Azure/Azure-Network-Security

Add ruleId_s to query output

Closed this issue · 3 comments

Is your feature request related to a problem? Please describe.
In order to tune the WAF (i.e. disable offending rules) the actual rule ID is needed. While this can still be found using the text of the message, it takes extra steps.

Describe the solution you'd like
Please return ruleId_s as part of the LAW queries.

Describe alternatives you have considered
I thought about adding this myself to the deployed version of the workbook I have, except those changes would be lost the next time we updated to the latest official version.

Thank you @JustinGalbraith, this is being reviewed by the appropriate members of the team.

@JustinGalbraith Please take a look at the WAF triage workbook. This feature to dig further on the signature ID exists with a single click. I will be closing this issue, feel free to re-open it if you have additional questions.

@tobystic
By a strange coincidence, I found that workbook last week and almost immediately started including it in my automation. That workbook definitely has everything that is needed to tune for false positives.

I'm satisfied that the Triage workbook does what I need.

Thanks for the help!