Fastly WAF Audit logs

Overview

• Vendor: Fastly
• Plan: Defend Core & Defend Prime
• Supported environment: SaaS
• Detection based on: Telemetry
• Supported application or feature: Web application firewall logs

Fastly WAF audit logs tracks activities related to your corp and your sites like user creation, rule creation, site configuration changes.

Configure

Creating API access tokens

1. Go to the Fastly WAF and log in.
2. From the My Profile menu, select API access tokens.
3. Click Add API access token.
4. In the Token name field, enter a name to identify the access token.
5. Click Create API access token.
6. Record the token in a secure location for your use. Then, click Continue to finish creating the token.

Warning

This is the only time the token will be visible. Record the token and keep it secure.

Sekoia.io configuration procedure

Create your intake

1. Go to the intake page and create a new intake from the Fastly Audit.
2. Copy the associated Intake key

Pull the logs to collect them on Sekoia.io

Go to the Sekoia.io playbook page, and follow these steps:

1. Click + PLAYBOOK button to create a new one
2. Select Create a playbook from scratch
3. Give it a name in the field Name
4. Open the left panel, click Fastly then select the trigger Fetch new audit logs from Fastly WAF

5. Click Create

6. Create a Module configuration. Name the module configuration as you wish.

7. Create a Trigger configuration using: 7.1. Type the Intake key created on the previous step 7.2 Enter User's email, API token, Corporation name and Site name (if needed) from the Fastly WAF dashboard

8. Click the Save button

9. Activate the playbook with the toggle button in the top right corner of the page

Enjoy your events on the Events page

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

test_corp_audit_log_1test_site_audit_log_1test_site_audit_log_2test_site_audit_log_3

{
    "id": "65ca37c9a1b93b52ga60bbdf",
    "eventType": "accessTokenCreated",
    "msgData": {
        "corpName": "corpname",
        "detailLink": "https://dashboard.signalsciences.net/corps/corpname/users/john.doe+demo@sample.com",
        "email": "john.doe+demo@sample.com",
        "tokenName": "Dev Audit log",
        "userAgent": "Mozilla/4.0 (X1; Linux x86_64) "
    },
    "message": "John DOE (john.doe+demo@sample.com) created API Access Token `Dev Audit log`",
    "attachments": [
        {
            "Title": "",
            "Fields": [
                {
                    "Title": "Token Name",
                    "Value": "Dev Audit log",
                    "Short": true
                }
            ],
            "MarkdownFields": false
        }
    ],
    "created": "2024-02-12T15:22:49Z"
}

{
    "id": "65cb8bd7b0a762e1af01851e",
    "eventType": "testIntegration",
    "msgData": {
        "integrationType": "generic"
    },
    "message": "John DOE (john.doe+demo@sample.com) tested a \"generic\" integration",
    "attachments": [],
    "created": "2024-02-13T15:33:43Z"
}

{
    "id": "65cb8adc20998c33c75b469a",
    "eventType": "loggingModeChanged",
    "msgData": {
        "mode": "log",
        "oldMode": "block"
    },
    "message": "John DOE (john.doe+demo@sample.com) changed agent mode from \"block\" to \"log\"",
    "attachments": [],
    "created": "2024-02-13T15:29:32Z"
}

{
    "id": "65cb8a386af260edn88be7f7",
    "eventType": "createIntegration",
    "msgData": {
        "integrationType": "generic",
        "plainSubscribedTo": "\"all events\""
    },
    "message": "John DOE (john.doe+demo@sample.com) created a new \"generic\" integration subscribed to \"all events\"",
    "attachments": [],
    "created": "2024-02-13T15:26:48Z"
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

Related Built-in Rules

The following Sekoia.io built-in rules match the intake Fastly Next-Gen WAF Audit Logs. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.

SEKOIA.IO x Fastly Next-Gen WAF Audit Logs on ATT&CK Navigator

CVE-2020-0688 Microsoft Exchange Server Exploit

Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA.

• Effort: elementary

CVE-2020-17530 Apache Struts RCE

Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530).

• Effort: intermediate

CVE-2021-20021 SonicWall Unauthenticated Administrator Access

Detects the exploitation of SonicWall Unauthenticated Admin Access.

• Effort: advanced

CVE-2021-20023 SonicWall Arbitrary File Read

Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data.

• Effort: advanced

CVE-2021-22893 Pulse Connect Secure RCE Vulnerability

Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product.

• Effort: intermediate

Covenant Default HTTP Beaconing

Detects potential Covenant communications through the user-agent and specific urls

• Effort: intermediate

Cryptomining

Detection of domain names potentially related to cryptomining activities.

• Effort: master

Detect requests to Konni C2 servers

This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September.

• Effort: elementary

Discord Suspicious Download

Discord is a messaging application. It allows users to create their own communities to share messages and attachments. Those attachments have little to no overview and can be downloaded by almost anyone, which has been abused by attackers to host malicious payloads.

• Effort: intermediate

Download Files From Suspicious TLDs

Detects download of certain file types from hosts in suspicious TLDs

• Effort: master

Dynamic DNS Contacted

Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.

• Effort: master

Exfiltration Domain

Detects traffic toward a domain flagged as a possible exfiltration vector.

• Effort: master

Fastly Next-Gen WAF Audit Threat Alert

Forward a threat detection made by Fastly Next-Gen WAF Audit Logs

• Effort: master

Koadic MSHTML Command

Detects Koadic payload using MSHTML module

• Effort: intermediate

Nimbo-C2 User Agent

Nimbo-C2 Uses an unusual User-Agent format in its implants.

• Effort: intermediate

Possible Malicious File Double Extension

Detects request to potential malicious file with double extension

• Effort: elementary

Potential Bazar Loader User-Agents

Detects potential Bazar loader communications through the user-agent

• Effort: elementary

Potential Lemon Duck User-Agent

Detects LemonDuck user agent. The format used two sets of alphabetical characters separated by dashes, for example "User-Agent: Lemon-Duck-[A-Z]-[A-Z]".

• Effort: elementary

ProxyShell Microsoft Exchange Suspicious Paths

Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability.

• Effort: elementary

Remote Access Tool Domain

Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).

• Effort: master

Remote Monitoring and Management Software - AnyDesk

Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.

• Effort: master

SEKOIA.IO Intelligence Feed

Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.

• Effort: elementary

Sekoia.io EICAR Detection

Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.

• Effort: master

Suspicious Download Links From Legitimate Services

Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past.

• Effort: intermediate

Suspicious TOR Gateway

Detects suspicious TOR gateways. Gateways are often used by the victim to pay and decrypt the encrypted files without installing TOR. Tor intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

• Effort: advanced

Suspicious URI Used In A Lazarus Campaign

Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised.

• Effort: intermediate

TOR Usage Generic Rule

Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.

• Effort: master

TrevorC2 HTTP Communication

Detects TrevorC2 HTTP communication based on the HTTP request URI and the user-agent.

• Effort: elementary

Event Categories

The following table lists the data source offered by this integration.

Data Source	Description
Application logs	activity related to your corp, such as the creation of new users and sites, and activity related to your sites, such as flagged IPs, the creation of new rules, and site configuration changes.

In details, the following table denotes the type of events produced by this integration.

Name	Values
Kind	alert
Category	configuration, threat
Type	``

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

test_corp_audit_log_1.jsontest_site_audit_log_1.jsontest_site_audit_log_2.jsontest_site_audit_log_3.json

{
    "message": "{\"id\": \"65ca37c9a1b93b52ga60bbdf\", \"eventType\": \"accessTokenCreated\", \"msgData\": {\"corpName\": \"corpname\", \"detailLink\": \"https://dashboard.signalsciences.net/corps/corpname/users/john.doe+demo@sample.com\", \"email\": \"john.doe+demo@sample.com\", \"tokenName\": \"Dev Audit log\", \"userAgent\": \"Mozilla/4.0 (X1; Linux x86_64) \"}, \"message\": \"John DOE (john.doe+demo@sample.com) created API Access Token `Dev Audit log`\", \"attachments\": [{\"Title\": \"\", \"Fields\": [{\"Title\": \"Token Name\", \"Value\": \"Dev Audit log\", \"Short\": true}], \"MarkdownFields\": false}], \"created\": \"2024-02-12T15:22:49Z\"}",
    "event": {
        "action": "accessTokenCreated",
        "category": [
            "configuration"
        ],
        "reason": "created API Access Token `Dev Audit log`",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2024-02-12T15:22:49Z",
    "fastly": {
        "waf": {
            "audit": {
                "corp_name": "corpname",
                "event_id": "65ca37c9a1b93b52ga60bbdf",
                "has_attachments": true,
                "message": "John DOE (john.doe+demo@sample.com) created API Access Token `Dev Audit log`",
                "token_name": "Dev Audit log"
            }
        }
    },
    "observer": {
        "product": "Fastly Audit Logs",
        "vendor": "Fastly"
    },
    "url": {
        "domain": "dashboard.signalsciences.net",
        "original": "https://dashboard.signalsciences.net/corps/corpname/users/john.doe+demo@sample.com",
        "path": "/corps/corpname/users/john.doe+demo@sample.com",
        "port": 443,
        "registered_domain": "signalsciences.net",
        "scheme": "https",
        "subdomain": "dashboard",
        "top_level_domain": "net"
    },
    "user": {
        "email": "john.doe+demo@sample.com",
        "full_name": "John DOE"
    },
    "user_agent": {
        "device": {
            "name": "Other"
        },
        "name": "Other",
        "original": "Mozilla/4.0 (X1; Linux x86_64) ",
        "os": {
            "name": "Linux"
        }
    }
}

{
    "message": "{\"id\": \"65cb8bd7b0a762e1af01851e\", \"eventType\": \"testIntegration\", \"msgData\": {\"integrationType\": \"generic\"}, \"message\": \"John DOE (john.doe+demo@sample.com) tested a \\\"generic\\\" integration\", \"attachments\": [], \"created\": \"2024-02-13T15:33:43Z\"}",
    "event": {
        "action": "testIntegration",
        "category": [
            "configuration"
        ],
        "reason": "tested a \"generic\" integration",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-02-13T15:33:43Z",
    "fastly": {
        "waf": {
            "audit": {
                "event_id": "65cb8bd7b0a762e1af01851e",
                "has_attachments": false,
                "message": "John DOE (john.doe+demo@sample.com) tested a \"generic\" integration"
            }
        }
    },
    "observer": {
        "product": "Fastly Audit Logs",
        "vendor": "Fastly"
    },
    "user": {
        "email": "john.doe+demo@sample.com",
        "full_name": "John DOE"
    }
}

{
    "message": "{\"id\": \"65cb8adc20998c33c75b469a\", \"eventType\": \"loggingModeChanged\", \"msgData\": {\"mode\": \"log\", \"oldMode\": \"block\"}, \"message\": \"John DOE (john.doe+demo@sample.com) changed agent mode from \\\"block\\\" to \\\"log\\\"\", \"attachments\": [], \"created\": \"2024-02-13T15:29:32Z\"}",
    "event": {
        "action": "loggingModeChanged",
        "category": [
            "configuration"
        ],
        "reason": "changed agent mode from \"block\" to \"log\"",
        "type": [
            "change"
        ]
    },
    "@timestamp": "2024-02-13T15:29:32Z",
    "fastly": {
        "waf": {
            "audit": {
                "event_id": "65cb8adc20998c33c75b469a",
                "has_attachments": false,
                "message": "John DOE (john.doe+demo@sample.com) changed agent mode from \"block\" to \"log\""
            }
        }
    },
    "observer": {
        "product": "Fastly Audit Logs",
        "vendor": "Fastly"
    },
    "user": {
        "email": "john.doe+demo@sample.com",
        "full_name": "John DOE"
    }
}

{
    "message": "{\"id\": \"65cb8a386af260edn88be7f7\", \"eventType\": \"createIntegration\", \"msgData\": {\"integrationType\": \"generic\", \"plainSubscribedTo\": \"\\\"all events\\\"\"}, \"message\": \"John DOE (john.doe+demo@sample.com) created a new \\\"generic\\\" integration subscribed to \\\"all events\\\"\", \"attachments\": [], \"created\": \"2024-02-13T15:26:48Z\"}",
    "event": {
        "action": "createIntegration",
        "category": [
            "configuration"
        ],
        "reason": "created a new \"generic\" integration subscribed to \"all events\"",
        "type": [
            "creation"
        ]
    },
    "@timestamp": "2024-02-13T15:26:48Z",
    "fastly": {
        "waf": {
            "audit": {
                "event_id": "65cb8a386af260edn88be7f7",
                "has_attachments": false,
                "message": "John DOE (john.doe+demo@sample.com) created a new \"generic\" integration subscribed to \"all events\""
            }
        }
    },
    "observer": {
        "product": "Fastly Audit Logs",
        "vendor": "Fastly"
    },
    "user": {
        "email": "john.doe+demo@sample.com",
        "full_name": "John DOE"
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name	Type	Description
@timestamp	date	Date/time when the event originated.
event.action	keyword	The action captured by the event.
event.category	keyword	Event category. The second categorization field in the hierarchy.
event.kind	keyword	The kind of the event. The highest categorization field in the hierarchy.
event.reason	keyword	Reason why this event happened, according to the source
fastly.waf.audit.corp_name	keyword	Corp name
fastly.waf.audit.event_id	keyword	Fastly event ID
fastly.waf.audit.has_attachments	boolean	Event message has attachments
fastly.waf.audit.message	keyword	Event description
fastly.waf.audit.site_name	keyword	Site name
fastly.waf.audit.token_name	keyword	Token name
observer.product	keyword	The product name of the observer.
observer.vendor	keyword	Vendor name of the observer.
url.original	wildcard	Unmodified original url as seen in the event source.
user.email	keyword	User email address.
user.full_name	keyword	User's full name, if available.
user_agent.original	keyword	Unparsed user_agent string.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.