Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
F5 Big-IP Local Traffic Logs | ✅ | f5_bigip_local_traffic_logs | Key value | S3 | |||
F5 Big-IP WAF Logs | ✅ | ✅ | f5_big_ip_waf | Key value | S3 |
Overview
F5 BIG-IP log files include important diagnostic information about the events occurring on the BIG-IP system. Integrating BIG-IP logs into Hunters lets you ingest these data types into your data lake and leverage the data for various detection use cases.
Supported data types
F5 Big-IP Local Traffic Logs
Table name: f5_bigip_local_traffic_logs
The local traffic messages pertain specifically to the BIG-IP local traffic management events.
Learn more here.
F5 Big-IP WAF Logs
Table name: f5_big_ip_waf
BIG-IP Advanced WAF delivers a dedicated, dynamic dashboard ensuring compliance against threats listed in the OWASP Top 10, guided configurations for common WAF use cases, a learning engine and customized policy building, and granular security policies for microservices and APIs.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of F5 BIG-IP logs using an intermediary AWS S3 bucket.
To connect F5 BIG-IP logs:
Route F5 BIG-IP logs into an AWS S3 bucket.
Once the export is complete and the logs have been collected in S3, follow the steps in this section.
Expected format
Logs are expected in KeyVal format.
F5 Big-IP Local Traffic Logs
Oct 12 2022 11:25:08 host123 warning tmm1[19847]: 01260013:4: SSL Handshake failed for TCP 14.143.185.130:34019 -> 10.100.208.20:443
Oct 12 2022 11:25:08 host123 notice tmsh[19907]: 01420002:5: AUDIT - pid=19907 user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive
F5 Big-IP WAF Logs
unit_hostname="tst-f5waf-mgmt.asd.ai",management_ip_address="1.2.3.4",management_ip_address_2="N/A",http_class_name="/Common/owa.app/owa",web_application_name="/Common/owa.app/owa",policy_name="/Common/owa.app/owa",policy_apply_date="2024-03-22 12:26:20",violations="Access from malicious IP address",support_id="17587647238944587925",request_status="blocked",response_code="0",ip_client="1.2.3.4",route_domain="0",method="POST",protocol="HTTPS",query_string="user=tsttsts&DeviceId=FKAWOEJGFOIAWEGA&DeviceType=iPhone&Cmd=Sync",x_forwarded_for_header_value="N/A",sig_ids="N/A",sig_names="N/A",date_time="2024-04-01 07:00:36",severity="Critical",attack_type="N/A",geo_location="CH",ip_address_intelligence="Spam Sources",username="N/A",session_id="ef3ee19fdff757d1",src_port="60936",dest_port="443",dest_ip="1.2.3.4",sub_violations="N/A",virus_name="N/A",violation_rating="3",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",threat_campaign_names="N/A",staged_threat_campaign_names="N/A",blocking_exception_reason="N/A",captcha_result="not_received",microservice="N/A",tap_event_id="N/A",tap_vid="N/A",vs_name="/Common/owa_https",sig_cves="N/A",staged_sig_cves="N/A",uri="/microsoft-server-activesync",fragment="",request="POST /Microsoft-Server-ActiveSync?user=tsttsts&DeviceId=FKAWOEJGFOIAWEGA&DeviceType=iPhone&Cmd=Sync HTTP/1.1\r\nHost: webmail.asd.ai\r\nAccept: */*\r\nAuthorization: Basic asdasdsadasdasdasdasdasdsa\r\nMS-ASProtocolVersion: 16.1\r\nX-MS-PolicyKey: 2041157854\r\nAccept-Language: de-DE,de;q=0.9\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: application/vnd.ms-sync.wbxml\r\nContent-Length: 41\r\nUser-Agent: Apple-iPhone15C2/2105.236\r\nConnection: keep-alive\r\nCookie: TS0180a63d=013c9f7a1d06bf1fcbff2d2f3650f9d81068970da937b8688810683f1f41b3202df914ce8faa0989d2f112c96e3d2db0e5b4a0c3d1; X-BackEndCookie=S-1-5-21-198730045-181724891-114977
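The two log shapes shown above are easy to get wrong when parsing: the WAF line is a comma-separated list of key="value" pairs whose values themselves contain commas (header values inside request) and the literal \r\n sequences F5 writes, so splitting on commas breaks, while the local traffic line is syslog-style with an eight-hex-digit message code, and its AUDIT messages carry key=value tokens whose values contain spaces. The parser below is an added example written for this page; it is not Hunters' ingestion code or an F5 tool. The sample lines are constructed and anonymised versions of the ones above, and the handling of backslash-escaped quotes inside a WAF value is an assumption, since the page does not show one.

```python
"""Parsers for the two F5 BIG-IP log shapes shown on this page (added example)."""
import re
from typing import Dict, List

# Constructed, anonymised sample lines modelled on the page's examples (not real telemetry).
LTM_SSL_SAMPLE = (
    "Oct 12 2022 11:25:08 host123 warning tmm1[19847]: 01260013:4: "
    "SSL Handshake failed for TCP 203.0.113.10:34019 -> 10.100.208.20:443"
)
LTM_AUDIT_SAMPLE = (
    "Oct 12 2022 11:25:08 host123 notice tmsh[19907]: 01420002:5: AUDIT - pid=19907 "
    "user=root folder=/ module=(tmos)# status=[Command OK] cmd_data=list cm device recursive"
)
WAF_SAMPLE = (
    'unit_hostname="f5waf.example.test",policy_name="/Common/owa.app/owa",'
    'violations="Access from malicious IP address",support_id="17587647238944587925",'
    'request_status="blocked",ip_client="203.0.113.10",method="POST",protocol="HTTPS",'
    'severity="Critical",ip_address_intelligence="Spam Sources",dest_port="443",'
    'staged_sig_ids="",uri="/microsoft-server-activesync",'
    'request="POST /Microsoft-Server-ActiveSync?Cmd=Sync HTTP/1.1\\r\\n'
    'Host: webmail.example.test\\r\\nAccept-Language: de-DE,de;q=0.9\\r\\n"'
)

# One key="value" pair. Values may contain commas and backslash sequences (\r\n),
# so we match pairs rather than split on ",". Backslash-escaped quotes are an assumption.
_WAF_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Local traffic line: <Mon DD YYYY hh:mm:ss> <host> <level> <proc>[<pid>]: <code>:<lvl>: <message>
_LTM_LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>\w+) (?P<process>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<msg_code>[0-9A-Fa-f]{8}):(?P<msg_level>\d): (?P<message>.*)$"
)

# key=value tokens in an AUDIT message; a value runs until the next " key=" or end of line,
# so "status=[Command OK]" and "cmd_data=list cm device recursive" survive intact.
_AUDIT_KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_waf_line(line: str) -> Dict[str, str]:
    """Parse one WAF key-value line into a dict; empty values (staged_sig_ids="") are kept."""
    fields = dict(_WAF_PAIR_RE.findall(line))
    if not fields:
        raise ValueError('no key="value" pairs found')
    return fields


def parse_local_traffic_line(line: str) -> dict:
    """Parse one local traffic line; AUDIT messages additionally get an 'audit' sub-dict."""
    m = _LTM_LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised local traffic line: {line[:60]!r}")
    rec: dict = m.groupdict()
    prefix = "AUDIT - "
    if rec["message"].startswith(prefix):
        rec["audit"] = dict(_AUDIT_KV_RE.findall(rec["message"][len(prefix):]))
    return rec


def blocked_critical(events: List[Dict[str, str]]) -> List[str]:
    """support_ids of WAF events the policy blocked at Critical severity, the
    subset a first triage query over the WAF table would usually start from."""
    return [
        e["support_id"]
        for e in events
        if e.get("request_status") == "blocked" and e.get("severity") == "Critical"
    ]


if __name__ == "__main__":
    waf = parse_waf_line(WAF_SAMPLE)
    print("WAF:", waf["violations"], waf["ip_client"], "->", waf["uri"])
    print("blocked critical:", blocked_critical([waf]))
    for line in (LTM_SSL_SAMPLE, LTM_AUDIT_SAMPLE):
        rec = parse_local_traffic_line(line)
        print("LTM:", rec["msg_code"], rec["process"], rec.get("audit", rec["message"]))
```

The support_id is the value to carry into any alert: it is what an F5 administrator needs to locate the full request in the BIG-IP event log, while the request field keeps the raw headers (including any Authorization header, as in the page's sample) and should be treated as sensitive when stored or displayed.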