Enable Spotlight Secure Attacker Fingerprints

WebApp Secure builds attacker fingerprints from characteristics of attacker web requests. This information can then be queried against the Spotlight Secure attacker database to help identify and report malicious activity. To use this service, you must enable it.

  1. In the WebApp Secure Web UI, navigate to Spotlight Secure > Attacker Fingerprints.
  2. Click the Enable button at the top of the window. To check settings or change defaults, click the Configure button to go to the Setup and Configuration window.
  3. In the Setup and Configuration window, select True from the Spotlight Enabled pulldown list to enable the service.

    Note: Navigate to Configuration > Processors and scroll down to Tracking Processors to check that the Client Fingerprint processor is enabled. It is required for this service.

  4. Back in the Attacker Fingerprints window, in the Server Address field, select the address of the Spotlight Secure server from the pulldown list. Once you select the address, click the Test Connection to the Spotlight Cloud Service link to make sure the server can be reached.
  5. For the remaining fields (Advanced Options), it’s recommended that you use the default values.
  6. Click the Save button.

Once an attacker from another site visits a page on your site, a Spotlight profile is created for that user. Having attackers from other sites consolidated in the Spotlight Secure window in the Web UI lets you keep close tabs on them. You can view the Spotlight profiles from the Spotlight Secure Attackers page. Each Spotlight Secure profile is displayed in a row, with information such as the Local Profile name, the Global (Spotlight Secure) profile name, and the first and last times seen both locally and globally.

Figure 71: Recent Attackers: Global and Local Names

You can view the Spotlight Secure attackers' activities on your system on the Sessions and Attackers page. They are displayed with the same information as local attackers, and are indicated by the Spotlight icon next to their name.

On the far left side of the Spotlight Secure Attackers table is a small icon representing the local threat of the attacker, as it pertains to your site. This is a fast way to scan through the Spotlight profiles and determine which ones might pose an immediate threat to your system. The severities range from Low to High.

Note: Spotlight Secure profiles now start to appear throughout the Web UI, indicated by the Spotlight Secure icon next to their Profile name. You can choose to display either Local or Global (Spotlight) names (or both) through the User Preferences screen.

Figure 72: User Preferences: Select Spotlight Secure Name Preference
