Working with templated rules
Last updated 2023-04-20
Templated rules are partially pre-constructed rules that can help you protect against Common Vulnerabilities and Exposures (CVE) and gain visibility into registrations, logins, and API requests. For example, you can enable the GraphQL API Query templated rule to track GraphQL API requests.
When working with templated rules, keep the following things in mind:
The Signals page is only included with the Essential platform. It is not included as part of the Premier and Professional platforms.
Depending on the type of templated rule, the Essential platform includes a different level of support:
Type Support API protection rules Some API protection signals are not supported. ATO protection rules All ATO protection signals are not supported. Virtual patching rules Virtual patching rules are only supported in BLOCK mode. Threshold blocking is not supported.
To use the GraphQL API Query templated rule, your agents must be on version 4.33.0 or above.
There are three types of templated rules:
API protection rules: tags requests made to your API, allowing you to detect patterns such as repeated API requests from an unexpected user agent. API Protection signals are informational, so only certain requests tagged with these signals will appear in the requests page of the console. See Storage categories for additional details.
ATO protection rules: enable you to quickly create rules to identify account takeover (ATO) attacks, such as failed password reset attempts. With the exception of the Login and Registration groups of signals, ATO Protection signals are informational, so only certain requests tagged with these signals will appear in the requests page of the console. See Storage categories for additional details.
Virtual patching rules block or log requests matching specific vulnerabilities. These can be configured to send an alert after a threshold of matching requests.
- From the Site Rules menu, select Templated Rules.
- Click View to the right of the rule you want to enable or edit.
- Click Configure in the upper-right corner to enable or edit the rule.
- In the Value fields, enter values specific to your application, such as paths, response codes, and headers. It is possible to add, edit, and remove conditions in the rule as necessary for your application.
- Click Update Site Rule.
When configuring Failed Logins or Failed Registrations, you have the additional option to block either subsequent Login Attempts or Registration Attempts respectively.
The duration for the block is customizable. Either the site default (normally 1 day), 10 minutes, 1 hour, 6 hours, or 24 hours.
Virtual patching rules are partially pre-constructed rules that allow you to block, tag, and log requests that match CVEs. The rules can be configured to send an alert when a threshold of matching requests is reached.
New virtual patching rules are announced through an optional email subscription. You can subscribe to virtual patching announcements in your account settings.
For Premier and Professional platforms, you can view, enable, and edit virtual patching rules from the Templated Rules page.
For Essential platform, you can view, enable, and edit virtual patching rules from the Signals page.
To view virtual patching rules, follow these steps:
- Log in to the Next-Gen WAF console.
- Click the Signals tab.
- In the Category filter section, select CVE. The virtual patching rules are listed.
To enable a virtual patching rule, follow these steps:
On the Signals page, click View in the row of the virtual patching rule that you want to enable.
Click the Configuration tab.
Click the Alerts tab.
Click Add alert.
Fill out the alert configuration fields as follows:
- In the Signal area, verify that the virtual patching rule that you want to enable is selected.
- In the Action area, select Block requests immediately.
- In the Status area, set the switch to Enabled.
Click Save alert. The virtual patching rule is enabled.
Click the Detections tab.
Click Add detection.
Verify the switch is set to Enabled.
Click Create detection. Requests that match the virtual patching rule are assigned the tag associated with the rule.