View application security violation details

Web applications that are exposed to the internet have become drastically more vulnerable to attacks. Citrix ADM enables you to visualize actionable violation details to protect applications from attacks. Navigate to Security > Security Violations for a single-pane solution to:

  • Visualize applications with full visibility into the threat details associated in both security insight and bot insight

  • Access the application security violations based on their categories, such as Network, Bot, and WAF

  • Take corrective actions to secure the applications

The Security Violations page has the following options:

  • Application Overview – Displays an overview of applications with details such as total violations, total WAF and Bot violations, violations by country, and so on. For more information, see Application overview.

  • All Violations – Displays the application security violation details. For more information, see All violations.

Setting up

To view the violations, you must:

  • Set Web Transaction Settings to All

  • Ensure that Metrics Collector is enabled. By default, Metrics Collector is enabled on the Citrix ADC instance. For more information, see Configure Intelligent App Analytics.

  • Enable Advanced Security Analytics (applicable only for premium licensed ADC instances)

Enable Web Transaction settings

  1. Navigate to Settings > Analytics Settings.

    The Analytics Settings page is displayed.

  2. Click Enable Features for Analytics.

  3. Under Web Transaction Settings, select All.

  4. Click Ok.

Enable Advanced Security Analytics

  1. Navigate to Infrastructure > Instances > Citrix ADC, and select the instance type. For example, MPX.

  2. Select the Citrix ADC instance and from the Select Action list, select Configure Analytics.

  3. Select one or more virtual servers and click Enable Analytics.

  4. On the Enable Analytics window, click Advanced Security Analytics.

  5. On the Advanced Security Analytics window:

    1. Select Create new profile.

    2. In the Advanced security profile name textbox, provide a profile name of your choice.

    3. Select the Enable profile check box.

    4. Select the behavior-based profile configuration from the list. For the Excessive Client Connections, Suspicious Signup Attempts, Website Scanning and Content Scraping, Unusually large download volume, Unusually large upload volume, Unusually high upload transactions, and Unusually high download transactions violations, you can set the sensitivity level to Low, Medium, or High.

    The following violations require additional configurations:

    Account Takeover:

    1. Method - Select the HTTP method type from the list. The available options are GET, PUSH, POST, and UPDATE.

    2. Login URL - Specify the URL of the web application.

    3. Success response code - Specify the HTTP status code (for example, 200) for which you want Citrix ADM to report the account takeover violation from bad bots.

    4. Click + to add another parameter.

    Website Scanning and Content Scraping:

    1. Select Website Scanning or Content Scraping or both.

    2. Session Tracking Method - Select the tracking method as Client IP, Citrix Web Application Firewall, Backend Application, or URL.

    For more information on the violations and configurations, see WAF violations and Bot violations.

  6. Click Apply Profile.

  7. Click Save.
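
Before entering the Account Takeover parameters, it helps to confirm against your own access logs that the chosen Method, Login URL, and Success response code actually separate successful logins from failed ones. The following is an added example, not Citrix code and not a description of how Citrix ADM detects violations; the log format, the sample lines, and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (combined-log style); not from the page.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.20 - - [01/Jan/2024:10:01:00 +0000] "POST /login HTTP/1.1" 200 2048
203.0.113.20 - - [01/Jan/2024:10:01:05 +0000] "GET /account HTTP/1.1" 200 4096
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /login HTTP/1.1" 200 1024
"""

# client, method, path and status from one log line (assumed log format)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def check_login_params(log_text, method, login_url, success_code):
    """Tally what the chosen Method / Login URL / Success response code match."""
    status_counts = Counter()
    per_client = defaultdict(lambda: {"success": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, verb, path, status = m.groups()
        # Compare the path without its query string against the login URL.
        if verb != method or path.split("?", 1)[0] != login_url:
            continue
        status_counts[int(status)] += 1
        key = "success" if int(status) == success_code else "other"
        per_client[client][key] += 1
    return status_counts, dict(per_client)

def success_code_is_distinct(status_counts, success_code):
    """True when login requests also return codes other than the success code,
    so the code can separate successful from failed logins in this sample."""
    return success_code in status_counts and len(status_counts) > 1

if __name__ == "__main__":
    counts, clients = check_login_params(SAMPLE_LOG, "POST", "/login", 200)
    print(dict(counts), clients, success_code_is_distinct(counts, 200))
```

If every request to the login URL returns the same status code regardless of outcome, the Success response code cannot tell a successful login from a failed one, and the parameters should be revisited before the profile is applied.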

After you create a profile:

  • The profile is accessible under Use existing security profile. You can also modify an existing profile later. If you modify an existing profile, the same updates are also applied to all virtual servers using the profile.

  • You can view the newly created profile name under APPSEC PROFILE by navigating to Security > Security Violations and clicking the Settings icon.

    In this view, you can:

    • Click the profile and view details in the read-only mode.

    • Click the profile and select the Unbind Profile option.

    Note

    • If you unbind the profile, you can either continue with a default profile for this application (if eligible) or add a new profile later.

    • After you unbind a profile and if it is not associated with any virtual server, the profile is automatically deleted.

Points to note:

  • You can select multiple virtual servers, enable Advanced Security Analytics, and apply the same profile.

  • You can delete a profile. If you delete a profile, it also gets removed immediately from all virtual servers that are using the profile.

  • When you choose to enable Advanced Security Analytics, certain behavior-based violations require WAF Security Violations, Bot Security Violations, Web Insight, or all of them to be enabled as a prerequisite. For such violations, the prerequisites are automatically selected.

  • When a virtual server is not added with any profile, it is automatically enabled with a default profile if the following conditions are met:

| Profile name | Condition | Description | Violations enabled | Priority |
|---|---|---|---|---|
| DefaultWafBotAnalyticsProfile | WAF security violations or Bot security violations | The virtual server is enabled with Bot or WAF insight. | Unusually high upload volume, Unusually high download volume, Excessive client connections, and Unusually high request rate | 1 |
| DefaultWafBotPolicyProfile | WAF or Bot profile | The virtual server has a WAF or Bot profile configured. | Unusually high upload volume and Unusually high download volume | 2 |

  • If the application or virtual server is eligible with all these conditions, then the default profile is assigned based on the priority.

  • You cannot modify or delete a default profile.
