Using tmsh to Get a Specific ASM Chart

Question

Hi,&nbsp;
We're running some F5s on 11.4.1 in our environment with the ASM module enabled for which I have some policies in place.  &nbsp;
Via the web GUI I'm able to view a really useful chart by drilling down through the "Top violations with critical severity" pre-defined chart and I want to schedule this specific chart to run and dump out regularly (ideally as a .csv file to a network location but e-mail is also fine).&nbsp;
The chart in question is:&nbsp;
Severity: Critical &gt;&gt; Violation: Attack signature detected &gt;&gt; Security Policy: /my_partition/my_vs&nbsp;
Is there a way I can configure this using TMSH?  I've had a read through the "Traffic Management Shell Reference Guide" but I can't seem to put the correct pieces together.&nbsp;
Appreciate any help/guidance please!&nbsp;
Thanks,
Rich&nbsp;

richkingly_1410 · Answer

Right, I know how to get the report that I need now and send it to myself by e-mail. I'll just work on how to schedule it next. Thanks for your help, here's the code that was required:
&nbsp;
send-mail analytics application-security report view-by attack-type  measures {  } drilldown { { entity policy values { "/my_partition/vs-mysite" } } { entity severity values { Critical } } { entity violation values { "Attack signature detected" } } } range now-1w format pdf email-addresses { me@company.com }

&nbsp;
It produces something that shows the attack signatures detected against your virtual server over the past week:

I'm hoping to use the info, in csv format, to pump into our BI environment and trend over time.

boneyard · Answer

don't think you can do that via tmsh, but you can schedule charts and email them via the GUI:&nbsp;
Security  ››  Reporting : Application : Charts Scheduler&nbsp;
would that work for you?&nbsp;

richkingly_1410 · Answer

Thanks boneyard, I can get it to send out reports via the GUI (pre-defined ones and multi-level ones) but not that specific report unfortunately.&nbsp;
I was hoping I could use tmsh syntax along the lines of:&nbsp;
show analytics application-security report view-by violation drilldown {
{ entity severity values { Error } } }&nbsp;
But I can't quite work out how to put the syntax together for the specific chart I'm after&nbsp;

boneyard · Answer

ok, got the hang of the syntax, this works for me:
&nbsp;
root@(bigip-01)(cfg-sync Standalone)(Active)(/Common)(tmos) show analytics application-security report view-by violation drilldown { { entity severity values { Critical } } }
--------------------------------------------------------------
Analytics query result
--------------------------------------------------------------
Time range: 12/24/2014:13:10 (CET) ---&gt; 12/24/2014:14:10 (CET)
--------------------------------------------------------------
name                          | occurences
--------------------------------------------------------------
Illegal meta character in URL | 1
Evasion technique detected    | 1

&nbsp;
now what exactly do you want? still not 100% clear to me.

richkingly_1410 · Answer

Happy New Year - sorry for the late reply, I've been away for the winter break.&nbsp;
The exact report I'm trying to get via TMSH is:&nbsp;
For a given Policy (e.g "my_asm_policy") I want a chart of the Violations where "Attack Signature Detected" and the severity is "Critical"&nbsp;
Looking at your example above I'm wondering if I can specify a second entity of "Attack Signature Detected" - I'll have a play now.&nbsp;

Forum Discussion

Using tmsh to Get a Specific ASM Chart

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Scatter Charting Response Times

check the utilization on specific node

Load balancing method specific decision

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

SSL Orchestrator Advanced Use Cases: DNS Sinkholing