Application : Web Application Firewall Activity (6005)

[adplotzk]

{
    "uid": "6005",
    "description": "Web application firewall traffic form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.",
    "extends": "base_event",
    "caption": "Web Application Firewall Activity",
    "name": "web_application_firewall",
    "category": "application",
    "attributes": {
	    "activity_id": {
		    "type": "integer",
		    "group": "classification",
		    "requirement": "required",
		    "description": "The web application firewall activity type identifier",
		    "enum": {
			    "0": {
				    "caption": "Unknown",
				    "description": "The web application firewall activity in the event pertains to a 'Unknown' activity."
			    },
			    "1": {
				    "caption": "Allow",
				    "description": "The web application firewall activity in the event pertains to a 'Allow' activity."
			    },
			    "2": {
				    "caption": "Count",
				    "description": "The web application firewall activity in the event pertains to a 'Count' activity."
			    },
			    "3": {
				    "caption": "Challenge",
				    "description": "The web application firewall activity in the event pertains to a 'Challenge' activity."
			    },
			    "4": {
				    "caption": "Block",
				    "description": "The web application firewall activity in the event pertains to a 'Block' activity."
			    },
			    "99": {
				    "caption": "Other",
				    "description": "The web application firewall activity call in the event pertains to a 'Other' activity."
			    }
		    }
	    },
	    "activity_name": {
		    "type": "string",
		    "group": "classification",
		    "requirement": "optional"
	    },
	    "category_uid": {
		    "type": "integer",
		    "group": "classification",
		    "requirement": "required"
	    },
	    "category_name": {
		    "type": "string",
		    "group": "classification",
		    "requirement": "optional"
	    },
	    "class_uid": {
		    "type": "integer",
		    "group": "classification",
		    "requirement": "required"
	    },
	    "class_name": {
		    "type": "string",
		    "group": "classification",
		    "requirement": "optional"
	    },
	    "type_uid": {
		    "type": "integer",
		    "group": "classification",
		    "requirement": "optional",
		    "description": "The event type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 +",
		    "enum": {
			    "600500": {
				    "caption": "Web Application Firewall Activity: Unknown."
			    },
			    "600501": {
				    "caption": "Web Application Firewall Activity: Allow.",
				    "description": "The web application firewall allows the request to be forwarded to the protected resource for processing and response."
			    },
			    "600502": {
				    "caption": "Web Application Firewall Activity: Count.",
				    "description": "The web application firewall counts the request but does not determine wheather to allow or block it."
			    },
			    "600503": {
				    "caption": "Web Application Firewall Activity:Challenge.",
				    "description": "The web application firewall uses a challenge, CAPTCHA, or puzzle to verify that the request is not coming from a bot or illegitimate source endpoint."
			    },
			    "600504": {
				    "caption": "Web Application Firewall Activity: Block.",
				    "description": "The web application firewall blocks the request."
			    },
			    "600599": {
				    "caption": "Web Application Firewall Activity: Other."
			    }
		    }
	    },
	    "rule": {
		    "type": "rule",
		    "group": "primary",
		    "requirement": "required",
		    "attributes": {
			    "category": {
				    "type": "string",
				    "requirement": "optional"
			    },
			    "description": {
				    "type": "string",
				    "requirement": "optional"
			    },
			    "name": {
				    "type": "recommended",
				    "requirement": "optional"
			    },
			    "type": {
				    "type": "string",
				    "requirement": "optional"
			    },
			    "uid": {
				    "type": "recommended",
				    "requirement": "optional"
			    },
			    "version": {
				    "type": "string",
				    "requirement": "optional"
			    },
			    "condition": {
				    "type": "string",
				    "requirement": "optional",
				    "description": "The rule trigger condition for the rule. For example: SQL_INJECTION."
			    },
			    "sensitivity": {
				    "type": "string",
				    "requirement": "optional",
				    "description": "The location in the request where the rule matched. For example: HIGH."
			    },
			    "location": {
				    "type": "string",
				    "requirement": "optional",
				    "description": "The location in the request where the rule matched. For example: HEADER."
			    },
			    "match_details": {
				    "type": "array",
				    "requirement": "optional",
				    "description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'."
			    },
			    "rate_limit": {
				    "type": "string",
				    "requirement": "optional",
				    "description": "The rate limit for a rate-based rule."
			    },
			    "status_code": {
				    "type": "string",
				    "requirement": "optional",
				    "description": "The event status code, as reported by the event source."
			    },
			    "response_time": {
				    "type": "timestamp",
				    "requirement": "optional",
				    "description": "The rule response time, usually used for challenge completion time."
			    },
			    "message": {
				    "type": "string",
				    "requirement": "optional",
				    "description": "The description of the event, as defined by the event source."
			    }
		    }
	    }
    }
}

.
.
.
Full EC Context -

{
"uid": "6005",
"description": "Web application firewall traffic is a traffic form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service.",
"extends": "base_event",
"caption": "Web Application Firewall",
"name": "web_application_firewall",
"category": "application",
"attributes": {
	"activity_id": {
		"type": "integer",
		"group": "classification",
		"requirement": "required",
		"description": "The web application firewall activity type identifier",
		"enum": {
			"0": {
				"caption": "Unknown",
				"description": "The web application firewall activity in the event pertains to a 'Unknown' activity."
			},
			"1": {
				"caption": "Allow",
				"description": "The web application firewall activity in the event pertains to a 'Allow' activity."
			},
			"2": {
				"caption": "Count",
				"description": "The web application firewall activity in the event pertains to a 'Count' activity."
			},
			"3": {
				"caption": "Challenge",
				"description": "The web application firewall activity in the event pertains to a 'Challenge' activity."
			},
			"4": {
				"caption": "Block",
				"description": "The web application firewall activity in the event pertains to a 'Block' activity."
			},
			"99": {
				"caption": "Other",
				"description": "The web application firewall activity call in the event pertains to a 'Other' activity."
			}
		}
	},
	"activity_name": {
		"type": "string",
		"group": "classification",
		"requirement": "optional",
		"description": "The web application firewall activity type identifier"
	},
	"category_uid": {
		"type": "integer",
		"group": "classification",
		"requirement": "required",
		"description": "The category unique identifier of the event.\n 6 Application Activity\n Application Activity events report detailed information about the behavior of applications and services."
	},
	"category_name": {
		"type": "string",
		"group": "classification",
		"requirement": "optional",
		"description": "The event category name, as defined by category_uid value: Application Activity."
	},
	"class_uid": {
		"type": "integer",
		"group": "classification",
		"requirement": "required",
		"description": "The unique identifier of a class. A Class describes the attributes available in an event.\n 6005 Web Application Firewall Activity\n Web Application Firewall Activity events describe traffic form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service."
	},
	"class_name": {
		"type": "string",
		"group": "classification",
		"requirement": "optional",
		"description": "The event class name, as defined by class_uid value: Web Application Firewall Activity"
	},
	"type_uid": {
		"type": "integer",
		"group": "classification",
		"requirement": "optional",
		"description": "The event type ID. It identifies the event's semantics and structure. The value is calculated by the logging system as: class_uid * 100 +",
		"enum": {
			"600500": {
				"caption": "Web Application Firewall Activity: Unknown."
			},
			"600501": {
				"caption": "Web Application Firewall Activity: Allow.",
				"description": "The web application firewall allows the request to be forwarded to the protected resource for processing and response."
			},
			"600502": {
				"caption": "Web Application Firewall Activity: Count.",
				"description": "The web application firewall counts the request but does not determine wheather to allow or block it."
			},
			"600503": {
				"caption": "Web Application Firewall Activity:Challenge.",
				"description": "The web application firewall uses a challenge, CAPTCHA, or puzzle to verify that the request is not coming from a bot or illegitimate source endpoint."
			},
			"600504": {
				"caption": "Web Application Firewall Activity: Block.",
				"description": "The web application firewall blocks the request."
			},
			"600599": {
				"caption": "Web Application Firewall Activity: Other."
			}
		}
	},
	"type_name": {
		"type": "string",
		"group": "classification",
		"requirement": "optional",
		"description": "The event type name, as defined by the type_uid."
	},
	"time": {
		"type": "timestamp",
		"group": "occurrence",
		"requirement": "optional",
		"description": "The normalized event occurrence time."
	},
	"metadata": {
		"type": "metadata",
		"group": "context",
		"requirement": "required",
		"description": "The metadata associated with the event."
	},
	"src_endpoint": {
		"type": "src_endpoint",
		"group": "primary",
		"requirement": "recommended",
		"description": "Details about the source endpoint of the request."
	},
	"http_request": {
		"type": "http_request",
		"group": "context",
		"requirement": "required",
		"description": "Details about the underlying HTTP request."
	},
	"rule": {
		"type": "rule",
		"group": "primary",
		"requirement": "required",
		"description": "The rules that reported the events."
	},
	"severity": {
		"type": "string",
		"group": "classification",
		"requirement": "optional",
		"description": "The event severity, normalized to the caption of the severity_id value. In the case of 'Other', it is defined by the event source."
	},
	"severity_id": {
		"type": "integer",
		"group": "classification",
		"requirement": "optional",
		"description": "The normalized identifier of the event severity.",
		"enum": {
			"0": {
				"caption": "Unknown",
				"description": "The event severity is not known."
			},
			"1": {
				"caption": "Informational",
				"description": "Informational message. No action required."
			},
			"2": {
				"caption": "Low",
				"description": "The user decides if action is needed."
			},
			"3": {
				"caption": "Medium",
				"description": "Action is required but the situation is not serious at this time."
			},
			"4": {
				"caption": "High",
				"description": "Action is required immediately."
			},
			"4": {
				"caption": "Critical",
				"description": "Action is required immediately and the scope is broad."
			},
			"4": {
				"caption": "Fatal",
				"description": "An error occurred but it is too late to take remedial action."
			},
			"99": {
				"caption": "Other",
				"description": "The event severity is not mapped. See the severity attribute, which contains a data source specific value."
			}
		}
	},
	"http_response": {
		"type": "http_response",
		"group": "context",
		"requirement": "optional",
		"description": "The rules that reported the events."
	},
	"duration": {
		"type": "integer",
		"group": "occurrence",
		"requirement": "optional",
		"description": "The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds."
	},
	"start_time": {
		"type": "integer",
		"group": "occurrence",
		"requirement": "optional",
		"description": "he start time of a time period, or the time of the least recent event included in the aggregate event."
	},
	"end_time": {
		"type": "integer",
		"group": "occurrence",
		"requirement": "optional",
		"description": "The event duration or aggregate time, the amount of time the event covers from start_time to end_time in milliseconds."
	},
	"enrichments": {
		"type": "enrichments array",
		"group": "context",
		"requirement": "optional",
		"description": "The additional information from an external data source, which is associated with the event."
	},
	"message": {
		"type": "string",
		"group": "primary",
		"requirement": "optional",
		"description": "The observables associated with the event."
	},
	"observables": {
		"type": "observable array",
		"group": "primary",
		"requirement": "optional",
		"description": "The observables associated with the event."
	},
	"raw_data": {
		"type": "string",
		"group": "context",
		"requirement": "optional",
		"description": "The event data as received from the event source."
	},
	"timezone_offset": {
		"type": "integer",
		"group": "occurrence",
		"requirement": "optional",
		"description": "The number of minutes that the reported event time is ahead or behind UTC, in the range -1,080 to +1,080."
	},
	"unmapped": {
		"type": "object",
		"group": "context",
		"requirement": "optional",
		"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source."
	}
},
"new_rule_attributes": {
	"rule": {
		"category": {
			"type": "string",
			"requirement": "optional",
			"description": "The rule category."
		},
		"description": {
			"type": "string",
			"requirement": "optional",
			"description": "The description of the rule that generated the event."
		},
		"name": {
			"type": "recommended",
			"requirement": "optional",
			"description": "The name of the rule that generated the event."
		},
		"type": {
			"type": "string",
			"requirement": "optional",
			"description": "The rule type."
		},
		"uid": {
			"type": "recommended",
			"requirement": "optional",
			"description": "The unique identifier of the rule that generated the event."
		},
		"version": {
			"type": "string",
			"requirement": "optional",
			"description": "The rule version. For example: 1.1."
		},
		"condition": {
			"type": "string",
			"requirement": "optional",
			"description": "The rule trigger condition for the rule. For example: SQL_INJECTION."
		},
		"sensitivity": {
			"type": "string",
			"requirement": "optional",
			"description": "The location in the request where the rule matched. For example: HIGH."
		},
		"location": {
			"type": "string",
			"requirement": "optional",
			"description": "The location in the request where the rule matched. For example: HEADER."
		},
		"match_details": {
			"type": "array",
			"requirement": "optional",
			"description": "The data in a request that rule matched. For example: '[\"10\",\"and\",\"1\"]'."
		},
		"rate_limit": {
			"type": "string",
			"requirement": "optional",
			"description": "The rate limit for a rate-based rule."
		},
		"status_code": {
			"type": "string",
			"requirement": "optional",
			"description": "The event status code, as reported by the event source."
		},
		"response_time": {
			"type": "timestamp",
			"requirement": "optional",
			"description": "The rule response time, usually used for challenge completion time."
		},
		"message": {
			"type": "string",
			"requirement": "optional",
			"description": "The description of the event, as defined by the event source."
		}
	}
}

}

[rroupski]

The Firewall, along with other security products, performs various actions based on the activity it detects. Therefore, the event should include attributes that report both the original activity that triggered specific firewall rules and the subsequent actions executed by the firewall.

For instance, the proposed class does not provide a clear description of the actual activity. What exactly triggered the firewall rule? In other words, what does the 'activity_id=Allow' indicate as being allowed? Was it a new connection, data traffic, or a file download? Additionally, was the rate within acceptable limits?

While we have made considerable progress in defining activity classes, we haven't focused as much on detailing the security actions triggered by these activities. The OCSF has introduced a single profile, 'https://schema.ocsf.io/1.0.0-rc.3/profiles/security_control,' which serves as a starting point for covering the security actions resulting from normal activity events. However, due to time constraints, we were unable to fully explore and expand upon this idea. Now might be an opportune moment to delve deeper into this aspect.

[floydtree]

I see your point, however I think, our activity_ids should be focused directly on the most obvious activity of the event. A specialized source such as a L7 firewall, should have an event class with activity_ids that directly reflect that source's activities.

e.g in the case of web application firewall activity, the event class's activity_ids should be about whether the connection was allowed/blocked/etc instead of new connection, data traffic, or a file download The triggering-activity that caused the WAF to log an event, which will be a supporting contextual piece of information, can be determined based on information in the supporting attributes (in this class's case, I infer it will be rules.match_details).

[adplotzk]

This will be available within the PR when I raise it, however http_request will be a required object which addresses your aforementioned criteria. The proposal above is just to highlight the specific elements which makes this unique, and does not encompass the entire event class. For example the event you posted will map to the following under 6005 which is quite straightforward:

`{
    "activity_id": 1,
    "activity_name": "Block",
    "category_name": "Application Activity",
    "category_uid": 6,
    "class_name": "Web Application Firewall",
    "class_uid": 6005,
    "type_name": "Web Application Firewall: Block",
    "type_uid": 600503,
    "time": 1576280412771,
    "metadata": {
        "product": {
            "name": "AWS WAF",
            "vendor_name": "AWS"
        },
        "feature": {
            "uid": "arn:aws:wafv2:ap-southeast-2:111122223333:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE"
        },
        "log_version": "1",
        "profiles": [],
        "version": "1.0.0-rc.3",
        "labels": [
            {
                "name": "value"
            }
        ]
    },
    "src_endpoint": {
        "ip": "1.1.1.1",
        "location": {
            "country": "AU"
        }
    },
    "http_request": {
        "args": "",
        "version": "HTTP/1.1",
        "method": "GET",
        "uid": "rid",
        "user_agent": "curl/7.61.1",
        "url": {
            "hostname": "localhost:1989",
            "path": "/myUri",
            "url_string": "localhost:1989/myUri"
        },
        "headers": [
            {
                "name": "Accept",
                "value": "*/*"
            },
            {
                "name": "x-stm-test",
                "value": "10 AND 1=1"
            }
        ]
    },
    "rule_id": "STMTest_SQLi_XSS",
    "rule_type": "REGULAR",
    "rule_match_details": {
        "condition_type": "SQL_INJECTION",
        "sensitivity_level": "HIGH",
        "location": "HEADER",
        "matched_data": [
            "10",
            "AND",
            "1"
        ]
    },
    "unmapped": {
        "httpSourceName": "APIGW",
        "httpSourcId": "-"
    }
}`

@rroupski

[rroupski]

ok, what I am trying to say is that we don't need a new event, let's reuse the existing event and use a profile to add the fw specific attributes.

[floydtree]

But that goes back to the original point, if we reuse a class, we'll not have L7 firewall specific activity_ids and that would be a crucial miss. I think having a dedicated L3 firewall class would also be worthwhile.

[rroupski]

The L7 firewall specific activities will be in put in the disposition_id, and we don't lose the real user activity that triggered the event FW event.

[adplotzk]

These perspectives will be discussed in the next meeting

[adplotzk]

@pagbabian-splunk @rroupski @floydtree

{
    "activity_id": 1,
    "activity_name": "Get",
    "category_name": "Network Activity",
    "category_uid": 4,
    "class_name": "HTTP Activity",
    "class_uid": 4002,
    "type_name": "HTTP Activity: Get",
    "type_uid": 400503,
    "time": 1576280412771,
    "disposition": "Block",
    "disposition_id": "2",
    "time": 1576280412771,
    "metadata": {
	    "product": {
		    "name": "AWS WAF",
		    "vendor_name": "AWS"
	    },
	    "feature": {
		    "uid": "arn:aws:wafv2:ap-southeast-2:111122223333:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE"
	    },
	    "log_version": "1",
	    "profiles": [firewall],
	    "version": "1.0.0-rc.3",
	    "labels": [
		    {
			    "name": "value"
		    }
	    ]
    },
    "src_endpoint": {
	    "ip": "1.1.1.1",
	    "location": {
		    "country": "AU"
	    }
    },
    "http_request": {
	    "args": "",
	    "version": "HTTP/1.1",
	    "method": "GET",
	    "uid": "rid",
	    "user_agent": "curl/7.61.1",
	    "url": {
		    "hostname": "localhost:1989",
		    "path": "/myUri",
		    "url_string": "localhost:1989/myUri"
	    },
	    "headers": [
		    {
			    "name": "Accept",
			    "value": "*/*"
		    },
		    {
			    "name": "x-stm-test",
			    "value": "10 AND 1=1"
		    }
	    ]
    },
    "rule": {
	    "uid": "STMTest_SQLi_XSS",
	    "type": "REGULAR",
	    "condition": "SQL_INJECTION",
	    "sensitivity": "HIGH",
	    "location": "HEADER",
	    "matched_data": [
		    "10",
		    "AND",
		    "1"
	    ]
    },
    "unmapped": {
	    "httpSourceName": "APIGW",
	    "httpSourcId": "-"
    }
}

[adplotzk]

My PR is ready to go as soon as this is reviewed