Working with templated rules

  Last updated 2023-04-20

Templated rules are partially pre-constructed rules that can help you protect against Common Vulnerabilities and Exposures (CVE) and gain visibility into registrations, logins, and API requests. For example, you can enable the GraphQL API Query templated rule to track GraphQL API requests.

Limitations and considerations

When working with templated rules, keep the following things in mind:

  • The Templated Rules page is only included with the Premier and Professional platforms. It is not included as part of the Essential platform.

  • The Signals page is only included with the Essential platform. It is not included as part of the Premier and Professional platforms.

  • Depending on the type of templated rule, the Essential platform includes a different level of support:

    TypeSupport
    API protection rulesSome API protection signals are not supported.
    ATO protection rulesAll ATO protection signals are not supported.
    Virtual patching rulesVirtual patching rules are only supported in BLOCK mode. Threshold blocking is not supported.

  • To use the GraphQL API Query templated rule, your agents must be on version 4.33.0 or above.

Types of templated rules

There are three types of templated rules:

  • API protection rules: tags requests made to your API, allowing you to detect patterns such as repeated API requests from an unexpected user agent. API Protection signals are informational, so only certain requests tagged with these signals will appear in the requests page of the console. See Storage categories for additional details.

  • ATO protection rules: enable you to quickly create rules to identify account takeover (ATO) attacks, such as failed password reset attempts. With the exception of the Login and Registration groups of signals, ATO Protection signals are informational, so only certain requests tagged with these signals will appear in the requests page of the console. See Storage categories for additional details.

  • Virtual patching rules block or log requests matching specific vulnerabilities. These can be configured to send an alert after a threshold of matching requests.

Enabling and editing templated rules

  1. From the Site Rules menu, select Templated Rules. The templated rules menu page appears.
  2. Click View to the right of the rule you want to enable or edit. The page for that templated rule appears. This page features a graph, Event list, and list of requests tagged with the signal associated with this rule.
  3. Click Configure in the upper-right corner to enable or edit the rule. The rule builder page appears. The rule builder will feature pre-built rule conditions designed for the templated rule you selected.
  4. In the Value fields, enter values specific to your application, such as paths, response codes, and headers. It is possible to add, edit, and remove conditions in the rule as necessary for your application.
  5. Click Update Site Rule.

Enabling threshold blocking

When configuring Failed Logins or Failed Registrations, you have the additional option to block either subsequent Login Attempts or Registration Attempts respectively.

The duration for the block is customizable. Either the site default (normally 1 day), 10 minutes, 1 hour, 6 hours, or 24 hours.

Working with virtual patching rules

Virtual patching rules are partially pre-constructed rules that allow you to block, tag, and log requests that match CVEs. The rules can be configured to send an alert when a threshold of matching requests is reached.

New virtual patching rules are announced through an optional email subscription. You can subscribe to virtual patching announcements in your account settings.

Working with virtual patching rules from the Templated Rules page

For Premier and Professional platforms, you can view, enable, and edit virtual patching rules from the Templated Rules page.

Working with virtual patching rules from the Signals page

For Essential platform, you can view, enable, and edit virtual patching rules from the Signals page.

View virtual patching rules from the Signals page

To view virtual patching rules, follow these steps:

  1. Log in to the Signal Sciences console.
  2. Click the Signals tab. The Signals page appears.
  3. In the Category filter section, select CVE. The virtual patching rules are listed.

Enable virtual patching rules from the Signals page

To enable a virtual patching rule, follow these steps:

  1. On the Signals page, click View in the row of the virtual patching rule that you want to enable. An activity overview of the selected rule appears.

  2. Click the Configuration tab. Configuration options for the signal appear.

  3. Click the Alerts tab. The Alerts tab appears.

  4. Click Add alert. The Add form appears.

    Enable the CVE-2022-26134 virtual patching rule.

  5. Fill out the alert configuration fields as follows:

    • In the Signal area, verify that the virtual patching rule that you want to enable is selected.
    • In the Action area, select Block requests immediately.
    • In the Status area, set the switch to Enabled.

  6. Click the Save alert button. The virtual patching rule is enabled.

  7. Click the Detections tab. The Detections configuration tab appears.

  8. Click Add detection. The Add form appears.

    Add detection for the CVE-2022-26134 virtual patching rule.

  9. Verify the switch is set to Enabled.

  10. Click the Create detection button. Requests that match the virtual patching rule are assigned the tag associated with the rule.

Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.