6.lilac-edge Case 2. If this is mTLS src then the value will be the first SAN in the client certificate. Case 3. If not Case1/2, Its a request coming from a client via public internet etc, then the value will appear as: N:public |
| src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (like v8s service etc). The value will be an instance of the service (for eg pod name like in recommendationservice-69cddc6ffb-m794d) Case 2. If this is mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3. If this is request from a public client, then the value will be the country detected by geo lookup |
Bot Defense Security Event
This table presents reference information on bot defense security event types.
Bot Defense Client Details
| Name | Type | Description | Values |
|---|---|---|---|
| as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169 |
| as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE |
| asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169) |
| city | string | Client's city name. | For Example: Paris |
| country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: US |
| latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. | |
| longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. | |
| network | string | Source IP network. | |
| region | string | Client's region name. | |
| src_ip | string | The source IP of the client. | For Example: 212.150.5.74 |
| src_port | string | This is the src port of the client. | |
| user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as a default user identifier. | For Example: IP-212.150.5.74 |
Bot Defense Device Details
| Name | Type | Description | Values |
|---|---|---|---|
| browser_type | string | Client's browser type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: Chrome |
| device_type | string | Client's device type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: iPhone |
Bot Defense Server Details
| Name | Type | Description | Values |
|---|---|---|---|
| dst_ip | string | Destination ip on the origin server. | |
| dst_port | string | Destination port on the origin server. | For Example: 443 |
Bot Defense TLS Details
| Name | Type | Description | Values |
|---|---|---|---|
| tls_fingerprint | string | SL-TLS Fingerprint |
Bot Defense HTTP Request/Response Details
| Name | Type | Description | Values |
|---|---|---|---|
| tls_fingerprint | string | authority = [userinfo "@"] host [":" port] | For Example: www.google.com |
| domain | string | Extracted domain from authority | |
| http_version | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests. |
| method | json string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests. |
| req_headers | string | Request headers. The system logs request headers only if API discovery is enabled and sample it up to 25%. | |
| req_headers_size | string | Request headers size. | |
| req_id | string | Unique request identifier. | |
| req_path | string | Request path. | |
| req_size | string | Request size. | |
| rsp_code | string | Respond code. | |
| rsp_code_class | string | Respond code class. | 2xx, 3xx, 4xx, 5xx |
| rsp_size | string | Respond size. | |
| user_agent | string | Value of HTTP User-Agent header. | |
| x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |
Bot Defense Details
| Name | Type | Description | Values |
|---|---|---|---|
| bot_defense.automation_type | string | The reason why client is detected as a bot. | Token Missing, Rate Limit Exceeded, Threat Intelligence, Token Blacklisted, Token Expired, Native Token Missing, Payload Replay, Token Invalid, Native Token Invalid, AI Payload Invalid, Native Token Blacklisted, AI Payload Missing |
| bot_defense.insight | string | Shape bot classification. | HUMAN, GOODBOT, MALICIOUS, UNAVAILABLE |
| bot_defense.recommendation | string | Shape Bot Defense recommended action. | Action_alert, Action_block, Action_redirect |
| action | string | Bot Defense action. | allow, block |
Bot Defense Metadata Details
| Name | Type | Description | Values |
|---|---|---|---|
| app_type | string | Application profile type name. | |
| cluster_name | string | F5DC cluster name to which request was routed. | For Example: pa2-par-int-ves-io |
| hostname | string | Hostname of machine which generated this log record. | For Example: master-0 |
| messageid | string | Unique log type identifier. | For access log the value always will be dea91c9a-beed-4561-67af-ab4112426b1f |
| namespace | string | A workspace within tenant's space in which the virtual host was created. | namespace |
| sec_event_name | string | Security event name. | BOT Defense Violation |
| sec_event_type | string | Security event type. | bot_defense_sec_event |
| site | string | Which cluster handled the req. | For Example: "ams9-ams” |
| sni | string | Hostname sni | |
| src | string | The “source” of the service which is sending the request. | Case 1. If this is a service-to-service communication happening via envoy (like v8s service etc.) this value will be the name of the service. For Example: S:lilac-edge-node-6.lilac-edge Case 2. If this is mTLS src then the value will be the first SAN in the client certificate. Case 3. If not Case1/2, It's a request coming from a client via public internet etc., then the value will appear as: N:public |
| src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (like v8s service etc.). The value will be an instance of the service (for e.g., pod name like in recommendationservice-69cddc6ffb-m794d) Case 2. If this is mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3. If this is request from a public client, then the value will be the country detected by geo lookup. |
| src_site | string | This is the F5DC site (RE or CE etc.) which receives the request from the client. | This is the site where client traffic is hitting. For Example: dc12-ash If the client is close to dc12 and traffic from client is coming to dc12. It could be also CE, if the LB is exposed via CE. |
| tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. | |
| time | string | Event generated time | |
| vh_name | string | Tenant's virtual host name. | |
| vhost_id | string | Tenant's virtual host ID. |
Service Policy Security Event
This table presents reference information on security policy security event types.
Service Policy Client Details
| Name | Type | Description | Values |
|---|---|---|---|
| as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169 |
| as_org | string | Client's region name. | |
| asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169) |
| city | string | Client's city name. | For Example: GOOGLE |
| country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: GOOGLE(15169) |
| latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. | For Example: Paris |
| longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. | For Example: US |
| mtls | string | Mutual TLS authentication between clients and HTTPS load balancer. | |
| region | string | Client's region name. | |
| sni | string | SNI (Server Name Indication) is a TLS extension that helps secure web connections on shared hosting by allowing clients to specify the desired domain. | |
| src_ip | string | The source IP of the client. | For Example: 212.150.5.74 |
| tls_cipher_suite | string | TLS cipher suite negotiated during handshake. | For Example: TLSv1_3/TLS_AES_128_GCM_SHA256 |
| tls_fingerprint | string | Identification of a client based on the fields in its Client Hello message during a TLS handshake. | |
| tls_version | string | TLS version is a specific iteration of the Transport Layer Security protocol, used to secure data during transmission over networks. | TLSv1_3, TLSv1_2.. |
| user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as a default user identifier. | For Example: IP-212.150.5.74 |
Service Policy Device Details
| Name | Type | Description | Values |
|---|---|---|---|
| browser_type | string | Client's browser type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: Chrome |
| device_type | string | Client's device type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: iPhone |
Service Policy Request Details
| Name | Type | Description | Values |
|---|---|---|---|
| dst | string | The detail of the destination/origin server where the request is going to. | If this is a vk8s service, then the value will be S:< service name >, For example: S:frontend.arcadia-trading For something like a DNS endpoint, the value will be S:< dns name >, For example: S:prod.croix-rouge.fr if endpoint or origin server is public ip, the value will appear like this: S:185.15.129.72 Note: for FWD PROXY/Connect Proxy cases, the dst will be 2 level URL of the destination for eg something like yahoo.com or google.com |
| dst_instance | string | Detail of the specific destination instance where requests are going to. | For vk8s service, the value will be Pod name. For example: ingress-kong-757d459b79-nc7hd This pod name is associated with the dst above. If this is DNS endpoint, the value will be IP address of the endpoint. If destination itself was configured to be a public ip (static) then this field will be set to STATIC. For Proxy cases, the value will be Country code of the destination IP (where traffic is headed to) |
| dst_ip | string | Destination ip of the origin server | For Example: 185.15.129.72 |
| dst_port | string | Destination port on the origin server. | For Example: 443 |
| dst_site | string | Site which is used to send the traffic to the endpoint / origin server. | In most cases the value will be the same as RE Site (for example: pa2-par), which got the traffic. But it can be a CE Site, if the endpoint is discovered in CE. Or another RE, if the endpoint discovered in that RE is used. |
| duration_with_data_tx_delay | string | last_downstream_tx_byte - first_upstream_tx_byte | Indicates how much "time" it took to process the request/response inside XC LB. (like eg WAF, API detection, service policy, Bot detection, etc if enabled) + time upstream spent to process |
| duration_with_no_data_tx_delay | string | first_downstream_tx_byte - first_upstream_tx_byte | Like duration_with_data_tx_delay, except that reference is taken from the moment first byte is sent to client |
| rtt_downstream_seconds | string | Round trip of connection to downstream (client). | |
| rtt_upstream_seconds | string | Round trip of connection to the upstream/origin server. | |
| site | string | This is the F5DC site (RE or CE etc.) which receives the request from the client. | This is the site where client traffic is hitting. It could be also CE, if the LB is exposed via CE. |
| src | string | The “source” of the service which is sending the request. | Case 1. If this is a service-to-service communication happening via envoy (like v8s service etc) this value will be the name of the service. For example: S:lilac-edge-node-6.lilac-edge Case 2. If this is mTLS src then the value will be the first SAN in the client certificate Case 3. If not Case1/2, It's a request coming from a client via public internet etc, then the value will appear as: N:public |
| src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (like v8s service etc). The value will be an instance of the service (for eg pod name like in recommendationservice-69cddc6ffb-m794d) Case 2. If this is mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3. If this is request from a public client, then the value will be the country detected by geo lookup |
| src_port | string | This is the src port of the client. | |
| src_site | string | This is the F5DC site (RE or CE etc.) which receives the request from the client. | This is the site where client traffic is hitting. For example: dc12-ash If the client is close to dc12 and traffic from client is coming to dc12. It could be also CE, if the LB is exposed via CE |
| time_to_first_downstream_tx_byte | string | Time interval between the first downstream byte received and the first downstream byte sent. There may be a considerable delta between the time_to_first_upstream_rx_byte and this field due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. | |
| time_to_first_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the first upstream byte received (i.e., time it takes to start receiving a response). | |
| time_to_first_upstream_tx_byte | string | Time interval between the first downstream byte received and the first upstream byte sent. There may by considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byteabout not accounting for kernel socket buffer time, etc. | |
| time_to_last_downstream_tx_byte | string | Time interval between the first downstream byte received and the last downstream byte sent. Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta between time_to_last_upstream_rx_byte and this field. Note also that this is an approximate time. In the current implementation it does not include kernel socket buffer time. In the current implementation it also does not include send window buffering inside the HTTP/2 codec. In the future it is likely that work will be done to make this duration more accurate. | |
| time_to_last_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the last upstream byte received (i.e. time it takes to receive a complete response). | |
| time_to_last_upstream_tx_byte | string | Time interval between the first downstream byte received and the last upstream byte sent. There may by considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |
Service Policy HTTP Details
| Name | Type | Description | Values |
|---|---|---|---|
| api_endpoint | string | The endpoint (path) of the request. | |
| authority | string | authority = [ userinfo "@" ] host [ ":" port ] | For Example: www.google.com |
| domain | string | ||
| method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests. |
| network | string | Network value. | |
| original_authority | string | Original authority. | |
| original_path | string | Request path. | |
| protocol | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests. |
| proxy_type | string | Type of Proxy to be used while connecting from one virtual network to another. | |
| req_body | string | Request body. The system logs request headers only if API discovery is enabled and sample it up to 25%. | |
| req_headers | string | Request headers. The system logs request headers only if API discovery is enabled and sample it up to 25%. | |
| req_parameters | string | Query parameters. | |
| req_path | string | Request path. | |
| req_size | string | Request size in bytes. | |
| scheme | string | Valid HTTP scheme. | https/http The value will be empty for non-http requests. |
| user_agent | string | Value of HTTP User-Agent header. | |
| x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |
Service Policy Response Details
| Name | Type | Description | Values |
|---|---|---|---|
| response_flags | string | Additional details about the response or connection if any above and beyond the standard response code. | |
| rsp_body | string | Response body. | |
| rsp_code | string | Response code. | |
| rsp_code_class | string | Response code class. | 2xx, 3xx, 4xx, 5xx |
| rsp_code_details | string | Response code reason. | This is the list of all possible response code details. These values may change. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/response_code_details |
| rsp_headers | string | Response headers. | |
| rsp_size | string | Response size in bytes. |
Service Policy Details
| Name | Type | Description | Values |
|---|---|---|---|
| action | string | Action to enforce on the request when matching service policy rule. | |
| ip_risk | string | IP risk as it appears in Webroot IP reputation database. | Valid Values: LOW_RISK MEDIUM_RISK HIGH_RISK |
| ip_trustcore | string | The score between 0 and 100. Represents IP trust. 100 means high trust low risk, 0 means low trust high risk. | Numeric string value between 0 and 100. |
| ip_trustworthiness | string | Property describing IP trustworthiness (the opposite of risk). | Valid Values: LOW MEDIUM HIGH |
| malicious_user_mitigation_action | string | Malicious user mitigation action if malicious user feature is configured. | Valid Values: MUM_NONE MUM_BLOCK_TEMPORARILY MUM_JAVASCRIPT_CHALLENGE MUM_CAPTCHA_CHALLENGE |
| policy | string | The name of the last executed service policy. | |
| policy_namespace | string | The namespace of the last executed service policy. | |
| policy_rule | string | The name of the last executed service policy rule. | |
| policy_rule_description | string | Description of service policy rule as it appears in configuration. | |
| policy_set | string | The name of the last executed service policy set. | |
| rate_limiter_action | string | Rate limiter result. | Valid Values: fail pass none or empty string |
| result | string | Service policy result. | Valid Values: allow deny default_allow default_deny |
Service Policy Metadata Details
| Name | Type | Description | Values |
|---|---|---|---|
| app_type | string | Application profile type name. | |
| cluster_name | string | F5DC cluster name to which request was routed. | For Example: pa2-par-int-ves-io |
| connected_time | string | Connection start time. | |
| connected_state | string | Connection state. | |
| hostname | string | Hostname of machine which generated this log record. | For Example: master-0 |
| lb_port | string | Load balancer port. | For Example: 443 |
| messageid | string | Unique log type identifier. | For access log the value always will be dea91c9a-beed-4561-67af-ab4112426b1f |
| namespace | string | A workspace within tenant's space in which the virtual host was created. | |
| req_id | string | Unique request identifier. | |
| sec_event_name | string | Security event name. | |
| sec_event_type | string | Security event type. | Values: SVC_POLICY_SEC_EVENT BOT_DEFENSE_SEC_EVENT WAF_SEC_EVENT API_SEC_EVENT |
| tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. | |
| terminated_time | string | Connection terminated time. | |
| time | string | Event generated time | |
| timeseries_enabled | bool | Indicates that DDoS protection is enabled for this LB. | |
| vh_name | string | Tenant's virtual host name. | |
| vh_type | string | Virtual host type. | Valid Values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOADBALALNCER PROXY LOCAL_K8S_API_GATEWAY CDN_LOADBALALNCER |
API Security Event
This table presents reference information on API security event types.
API Client Details
| Name | Type | Description | Values |
|---|---|---|---|
| as_number | string | Autonomous system number. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: 15169 |
| as_org | string | Autonomous system name. https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE |
| asn | string | Autonomous system identifier represented by both name and number. More about autonomous systems: https://en.wikipedia.org/wiki/Autonomous_system_(Internet) | For Example: GOOGLE(15169) |
| city | string | Client's city name. | For Example: Paris |
| country | string | Client's country ISO 3166-2 (two-letter) code. https://en.wikipedia.org/wiki/ISO_3166-2 | For Example: US |
| latitude | string | Client's geo location latitude. Latitude is a horizontal line that measures the distance north or south of the equator. | |
| longitude | string | Client's geo location longitude. Longitude is a vertical line which measures east or west of the meridian in Greenwich, UK. | |
| mtls | bool | Mutual TLS authentication between clients and HTTPS load balancer. | |
| network | string | Source IP network. | |
| region | string | Client's region name. | |
| src_ip | string | The source IP of the client. | For Example: 212.150.5.74 |
| src_port | string | This is the src port of the client. | |
| user | string | User identifier as configured in User Identification Policy. If not configured, the system uses src_ip as a default user identifier. | For Example: IP-212.150.5.74 |
API Device Details
| Name | Type | Description | Values |
|---|---|---|---|
| browser_type | string | Client's browser type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: Chrome |
| device_type | string | Client's device type. This information is taken from HTTP User-Agent header therefore it's populated for HTTP traffic only. | For Example: iPhone |
API TLS Details
| Name | Type | Description | Values |
|---|---|---|---|
| tls_cipher_suite | string | Destination ip on the origin server. | |
| tls_fingerprint | string | Destination port on the origin server. | For Example: 443 |
| tls_version | string | TLS version is a specific iteration of the Transport Layer Security protocol, used to secure data during transmission over networks. | TLSv1_3, TLSv1_2.. |
API Request Details
| Name | Type | Description | Values |
|---|---|---|---|
| dst | string | The detail of the destination/origin server where the request is going to. | If this is a vk8s service, then the value will be S:< service name >, For Example: S:frontend.arcadia-trading For something like a DNS endpoint, the value will be S:< dns name >, For example: S:prod.croix-rouge.fr if endpoint or origin server is public ip, the value will appear like this: S:185.15.129.72 Note: for FWD PROXY/Connect Proxy cases, the dst will be 2 level URL of the destination for eg something like yahoo.com or google.com. |
| dst_instance | string | Detail of the specific destination instance where requests are going to. | For vk8s service, the value will be Pod name. For example: ingress-kong-757d459b79-nc7hd This pod name is associated with the dst above. If this is DNS endpoint, the value will be IP address of the endpoint. If destination itself was configured to be a public ip (static) then this field will be set to STATIC. For Proxy cases, the value will be Country code of the destination IP (where traffic is headed to). |
| dst_ip | string | Destination ip of the origin server. | |
| dst_port | string | Destination port on the origin server. | For Example: 443 |
| dst_site | string | Site which is used to send the traffic to the endpoint / origin server. | In most cases the value will be the same as RE Site (for example: pa2-par), which got the traffic. But it can be a CE Site, if the endpoint is discovered in CE. Or another RE, if the endpoint discovered in that RE is used. |
| duration_with_data_tx_delay | string | last_downstream_tx_byte - first_upstream_tx_byte | Indicates how much "time" it took to process the request/response inside XC LB. (like eg WAF, API detection, service policy, Bot detection, etc if enabled) + time upstream spent to process. |
| duration_with_no_data_tx_delay | string | first_downstream_tx_byte - first_upstream_tx_byte | Like duration_with_data_tx_delay, except that reference is taken from the moment first byte is sent to client. |
| rtt_downstream_seconds | string | Round trip of connection to downstream (client). | |
| rtt_upstream_seconds | string | Round trip of connection to the upstream/origin server. | |
| time_to_first_downstream_tx_byte | string | Time interval between the first downstream byte received and the first downstream byte sent. There may be a considerable delta between the time_to_first_upstream_rx_byte and this field due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. | |
| time_to_first_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the first upstream byte received (i.e., time it takes to start receiving a response). | |
| time_to_first_upstream_tx_byte | string | Time interval between the first downstream byte received and the first upstream byte sent. There may by considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byteabout not accounting for kernel socket buffer time, etc. | |
| time_to_last_downstream_tx_byte | string | Time interval between the first downstream byte received and the last downstream byte sent. Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta between time_to_last_upstream_rx_byte and this field. Note also that this is an approximate time. In the current implementation it does not include kernel socket buffer time. In the current implementation it also does not include send window buffering inside the HTTP/2 codec. In the future it is likely that work will be done to make this duration more accurate. | |
| time_to_last_upstream_rx_byte | string | Time interval in seconds between the first downstream byte received and the last upstream byte received (i.e. time it takes to receive a complete response). | |
| time_to_last_upstream_tx_byte | string | Time interval between the first downstream byte received and the last upstream byte sent. There may by considerable delta between time_to_last_rx_byte and this value due to filters. Additionally, the same caveats apply as documented in time_to_last_downstream_tx_byte about not accounting for kernel socket buffer time, etc. |
API HTTP Details
| Name | Type | Description | Values |
|---|---|---|---|
| api_endpoint | string | The endpoint (path) of the request. | api_endpoint |
| authority | string | authority = [ userinfo "@" ] host [ ":" port ] | For Example: www.google.com |
| content-type | string | Value of HTTP Content-Type header. | |
| domain | string | ||
| http_version | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests. |
| method | string | Valid HTTP method. | HEAD/GET/POST/OPTIONS… The value will be METHOD_UNSPECIFIED for non-http requests. |
| network | string | Network value. | |
| original_authority | string | Original authority. | original_authority |
| original_path | string | Request path. | original_path |
| protocol | string | Valid HTTP protocol version. | HTTP10/HTTP11/HTTP2 The value will be PROTOCOL_UNSPECIFIED for non-http requests. |
| proxy_type | string | Type of Proxy to be used while connecting from one virtual network to another. | proxy_type |
| referrer | string | Request path. | Value of HTTP Referer header. |
| req_headers | json string | Request headers. The system logs request headers only if API discovery is enabled and sample it up to 25%. | |
| req_headers_size | int | Request headers size. | |
| req_id | string | Unique request identifier. | |
| req_path | string | Request path. | |
| req_size | string | Request size in bytes. | |
| rsp_code | string | Response code. | |
| rsp_code_class | string | Response code class. | 2xx, 3xx, 4xx, 5xx |
| rsp_size | string | Response size. | |
| scheme | string | Valid HTTP scheme. | https/http The value will be empty for non-http requests. |
| user_agent | string | Value of HTTP User-Agent header. | |
| x_forwarded_for | string | Value of HTTP X-Forwarded-For header. |
API Response Details
| Name | Type | Description | Values |
|---|---|---|---|
| response_flags | string | Additional details about the response or connection if any above and beyond the standard response code. | |
| rsp_code_details | string | Response code reason. | This is the list of all possible response code details. These values may change. https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/response_code_details |
| rsp_headers | string | Response headers. |
API Details
| Name | Type | Description | Values |
|---|---|---|---|
| action | string | AsPI actual action. | |
| oas_req_Status | string | Open API Specification validation result for HTTP request. | Valid Values: OpenAPIBodyTooLongSkipped OpenAPISpecNotFound OpenAPIPathNotFound OpenAPIViolation OpenAPIValidationSuccessful OpenAPIRateLimitExceeded OpenAPIErrorInternalServerError OpenAPIErrorServiceUnavailabl OpenAPIErrorNotAccaptable OpenAPISkip |
| oas_rsp_status | string | Open API Specification validation result for HTTP response. | Valid Values: OpenAPIViolation OpenAPIValidationSuccessful OpenAPISkipped |
| policy_hits.ip_risk | string | IP risk as it appears in Webroot IP reputation database. | Valid Values: LOW_RISK MEDIUM_RISK HIGH_RISK |
| policy_hits.ip_trustscore | string | The score between 0 and 100. Represents IP trust. 100 means high trust low risk, 0 means low trust high risk. | Numeric string value between 0 and 100. |
| policy_hits.ip_trustworthiness | string | Property describing IP trustworthiness (the opposite of risk). | Valid Values: LOW MEDIUM HIGH |
| policy_hits.malicious_user_mitigation_action | string | Malicious user mitigation action if malicious user feature is configured. | Valid Values: MUM_NONE MUM_BLOCK_TEMPORARILY MUM_JAVASCRIPT_CHALLENGE MUM_CAPTCHA_CHALLENGE |
| policy_hits.oas_request_properties | string | The properties of the current http request that needs Open API Specification validation. | |
| policy_hits.oas_response_properties | string | The properties of the current http response that needs Open API Specification validation. | |
| policy_hits.oas_response_validation_action | string | The desired action to be taken in case the Open API Specification validation fails for the http response. | |
| policy_hits.oas_validation_actoin | string | The desired action to be taken in case the Open API Specification validation fails for the http request. | |
| policy_hits.policy | string | The name of the last executed service policy. | |
| policy_hits.policy_namespace | string | The policy namespace. | |
| policy_hits.policy_rule | string | The name of the last executed service policy rule. | |
| policy_hits.policy_set | string | The name of the last executed service policy set. | |
| policy_hits.rate_limiter_action | string | Rate limiter result. | Valid Values: fail pass none or empty string |
| policy_hits.rate_limiter_user_id | string | Detected User-ID for the rate limiting. | |
| policy_hits.result | string | Service policy result. | Valid Values: allow deny default_allow default_deny |
| recommended_action | string | API recommended action. | Valid Values: low report block |
| signatures.accuracy | string | The accuracy of signature match. | |
| signatures.attack_type | string | The detected attack type. | |
| signtures.context | string | In which context (HTTP Request/Response) the signature detection was. | |
| signatures.id | string | Signature ID. | |
| signatures.id_name | string | Signature ID and name concatenation. | |
| signature.matching_info | string | Extended information where the suspicious data was which triggered the signature detection. | |
| signature.name | string | Signature name. | |
| signature.state | string | If we enforce the signature in case it got catch. | |
| violations.context | string | In which context (HTTP Request/Response) the violation detection was. | |
| violations.description | string | The Open API Specification violation explanation. | |
| violations.field | string | Header or Parameter name which trigger the Open API Specification violation. | |
| violations.property | string | Which property under Open API Specification triggers the violation detection. |
API Metadata Details
| Name | Type | Description | Values |
|---|---|---|---|
| app_type | string | Application profile type name. | |
| cluster_name | string | F5DC cluster name to which request was routed. | For Example: pa2-par-int-ves-io |
| connected_time | string | Connection start time. | |
| connected_state | string | Connection state. | |
| hostname | string | Hostname of machine which generated this log record. | For Example: master-0 |
| lb_port | string | Load balancer port. | For Example: 443 |
| messageid | string | Unique log type identifier. | For access log the value always will be dea91c9a-beed-4561-67af-ab4112426b1f |
| namespace | string | A workspace within tenant's space in which the virtual host was created. | namespace |
| sec_event_name | string | Security event name. | App Security Misconfiguration, API Rate Limiting, OpenAPI Validation Failure, API Protection Rule, OpenAPI Fall Through |
| sec_event_type | string | Security event type. | api_sec_event |
| site | string | Which cluster handled the req. | For Example: "ams9-ams” |
| sni | string | Hostname sni | |
| src | string | The “source” of the service which is sending the request. | Case 1. If this is a service-to-service communication happening via envoy (like v8s service etc.) this value will be the name of the service. For Example: S:lilac-edge-node-6.lilac-edge Case 2. If this is mTLS src then the value will be the first SAN in the client certificate. Case 3. If not Case1/2, It's a request coming from a client via public internet etc., then the value will appear as: N:public |
| src_instance | string | Details of the instance which generated the traffic. | Case 1. If this is service-to-service communication happening via envoy (v8s service etc.). The value will be an instance of the service (for e.g., pod name like in recommendationservice-69cddc6ffb-m794d) Case 2. If this is mTLS src_instance, the value will be the Subject Name in the client certificate. Case 3. If this is request from a public client, then the value will be the country detected by geo lookup. |
| src_site | string | This is the F5DC site (RE or CE etc.) which receives the request from the client. | This is the site where client traffic is hitting. For Example: dc12-ash If the client is close to dc12 and traffic from client is coming to dc12. It could be also CE, if the LB is exposed via CE. |
| tenant | string | Organization or group of users sharing common access with specific privileges to F5DC resources. | |
| terminated_time | string | Connection terminated time. | |
| time | string | Event generated time. | |
| timeseries_enabled | bool | Indicates that DDoS protection is enabled for this LB. | |
| vh_name | string | Tenant's virtual host name. | |
| vh_type | string | Virtual host type. | Valid Values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOADBALALNCER PROXY LOCAL_K8S_API_GATEWAY CDN_LOADBALALNCER |
| vhost_id | string | Tenant's virtual host ID. | Valid Values: VIRTUAL_SERVICE HTTP_LOAD_BALANCER API_GATEWAY TCP_LOADBALALNCER PROXY LOCAL_K8S_API_GATEWAY CDN_LOADBALALNCER |
On this page:
- Objective
- WAF Security Event
- WAF Client Details
- WAF Device Details
- WAF HTTP Protocol Details
- WAF Request Details
- WAF Response Details
- WAF Details
- WAF Signature Details
- WAF Violation Details
- WAF Metadata Details
- Bot Defense Security Event
- Bot Defense Client Details
- Bot Defense Device Details
- Bot Defense Server Details
- Bot Defense TLS Details
- Bot Defense HTTP Request/Response Details
- Bot Defense Details
- Bot Defense Metadata Details
- Service Policy Security Event
- Service Policy Client Details
- Service Policy Device Details
- Service Policy Request Details
- Service Policy HTTP Details
- Service Policy Response Details
- Service Policy Details
- Service Policy Metadata Details
- API Security Event
- API Client Details
- API Device Details
- API TLS Details
- API Request Details
- API HTTP Details
- API Response Details
- API Details
- API Metadata Details