``` Purpose: pull one F5 ASM event (index=f5, sourcetype=f5_asm, a single support_id) from a fixed ten-minute window and lay its violation details out as a table sorted by _time. ```
``` Stage 1 - three rex commands read the User-Agent, Host and Referer header values out of _raw. NOTE(review): the capture groups appear here as "(?.*?)" with no name, which is not a valid named group; the table lists user_agent, host_hdr and referer, so those are presumably the intended names - confirm against the original search. ```
``` Stage 2 - the rex mode=sed chain maps decimal codes 0-127 found in violation_details to "NAME decimal %HEX 0xhex," (an ASCII lookup, e.g. 10 -> LF 10 %0A 0x0a). NOTE(review): as displayed every pattern is a bare, unanchored number with the g flag and the expressions run in order, so the single-digit rules rewrite every digit in the field before the two- and three-digit rules run. The patterns were presumably anchored on surrounding markup that is missing from this copy - verify before trusting the metachar output. ```
``` Stage 3 - replace drops the leading /Common/ from policy_name. ```
``` Stage 4 - rex max_match=10 and max_match=1000 pull repeated values out of violation_details (at most 10 or 1000 matches per event are kept). NOTE(review): most of these patterns have lost their capture-group name and any literal prefix ("(?[^<]+)", "(?(.*?))", "(?P(.*?))"), so which field each one fills cannot be told from this copy; only the ten length patterns still show their anchors (total_len>, post_len>, qs_len>, uri_len>, actual_value_length> and their limit counterparts). ```
``` Stage 5 - mvdedup removes repeated values from each multivalue field (extension is deduplicated twice, which is harmless); replace turns blk_mask values 4, 6 and 7 into readable labels. ```
``` Stage 6 - code ... method=base64 action=decode writes a decoded copy of each field to a matching *_dec field. NOTE(review): code is not a core SPL command as far as I know - presumably provided by an installed app; confirm it is available where this runs. ```
``` Handling: the *_dec, request and response columns carry request content chosen by the client, decoded to clear text, and can include cookie, header and parameter values. Treat the result set as sensitive (session tokens, credentials) and as untrusted text: limit who can run or share it and do not render the decoded values as HTML in a dashboard. ```
earliest="06/06/2023:19:10:00" latest="06/06/2023:19:20:00" index=f5 AND sourcetype=f5_asm AND support_id=9216504019076316805 | rex field=_raw "User-Agent: (?.*?)\\\r\\\n" | rex field=_raw "Host: (?.*?)\\\r\\\n" | rex field=_raw "Referer: (?.*?)\\\r\\\n" | rex field=violation_details mode=sed "s#0#NUL 0 %0 0x0,#g" | rex field=violation_details mode=sed "s#1#SOH 1 %1 0x1,#g" | rex field=violation_details mode=sed "s#2#STX 2 %2 0x2,#g" | rex field=violation_details mode=sed "s#3#ETX 3 %3 0x3,#g" | rex field=violation_details mode=sed "s#4#EOT 4 %4 0x4,#g" | rex field=violation_details mode=sed "s#5#ENQ 5 %5 0x5,#g" | rex field=violation_details mode=sed "s#6#ACK 6 %6 0x6,#g" | rex field=violation_details mode=sed "s#7#BEL 7 %7 0x7,#g" | rex field=violation_details mode=sed "s#8#BS 8 %8 0x8,#g" | rex field=violation_details mode=sed "s#9#HT 9 %9 0x9,#g" | rex field=violation_details mode=sed "s#10#LF 10 %0A 0x0a,#g" | rex field=violation_details mode=sed "s#11#VT 11 %0B 0x0b,#g" | rex field=violation_details mode=sed "s#12#FF 12 %0C 0x0c,#g" | rex field=violation_details mode=sed "s#13#CR 13 %0D 0x0d,#g" | rex field=violation_details mode=sed "s#14#SO 14 %0E 0x0e,#g" | rex field=violation_details mode=sed "s#15#SI 15 %0F 0x0f,#g" | rex field=violation_details mode=sed "s#16#DLE 16 %10 0x10,#g" | rex field=violation_details mode=sed "s#17#DC1 17 %11 0x11,#g" | rex field=violation_details mode=sed "s#18#DC2 18 %12 0x12,#g" | rex field=violation_details mode=sed "s#19#DC3 19 %13 0x13,#g" | rex field=violation_details mode=sed "s#20#DC4 20 %14 0x14,#g" | rex field=violation_details mode=sed "s#21#NAK 21 %15 0x15,#g" | rex field=violation_details mode=sed "s#22#SYN 22 %16 0x16,#g" | rex field=violation_details mode=sed "s#23#ETB 23 %17 0x17,#g" | rex field=violation_details mode=sed "s#24#CAN 24 %18 0x18,#g" | rex field=violation_details mode=sed "s#25#EM 25 %19 0x19,#g" | rex field=violation_details mode=sed "s#26#SUB 26 %1A 0x1a,#g" | rex field=violation_details mode=sed 
"s#27#ESC 27 %1B 0x1b,#g" | rex field=violation_details mode=sed "s#28#FS 28 %1C 0x1c,#g" | rex field=violation_details mode=sed "s#29#GS 29 %1D 0x1d,#g" | rex field=violation_details mode=sed "s#30#RS 30 %1E 0x1e,#g" | rex field=violation_details mode=sed "s#31#US 31 %1F 0x1f,#g" | rex field=violation_details mode=sed "s#32#SPACE 32 %20 0x20,#g" | rex field=violation_details mode=sed "s#33#! 33 %21 0x21,#g" | rex field=violation_details mode=sed "s#34#\" 34 %22 0x22,#g" | rex field=violation_details mode=sed "s@35@# 35 %23 0x23,@g" | rex field=violation_details mode=sed "s#36#$ 36 %24 0x24,#g" | rex field=violation_details mode=sed "s#37#% 37 %25 0x25,#g" | rex field=violation_details mode=sed "s#38#\& 38 %26 0x26,#g" | rex field=violation_details mode=sed "s#39#' 39 %27 0x27,#g" | rex field=violation_details mode=sed "s#40#( 40 %28 0x28,#g" | rex field=violation_details mode=sed "s#41#) 41 %29 0x29,#g" | rex field=violation_details mode=sed "s#42#* 42 %2A 0x2a,#g" | rex field=violation_details mode=sed "s#43#+ 43 %2B 0x2b,#g" | rex field=violation_details mode=sed "s#44#, 44 %2C 0x2c,#g" | rex field=violation_details mode=sed "s#45#- 45 %2D 0x2d,#g" | rex field=violation_details mode=sed "s#46#. 
46 %2E 0x2e,#g" | rex field=violation_details mode=sed "s#47#/ 47 %2F 0x2f,#g" | rex field=violation_details mode=sed "s#48#0 48 %30 0x30,#g" | rex field=violation_details mode=sed "s#49#1 49 %31 0x31,#g" | rex field=violation_details mode=sed "s#50#2 50 %32 0x32,#g" | rex field=violation_details mode=sed "s#51#3 51 %33 0x33,#g" | rex field=violation_details mode=sed "s#52#4 52 %34 0x34,#g" | rex field=violation_details mode=sed "s#53#5 53 %35 0x35,#g" | rex field=violation_details mode=sed "s#54#6 54 %36 0x36,#g" | rex field=violation_details mode=sed "s#55#7 55 %37 0x37,#g" | rex field=violation_details mode=sed "s#56#8 56 %38 0x38,#g" | rex field=violation_details mode=sed "s#57#9 57 %39 0x39,#g" | rex field=violation_details mode=sed "s#58#: 58 %3A 0x3a,#g" | rex field=violation_details mode=sed "s#59#; 59 %3B 0x3b,#g" | rex field=violation_details mode=sed "s#60#< 60 %3C 0x3c,#g" | rex field=violation_details mode=sed "s#61#= 61 %3D 0x3d,#g" | rex field=violation_details mode=sed "s#62#> 62 %3E 0x3e,#g" | rex field=violation_details mode=sed "s#63#? 
63 %3F 0x3f,#g" | rex field=violation_details mode=sed "s#64#@ 64 %40 0x40,#g" | rex field=violation_details mode=sed "s#65#A 65 %41 0x41,#g" | rex field=violation_details mode=sed "s#66#B 66 %42 0x42,#g" | rex field=violation_details mode=sed "s#67#C 67 %43 0x43,#g" | rex field=violation_details mode=sed "s#68#D 68 %44 0x44,#g" | rex field=violation_details mode=sed "s#69#E 69 %45 0x45,#g" | rex field=violation_details mode=sed "s#70#F 70 %46 0x46,#g" | rex field=violation_details mode=sed "s#71#G 71 %47 0x47,#g" | rex field=violation_details mode=sed "s#72#H 72 %48 0x48,#g" | rex field=violation_details mode=sed "s#73#I 73 %49 0x49,#g" | rex field=violation_details mode=sed "s#74#J 74 %4A 0x4a,#g" | rex field=violation_details mode=sed "s#75#K 75 %4B 0x4b,#g" | rex field=violation_details mode=sed "s#76#L 76 %4C 0x4c,#g" | rex field=violation_details mode=sed "s#77#M 77 %4D 0x4d,#g" | rex field=violation_details mode=sed "s#78#N 78 %4E 0x4e,#g" | rex field=violation_details mode=sed "s#79#O 79 %4F 0x4f,#g" | rex field=violation_details mode=sed "s#80#P 80 %50 0x50,#g" | rex field=violation_details mode=sed "s#81#Q 81 %51 0x51,#g" | rex field=violation_details mode=sed "s#82#R 82 %52 0x52,#g" | rex field=violation_details mode=sed "s#83#S 83 %53 0x53,#g" | rex field=violation_details mode=sed "s#84#T 84 %54 0x54,#g" | rex field=violation_details mode=sed "s#85#U 85 %55 0x55,#g" | rex field=violation_details mode=sed "s#86#V 86 %56 0x56,#g" | rex field=violation_details mode=sed "s#87#W 87 %57 0x57,#g" | rex field=violation_details mode=sed "s#88#X 88 %58 0x58,#g" | rex field=violation_details mode=sed "s#89#Y 89 %59 0x59,#g" | rex field=violation_details mode=sed "s#90#Z 90 %5A 0x5a,#g" | rex field=violation_details mode=sed "s#91#[ 91 %5B 0x5b,#g" | rex field=violation_details mode=sed "s#92#\\\ 92 %5C 0x5c,#g" | rex field=violation_details mode=sed "s#93#] 93 %5D 0x5d,#g" | rex field=violation_details mode=sed "s#94#^94 %5E 0x5e,#g" | rex field=violation_details 
mode=sed "s#95#_ 95 %5F 0x5f,#g" | rex field=violation_details mode=sed "s#96#` 96 %60 0x60,#g" | rex field=violation_details mode=sed "s#97#a 97 %61 0x61,#g" | rex field=violation_details mode=sed "s#98#b 98 %62 0x62,#g" | rex field=violation_details mode=sed "s#99#c 99 %63 0x63,#g" | rex field=violation_details mode=sed "s#100#d 100 %64 0x64,#g" | rex field=violation_details mode=sed "s#101#e 101 %65 0x65,#g" | rex field=violation_details mode=sed "s#102#f 102 %66 0x66,#g" | rex field=violation_details mode=sed "s#103#g 103 %67 0x67,#g" | rex field=violation_details mode=sed "s#104#h 104 %68 0x68,#g" | rex field=violation_details mode=sed "s#105#i 105 %69 0x69,#g" | rex field=violation_details mode=sed "s#106#j 106 %6A 0x6a,#g" | rex field=violation_details mode=sed "s#107#k 107 %6B 0x6b,#g" | rex field=violation_details mode=sed "s#108#l 108 %6C 0x6c,#g" | rex field=violation_details mode=sed "s#109#m 109 %6D 0x6d,#g" | rex field=violation_details mode=sed "s#110#n 110 %6E 0x6e,#g" | rex field=violation_details mode=sed "s#111#o 111 %6F 0x6f,#g" | rex field=violation_details mode=sed "s#112#p 112 %70 0x70,#g" | rex field=violation_details mode=sed "s#113#q 113 %71 0x71,#g" | rex field=violation_details mode=sed "s#114#r 114 %72 0x72,#g" | rex field=violation_details mode=sed "s#115#s 115 %73 0x73,#g" | rex field=violation_details mode=sed "s#116#t 116 %74 0x74,#g" | rex field=violation_details mode=sed "s#117#u 117 %75 0x75,#g" | rex field=violation_details mode=sed "s#118#v 118 %76 0x76,#g" | rex field=violation_details mode=sed "s#119#w 119 %77 0x77,#g" | rex field=violation_details mode=sed "s#120#x 120 %78 0x78,#g" | rex field=violation_details mode=sed "s#121#y 121 %79 0x79,#g" | rex field=violation_details mode=sed "s#122#z 122 %7A 0x7a,#g" | rex field=violation_details mode=sed "s#123#{ 123 %7B 0x7b,#g" | rex field=violation_details mode=sed "s#124#| 124 %7C 0x7c,#g" | rex field=violation_details mode=sed "s#125#} 125 %7D 0x7d,#g" | rex 
field=violation_details mode=sed "s#126#~ 126 %7E 0x7e,#g" | rex field=violation_details mode=sed "s#127#DELETE 127 %7F 0x7f,#g" | replace "/Common/*" with * in policy_name | rex max_match=10 field=violation_details "(?[^<]+)" | eval buffer=mvdedup(buffer) | rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?
[^<]+)" | rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?(.*?))" |rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?[^<]+)" |rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "(?[^<]+)" | rex max_match=10 field=violation_details "total_len>(?[^<]+)" | rex max_match=10 field=violation_details "total_len_limit>(?[^<]+)" | rex max_match=10 field=violation_details "post_len>(?[^<]+)" | rex max_match=10 field=violation_details "post_len_limit>(?[^<]+)" | rex max_match=10 field=violation_details "qs_len>(?[^<]+)" | rex max_match=10 field=violation_details "qs_len_limit>(?[^<]+)" | rex max_match=10 field=violation_details "uri_len>(?[^<]+)" | rex max_match=10 field=violation_details "uri_len_limit>(?[^<]+)" | rex max_match=10 field=violation_details "actual_value_length>(?[^<]+)" | rex max_match=10 field=violation_details "expected_value_length>(?[^<]+)" | rex max_match=1000 field=violation_details "(?P(.*?))" | rex max_match=1000 field=violation_details "(?P(.*?))" | rex max_match=1000 field=violation_details "(?P(.*?))" | rex max_match=1000 field=violation_details "(?P(.*?))" | rex max_match=1000 field=violation_details "(?P(.*?))" | rex max_match=1000 field=violation_details "(?P(.*?))" | rex max_match=1000 field=violation_details "(?P(.*?))" | eval viol_name=mvdedup(viol_name) | eval staging=mvdedup(staging) | eval vd_sigs=mvdedup(vd_sigs) | eval metachar=mvdedup(metachar) | eval blk_mask=mvdedup(blk_mask) | eval cookie_name=mvdedup(cookie_name) | eval cookie_value=mvdedup(cookie_value) | eval extension=mvdedup(extension) | eval name=mvdedup(name) | eval param_name=mvdedup(param_name) | eval object=mvdedup(object) | eval value=mvdedup(value) | eval header=mvdedup(header) | eval header_value=mvdedup(header_value) | eval param_value=mvdedup(param_value) | eval extension=mvdedup(extension) | eval wildmatch=mvdedup(wildmatch) | 
eval enforced=mvdedup(enforced) | replace "4" with "Staging/Passed", "6" with "Monitor/Alerted", "7" with "Deny/Blocked" in blk_mask | code field=http_sub_violation method=base64 action=decode destfield=http_sub_violation_dec | code field=buffer method=base64 action=decode destfield=buffer_dec | code field=cookie_name method=base64 action=decode destfield=cookie_name_dec | code field=cookie_value method=base64 action=decode destfield=cookie_value_dec | code field=extension method=base64 action=decode destfield=extension_dec | code field=name method=base64 action=decode destfield=name_dec | code field=param_name method=base64 action=decode destfield=param_name_dec | code field=object method=base64 action=decode destfield=object_dec | code field=value method=base64 action=decode destfield=value_dec | code field=header method=base64 action=decode destfield=header_dec | code field=header_value method=base64 action=decode destfield=header_value_dec | code field=param_value method=base64 action=decode destfield=param_value_dec | table src_ip,_time,unit_hostname,user_agent,referer,host_hdr,uri,uri_query,method,resp_code,severity,action,viol_name,violations,sub_violations,attack_type,blk_mask,staging,policy_name,vd_sigs,sig_names,staged_sig_ids,staged_sig_names,wildmatch,enforced,metachar,buffer,buffer_dec,cookie_name,cookie_name_dec,cookie_value,cookie_value_dec,extension,extension_dec,name,name_dec,param_name,param_name_dec,object,object_dec,value,value_dec,header,header_dec,header_value,header_value_dec,param_value,param_value_dec,req_len,req_limit,post_len,post_limit,qs_len,qs_limit,uri_len,uri_limit,val_len,val_limit,http_sub_violation,http_sub_violation_dec,violation_details,request,response,support_id | sort _time