Transition Your Akamai Security Monitor Alerts to Web Security Analytics

May 11, 2020 · by Ori Kanfer
If you are using the alerting functionality in Akamai Security Monitor, this post shows you how to replicate those alerts in Web Security Analytics. Web Security Analytics lets you create alerts so you can stay informed about notable events, and it also supports incident response, analysis, and tuning for your Akamai cloud security products.

For more background, view the blog post announcing the new alert functionality last year, Brand-New Alerting Functionality in Web Security Analytics. Documentation on the alerting functionality and how to configure and tune alerts in Web Security Analytics is available in the User Guide.

In this post, I will discuss how to emulate alert setups in Security Monitor with similar functionality in Web Security Analytics. But first, here’s a brief reminder of where Security Monitor alerts are configured. To access your Security Monitor alerts:

  1. Log in to control.akamai.com

  2. Select the proper account (if you manage more than one account)

  3. Open Security Monitor at https://control.akamai.com/apps/csi-security-monitor/ 

  4. Select the appropriate report pack in the top left corner of the page — note that each report pack is mapped to a security configuration

Once you select the report pack, access the configured alerts:

  1. Click Notifications in the top right corner

  2. Click Configure notifications, and a Notifications window opens

  3. If you have notifications configured in this report pack, they are listed — for each notification, click Show advanced options to expand the view and see the alert conditions

Now, in a separate window, access Web Security Analytics at https://control.akamai.com/apps/securitycenter/#/web-security-analytics:

  1. Select the appropriate security configuration in the top left corner of the page

  2. Click the Alerts tab right below the security configuration

  3. Click the plus (+) sign to create a new alert

  4. Select either New alert or one of the listed Akamai-provided templates

For the rest of this post, we’ll assume New alert is selected. Now, let's transition alerts from Security Monitor to Web Security Analytics.

General alert settings

Here, the fields map one-to-one, with the addition of the Enable alert setting in Web Security Analytics. For more information about alert settings, refer to the User Guide. Each entry below gives the Security Monitor field followed by its Web Security Analytics equivalent:

  • Notification Name: Settings -> Alert Name

  • Description: Settings -> Alert Description

  • Priority: Settings -> Priority

  • Email to: Settings -> Send To

  • No Security Monitor equivalent: Settings -> Enable Alert (new with Web Security Analytics); leave it off while you build and tune the alert, and set it to Yes once you are happy with the alert definition

Alert threshold

Web Security Analytics counts differently from Security Monitor. Security Monitor counts the number of rules that triggered on a request (a request that matches three rules counts three times), while Web Security Analytics counts requests (the same request counts once). Security Monitor also has two additional metrics:

  • Detected: rule actions that don't impact the request flow to the origin, such as Alert, Monitor, and Allow

  • Mitigated: rule actions that do impact the request flow, such as Deny, Tarpit, Serve, and ServeAlternate

Web Security Analytics has no separate metrics: it counts the total number of requests and lets you filter on Action Applied, which is the action actually applied to the request rather than the action of each individual rule. Keep this in mind when copying a count threshold: a count that was reached by rule triggers is reached less often by requests, so a threshold carried over verbatim will typically fire less than it did in Security Monitor.

Each entry below gives the Security Monitor metric or setting followed by its Web Security Analytics equivalent:

  • Detected: depending on your use case, add one or more of Action Applied = Alert, Monitor, or Allow to the filter

  • Mitigated: depending on your use case, add one or more of Action Applied = Deny, Tarpit, Abort, or Slow to the filter; alternatively, apply a negative filter that excludes Alert, Monitor, and Allow

  • Total: to count all requests regardless of the applied action, don't filter on Action Applied

  • Percentage rules mitigated: not supported in Web Security Analytics

  • Greater than (>): supported as-is (>)

  • <, <=, >=: not supported in Web Security Analytics

  • For (the grouping dimensions): add the dimensions you wish to group by in the field called "Count requests grouped by the following dimensions"

The threshold calculation is also similar in Security Monitor and Web Security Analytics. You can use one of the predefined sensitivity templates or a custom one:

  • To select a predefined sensitivity template, go to Threshold -> Sensitivity -> Predefined and select Low, Medium, or High

  • To set a custom sensitivity, click Advanced and select the duration in minutes and the number of occurrences

The custom threshold fields map as follows (Security Monitor field followed by its Web Security Analytics equivalent):

  • During: During

  • Notify After: After

Note that the minimum duration currently supported in Web Security Analytics is 3 minutes.

If a threshold in Security Monitor was set at X requests per minute, set the Web Security Analytics threshold to 3X requests during 3 minutes. This preserves the same average rate, but it assumes the rate is steady: a short burst that reaches X within one minute does not necessarily reach 3X within three minutes, so a 3-minute window is somewhat less sensitive to bursts. If catching such bursts matters, tune the count down after watching the alert for a while.

For more information on alert threshold setting, please refer to the User Guide. For guidance on tuning an alert, please refer to the tune an alert task in the User Guide.

Alert conditions

This is the area where Security Monitor and Web Security Analytics differ the most. Security Monitor lacks the clear attack classification and categorization of Web Security Analytics, so its filters are typically partial matches on tags and rule IDs. To learn about the configuration of alert filters in Web Security Analytics, please refer to the set up an alert filter task.

The following mapping will help you convert Security Monitor filters to Web Security Analytics filters. Each entry gives the Security Monitor filter followed by its Web Security Analytics equivalent:

  • Action (note: this is the rule action): Action Applied (note: this is the action applied to the request)

  • Client IP: Connecting IP Address

  • Country/Area: Connecting Country/Area

  • Host Name: Hostname

  • Policy ID: Policy

  • Status Code: Status code

  • URL: not supported in Web Security Analytics for alerting; instead, use a combination of Hostname, Path, and Query filters

  • Rule ID: see the Rule ID mapping below

  • Tag: see the Tag mapping below

Rule ID

Each entry gives the Security Monitor rule ID (or rule ID pattern) followed by its Web Security Analytics filter:

  • IPBLOCK-*, ADAPTIVE_*, RATE_IDENTIFIER*, IP_USER_AGENT*: for any rate control triggers, select DoS Category = Rate; or filter on specific rate controls by their DoS Rule ID (IPBLOCK-PENALTY-BOX is the exception to the IPBLOCK-* wildcard and is listed separately below)

  • DDOS: DoS Category = DoS Anomaly

  • Slow POST: DoS Category = Slow Post

  • IPBLOCK: to capture all network list traffic, filter on Attack Type = Network Firewall, or filter on a specific Network List

  • 699992, 699993, 699997, 699998, 699999: DoS Category = Other

  • 699989, 699990, 699991, 699994, 699995, 699996: Attack Group = Other

  • XSS-ANOMALY, 1000002: Attack Group = Cross Site Scripting

  • CMD-INJECTION-ANOMALY, 1000005: Attack Group = Command Injection

  • INVALID-HTTP-ANOMALY: Attack Group = Invalid HTTP

  • INBOUND-ANOMALY: Attack Group = Total Inbound

  • OUTBOUND-ANOMALY: Attack Group = Total Response Score (Outbound)

  • PHP-INJECTION-ANOMALY: Attack Group = PHP Injection

  • RFI-ANOMALY, 1000004: Attack Group = Remote File Inclusion

  • SQL-INJECTION-ANOMALY, 1000001: Attack Group = SQL Injection

  • TROJAN-ANOMALY: Attack Group = Trojan

  • API_*: Attack Group = API Request Constraints

  • Rule IDs that start with 6 but not with 6999 (custom rules): Custom - RULEID, using the same rule ID

  • 1000003: Attack Group = Local File Inclusion

  • 1000006: Attack Group = Web Attack Tool

  • 1000007: Attack Group = Web Protocol Attack

  • 1000008: Attack Group = Web Platform Attack

  • IPBLOCK-PENALTY-BOX: Attack Group = Penalty

  • BOT-*, 3991*, 3990*, 390*: filter on the appropriate bots from Bot Category; for a list of bot categories and descriptions, please check Bot Manager Detection methods

  • REP_*, REP2_*: Attack Type = Reputation for any reputation triggers; or Reputation Category = one of DoS Attackers, ScanningTools, WebAttackers, WebScrapers, or select an individual Reputation Profile

  • 3xxxxxxx (eight-digit rule IDs starting with 3) other than 3991*, 3990*, or 390*: filter on WAF - RULEID, using the same rule ID

Tag

Each entry gives the Security Monitor tag followed by its Web Security Analytics filter:

  • Akamai/BOT: Attack Type = Bot

  • IPBLOCK/ADAPTIVE/SUMMARY, IPBLOCK/ADAPTIVE/BURST, IP_USER_AGENT_BLOCK/ADAPTIVE/SUMMARY, IP_USER_AGENT_BLOCK/ADAPTIVE/BURST: DoS Category = Rate

  • IPBLOCK, GEOBLOCK: to capture all network list traffic, filter on Attack Type = Network Firewall, or filter on a specific Network List

  • AKAMAI/POLICY/CMD_INJECTION_ANOMALY, AKAMAI/WEB_ATTACK/CMD_INJECTION, AKAMAI/WEB_ATTACK/COMMAND_INJECTION: Attack Group = Command Injection

  • AKAMAI/POLICY/INBOUND_ANOMALY: Attack Group = Total Inbound

  • AKAMAI/POLICY/OUTBOUND_ANOMALY: Attack Group = Total Response Score (Outbound)

  • AKAMAI/POLICY/PHP_INJECTION_ANOMALY, AKAMAI/WEB_ATTACK/PHP_INJECTION: Attack Group = PHP Injection

  • AKAMAI/POLICY/RFI_ANOMALY: Attack Group = Remote File Inclusion

  • AKAMAI/POLICY/SQL_INJECTION_ANOMALY, AKAMAI/WEB_ATTACK/SQL_INJECTION: Attack Group = SQL Injection

  • AKAMAI/POLICY/TROJAN_ANOMALY, MALICIOUS_SOFTWARE/TROJAN: Attack Group = Trojan

  • AKAMAI/POLICY/XSS_ANOMALY, AKAMAI/WEB_ATTACK/XSS: Attack Group = Cross Site Scripting

For a full Kona ruleset, please check KONA WAF rules.

For the list of Bot Manager rules, please see Bot Manager Detection methods.
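To make the rule ID, tag, and threshold mappings in this post concrete, here is an added example in Python that I wrote for this page; it is not code from Akamai, Security Monitor, or Web Security Analytics. It encodes the mapping tables above as an ordered list of regular-expression rules and converts one Security Monitor notification into the equivalent Web Security Analytics alert definition. The notification dict, the sample values in it, and the output field names are constructed for illustration: they are what you would transcribe from the Show advanced options view, not an export format of either product. The threshold rescale generalizes the post's "X per minute becomes 3X during 3 minutes" rule to any window shorter than 3 minutes, and the Bot Category placeholder marks where a category has to be chosen by hand.

```python
import math
import re

# Shortest "During" window Web Security Analytics accepts (per the post).
WSA_MIN_WINDOW_MIN = 3

# Ordered (regex, WSA filter) pairs transcribed from the post's Rule ID and
# Tag tables; matched with re.fullmatch, case-insensitively. Order matters:
# IPBLOCK-PENALTY-BOX must precede the IPBLOCK-* rate-control wildcard, the
# listed 6999xx Akamai IDs must precede the generic "starts with 6" custom
# rule pattern, and 390*/3990*/3991* bot IDs must precede generic 3xxxxxxx.
# "{id}" is replaced with the original identifier where WSA filters on it.
FILTER_MAP = [
    (r"IPBLOCK-PENALTY-BOX", "Attack Group = Penalty"),
    (r"(IPBLOCK[-/]|ADAPTIVE_|RATE_IDENTIFIER|IP_USER_AGENT).*", "DoS Category = Rate"),
    (r"IPBLOCK|GEOBLOCK", "Attack Type = Network Firewall"),
    (r"DDOS", "DoS Category = DoS Anomaly"),
    (r"SLOW POST", "DoS Category = Slow Post"),
    (r"6999(92|93|97|98|99)", "DoS Category = Other"),
    (r"6999(89|90|91|94|95|96)", "Attack Group = Other"),
    (r"1000001|(.*/)?SQL[-_]INJECTION([-_]ANOMALY)?", "Attack Group = SQL Injection"),
    (r"1000002|(.*/)?XSS([-_]ANOMALY)?", "Attack Group = Cross Site Scripting"),
    (r"1000003", "Attack Group = Local File Inclusion"),
    (r"1000004|(.*/)?RFI[-_]ANOMALY", "Attack Group = Remote File Inclusion"),
    (r"1000005|(.*/)?(CMD|COMMAND)[-_]INJECTION([-_]ANOMALY)?", "Attack Group = Command Injection"),
    (r"1000006", "Attack Group = Web Attack Tool"),
    (r"1000007", "Attack Group = Web Protocol Attack"),
    (r"1000008", "Attack Group = Web Platform Attack"),
    (r"(.*/)?PHP[-_]INJECTION([-_]ANOMALY)?", "Attack Group = PHP Injection"),
    (r"(.*/)?TROJAN([-_]ANOMALY)?", "Attack Group = Trojan"),
    (r"(.*/)?INBOUND[-_]ANOMALY", "Attack Group = Total Inbound"),
    (r"(.*/)?OUTBOUND[-_]ANOMALY", "Attack Group = Total Response Score (Outbound)"),
    (r"INVALID-HTTP-ANOMALY", "Attack Group = Invalid HTTP"),
    (r"API_.*", "Attack Group = API Request Constraints"),
    (r"REP2?_.*", "Attack Type = Reputation"),
    (r"AKAMAI/BOT", "Attack Type = Bot"),
    # Bot rule IDs need a human to pick the Bot Category; the placeholder flags that.
    (r"BOT-.*|(3991|3990|390)\d*", "Bot Category = <choose from Bot Manager detection methods>"),
    (r"3\d{7}", "WAF - RULEID = {id}"),
    (r"6(?!999)\d+", "Custom - RULEID = {id}"),
]

# Security Monitor metric -> Action Applied values to filter on (empty = no filter).
ACTION_APPLIED = {
    "Detected": ["Alert", "Monitor", "Allow"],
    "Mitigated": ["Deny", "Tarpit", "Abort", "Slow"],
    "Total": [],
}


def map_filter_item(item):
    """Return the WSA filter for one Security Monitor rule ID or tag, or None."""
    for pattern, target in FILTER_MAP:
        if re.fullmatch(pattern, item, re.IGNORECASE):
            return target.replace("{id}", item)
    return None


def convert_threshold(count, during_min):
    """Rescale 'count within during_min minutes' to WSA's 3-minute minimum.

    Keeps the same average rate (the post's X/min -> 3X/3 min rule), which
    assumes steady traffic: a burst that trips X in one minute need not
    reach 3X in three, so the rescaled alert is less sensitive to bursts.
    """
    if during_min >= WSA_MIN_WINDOW_MIN:
        return count, during_min
    return math.ceil(count * WSA_MIN_WINDOW_MIN / during_min), WSA_MIN_WINDOW_MIN


def convert_notification(sm):
    """Build a WSA alert definition (constructed field names) from a
    Security Monitor notification transcribed into a dict."""
    filters, unmapped = [], []
    for item in sm["filter_items"]:
        target = map_filter_item(item)
        (filters if target else unmapped).append(target or item)
    after, during = convert_threshold(sm["notify_after"], sm["during_min"])
    return {
        "alert_name": sm["name"],
        "priority": sm["priority"],
        "send_to": sm["email_to"],
        "action_applied": ACTION_APPLIED[sm["metric"]],
        "filters": sorted(set(filters)),  # duplicates collapse, e.g. tag + numeric ID
        "threshold": {"after": after, "during_min": during},
        "unmapped": unmapped,  # review by hand: URL, <, <=, >=, unlisted 6999xx IDs
        "enable_alert": False,  # flip to Yes only after reviewing the definition
    }


# Constructed sample notification (not real data): 50 mitigated hits per minute.
SAMPLE_NOTIFICATION = {
    "name": "SQLi spike", "priority": "High", "email_to": "soc@example.com",
    "metric": "Mitigated", "notify_after": 50, "during_min": 1,
    "filter_items": ["AKAMAI/WEB_ATTACK/SQL_INJECTION", "1000001",
                     "IPBLOCK-PENALTY-BOX", "6001234", "699980"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(convert_notification(SAMPLE_NOTIFICATION), indent=2))
```

Items the map does not recognize come back in unmapped, which is where the post's unsupported filters (URL, the <, <=, >= comparisons, percentage rules mitigated) and any 6999xx rule IDs not listed in the tables end up for manual review. Because the map is ordered, put any pattern you add above the generic WAF - RULEID and Custom - RULEID catch-alls, or it will never be reached.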