Private App Security admins have many ways to monitor and filter the data
depending on the particular use case:
The Apps Security page in the Strata Cloud Manager
Command Center offers a comprehensive overview of Private App
Security detections. This includes insights into the sources of private
application traffic and a ranking of the top applications by the number of
attacks. The page also emphasizes high-priority policies that require
administrative action. For instance, Previewed policies with a high
hit count may indicate detected but unblocked attacks due to their current
policy status.
Policy in Action pages offer a policy-centric view of Private App
Security detections, crucial for administrators to assess if a policy's impact
aligns with expectations or requires further refinement. They also present a
sorted list of rules with the highest number of hits, organized by policy.
The App Security dashboard offers an app-centric view of all App Security
detections. Administrators can use these pages to quickly identify which
applications are experiencing the most attacks and to filter data for an
app-specific view.
App Security in Command Center
The Command Center > Apps Security page provides an overview of the Private App Security detections,
allowing admins to easily understand the status of their environment (for example,
which applications are targeted the most and which attacks are on the rise) and the
key areas that require action (for example, newly discovered apps that have no App
Security, recommended policies accounting for the most anomalies).
In addition to overall visibility into Private App Security, admins can start
important app security workflows from the Command Center page. For instance:
Discovered Apps provides a list of the top
applications by traffic that Private App Security is discovering. Often,
these are applications that admins might not even know exist in their
environment and that have no Private App Security protection.
Remediating this risk by enabling, at a minimum, the Private App
Security OWASP Best Practices policy for these apps is very
straightforward. The View All link redirects the
admin to the app Discovery page, where the
applications can be defined and added to an app group that is already
associated with the OWASP Best Practices policies.
Previewed Policies provides a list of the top App Sec
policies in Preview state, sorted by the number of hits in the selected time
interval. A policy in Preview state only detects requests matching the
described criteria; any attacks still go through because the policy
is not enforced. This is why highlighting the Previewed
Policies with the highest number of hits gives the admin an
idea of where to focus their attention.
Admins can review the impact of previewed policies by
clicking on the policy count number. This redirects the admin to the
Policy in Action screen, where each policy has a detailed
report, including the list of affected applications, impacted sources,
geo distribution, and so on. From here the admin can decide whether the
policy can be enforced or whether it needs further tuning to obtain a different
outcome.
Policy in Action
From the Policy in Action page (Configuration > Application Services > App Security > Recommended, Previewed, and Enforced tabs), admins can define different policy types and assign them
different priorities. There are many scenarios where admins may need to evaluate the
impact of such policies: for instance, the admin needs to impose some new app
controls but is unsure whether the crafted policy has any unintended effects, such as
blocking the wrong users or impacting other apps. The admin can set the policy
status to Preview and inspect the resulting outcome of that
policy without any impact on the current traffic.
The page has three tabs, one per policy state, listing the
Recommended, Previewed, and Enforced policies sorted by the number of hits within
the selected time interval. For instance, on the Previewed tab, the top policy
by number of hits is selected by default and the admin can observe:
Creation Date—Time the policy was authored.
Last update—Time the policy was last changed.
Impacted users—Sources of policy hits in the selected time
interval.
Impacted apps—Targeted apps for the policy hits in the selected time
interval.
Map—Geographic distribution of the impacted users.
Alerted requests—The actual app requests that were matched
against this policy. The admin can click View details on one
of the requests to see all the critical request fields, including IP,
headers, and request method.
For all three tabs corresponding to policy status:
If the admin observes an unintended outcome, the admin can choose to edit
the policy further.
If the admin considers that the observed policy impact is the expected one,
they can make a data-driven decision and enforce the policy with one click
directly in the policy page.
App Security Dashboard
Very often, admins require an app-centric view to understand which apps are
heavily used in the enterprise and experiencing the most attack attempts, or which
apps have the lowest usage but the highest number of attacks detected.
The Insights > Application Security dashboard provides a
holistic view of all applications that are experiencing traffic in the selected time
interval. In the following image, each dot represents an app, with the X axis
position given by the amount of traffic each app generated, and the Y axis position
driven by the number of policy hits encountered (counting the requests targeting the
particular app).
Using the drag-and-drop function in the top graph, the admin can easily select
the type of apps to analyze (for example, apps with low traffic and many
attacks).
After the admin sets the context, they get a detailed view of:
The traffic variation in time destined for the selected application
Policy hits split by policy status
Outstanding policy recommendations for the selected apps
The policies associated with the selected apps that got any hits in the
selected interval
Sources of the policy hits along with direct links to the actual Private App
Security log
If the admin requires a very app-specific view (for example, they intend to
evaluate the attacks and policies attempted against a critical app in the
enterprise), a similar App Specific dashboard is available when the admin clicks on
any application name.