Qualys Web Application Firewall
What is Discovered and Monitored
Protocol |
Information discovered |
Metrics/Logs collected |
Used for |
---|---|---|---|
Syslog | Permitted and Denied Web traffic | Log analysis and compliance |
Event Types
The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.
-
Qualys-WAF-Web-Request-Success
-
Qualys-WAF-Web-Bad-Request
-
Qualys-WAF-Web-Client-Access-Denied
-
Qualys-WAF-Web-Client-Error
-
Qualys-WAF-Web-Forbidden-Access-Denied
-
Qualys-WAF-Web-Length-Reqd-Access-Denied
-
Qualys-WAF-Web-Request
-
Qualys-WAF-Web-Request-Redirect
-
Qualys-WAF-Web-Server-Error
Rules
There are no predefined rules for this device.
Reports
Relevant reports are defined in RESOURCE > Reports > Device > Network > Web Gateway.
Configuration
FortiSIEM processes events from this device via syslog sent in JSON format. Configure the device to send syslog to FortiSIEM as directed in the device's product documentation, and FortiSIEM will parse the contents.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Qualys Web Application Firewall |
Access Protocol | See Access Credentials |
Port | See Access Credentials |
Password config | See Password Configuration |
Example Syslog
Note that each JSON formatted syslog contains many logs.
<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf - QUALYS_WAF - {"timestamp":"2015-05-15T12:57:30.945-00:00","duration":6011,"id":"487c116c-4908-4ce3-b05c-eda5d5bb7045","clientIp":"172.27.80.170","clientPort":9073,"sensorId":"d3acc41f-d1fc-43be-af71-e7e10e9e66e2","siteId":"41db0970-8413-4648-b7e2-c50ed53cf355","connection":{"id":"bc1379fe-317e-4bae-ae30-2a382e310170","clientIp":"172.27.80.170","clientPort":9073,"serverIp":"192.168.60.203","serverPort"
:443},"request":{"method":"POST","uri":"/","protocol":"HTTP/1.1","host":"esers-test.foo.org","bandwidth":0,"headers":[{"name":"Content-Length","value":"645"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;
q=0.8"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"},{"name":"Content-Type","value":"application/x-www-form-urlencoded"},{"name":"Referer","value":"https://esers-test.ohsers.org/"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"en-US,en;q=0.8"}],"headerOrder":"HILCAUTRELO"},"response":{"protocol":"HTTP/1.1","status":"200","message":"OK","bandwidth":0,"headers":[{"name":"Content-Type","value":"text/html; charset=utf-8"},{"name":"Server","value":"Microsoft-IIS/8.5"},{"name":"Content-Length","value":"10735"}],"headerOrder":"CTXSDL"},"security":{"auditLogRef":"b02f96e9-2649-4a83-9459-6a02da1a5f05","threatLevel":60,"events":[{"tags":["qid/226015","cat/XPATHi","cat/SQLi","qid/150003","loc/req/body/txtUserId","cfg/pol/applicationSecurity"],
"type":"Alert","rule":"main/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3","message":"Condition escaping detected (SQL or XPATH injection) - txtUserId.","confidence":80,"severity":60,"id":"262845566"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",
"message":"Info: Threat level exceeded blocking threshold (60).","confidence":0,"severity":0,"id":"262846018"},{"tags":["cat/correlation","qid/226016"],"type":"Observation","rule":"main/correlation/1",
"message":"Info: Blocking refused as blocking mode is disabled.","confidence":0,"severity":0,"id":"262846167"},{"tags":["cat/correlation","cat/XPATHi","qid/226015"],"type":"Alert","rule":
"main/correlation/1","message":"Detected: XPATHi.","confidence":80,"severity":60,"id":"268789851"}]}}