Fastly CDN/WAF

Version: Fastly CDN, WAF

Fastly is a Content Delivery Network (CDN). It serves content for users' and organizations' websites and for Internet-accessible (hosted) application programming interfaces (APIs) from its edge network.

Fastly Web Application Firewall (WAF) protects your applications from malicious attacks designed to compromise web servers. The Fastly WAF provides rules that detect and block potential attacks. The rules are collected into a policy and deployed within your Fastly service at the edge.

Netsurion Open XDR integrates with Fastly CDN/WAF, collects logs from Fastly CDN/WAF and produces detailed reports, alerts, dashboards and saved searches. These allow users to view the most critical and important information on a single platform.

Reports contain a detailed overview of activities such as:

  • Fastly user login/logout
  • Fastly login failures and user management events
  • Fastly service management events
  • Devices (user-agents) used to access Fastly
  • Fastly access events by success and failure
  • URL and IP severity
  • Blocked URLs and IPs
  • Matched WAF rule ID and its message

Fastly user login/logout reports include details such as the login/logout time, the device type or user-agent, whether the user is an admin, and the user ID.

Alerts are raised as soon as Fastly CDN/WAF reports a critical event, so users receive in near real time events such as:

  • Login failed
  • Service or service version deletion (alerts can be delivered by email)
  • Blocked URL or high severity URL
  • Unauthorized user access (failed)
  • Blocked request with location
  • High severity URL detected
  • Attacks with the reason for the match

Alert counts and a visual overview of the top activities performed in Fastly CDN/WAF can be viewed on the Netsurion dashboard.

The “Fastly CDN/WAF – Access events by user agent” dashlet displays the user-agents attempting to access a specific domain/URL.

The “Fastly CDN/WAF – User login fail (Audit events by region)” dashlet displays login failures on the Fastly account on a world map by country. Dashlets associated with WAF activity display information such as PHP injection attacks, SQL injection attacks, application attack session fixation, application attack RCE (remote code execution), etc.

Netsurion Open XDR monitors Fastly CDN/WAF events from sources such as the Fastly system manager, the Fastly audit log and the access log. They are grouped as follows:

  • Security – User login failed, blocked URLs
  • Compliance – Service deleted and service version deleted
  • Operation – Fastly CDN access events by success and error message, user management, service management, and Fastly CDN domain access errors

After Fastly CDN/WAF is configured to deliver events to Netsurion Open XDR, the dashboards and reports can be configured in Netsurion Open XDR.

The following are the key Data Source Integration components available in Netsurion Open XDR.

Alerts

Type | Name | Description
Security | Fastly CDN – User login failed (Audit events) | Triggered when an unauthorized or incorrect login attempt occurs in Fastly.
Security | Fastly WAF Blocked URLs | Triggered when any URL is blocked by the Fastly WAF.
Operations | Fastly CDN has received domain access error (Access events) | Triggered when an end user requesting the given domain receives an error, such as a request timeout, instead of the content.
Operations | Fastly WAF has detected high severity URLs | Triggered when the WAF matches a request against a rule with severity 0, 1, 2 or 3 (the most severe levels; lower numbers are more severe).
Compliance | Fastly CDN service version has been deactivated (Audit events) | Triggered when any user deactivates an active version of a Fastly service.
Compliance | Fastly CDN service has been deleted (Audit events) | Triggered on deletion of one or more Fastly services.

Reports

Type | Name | Description
Security | Fastly CDN – Login failure (Audit events) | Summary of failed user logins via the web-based user interface or the API.
Security | Fastly WAF – Blocked URLs | Summary of blocked URLs with the client IP, the matched WAF rule and its message.
Operations | Fastly CDN – Error events (Access events) | Summary of requests to URLs that returned error status codes such as 503 or 404.
Operations | Fastly CDN – Success events (Access events) | Summary of requests to URLs that returned non-error status codes, e.g. 302.
Operations | Fastly CDN – Login success (Audit events) | Detailed summary of successful user logins in Fastly.
Operations | Fastly WAF – OWASP Threats | Detailed summary of WAF threat scores by URL and IP.
Operations | Fastly WAF – WAF States | Detailed summary of the matched WAF rule ID and its message for each URL.
Compliance | Fastly CDN – Service management (Audit events) | Summary of Fastly service-related activity, i.e. service create, delete, update, version activate, deactivate, etc.
Compliance | Fastly CDN – User management (Audit events) | Summary of Fastly user management activity, i.e. user create, delete, lock, etc.

Documentation

The configuration details are consistent with Netsurion Open XDR 9.x or later, and Fastly CDN.

Download Integration Guide and How-to Guide for configuration instructions and more information.