F5 Networks BIG-IP ASM sample event messages

Use these sample event messages to verify a successful integration with IBM® QRadar®.

F5 Networks BIG-IP ASM sample messages when you use the syslog protocol

Sample 1: The following sample event message shows a distributed attack event.

<134>Jul 25 11:47:52 f5networks.asm.test ASM:software_version="14.1.0",current_mitigation="alarm",unit_hostname="f5networks.asm.test",management_ip_address="10.192.138.11",management_ip_address_2="",operation_mode="Transparent",date_time="2019-07-25 11:41:38",policy_apply_date="2019-07-23 15:24:21",policy_name="/Common/extranet_sonstige",vs_name="/Common/extranet-t.qradar.example.test_443",anomaly_attack_type="Distributed Attack",uri="/qradar.example.test",attack_status="ongoing",detection_mode="Number of Failed Logins Increased",severity="Emergency",mitigated_entity_name="username",mitigated_entity_value="exnyjtgk",mitigated_ipaddr_geo="N/A",attack_id="2508639270",mitigated_entity_failed_logins="0",mitigated_entity_failed_logins_threshold="3",mitigated_entity_total_mitigations="0",mitigated_entity_passed_challenges="0",mitigated_entity_passed_captchas="0",mitigated_entity_rejected_logins="0",leaked_username_login_attempts="0",leaked_username_failed_logins="0",leaked_username_time_of_last_login_attempt="2497667872",normal_failed_logins="78",detected_failed_logins="70",failed_logins_threshold="100",normal_login_attempts="91",detected_login_attempts="78",login_attempts_matching_leaked_credentials="0",total_mitigated_login_attempts="60",total_client_side_integrity_challenges="0",total_captcha_challenges="0",total_blocking_page_challenges="0",total_passed_client_side_integrity_challenges="0",total_passed_captcha_challenges="0",total_drops="0",total_successful_mitigations="0",protocol="HTTPS",login_attempts_matching_leaked_credentials_threshold="100",login_stress="73"
Sample 2: The following sample event shows multiple violations. The event contains the following violations:
  1. Illegal URL length
  2. Illegal request length
  3. Illegal query string length
  4. Illegal meta character in parameter value
  5. Illegal file type
  6. Illegal URL
  7. Attack signature detected

When the sample event is parsed in QRadar, a separate event is created for each of the seven violations.

"Aug 18 11:16:29 f5networks.asm.test.com ASM:unit_hostname=\"3600.lab.asm.f5net.com\",management_ip_address=\"172.30.0.20\",web_application_name=\"web_app\",policy_name=\"web_app_default\",policy_apply_date=\"2009-18-08 11:14:38\",violations=\"Illegal URL length,Illegal request length,Illegal query string length,Illegal meta character in parameter value,Illegal file type,Illegal URL,Attack signature detected\",support_id=\"5268275531735896872\",request_status=\"blocked\",response_code=\"0\",ip_client=\"192.168.74.169\",method=\"GET\",protocol=\"HTTP\",uri=\"/phpauction/search.php\",request=\"GET /phpauction/search.php?=&q=%3Cscript%3E%3C%2Fscript%3E&=Go%21 HTTP/1.1\r\nHost: 172.30.0.30\r\nUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-us,en;q=0.5\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nKeep-Alive: 300\r\nConnection: keep-alive\r\nReferer: http://172.30.0.30/phpauction/search.php?=&q=&=Go%21\r\nCookie: TS2ea638=06f729a2c8f7d2c81fb76cdb434e073c543a36821980e75c4a8aef2b7b46979e7d2f9f63; PHPAUCTION_SESSION=6r1f07tgsrlhum7q9n0mg0t8km7a93vi; TS2ea638_75=a7f08552d2fc6e940f63c857254937f4:opos:Z9Zh11Py:1733471822; TS2ea638_77=true_f4ec77a26f91b0a0; TS8e2e48_75=46010be86e9787e6dd19db8aefea16eb:pprp:2N2l5F4r:1055951111; TS8e2e48=9eb461f32f3a45e199c2929420da867ba2a59adceb6547144a8aefee; TS8e2e48_77=true_47bd19fe37fe9407\r\n\r\n\",query_string=\"=&q=%3Cscript%3E%3C%2Fscript%3E&=Go%21\",x_forwarded_for_header_value=\"\",sig_ids=\"200000098,200000092\",sig_names=\"XSS script tag (Parameter),XSS script tag end (Parameter)\",date_time=\"2009-18-08 11:16:28\",severity=\"Critical\",attack_type=\"Buffer Overflow,Information Leakage,Cross Site Scripting (XSS),Forceful Browsing\",geo_location=\"N/A\",src_port=\"4715\",dest_port=\"80\",dest_ip=\"172.30.0.30\"
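The per-violation fan-out described above can be reproduced outside QRadar. The following is an added example (not part of this IBM page and not QRadar's own parser): it tokenizes the ASM `name="value"` syslog body, keeps the syslog header parts, and emits one record per entry in the `violations` field while passing events without that field (such as the distributed-attack event in Sample 1) through unchanged. Both input lines are constructed, shortened copies of the two samples above. Treating backslash-escaped quotes inside a value as literal quotes is an assumption; the page shows those escapes only because the sample is printed inside a quoted string.

```python
"""Parse F5 BIG-IP ASM key="value" syslog events and fan out one record per violation.

Added example modeled on the samples above; not QRadar's own parser.
"""
import re
from typing import Dict, List

# One ASM field: name="value". Values are double-quoted and may contain commas,
# literal \r\n sequences and (assumed here) backslash-escaped inner quotes.
_FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Syslog prefix: optional <PRI>, BSD timestamp, hostname, then the "ASM:" marker.
_HEADER_RE = re.compile(
    r'^(?:<(\d{1,3})>)?(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ASM:(.*)$', re.S
)

# Constructed sample, shortened from Sample 2 above (same field names and values).
SAMPLE_VIOLATIONS = (
    r'Aug 18 11:16:29 f5networks.asm.test.com ASM:unit_hostname="3600.lab.asm.f5net.com",'
    r'management_ip_address="172.30.0.20",policy_name="web_app_default",'
    r'violations="Illegal URL length,Illegal meta character in parameter value,Attack signature detected",'
    r'support_id="5268275531735896872",request_status="blocked",ip_client="192.168.74.169",'
    r'method="GET",uri="/phpauction/search.php",'
    r'request="GET /phpauction/search.php?q=%3Cscript%3E HTTP/1.1\r\nHost: 172.30.0.30\r\n'
    r'User-Agent: \"curl\"\r\n\r\n",'
    r'sig_names="XSS script tag (Parameter),XSS script tag end (Parameter)",severity="Critical",'
    r'src_port="4715",dest_port="80",dest_ip="172.30.0.30"'
)

# Constructed sample, shortened from Sample 1 above: a <PRI> header and no violations field.
SAMPLE_BRUTE_FORCE = (
    r'<134>Jul 25 11:47:52 f5networks.asm.test ASM:anomaly_attack_type="Distributed Attack",'
    r'attack_status="ongoing",severity="Emergency",attack_id="2508639270"'
)


def parse_asm_event(line: str) -> Dict[str, str]:
    """Return the syslog header parts plus every name="value" field as one flat dict."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not an F5 ASM syslog line")
    pri, ts, host, body = m.groups()
    fields = {"syslog_pri": pri or "", "syslog_timestamp": ts, "syslog_host": host}
    for name, raw in _FIELD_RE.findall(body):
        fields[name] = raw.replace(r'\"', '"')  # undo escaped inner quotes (assumption)
    return fields


def split_violations(event: Dict[str, str]) -> List[Dict[str, str]]:
    """Emit one record per comma-separated entry in 'violations'.

    This mirrors the per-violation fan-out the page describes for QRadar. Events
    without a violations field (brute-force / distributed-attack events) are
    returned as a single record so that nothing is dropped.
    """
    names = [v.strip() for v in event.get("violations", "").split(",") if v.strip()]
    if not names:
        return [dict(event)]
    records = []
    for name in names:
        rec = dict(event)
        rec["violations"] = name  # every copy keeps support_id, ip_client, request, ...
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in split_violations(parse_asm_event(SAMPLE_VIOLATIONS)):
        print(rec["support_id"], rec["request_status"], rec["violations"])
```

Because every fanned-out record keeps the same `support_id`, that field is the natural key for re-joining the separate QRadar events back into the single blocked request they came from.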

F5 Networks BIG-IP ASM sample messages with CEF events when you use the syslog protocol

Sample 1: The following sample event shows an "Automated client access" event that was triggered by the wget client.

<131>Sep 19 13:53:34 f5networks.bigipasm.test ASM:CEF:0|F5|ASM|11.3.0|200021069|Automated client access \"wget\"|5|dvchost=f5networks.bigipasm.test dvc=192.168.73.34 cs1=topaz4-web4 cs1Label=policy_name cs2=/Common/topaz4-web4 cs2Label=http_class_name deviceCustomDate1=Sep 19 2012 13:49:25 deviceCustomDate1Label=policy_apply_date externalId=18205860747014045723 act=blocked cn1=0 cn1Label=src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=Sep 19 2012 13:53:33 deviceExternalId=0 cs4=Non-browser Client cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=86c4f8bf7349cac9 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: /\r\nHost: 10.4.1.200\r\nConnection: Keep-Alive\r\n\r\n
Table 1. Highlighted fields in the F5 Networks BIG-IP ASM event

QRadar field name     Highlighted payload field name
Event ID              The value in QRadar is 200021069
Source IP             src
Source Port           spt
Destination IP        dst
Destination Port      dpt

Sample 2: The following sample event shows an HTTP protocol compliance failed event.

<131>May  6 01:28:20 f5networks.bigipasm.test ASM:CEF:0|F5|ASM|11.6.1|Host header contains IP address|HTTP protocol compliance failed|5|dvchost=f5networks.bigipasm.test dvc=10.11.229.202 cs1=/Common/asmpolicy_application1 cs1Label=policy_name cs2=/Common/asmpolicy_application1 cs2Label=http_class_name deviceCustomDate1=May 06 2015 01:24:07 deviceCustomDate1Label=policy_apply_date externalId=9397100255637405701 act=blocked cn1=0 cn1Label=response_code src=10.101.90.17 spt=49160 dst=10.101.90.14 dpt=80 requestMethod=GET app=HTTP cs5=N/A cs5Label=x_forwarded_for_header_value rt=May 06 2015 01:28:19 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location c6a1= c6a1Label=device_address c6a2= c6a2Label=source_address c6a3= c6a3Label=destination_address c6a4=N/A c6a4Label=ip_address_intelligence msg=N/A suid=cf868410a228bb45 suser=N/A request=/ cs3Label=full_request cs3=GET / HTTP/1.1\r\nAccept: application/x-ms-application, image/jpeg, application/xaml+xml, imag
Table 2. Highlighted fields in the F5 Networks BIG-IP ASM event

QRadar field name     Highlighted payload field name
Event ID              The value in QRadar is HTTP protocol compliance failed
Source IP             src
Source Port           spt
Destination IP        dst
Destination Port      dpt
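The following added example (not part of this IBM page and not QRadar's DSM) parses the CEF payload of the two samples above and applies the field mapping from Tables 1 and 2. It assumes standard CEF escaping (`\|` inside a header field, `\=` inside an extension value) and resolves the `csN`/`cnN`/`deviceCustomDateN` fields to the names given in their `*Label` counterparts. Tables 1 and 2 show a numeric signature id used as the Event ID for one sample and the event name for the other; falling back to the name whenever the id is not numeric is an assumption that reproduces both tables, not a documented QRadar rule. Note that Sample 1 as printed runs two tokens together (`cn1Label=src=10.4.1.101`): a key=value splitter reads `src=10.4.1.101` as the label of `cn1` and leaves Source IP empty, so the constructed copy below writes the two tokens separately. Both input lines are constructed, shortened copies of the samples.

```python
"""Parse F5 BIG-IP ASM CEF syslog events and map them to the QRadar fields in Tables 1 and 2.

Added example modeled on the CEF samples above; not QRadar's DSM.
"""
import re
from typing import Dict, Tuple

# Header fields are '|'-separated; a literal '|' inside a field is escaped as '\|'.
_PIPE_RE = re.compile(r'(?<!\\)\|')
# An extension key starts at the beginning of the extension or after whitespace.
_EXT_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')
_HEADER_NAMES = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# Constructed sample, shortened from Sample 2 above.
SAMPLE_COMPLIANCE = (
    r'<131>May  6 01:28:20 f5networks.bigipasm.test ASM:CEF:0|F5|ASM|11.6.1|'
    r'Host header contains IP address|HTTP protocol compliance failed|5|'
    r'dvchost=f5networks.bigipasm.test dvc=10.11.229.202 '
    r'cs1=/Common/asmpolicy_application1 cs1Label=policy_name '
    r'deviceCustomDate1=May 06 2015 01:24:07 deviceCustomDate1Label=policy_apply_date '
    r'externalId=9397100255637405701 act=blocked cn1=0 cn1Label=response_code '
    r'src=10.101.90.17 spt=49160 dst=10.101.90.14 dpt=80 requestMethod=GET app=HTTP '
    r'cs4=N/A cs4Label=attack_type cs3Label=full_request '
    r'cs3=GET / HTTP/1.1\r\nHost: 10.101.90.14\r\n\r\n'
)

# Constructed sample, shortened from Sample 1 above, with cn1Label and src written as
# separate tokens (the page prints them run together as cn1Label=src=10.4.1.101).
SAMPLE_WGET = (
    r'<131>Sep 19 13:53:34 f5networks.bigipasm.test ASM:CEF:0|F5|ASM|11.3.0|200021069|'
    r'Automated client access "wget"|5|dvchost=f5networks.bigipasm.test dvc=192.168.73.34 '
    r'cs1=topaz4-web4 cs1Label=policy_name act=blocked cn1=0 cn1Label=response_code '
    r'src=10.4.1.101 spt=52975 dst=10.4.1.200 dpt=80 requestMethod=GET app=HTTP '
    r'cs4=Non-browser Client cs4Label=attack_type cs3Label=full_request '
    r'cs3=GET / HTTP/1.0\r\nUser-Agent: Wget/1.12 (linux-gnu)\r\nAccept: /\r\nHost: 10.4.1.200\r\n\r\n'
)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a syslog line carrying a CEF payload into (header, extension) dicts."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _PIPE_RE.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven '|'-separated fields")
    header = {n: p.replace(r'\|', '|') for n, p in zip(_HEADER_NAMES, parts[:7])}
    ext_raw = parts[7]
    ext: Dict[str, str] = {}
    keys = list(_EXT_KEY_RE.finditer(ext_raw))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_raw)
        # A value runs up to the next key, so embedded spaces (dates, "Non-browser
        # Client", the full request) survive.
        ext[m.group(1)] = ext_raw[m.end():end].strip().replace(r'\=', '=')
    return header, ext


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename csN / cnN / c6aN / deviceCustomDateN fields to their *Label names."""
    resolved: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        resolved[ext.get(key + "Label", key)] = value
    return resolved


def to_qradar_fields(header: Dict[str, str], ext: Dict[str, str]) -> Dict[str, str]:
    """Apply the mapping shown in Tables 1 and 2.

    Event ID: the numeric signature id when there is one (Table 1), otherwise the
    event name (Table 2). This heuristic is an assumption, not QRadar's documented rule.
    """
    sig = header["signature_id"]
    return {
        "Event ID": sig if sig.isdigit() else header["name"],
        "Source IP": ext.get("src", ""),
        "Source Port": ext.get("spt", ""),
        "Destination IP": ext.get("dst", ""),
        "Destination Port": ext.get("dpt", ""),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_WGET, SAMPLE_COMPLIANCE):
        hdr, extension = parse_cef(sample)
        print(to_qradar_fields(hdr, extension), resolve_labels(extension)["attack_type"])
```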

F5 Networks BIG-IP ASM sample messages with JSON events when you use the syslog protocol

The following sample event shows a BOT Defense Violation event.

{"@timestamp":"2023-09-22T14:12:53.488921Z","_visitor_id":"xxxx","action":"allow","app":"test","app_type":"test-io-demo","as_number":"1234","as_org":"test b.v.","asn":"test b.v.(1234)","authority":"demo.test.net","bot_defense":{"automation_type":"Token Missing","insight":"MALICIOUS","recommendation":"Action_alert","status_code":"0"},"browser_type":"Opera","city":"city","cluster_name":"test-io","country":"NL","dcid":"xxxx-yyyy","device_type":"Other","domain":"demo.test.net","dst":"","dst_instance":"","dst_ip":"10.3.0.1","dst_port":"0","dst_site":"","hostname":"master-8","http_version":"HTTP/1.1","is_new_dcid":false,"kubernetes":{"container_name":"test","host":"master","labels":{"app":"test"},"namespace_name":"test-system","pod_id":"e358ed2d-xxxx-yyyy-zzzz-2c5610ab14fd","pod_name":"test"},"latitude":"0.0000","longitude":"0.0000","messageid":"149c116e-xxxx-yyyy-zzzz-0242ac120002","method":"GET","namespace":"demo-shop","network":"10.3.0.2","original_headers":["host","method","scheme","user-agent","cookie","x-forwarded-for","x-forwarded-proto","x-envoy-external-address","x-request-id","test-request-id"],"path":"/","region":"NL-NH","req_headers":"{\"Cookie\":\"shop_session-id=dcc83f26-xxxx-yyyy-zzzz-7486e1810932; xx=xx-yy; aa=xxxx; bb=xxxx; cc=xxxx|1|0|xxxx\",\"Host\":\"demo.test.net\",\"Method\":\"GET\",\"Scheme\":\"https\",\"User-Agent\":\"Mozilla/5.0 (Windows NT 10.0; xx) test/xx.36 (KHTML, like test) Chrome/10.3.0.4 Safari/123.36 OPR/10.3.0.5\",\"X-Envoy-External-Address\":\"10.3.0.6\",\"X-F5-Request-Id\":\"73a366d8-xxxx-yyyy-zzzz-77b3289c73f2\",\"X-Forwarded-For\":\"10.3.0.8\",\"X-Forwarded-Proto\":\"https\",\"X-Request-Id\":\"73a366d8-xxxx-yyyy-zzzz-77b3289c73f2\"}","req_headers_size":903,"req_id":"73a366d8-xxxx-yyyy-zzzz-77b3289c73f2","req_params":"","req_path":"/","req_size":"903","rsp_code":"0","rsp_code_class":"UNKNOWN","rsp_size":"11406","sec_event_name":"BOT Defense 
Violation","sec_event_type":"bot_defense_sec_event","severity":"info","site":"ams9-ams","sni":"demo.test.net","source":"f5xc","src":"N:public","src_instance":"NL","src_ip":"10.3.0.9","src_port":"44366","src_site":"a-ams","stream":"svcfw","tag":"test","tenant":"f5-test","time":"2023-09-22T14:12:53.488Z","tls_fingerprint":"aa","user":"Cookie-shop_session-id-dcc83f26-xxxx-yyyy-zzzz-7486e1810932","user_agent":"Mozilla/5.0 (Windows NT 10.0; WOW64) test/537.36 (KHTML, like test) Chrome/90.0.4430.212 Safari/123.36 OPR/10.3.0.11","vh_name":"ves-io-test","vhost_id":"78c99480-xxxx-yyyy-zzzz-f4e8efe7eea6","x_forwarded_for":"10.3.0.12"}
Table 3. Highlighted fields in the F5 Networks BIG-IP ASM event

QRadar field name     Highlighted payload field name
Event ID              The value in QRadar is BOT Defense Violation
Source IP             src_ip
Source Port           src_port
Destination IP        dst_ip
Destination Port      dst_port