Barracuda (WAF) Template
Using the Access Log Events
The following table shows the Access Log Events on which the template can be used to control the information that is received and actioned in your security schema.
|
Action |
Subaction |
Condition (Line Matching) |
| User Activity | ||
|
Network Access |
Network Access Accepted |
.* |
Access Log Events Variable Selections and Mapping
These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.
| VARIABLE | VALUE |
|---|---|
| Event Time (Source Timezone) | [Event.Event_Time_(Source_Timezone)] |
| Event timezone offset | [Event.Event_timezone_offset] |
| Complete Message | [Event.Raw_Message] |
| Operator Name | [[CEF.duser] |
| User Name | [CEF.suser] |
| Source Machine IP Address | [CEF.src] |
| Destination Machine Name | [CEF.dhost] |
| Session ID | [CEF.suid] |
| Application | [CEF.app] |
| Variable 01 | Log type: [CEF.cat] |
| Variable 02 | Service IP: [CEF.dvc] |
| Variable 03 | Service Port: [CEF.cn1] |
| Variable 04 | Client IP: [CEF.src] |
| Variable 05 | Client Port: [CEF.spt] |
| Variable 06 | Login: [CEF.suid] |
| Variable 07 | Certificate User: [CEF.suser] |
| Variable 08 | Method: [CEF.requestMethod] |
| Variable 09 | Protocol: [CEF.app] |
| Variable 10 | Host: [CEF.dhost] |
| Variable 11 | Version: [CEF.flexString1] |
| Variable 12 | HTTP status: [CEF.outcome] |
| Variable 13 | Bytes sent: [CEF.in] |
| Variable 14 | Bytes Received: [CEF.out] |
| Variable 15 | Cache Hit: [CEF.cn2] |
| Variable 16 | Time Taken (ms): [CEF.flexNumber2] |
| Variable 17 | Server IP: [CEF.dst] |
| Variable 18 | Server Port: [CEF.dpt] |
| Variable 19 | Server Time (ms): [CEF.flexNumber1] |
| Variable 20 | Session ID: [CEF.BarracudaWafSessionID] |
| Variable 21 | Response Type: [CEF.BarracudaWafResponseType] |
| Variable 22 | Profile Matched: [CEF.cs4] |
| Variable 23 | Protected: [CEF.cs2] |
| Variable 24 | WF Matched: [CEF.cs6] |
| Variable 25 | URL: [CEF.request] |
| Variable 26 | Query String: [CEF.msg] |
| Variable 27 | Referrer: [CEF.requestContext] |
| Variable 28 | Cookie: [CEF.requestCookies] |
| Variable 29 | User Agent: [CEF.requestClientApplicat |
| Variable 30 | Proxy IP: [CEF.cs3] |
| Variable 31 | Proxy Port: [CEF.cn3] |
| Variable 32 | Authenticated User: [CEF.duser] |
| Variable 33 | Custom Header 1: [CEF.BarracudaWafCustomHeader1] |
| Variable 34 | Custom Header 2: [CEF.BarracudaWafCustomHeader2] |
| Variable 35 | Custom Header 3: [CEF.BarracudaWafCustomHeader3] |
Using the Audit Logs
The following table shows the Audit Logs on which the template can be used to control the information that is received and actioned in your security schema.
|
Action |
Subaction |
Condition (Line Matching) |
| System Management | ||
|
Configuration Rule Modification |
Configuration Rule Modifcation |
.*\|CONFIG\|.*outcome=SET.* |
| Configuration Rule Modification | Restore Configuration | .*\|(?:RESTORE|ROLLBACK)\|.* |
| Configuration Rule Modification | Version Modification | .*\|(?:FIRMWARE UPDATE|ENERGIZE UPDATE|FIRMWARE APPLY|FIRMWARE REVERT)\|.* |
| Configuration Rule Creation | Configuration Rule Creation | .*\|CONFIG\|.*outcome=ADD.* |
| Configuration Rule Deletion | Configuration Rule Deletion | .*\|CONFIG\|.*outcome=DELETE* |
| Object Creation | Open Support Tunnel | .*\|SUPPORT TUNNEL OPEN\|.* |
| Object Deletion | Close Support Tunnel | .*\|SUPPORT TUNNEL CLOSE\|.* |
| System Shutdown | System Shutdown | .*\|SHUTDOWN\|.* |
| System Start | System Reboot | .*\|REBOOT\|.* |
| User Activity | ||
| Logoff | Logoff | .*\|LOGOUT\|.* |
| Logon Failure | Logon Failure | .*\|UNSUCCESSFUL LOGIN\|.* |
| Successful Login | Successful Login | .*\|LOGIN\|.* |
| Network Access | Network Access Rejected | .*\|ADMIN ACCESS VIOLATION\|.* |
| User Statement | Command Execution | .*\|COMMAND\|.* |
Audit Logs Variable Selections and Mapping
These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.
| VARIABLE | VALUE |
|---|---|
| Event Time (Source Timezone) | [Event.Event_Time_(Source_Timezone)] |
| Event timezone offset | [Event.Event_timezone_offset] |
| Complete Message | [Event.Raw_Message] |
| Variable 01 | Unit Name: [CEF.dvchost] |
| Variable 02 | Log Type: [CEF.cat] |
| Variable 03 | Admin Name: [CEF.duser] |
| Variable 04 | Client Type: [CEF.requestClientApplication] |
| Operator Name | [CEF.duser] |
| Source Machine IP Address | [CEF.src] |
| Event ID | [CEF.cn1] |
| Object Name | [CEF.fname] |
| Object Type | [CEF.fileType] |
| Previous Value | [CEF.cs2] |
| Current Value | [CEF.cs1] |
| Application | [CEF.deviceProcessName] |
| Variable 06 | Client Port: [CEF.spt] |
| Variable 07 | Service IP: [CEF.dst] |
| Variable 08 | Service Port: [CEF.dpt] |
| Variable 09 | Rule: [CEF.cs1] |
| Variable 17 | Additional Data: [CEF.msg] |
| Variable 10 | Change type: [CEF.outcome] |
| Variable 16 | New Value: [CEF.cs1] |
| Variable 11 | Object Type: [CEF.fileType] |
| Variable 15 | Old Value: [CEF.cs2] |
| Variable 12 | Object Name: [CEF.fname] |
| Variable 13 | URL: [CEF.request] |
| Variable 14 | Variable: [CEF.cs3] |
| Variable 05 | Transaction Type: [CEF.Name] |
Using the Network Firewall Logs
The following table shows the Network Firewall Logs on which the template can be used to control the information that is received and actioned in your security schema.
|
Action |
Subaction |
Condition (Line Matching) |
| User Activity | ||
|
Network Access |
Network Access Accepted |
.*act=ALLOW.* |
| Network Access | Network Access Rejected | .*act=DENY.* |
Network Firewall Logs Variable Selections and Mapping
These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.
| VARIABLE | VALUE |
|---|---|
| Event Time (Source Timezone) | [Event.Event_Time_(Source_Timezone)] |
| Event timezone offset | [Event.Event_timezone_offset] |
| Complete Message | [Event.Raw_Message] |
| Variable 01 | Unit Name: [CEF.dvchost] |
| Variable 02 | Log Type: [CEF.cat] |
| Variable 03 | Protocol: [CEF.proto] |
| Variable 04 | Source IP: [CEF.src] |
| Variable 05 | Source Port: [CEF.spt] |
| Variable 06 | Destination IP: [CEF.dst] |
| Variable 07 | Destination Port: [CEF.dpt] |
| Variable 08 | ACL Policy: [CEF.act] |
| Variable 09 | Details: [CEF.cs1] |
| Protocol | [CEF.proto] |
| Source Machine IP Address | [CEF.src] |
| Destination Machine IP Address | [CEF.dst] |
| Additional Information 1 | [CEF.cs1] |
Using the System Logs
The following table shows the System Logs on which the template can be used to control the information that is received and actioned in your security schema.
|
Action |
Subaction |
Condition (Line Matching) |
| User Activity | ||
|
Network Access |
Network Access Monitored |
.*act=LOG.* |
| Network Access | Network Access Suspected | .*act=WARNING.* |
| Network Access | Network Access Rejected | .*act=DENY.* |
System Logs Variable Selections and Mapping
These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.
| VARIABLE | VALUE |
|---|---|
| Event Time (Source Timezone) | [Event.Event_Time_(Source_Timezone)] |
| Event timezone offset | [Event.Event_timezone_offset] |
| Complete Message | [Event.Raw_Message] |
| Variable 01 | Unit Name: [CEF.dvchost] |
| Variable 02 | Log Type: [CEF.cat] |
| Event ID | [CEF.externalId] |
| Additional Information 1 | [CEF.msg] |
Using the Web Firewall Logs
The following table shows the Web Firewall Logs on which the template can be used to control the information that is received and actioned in your security schema.
|
Action |
Subaction |
Condition (Line Matching) |
| User Activity | ||
|
Network Access |
Network Access Monitored |
.*act=LOG.* |
| Network Access | Network Access Suspected | .*act=WARNING.* |
| Network Access | Network Access Rejected | .*act=DENY.* |
Web Firewall Logs Variable Selections and Mapping
These fields configure how the original event fields are mapped into the normalized variables using the CEF Syslog Receiver. If you want to enrich the event using default values, leave the "Value" text box empty and the configured "Default Value" will be used instead.
| VARIABLE | VALUE | DEFAULT VALUE |
|---|---|---|
| Event Time (Source Timezone) | [Event.Event_Time_(Source_Timezone)] | |
| Event timezone offset | [Event.Event_timezone_offset] | |
| Complete Message | [Event.Raw_Message] | |
| Operator Name | [CEF.duser] | |
| Source Machine IP Address | [CEF.src] | |
| Application | [CEF.app] | |
| Variable 01 | Unit Name: [CEF.dvchost] | |
| Variable 02 | Log Type: [CEF.cat] | |
| Variable 03 | Severity: [CEF.Severity] | |
| Variable 04 | Attack type: [CEF.cs4] | |
| Variable 05 | Client IP: [CEF.src] | |
| Variable 22 | Referrer: [CEF.requestContext] | |
| Variable 20 | Authenticated User: [CEF.duser] | |
| Variable 19 | Proxy Port: [CEF.cn2] | |
| Variable 18 | Proxy IP: [CEF.cs5] | |
| Variable 17 | User Agent: [CEF.requestClientApplication] | |
| Variable 16 | Session ID: [CEF.cs6] | |
| Variable 15 | Protocol: [CEF.app] | |
| Variable 14 | URL: [CEF.request] | |
| Variable 13 | Method: [CEF.requestMethod] | |
| Variable 12 | Attack details [CEF.msg] | |
| Variable 11 | Action; [CEF.act] | |
| Variable 10 | Rule Type: [CEF.cs3] | |
| Variable 09 | Rule: [CEF.cs1] | |
| Variable 08 | Service Port: [CEF.dpt] | |
| Variable 07 | Service IP: [CEF.dst] | |
| Variable 06 | Client Port: [CEF.spt] | |
| Destination Machine IP Address | [CEF.dst] | |
| Object Name | [CEF.cs4] | |
| Object Type | Attack |