{
"timeStamp": "2019-04-15T16:13:00.045Z",
"collectionIntervalInMinutes": "1",
"node": "node-host",
"wafSummary": {
"requestScannerDetection": [
],
"requestProtocolEnforcement": [
],
"requestProtocolAttack": [
],
"requestApplicationAttackLfi": [
],
"requestApplicationAttackRfi": [
],
"requestApplicationAttackRce": [
],
"requestApplicationAttackPhp": [
],
"requestApplicationAttackXss": [
],
"requestApplicationAttackSqli": [
],
"requestApplicationAttackSessionFixation": [
],
"requestSidPiiCore": [{
"ruleId": "600100",
"count": 1
}],
"requestSidPiiEnhanced": [
],
"requestSidPci": [
],
"requestSidPhi": [
],
"responseDataLeakages": [
],
"responseDataLeakagesSql": [
],
"responseDataLeakagesJava": [
],
"responseDataLeakagesPhp": [
],
"responseDataLeakagesIis": [
],
"responseSidPiiCore": [
],
"responseSidPiiEnhanced": [
],
"responseSidPci": [
],
"responseSidPhi": [
]
}
}
Sensitive Information Detection
Sensitive Information Detection (SID) allows you to identify where you have potential leakage of sensitive information.
WAF Security Policy Summary Log
When you apply a WAF policy to Runtime Fabric, and select the Detect sensitive information option in the WAF policy configuration, requests and responses will be inspected for leakage of sensitive information. Using a one minute collection interval the rtfWafSecurityPolicySummary
message reports a list of SID rules violated and the count of requests and responses violating the rules to the log.
The rtfWafSecurityPolicySummary
log contains the WAF categories and also shows the SID related categories. If any rules within the SID related categories are triggered, you see the rule ID and the count for the number of times the violation was detected. The count is a count of the number of requests and responses that violate a particular rule during the collection interval.
This is an example of the log, which shows that SID rule ID 600100
(TAXID) was detected one time in this payload during the collection interval, which triggered the requestSidPiiCore
category:
SID Summary Log
When you apply the WAF policy to Runtime Fabric and select the Detect sensitive information option, a rtfSidSummary
log is generated. The summary log contains a list of rule instances (rule ID, API, method, direction, and count) where at least one trigger occurred during the one-minute collection interval.
The count applies only to messages (request or response) and is how many messages in the collection interval triggered the rule instance.
For example, if the request is for a birth certificate application, and only one request occurred in the last minute, and the request contained:
DOB of Mother SSN of Mother DOB of Father SSN of Father DOB of Father DOB of Baby CCN to pay for the application
The summary message would contain three items—one for each rule violated (DOB, SSN, and CCN). In other words, every rule violation in one message is counted only once, even if there are multiple violations of the same rule in one message.
This is an example of the rtfSidSummary
log for a request where sensitive information (SSN) was detected in the payload.
{
"timeStamp": "2019-05-03T20:28:00.493Z",
"collectionIntervalInMinutes": "1",
"node": "node-host",
"sidSummary": [{
"api": "myapi",
"envId": "a2f87a26-6ee9-4843-a145-bf258e630aa8",
"method": "POST",
"rule": "Social Security Number key value pair",
"direction": "Request",
"count": 1
}]
}
Supported Content Types
SID rules match the following content-types for sensitive data tags and values:
-
Request Types:
-
text/plain
-
application/json
-
-
Response Types:
-
text/plain
-
application/json
-
Rule Categories
Sensitive information detection rules belong to rule categories, which include:
-
PII: Personally identifiable information, such as date of birth, social security number, passport number, and so on.
-
PCI: Payment card information, such as a Visa or Mastercard number.
-
PHI: Protected health information.
View SID Rules and Rule IDs in RAML
You can view the SID rules and rule IDs in the Anypoint Security Policies RAML.
-
Go to the public MuleSoft developer portal, and search for "Anypoint Security Policies API".
-
Download the RAML and extract the ZIP files.
-
Navigate to
<Download_location>/anypoint-security-policies-api-<version>-raml/dataTypes/policies/WafRules/Rulesets.json
. -
Search for "MULESOFT_SID", to see the SID rules and their details, including the name (
msg
) andid
.
This is an example of the RAML file content:
{ "id": 600780, "ver": "", "rev": "1", "phase": "response", "severity": "WARNING", "accuracy": "5", "maturity": "1", "taglist": ["MULESOFT_SID"], "msg": "VISA CARD", "variables": "RESPONSE_BODY", "operator": "UkVTUE9OU0VfQk9EWSAoPzwhWy5cdy1dKTRbMC05XXszfShbIC1dPylbMC05XXs0fVwxWzAtOV17NH1cMVswLTldezR9KD8hWy5cdy1dKQo=", "paranoia": 1, "chain": "no" }