Cloud Armor - jsonPayload.enforcedSecurityPolicy.matchedFieldValue length

Hello.

I'd like to ask about a problem that occurred while trying to control Cloud Armor.

Among the logs in Cloud Armor, I think the only thing that can see the data in the attack payload is jsonPayload.enforcedSecurityPolicy.matchedFieldValue (required for attack analysis).

Is there a way to lift the restrictions as the corresponding value only comes up to 16 bytes?

Thank you.


Hi @Mapm ,

There is no direct way to increase the length limit of the matchedFieldValue field in Cloud Armor logs, as it is a fixed-size field that can't be changed. However, you can work around this limitation by collecting detailed logs from your web server or application logs, which may contain the full attack payload data.

1. Send the logs to a log sink in Cloud Logging for analysis and monitoring.
2. Configure your web server or application to log detailed information about incoming requests and responses. This may include the full HTTP request and response headers and bodies.
3. Use Cloud Logging queries to filter and analyze the logs based on specific criteria, such as the source IP address, request path, or HTTP status code.

Let me know if this helps.
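The correlation step this workaround needs, as an added example that is not part of the original answer or of any Google tooling: it joins Cloud Armor log entries to backend access-log records on the trace ID, so the 16-byte matchedFieldValue prefix can be expanded to the full logged value. It assumes the application writes JSON lines with the hypothetical keys trace_header (the X-Cloud-Trace-Context header the load balancer forwards), url and body; all sample entries are constructed.

```python
import json

# Constructed sample: load balancer log entries carrying Cloud Armor fields.
LB_ENTRIES = [
    {"trace": "projects/example-project/traces/0af7651916cd43dd8448eb211c80319c",
     "httpRequest": {"remoteIp": "203.0.113.7"},
     "jsonPayload": {"enforcedSecurityPolicy": {
         "outcome": "ACCEPT", "matchedFieldValue": "1' OR '1'='1' --"}}},
    {"trace": "projects/example-project/traces/4bf92f3577b34da6a3ce929d0e0e4736",
     "httpRequest": {"remoteIp": "198.51.100.9"},
     "jsonPayload": {"enforcedSecurityPolicy": {
         "outcome": "DENY", "matchedFieldValue": "<script>alert(1)"}}},
]

# Constructed sample: backend access log, one JSON object per line
# (key names are hypothetical, chosen for this example).
APP_LOG_LINES = [
    json.dumps({"trace_header": "0af7651916cd43dd8448eb211c80319c/1234;o=1",
                "url": "/login",
                "body": "user=admin&pass=1' OR '1'='1' -- text beyond the prefix"}),
]

def index_app_logs(lines):
    """Map trace ID -> parsed backend log record."""
    index = {}
    for line in lines:
        rec = json.loads(line)
        # Header format is TRACE_ID/SPAN_ID;o=OPTIONS, keep only the trace ID.
        trace_id = rec.get("trace_header", "").split("/", 1)[0]
        if trace_id:
            index[trace_id] = rec
    return index

def recover_payloads(lb_entries, app_lines):
    """Return one row per Cloud Armor match, with the full value when found."""
    index = index_app_logs(app_lines)
    rows = []
    for entry in lb_entries:
        policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy", {})
        prefix = policy.get("matchedFieldValue")
        if not prefix:
            continue
        rec = index.get(entry.get("trace", "").rsplit("/", 1)[-1])
        # A request the policy denied never reaches the backend: rec is None.
        full = None
        if rec:
            full = next((rec[k] for k in ("body", "url") if prefix in rec.get(k, "")), None)
        rows.append({"remote_ip": entry.get("httpRequest", {}).get("remoteIp"),
                     "outcome": policy.get("outcome"),
                     "prefix": prefix, "full_value": full})
    return rows
```

Rows whose full_value is None mark matches with no backend record, which is what a denied request looks like, since it is answered at the load balancer and never logged by the application.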

Hi @Marvin_Lucero 

Thank you for your answer.

You mentioned that you can configure a web server or application to log requests and responses, but I was wondering how to do this.

1. Are you telling me to set it up on a real web server/application with WAF or is there a service offered by the cloud?

2. Does this release the matchedFieldValue length or do I see the entire packet?

3. If the method is to use a cloud service, could you also let me know if the service name and additional costs are incurred?

Thank you.