Security Insights

Overview

StackPath provides WAF Professional and Enterprise customers with enhanced visibility into potential security threats through system-generated Insights and Recommendations within Security Insights. 

Insights are pieces of information that help you to understand any potential security threats such as site misconfigurations, mismanagement of rules, and more. Each Insight StackPath generates is paired with a Recommendation, which will instruct you on how to resolve the issue highlighted by the Insight.

Access your Insights by clicking on the Security Insights tab on the left-side navigation menu.

This guide will further explain what Security Insights are and how to interact with them.

Insight Types

Security Insights are categorized by the following Insight types: Attack on Disabled Policy and Allowed High Risk IP:

Each Insight type will contain the following fields:

• Description - High-level description of the Insight type
• Recommendation -Text that informs the user how to mitigate the Insight

The Security Insights feature provides you with a Portal view of unique Insights and when they were first seen and last seen on your site. 

Further details on the fields associated with each Insight type are listed in our Security Insights Glossary. As StackPath's list of Security Insights is ever expanding, users can refer to the Security Insights Glossary for a full, up-to-date accounting of all Security Insight types. 

Status

Insights can be filtered based on their status:

1. Unread - A new Insight that came into the system has not been acknowledged
2. Read - An Insight that was viewed by the user, but they want to keep the Insight in their Inbox to action on it
3. Closed - The Insight will be dealt with by the user, and will be deleted from the system 30 days after closure date. When an Insight is Closed, the system will not generate further notifications of that Insight until the Insight is deleted. Closed Insights can be reopened prior to their deletion date if needed. 

Silencing Rules

StackPath provides the option to "silence" an Insight. Silencing an Insight means that you are aware of the Insight and its Recommendation, but you neither want to take any action towards it yet, nor do you want to close it. Silencing an Insight will pause notifications temporarily.

You are able to choose which parameters of an Insight you would like to silence. For example, a typical Insight would appear in your inbox as follows:

A request originated from a high-risk IP: "1.2.3.4", but it was allowed by rule: "Allow all requests from AWS  (id:14)"

Here are some ways in which you can silence different parts of this particular Insight:

1. Silence any Insight of type “High-risk IP Allowed” where IP: "1.2.3.4" is allowed by any rule

2. Silence any Insight of type “High-risk IP Allowed” where any IP is allowed by the rule "Allow all requests from AWS (id:14)"

3. Silence any Insight type of "High-risk IP Allowed"

You can disable the Silence function and reinstate notifications for an Insight via the Manage Silence Rules gear on the top right of your Security Insights page.

To edit or delete an existing Silence Rule, navigate to the Manage Silence Rules menu, then click the three dots button under the Action column.

From here, you can manage when you would like to receive notifications again.

If you do not want to receive any Insights, then silence both Insight Types (Attack on Disabled Policy and Allowed High Risk IP).

Enabling the Feature

If you are a StackPath WAF Professional or Enterprise customer, you are entitled to receive Security Insights at no additional cost. To enable this on your site, please contact Support. Note that this feature needs to be enabled for each site, so be sure to reach out to Support when onboarding new WAF sites onto your StackPath account. 

Once enabled, it may take up to one hour to start receiving Insights.