
F5 BIG-IP ASM integration

You can integrate F5 BIG-IP ASM with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

F5 Product overview

F5 BIG-IP Application Security Manager (ASM) is a flexible web application firewall that secures web applications in traditional, virtual, and private cloud environments.

Sophos documents

What we ingest

Sample alerts we see:

  • HTTP Headers Injection (Location)
  • background: url() (Parameter)
  • location.href (Parameter)
  • download attribute (Parameter)
  • document.write (Parameter)

Alerts ingested in full

We recommend that you configure the following:

  • Response Logging for Illegal requests
  • Report Detected Anomalies

Filtering

We filter alerts by logging format, as follows:

  • Allow valid CEF.
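
A pre-flight check for the filtering rule above, as an added example that is not Sophos or F5 code: it tests whether a log line carries a well-formed CEF header (seven pipe-delimited fields, then an optional extension) before you forward it. The page does not define what the integration treats as "valid CEF", so the checks are an assumption based on the general CEF header layout, and the sample line, host names, and field values are constructed.

```python
import re

# Extension pairs: key=value, where a value runs until the next " key=" or end of line.
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")
_SEVERITY_WORDS = {"unknown", "low", "medium", "high", "very-high"}
_FIELDS = ("version", "vendor", "product", "device_version",
           "signature_id", "name", "severity")

def parse_cef(line):
    """Return the parsed record for a well-formed CEF line, else None."""
    start = line.find("CEF:")              # a syslog prefix may come first
    if start < 0:
        return None
    body, parts, cur, i = line[start + 4:].rstrip("\r\n"), [], [], 0
    while i < len(body) and len(parts) < 7:
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])        # escaped pipe or backslash in a header field
            i += 2
        elif ch == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(parts) == 6:                    # header with no trailing pipe or extension
        parts.append("".join(cur))
    if len(parts) != 7:
        return None
    rec = dict(zip(_FIELDS, parts))
    sev = rec["severity"]
    sev_ok = (re.fullmatch(r"[0-9]{1,2}", sev) and int(sev) <= 10) \
        or sev.lower() in _SEVERITY_WORDS
    required = all(rec[k] for k in ("vendor", "product", "signature_id", "name"))
    if not (re.fullmatch(r"[0-9]+", rec["version"]) and sev_ok and required):
        return None
    rec["extension"] = dict(_EXT.findall(body[i:]))
    return rec

# Constructed sample line (not captured from a real device).
SAMPLE = ("<134>Jan 01 00:00:00 waf01 ASM:CEF:0|F5|ASM|0.0.0|200000000|"
          "HTTP Headers Injection (Location)|5|dvchost=waf01.example.test "
          "cs1=/Common/demo_policy cs1Label=policy_name src=198.51.100.7 "
          r"request=GET /login?next\=/home HTTP/1.1")
```

Lines for which `parse_cef` returns `None` (for example, a logging profile set to a key-value or other non-CEF format) are the ones to investigate before relying on the integration.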

Sample threat mappings

{"alertType": "Illegal redirection attempt", "threatId": "T1598.003", "threatName": "Spearphishing Link"}
{"alertType": "Illegal file type", "threatId": "T1204.002", "threatName": "Malicious File"}
{"alertType": "Shell command processor (ash/bash) access (Parameter)N", "threatId": "T1505.003", "threatName": "Web Shell"}
{"alertType": "Illegal URL length", "threatId": "T1190", "threatName": "Exploit Public-Facing Application"}
{"alertType": "Server-side access to disallowed host", "threatId": "T1190", "threatName": "Exploit Public-Facing Application"}

Vendor documentation