Enabling Active Threat Verification Globally or for Specific Endpoints ¶
Wallarm's Active Threat Verification module can be enabled either globally, affecting all endpoints where the filtering node is set up, or individually for specific endpoints. This article provides instructions on managing the module's behavior.
Enabling the module globally¶
Active Threat Verification is disabled by default. To enable it globally:
-
Ensure you have an active Advanced API Security subscription plan. The module is only available under this plan.
If you are on a different plan, please contact our sales team to transition to the required one.
-
Proceed to Wallarm Console → Vulnerabilities → Configure by following the link for the US Cloud or EU Cloud, and toggle on the Active threat verification switch.
This action enables the module for all resources where the filtering node is configured.
Controlling the module mode for specific endpoints¶
Once the module is globally enabled, you can customize its behavior for specific endpoints using the corresponding rule. Here is how:
-
Proceed to Wallarm Console → Rules → create the Set mode of active threat verification rule.
-
Fill in the rule creation form following the instructions:
- If request is specifies the endpoints to apply the rule to.
- Disable / Enable sets the mode of the module for attacks sent to the specified endpoints.
Use the Enable setting to make exceptions for a rule that disables the module (e.g., enabling for
https://example.com/module/user/create
while it is disabled forhttps://example.com/module/user/*
). -
Wait for the custom ruleset compilation to complete.
Enabling the module for specific endpoints¶
To enable the module for specific endpoints only:
-
Enable the module globally in Wallarm Console → Vulnerabilities → Configure.
-
Disable the module for all endpoints by creating the Set mode of active threat verification rule and leaving the If request is section empty.
-
Create Set mode of active threat verification rules to enable the module for specific hosts, applications, or endpoints by describing them in the If request is rule section.
Here is how the rule looks when disabling the module for all endpoints:
If the rule mentioned above is already active, the following rule would enable the module for https://example.com/module/user/create
:
Alternatively, you can disable the module by applying a rule for the URL and then enable it for specific endpoints related to that URL.
Disabling the module for specific endpoints¶
For endpoints without a staging environment, especially those that are non-idempotent or lack an authentication mechanism, it is recommended to disable attack replay. Without these safeguards, the module might inadvertently repeat harmful actions, such as processing monetary transactions multiple times or repeatedly creating new accounts.
To disable the module for specific endpoints:
-
Enable the module globally in Wallarm Console → Vulnerabilities → Configure.
-
Disable the module for the required endpoints using the Set mode of active threat verification rule. Describe these endpoints in the If request is rule section.
Consider a non-idempotent endpoint like POST https://example.com/api/purchase
on an online shopping platform that handles actions such as deducting inventory and charging user accounts. If this action is accidentally repeated by the module, it could lead to such consequences as multiple charges for a single item. Therefore, for such endpoints in a production environment, it is recommended to disable attack replay. For such an endpoint, the rule would look like this: