Threat Campaign Management
Overview
Threat Campaigns is a threat intelligence feature that is automatically enabled when you create a WAF policy. It relies on frequent update feeds containing contextual information about active attack campaigns that F5 Threat Labs is currently observing and that WAF can protect against. For example, without threat campaign updates, WAF may detect an attack pattern in a web application form parameter, but it cannot correlate that single incident with a more extensive and sophisticated threat campaign. Because the contextual information in Threat Campaigns is very specific to current attack campaigns, false positives are virtually non-existent.
Just like attack signatures, Threat Campaign patterns are updated regularly. Unlike attack signatures, you need to install Threat Campaigns in order for the protection to take effect. Because these campaigns are highly dynamic, updates are issued far more frequently than attack signature updates. Install the updates close to the time they are issued to get the most effective protection.
Since the risk of false positives is very low, you do not need to enable or disable specific Threat Campaigns. Instead, you can disable the whole mechanism.
Prerequisites
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
If you have not yet installed automatic live updates, ensure you have the latest Threat Campaigns installed:
If you plan to disable Threat Campaigns, ensure the following:
Verify any attached application services to ensure proper security after changes are deployed.
How to disable Threat Campaigns
Click the workspace icon next to the F5 icon, and click Security.
From the left menu, click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
Use the toggle to change the Threat Campaigns setting.
Click Save to save your changes. If you would like to automatically deploy your changes to the BIG-IP Next instance, click Save & Deploy.
Resources
Manage using API
Threat Campaign management using the policy Editor
Edit the WAF policy JSON declaration directly through the WAF policy editor.