ASM Policy Analyzer Rules¶
Overview¶
The ASM Policy Rules API can get details about the rules used to analyze a given security policy. The ASM Policy Analyzer API can analyze a security policy, calculate a security score, and store suggestions to improve the policy. After the policy analyzer task has completed, you can use the ASM Policy Analyzer Suggestions API and the ASM Policy Analyzer Rules API to get the policy analyzer results which can be reported to the user. You can also use the ASM Policy Difference API to compare two security policies for the purpose of distinguishing differences in security levels. The policy analyzer can be rerun after changing the policy configuration to check for improvement of the configuration.
REST Endpoint: /mgmt/cm/asm/reports/analyzer/config-analyzer-rules/{id}¶
Requests¶
GET /mgmt/cm/asm/reports/analyzer/config-analyzer-rules/{id}¶
Send a GET request to the analyzer/config-analyzer-rules/{id} endpoint to get details about the rule used to generate suggestions. The placeholder {id} represents the UUID identifying the rule. The endpoint for the GET request is the suggestionRuleReference value returned by the sub collection ASM Policy Analyzer Suggestions API.
Request Parameters¶
None
Query Parameters¶
None
Response¶
HTTP/1.1 200 OK
| Name | Type | Description |
|---|---|---|
| id | string | UUID of the policy analyzer rule |
| type | string | Type of rule |
| urls | string | Used for implementation purpose |
| ruleId | string | The unique identifier for the rule |
| category | string | The category of the suggestion generated from this rule. |
| selfLink | string | URL of the rule |
| severity | string | The severity given to the suggestion generated from this rule. For example: “Warning”. |
| isGeneric | boolean | Used for implementation purpose |
| articleLink | string | Used for implementation purpose |
| ruleCondition | string | Used for implementation purposes. For example: “if a [cookie] does not check for attack signature” |
| ruleDescription | string | Used for implementation purpose |
| text | string | Text used for implementation purpose |
| parameters | string | Array of strings |
| name | string | Name used for implementation purpose |
| ruleSuggestion | string | Suggestion or recommendation to the user to improve the policy configuration. For example: “Enable attack signature enforcement for this cookie to enforce protection against detected signatures.” |
| genericRuleData* | string | Used for implementation purpose |
| group | number | Used for implementation purpose |
| operation | string | Used for implementation purpose |
| targetValue | string | Used for implementation purpose |
| parameterName | string | Used for implementation purpose |
| parameterType | string | Used for implementation purpose |
| isMultiSuggestionRule | boolean | Used for implementation purpose |
| bigIqConfigurationDirectLink | string | Used for implementation purpose |
| selfLink | string | URL to details about the rule used to generate suggestions. |
Permissions¶
| Role | Allow |
|---|---|
| Web Application Security Manager | Yes |
| Web Application Security Editor | Yes |
| Web Application Security Viewer | Yes |
| Web Application Security Deployer | Yes |
Examples¶
GET to retrieve more details on specific suggestion¶
The following example sends a GET for more details on the specific suggestions
GET https://<BIG-IQ>/mgmt/cm/asm/reports/analyzer/config-analyzer-rules/b8c37e33-defd-351c-b91e-1e03e51657da
Response¶
The JSON in the response to the POST can look similar to the following.
HTTP/1.1 200 OK
{
"id": "b8c37e33-defd-351c-b91e-1e03e51657da",
"kind": "cm:asm:reports:analyzer:config-analyzer-rules:configanalyzerrulestate",
"type": "blockingSettings",
"urls": [
"https://localhost/mgmt/cm/asm/working-config/policies/{policy-id}/"
],
"ruleId": "1001",
"category": "General",
"selfLink": "https://localhost/mgmt/cm/asm/reports/analyzer/config-analyzer-rules/b8c37e33-defd-351c-b91e-1e03e51657da",
"severity": "Critical",
"isGeneric": true,
"generation": 1,
"articleLink": "No",
"ruleCondition": "if policy enforcement mode is not in blocking mode ",
"ruleSuggestion": "The policy's enforcement mode is not set to blocking mode, therefore the policy will not block detected attacks. To protect the application from attacks, change the policy enforcement mode to blocking.",
"genericRuleData": {
"group": 1,
"operator": "NE",
"targetValue": "blocking",
"parameterName": "enforcementMode",
"parameterType": "STR",
"isMultiSuggestionRule": false
},
"ruleDescription": {
"text": "Policy enforcement not set to block attacks"
},
"lastUpdateMicros": 1611339806930572,
"bigIqConfigurationDirectLink": "https://{bigiq-ip}/ui/configuration/security/web-application/policies/{policy-id}/properties"
}