Log or block requests

An In-App WAF custom rule is a tool you can use to fine-tune the behavior of your app's In-App WAF.

Whereas a Security Automation Playbook blocks specific actors (IP addresses or users), a custom rule logs or blocks specific requests. You can use these rules to track or block any request that matches a pattern you specify: a specific value in a field, a combination of fields, or the absence of a value in a field.

For example, you can use a custom rule to log all requests to your app that result in a 4XX response, or use it to enforce your internal best practices and block all requests that do not contain an authentication header.
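The two rules just described can be modeled in a few lines to show how conditions and actions combine. This is an added example, not Sqreen's rule engine or rule format. The field names, the /api/ path scoping on the blocking rule, the "strongest action wins" policy and the sample requests are all assumptions made for illustration.

```python
# Illustrative model only; not Sqreen's rule engine or rule format.
from dataclasses import dataclass

SEVERITY = {"Do nothing": 0, "Log": 1, "Block": 2}  # the three actions on the page

def header_absent(name):
    """Condition: header missing or blank (absence of a value in a field)."""
    def check(req):
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        return not headers.get(name.lower(), "").strip()
    return check

def status_class(digit):
    """Condition: response status in the given class, e.g. "4" for 4XX."""
    return lambda req: str(req.get("status", "")).startswith(digit)

def path_prefix(prefix):
    """Condition: URL path starts with prefix (specific value in a field)."""
    return lambda req: req.get("path", "").startswith(prefix)

@dataclass
class Rule:
    name: str
    conditions: list      # every condition must match (combination of fields)
    action: str           # "Log", "Block" or "Do nothing"
    activity: int = 0     # how many times the rule's conditions were met

def build_rules():
    return [
        Rule("log-4xx", [status_class("4")], "Log"),
        Rule("api-needs-auth", [path_prefix("/api/"), header_absent("Authorization")], "Block"),
    ]

def evaluate(rules, req):
    """Count activity per matching rule; assumed policy: strongest action wins."""
    verdict = "Do nothing"
    for rule in rules:
        if all(cond(req) for cond in rule.conditions):
            rule.activity += 1
            if SEVERITY[rule.action] > SEVERITY[verdict]:
                verdict = rule.action
    return verdict

# Constructed sample traffic (path, headers, resulting status).
SAMPLES = [
    {"path": "/api/orders", "headers": {"Authorization": "Bearer t0ken"}, "status": 200},
    {"path": "/api/orders", "headers": {"authorization": "  "}, "status": 401},
    {"path": "/missing", "headers": {}, "status": 404},
]

if __name__ == "__main__":
    rules = build_rules()
    for req in SAMPLES:
        print(req["path"], req["status"], "->", evaluate(rules, req))
    print({r.name: r.activity for r in rules})
```

The second sample carries a blank Authorization header, which the model treats as absent, so a header that is present but empty does not slip past the blocking rule.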

Create a custom rule

  1. From your Sqreen Dashboard, navigate to Configuration > In-App WAF, then click the "Custom rulesets" tab.
  2. Create a new ruleset first, supplying a name and description, then click "Add new rule".
  3. Define a name for your rule, then set the following:
    • one or more conditions such as "URL path" "has SQL injection"
    • an action, either "Log", "Block", or "Do nothing"
  4. Save the rule.
  5. Review and edit the rules in your ruleset to further fine-tune the way your In-App WAF logs and blocks requests.

Examine the output of the rule

In the "Custom rulesets" tab in the In-App WAF module, the table that displays the list of rules in the set includes a column for "Activity". The value in the column displays the number of times that activity in your app met the conditions of your custom rule. Click the value to drill deeper and examine the security activity details.

You can also examine the output of your rule(s) from the Sqreen Dashboard. Navigate to Security Activity and review the In-App Activity that Sqreen monitored. Any activity that met the conditions of your custom rule(s) appears in the list of activities with a tag to indicate that it followed your rule.