
F5 BIG-IP

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection / Hunters detection / IOC search / Search | Table name | Log format | Collection method |
| --- | --- | --- | --- | --- |
| F5 Big-IP Local Traffic Logs | ✅ | f5_bigip_local_traffic_logs | Key value | S3 |
| F5 Big-IP WAF Logs | ✅ ✅ | f5_big_ip_waf | Key value | S3 |


Overview

F5 BIG-IP log files contain diagnostic information about the events occurring on the BIG-IP system. Integrating BIG-IP logs into Hunters ingests the data types listed below into your data lake, where they can be used for detection use cases and for search.

Supported data types

F5 Big-IP Local Traffic Logs

Table name: f5_bigip_local_traffic_logs

The local traffic messages pertain specifically to the BIG-IP local traffic management events.

Learn more here.

F5 Big-IP WAF Logs

Table name: f5_big_ip_waf

BIG-IP Advanced WAF provides a dedicated, dynamic dashboard for tracking compliance against the threats listed in the OWASP Top 10, guided configurations for common WAF use cases, a learning engine with customized policy building, and granular security policies for microservices and APIs.

Learn more here.

Send data to Hunters

Hunters ingests F5 BIG-IP logs from an intermediary AWS S3 bucket.

To connect F5 BIG-IP logs:

  1. Route the F5 BIG-IP logs into an AWS S3 bucket.

  2. Once the export is running and the logs are being written to the bucket, follow the steps in this section to connect the bucket to Hunters.

Expected format

Logs are expected in KeyVal (key="value") format, as in the anonymized samples below.

F5 Big-IP Local Traffic Logs

anonymized logs:

Nov 03 2023 14:42:17 edge-gateway01 warning tmm2[45231]: 01260013:4: SSL Handshake failed for TCP 198.51.100.77:51234 -> 192.0.2.25:8443
Nov 03 2023 14:42:17 edge-gateway01 notice tmsh[45289]: 01420002:5: AUDIT - pid=45289 user=adminuser folder=/Common module=(network)# status=[Command OK] cmd_data=show net interface all-properties
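The two local-traffic lines above share one header layout (timestamp, host, level, process[pid], an eight-hex-digit message ID followed by a one-digit level, then the message), and the tmsh line carries an `AUDIT - key=value ...` body in which some values contain spaces (`status=[Command OK]`, `cmd_data=show net interface all-properties`). The parser below is an added example written for this page; it is not Hunters or F5 code. The header regex, the `AUDIT - ` prefix and the message-ID:level pattern are assumptions taken from these two sample lines only; the sample input is copied from them. Note that the digit after the message ID matches the syslog severity of the textual level in both samples (warning = 4, notice = 5).

```python
import re
from typing import Optional

# Constructed sample input: the two anonymized lines shown on this page.
SAMPLE_LTM_LINES = [
    "Nov 03 2023 14:42:17 edge-gateway01 warning tmm2[45231]: 01260013:4: SSL Handshake failed for TCP 198.51.100.77:51234 -> 192.0.2.25:8443",
    "Nov 03 2023 14:42:17 edge-gateway01 notice tmsh[45289]: 01420002:5: AUDIT - pid=45289 user=adminuser folder=/Common module=(network)# status=[Command OK] cmd_data=show net interface all-properties",
]

# Header layout as observed in the samples (assumption, not an F5 specification):
#   <Mon DD YYYY HH:MM:SS> <host> <level> <process>[<pid>]: <msg_id>:<level_digit>: <message>
LTM_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>[a-z]+) "
    r"(?P<process>[^\[\s]+)\[(?P<pid>\d+)\]: "
    r"(?P<msg_id>[0-9A-Fa-f]{8}):(?P<level_num>\d): "
    r"(?P<message>.*)$"
)

# Split an audit body on the space that precedes the next "key=", so values that
# themselves contain spaces (status=[Command OK], cmd_data=show net ...) stay whole.
AUDIT_KV_SPLIT = re.compile(r" (?=[a-z_]+=)")

SSL_HANDSHAKE = re.compile(
    r"SSL Handshake failed for TCP (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"-> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)


def parse_ltm_line(line: str) -> Optional[dict]:
    """Parse one local-traffic log line into a flat dict; None if the header does not match."""
    m = LTM_HEADER.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"])
    event["level_num"] = int(event["level_num"])
    msg = event["message"]
    if msg.startswith("AUDIT - "):
        # tmsh audit record: who ran which command, in which folder, with what result.
        event["event_type"] = "audit"
        for pair in AUDIT_KV_SPLIT.split(msg[len("AUDIT - "):]):
            key, _, value = pair.partition("=")
            event["audit_" + key] = value
        return event
    ssl = SSL_HANDSHAKE.search(msg)
    if ssl:
        event["event_type"] = "ssl_handshake_failed"
        event.update(ssl.groupdict())
    else:
        event["event_type"] = "other"
    return event


def admin_commands(lines) -> list:
    """Return (user, command, status) for every tmsh audit record in the input."""
    out = []
    for line in lines:
        ev = parse_ltm_line(line)
        if ev and ev["event_type"] == "audit":
            out.append((ev["audit_user"], ev["audit_cmd_data"], ev["audit_status"]))
    return out


if __name__ == "__main__":
    for sample in SAMPLE_LTM_LINES:
        print(parse_ltm_line(sample))
    print(admin_commands(SAMPLE_LTM_LINES))
```

The audit records are the part of this table worth a detection: `admin_commands` gives a per-user list of tmsh commands, which is the starting point for alerting on configuration changes made outside a change window or by an unexpected account.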

F5 Big-IP WAF Logs

anonymized log (note that the request field carries the full HTTP request, including the Authorization and Cookie headers):

unit_hostname="waf-prod-01.example.net",
management_ip_address="192.0.2.10",
management_ip_address_2="N/A",
http_class_name="/Common/app_prod/app_prod",
web_application_name="/Common/app_prod/app_prod",
policy_name="/Common/app_prod/app_prod",
policy_apply_date="2024-06-10 09:15:42",
violations="Access from suspicious IP address",
support_id="98765432101234567890",
request_status="blocked",
response_code="403",
ip_client="198.51.100.45",
route_domain="0",
method="POST",
protocol="HTTPS",
query_string="user=testuser&DeviceId=ABC123XYZ789&DeviceType=Android&Cmd=Provision",
x_forwarded_for_header_value="198.51.100.77",
sig_ids="N/A",
sig_names="N/A",
date_time="2024-06-15 11:22:33",
severity="Critical",
attack_type="Brute Force",
geo_location="DE",
ip_address_intelligence="Bot Network",
username="testuser",
session_id="a1b2c3d4e5f67890123456789abcdef0",
src_port="52344",
dest_port="443",
dest_ip="203.0.113.25",
sub_violations="N/A",
virus_name="N/A",
violation_rating="4",
websocket_direction="N/A",
websocket_message_type="N/A",
device_id="device-xyz-001",
staged_sig_ids="",
staged_sig_names="",
threat_campaign_names="Credential Stuffing Campaign",
staged_threat_campaign_names="N/A",
blocking_exception_reason="N/A",
captcha_result="not_received",
microservice="auth-service",
tap_event_id="evt-112233445566",
tap_vid="vid-99887766",
vs_name="/Common/app_https_vs",
sig_cves="N/A",
staged_sig_cves="N/A",
uri="/api/v1/sync",
fragment="",
request="POST /api/v1/sync?user=testuser&DeviceId=ABC123XYZ789&DeviceType=Android&Cmd=Provision HTTP/1.1\r\nHost: api.example.net\r\nAccept: */*\r\nAuthorization: Basic dGVzdDp0ZXN0MTIz\r\nX-App-ProtocolVersion: 2.0\r\nX-Policy-Key: 987654321\r\nAccept-Language: en-US,en;q=0.9\r\nAccept-Encoding: gzip, deflate, br\r\nContent-Type: application/json\r\nContent-Length: 128\r\nUser-Agent: ExampleAndroid/14.2.1\r\nConnection: keep-alive\r\nCookie: TS01abcd12=abcdef1234567890; SESSIONID=xyz987654321; AUTHID=S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX"
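Two things about this record matter when it lands in `f5_big_ip_waf`. First, splitting it on commas is wrong: quoted values such as `Accept-Language: en-US,en;q=0.9` inside `request` contain commas, so pairs have to be matched as `key="value"`. Second, the `request` value is the raw HTTP request, and in the sample it includes `Authorization: Basic dGVzdDp0ZXN0MTIz` (which decodes to `test:test123`) and the session cookies, so the table holds live credentials unless they are scrubbed. The code below is an added example written for this page, not Hunters or F5 code. It assumes that `\"` is the escape for a quote inside a value and that `\r\n` appears either as a real CRLF or as the literal four characters shown above; the sample is a constructed subset of the record's fields. It also keeps both `ip_client` and `x_forwarded_for_header_value`: the two differ in the sample, and the XFF value is client-supplied unless a trusted proxy in front of BIG-IP sets it.

```python
import base64
import re

# Constructed sample: a subset of the anonymized WAF record on this page, one
# key="value" pair per line. The request line is a raw string so the \r\n
# sequences stay as the literal characters that appear in the example.
SAMPLE_WAF_RECORD = "\n".join([
    'unit_hostname="waf-prod-01.example.net",',
    'management_ip_address="192.0.2.10",',
    'policy_name="/Common/app_prod/app_prod",',
    'violations="Access from suspicious IP address",',
    'support_id="98765432101234567890",',
    'request_status="blocked",',
    'response_code="403",',
    'ip_client="198.51.100.45",',
    'method="POST",',
    'query_string="user=testuser&DeviceId=ABC123XYZ789&DeviceType=Android&Cmd=Provision",',
    'x_forwarded_for_header_value="198.51.100.77",',
    'sig_ids="N/A",',
    'date_time="2024-06-15 11:22:33",',
    'severity="Critical",',
    'attack_type="Brute Force",',
    'ip_address_intelligence="Bot Network",',
    'username="testuser",',
    'dest_ip="203.0.113.25",',
    'staged_sig_ids="",',
    'threat_campaign_names="Credential Stuffing Campaign",',
    'uri="/api/v1/sync",',
    r'request="POST /api/v1/sync?user=testuser&DeviceId=ABC123XYZ789&DeviceType=Android&Cmd=Provision HTTP/1.1\r\nHost: api.example.net\r\nAccept: */*\r\nAuthorization: Basic dGVzdDp0ZXN0MTIz\r\nAccept-Language: en-US,en;q=0.9\r\nContent-Type: application/json\r\nUser-Agent: ExampleAndroid/14.2.1\r\nCookie: TS01abcd12=abcdef1234567890; SESSIONID=xyz987654321; AUTHID=S-1-5-21-XXXXXXXX-XXXXXXXX-XXXXXXXX"',
])

# One key="value" pair. A backslash escapes the next character inside the quotes
# (assumed escaping rule), so commas and escaped quotes in a value are preserved.
KV_PAIR = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Request headers whose values must not reach the data lake in clear text.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def parse_waf_record(record: str) -> dict:
    """Parse a WAF key="value" record into a dict; "N/A" and "" become None."""
    return {k: (None if v in ("N/A", "") else v) for k, v in KV_PAIR.findall(record)}


def _scrub_header(name: str, value: str) -> str:
    """Drop a secret-bearing header value, keeping only the Basic-auth user name."""
    if name.lower() == "authorization" and value.lower().startswith("basic "):
        try:
            creds = base64.b64decode(value[6:].strip(), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            return "[REDACTED]"
        return f"Basic {creds.split(':', 1)[0]}:[REDACTED]"
    return "[REDACTED]"


def redact_request(request: str) -> str:
    """Return the raw request with credential-bearing header values removed.
    Handles both a real CRLF and the escaped \\r\\n form seen in the log."""
    sep = "\r\n" if "\r\n" in request else "\\r\\n"
    scrubbed = []
    for line in re.split(r"\r\n|\\r\\n", request):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            scrubbed.append(f"{name}: {_scrub_header(name.strip(), value.strip())}")
        else:
            scrubbed.append(line)
    return sep.join(scrubbed)


def triage_event(record: str) -> dict:
    """The fields an analyst reaches for first, with the request already redacted."""
    ev = parse_waf_record(record)
    return {
        "support_id": ev.get("support_id"),
        "blocked": ev.get("request_status") == "blocked",
        "violations": ev.get("violations"),
        "attack_type": ev.get("attack_type"),
        # ip_client is the peer BIG-IP saw; the XFF header is client-controlled
        # unless a trusted upstream proxy sets it, so keep both and never merge them.
        "ip_client": ev.get("ip_client"),
        "x_forwarded_for": ev.get("x_forwarded_for_header_value"),
        "username": ev.get("username"),
        "request": redact_request(ev["request"]) if ev.get("request") else None,
    }


if __name__ == "__main__":
    for key, value in triage_event(SAMPLE_WAF_RECORD).items():
        print(f"{key}: {value}")
```

Run the redaction before the records are written to S3 if you can; once the unredacted `request` field is in the data lake, every analyst with search access to `f5_big_ip_waf` can read the Basic-auth password and the session cookies of every blocked request.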