Submenu – Policy Learning

Policy Learning

The policy learning dashboard gives an overview of requests violating the current security policy (consisting of deny and allow rules). For each violating request, the request details are stored in a database. Automatically generated suggestions for preventing similar violations are offered and can be accepted with a single click from the result table.
The table itself can be filtered and allows drilling down into specific requests to investigate the root cause of the violation. This enables administrators to quickly integrate new applications by remediating false-positive blocks and learning allow list rules.

  • Only violations caused by Deny Rules and Allow Rules are visible in the policy learning dashboard. The set of covered violations will be continually extended.
  • Parameters and header values may be trimmed before storing them in the block list.
  • Use % as a wildcard in filter criteria.
  • Use ZZ as a pseudo country code wildcard to filter for country-less source IP addresses.
  • The state of a handled block message and the configuration change related to the accepted suggestion are stored in the current administrator session. This means all decisions can be undone by re-logging into the Configuration Center.

To learn how to use policy learning, see article Using the policy learning feature.

Option – Description

Timestamp from
Timestamp to

Sets a time window for the listed blocks.

Virtual Host
Path Mapping

Restricts the listed blocks to requests on the selected virtual host, mapping and entry path.

  • Virtual Host – name of the virtual host
  • Path – entry path on the mapping
  • Mapping – mapping connected to the virtual host

Request ID

Filter for the ID of the request.

Session ID

Filter for the ID of the session.

Authenticated sessions only

Filter to show only blocks that occurred during authenticated sessions.
Blocks in the same session that occurred before authentication, for example, are filtered out.

Source Country

Filter for the two-letter ISO country code of the request's origin. This filter is not case-sensitive and also accepts single letters.

Source IP

Filter for the source IP address of the request.

Max. Attack Types per IP

Filter based on the number of different attack types originating from the same source IP.
The more different attack types a particular IP triggers, the higher the probability that requests from this IP are actual attacks rather than false positives.
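As an added illustration (not part of the original documentation and not Airlock's own code), the following Python snippet re-implements the filter semantics described on this page over a few constructed block records: the % wildcard, the ZZ pseudo country code, single-letter country search, and the per-IP count of distinct attack types behind "Max. Attack Types per IP". The record field names, the prefix interpretation of a single-letter country filter, and the reading of "Max." as an upper bound are assumptions made for the example.

```python
"""Hypothetical re-implementation of the policy-learning filter semantics.

Assumptions (not from the product documentation): block records are dicts
with source_ip, country, attack_type and path; a country filter is matched
as a case-insensitive prefix so that a single letter is accepted; the
"Max. Attack Types per IP" filter is an upper bound on distinct types.
"""
import re
from collections import defaultdict

# Constructed sample block records (documentation-range IPs, not real data).
BLOCKS = [
    {"id": 1, "source_ip": "203.0.113.10", "country": "CH",
     "attack_type": "SQL injection", "path": "/app/login"},
    {"id": 2, "source_ip": "203.0.113.10", "country": "CH",
     "attack_type": "Cross-site scripting", "path": "/app/search"},
    {"id": 3, "source_ip": "203.0.113.10", "country": "CH",
     "attack_type": "Automated scanning", "path": "/app/"},
    {"id": 4, "source_ip": "198.51.100.7", "country": "",
     "attack_type": "SQL injection", "path": "/app/login"},
    {"id": 5, "source_ip": "192.0.2.44", "country": "de",
     "attack_type": "Template injection", "path": "/api/v1/render"},
    {"id": 6, "source_ip": "192.0.2.44", "country": "DE",
     "attack_type": "Template injection", "path": "/api/v1/render"},
]


def wildcard_match(pattern, value, case_sensitive=True):
    """Match value against pattern, where '%' stands for any run of characters.

    An empty or missing pattern means "no filter" and matches everything.
    Everything except '%' is matched literally (regex metacharacters escaped).
    """
    if not pattern:
        return True
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def country_match(pattern, country):
    """Country filter: 'ZZ' selects records without a country; otherwise a
    case-insensitive match where the pattern is treated as a prefix, so a
    single letter such as 'c' matches 'CH' (assumption)."""
    if not pattern:
        return True
    if pattern.upper() == "ZZ":
        return country == ""
    return wildcard_match(pattern + "%", country, case_sensitive=False)


def attack_types_per_ip(blocks):
    """Count distinct attack types seen per source IP."""
    types = defaultdict(set)
    for b in blocks:
        types[b["source_ip"]].add(b["attack_type"])
    return {ip: len(t) for ip, t in types.items()}


def filter_blocks(blocks, path=None, country=None, attack_type=None,
                  max_attack_types=None):
    """Apply the dashboard-style filters and return the matching records."""
    counts = attack_types_per_ip(blocks)
    result = []
    for b in blocks:
        if not wildcard_match(path, b["path"]):
            continue
        if not country_match(country, b["country"]):
            continue
        if not wildcard_match(attack_type, b["attack_type"]):
            continue
        # Upper bound on distinct attack types per IP (assumed reading of "Max.").
        if max_attack_types is not None and counts[b["source_ip"]] > max_attack_types:
            continue
        result.append(b)
    return result


if __name__ == "__main__":
    print("distinct attack types per IP:", attack_types_per_ip(BLOCKS))
    print("country-less sources:",
          [b["id"] for b in filter_blocks(BLOCKS, country="ZZ")])
    print("at most one attack type per IP:",
          [b["id"] for b in filter_blocks(BLOCKS, max_attack_types=1)])
```

Capping the number of distinct attack types per IP removes sources that trip several unrelated deny rules (203.0.113.10 in the sample) and leaves the single-type cases that are the usual false-positive candidates when learning allow list rules for a new application.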

Header Name
Header Value

Filter for HTTP header name and value of the request.

Attack Type

Available attack type filters:

  • Any
  • Automated scanning
  • Cross-site scripting
  • Encoding exploit
  • Expression Language injection
  • Failed sanity checks
  • HTML injection
  • HTTP protocol exploit
  • Insecure direct object reference
  • LDAP injection
  • NoSQL injection
  • OGNL injection
  • OS command injection
  • PHP injection
  • SQL injection
  • Spring Cloud RCE
  • Spring Core RCE
  • Template injection
  • custom

Parameter Name
Parameter Value

Filter for parameter name and value of the request.

Block Type

Filter by the type of rule that triggered the block. Can be set to Any, Allow Rule or Deny Rule.

Show log only

If threat handling on a mapping or filter is set to Log only, requests are not blocked but a notification about the potential block is written to the logs instead.
Enable this option to display requests with a log-only block notification.

Show handled blocks

Blocks already processed by accepting a generated suggestion or by ignoring the block are marked as handled.
Enable this option to display handled blocks as well. Note that for handled blocks, no further suggestions are available.

Limit results

Limits the number of listed results.
Note that applying a policy rule, i.e., accepting a Favorite Policy Suggestion, affects all blocks to which the policy modification applies, not only the listed ones.

Result table

Figure: Result table, Policy Learning

Buttons and tabs – Description

Table sorting arrows (up/down)

Clicking on the arrows sorts the table column in ascending or descending order.

Gear drop-down button

Drop-down menu to show or hide table columns.

Tick button

Button to accept a single Favorite Policy Suggestion.
Note that accepting a policy suggestion will apply to all blocks in the policy database covered by this policy suggestion.

Pen button

Opens a pop-up that allows direct modification of the Favorite Policy Suggestion.
This can be useful if the policy should also cover other well-known block cases.

Refusal button

Ignore the block entry for the time of the current administration session.
After re-login the ignored block will show up again.

Clear blocks

This button, combined with the drop-down menu, allows bulk filtering/suppression of the results that appear during the ongoing administration session. It can be used, e.g., to reduce distraction by results that are not of interest.
After re-logging in, the cleared blocks will show up again.

Accept all displayed favorite suggestions

This button bulk-applies all suggested policy changes from the table column Favorite Policy Suggestions that are currently visible in the result list.
Note that suggestions not currently displayed are left untouched, but each accepted suggestion still applies to all blocks in the policy database that match the policy.

Block details from result table

By clicking on a block entry in the result table, the entry details show up on the Request Details tab. The Policy Suggestions tab is only available for blocks triggered by deny rules and allows accepting and modifying the policy suggestion. For adapting allow rules, see article Tab – Allow Rules.

Figure: Block details, Policy Learning

The details shown can be used as filter values for the result table to look closely at blocks based on specific request details.