Threat Analysis (WAF Dashboard)

Applies To:

HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.

HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.

ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.

WAF Essential (Legacy)WAF Essential (Legacy) provides basic protection against DDoS, application layer attacks, and volumetric attacks. Consider using WAF for a more robust solution.

This article explains the legacy version of WAF Essential that will undergo end-of-life on June 30, 2021. Our new version of WAF Essentials expands upon all of the capabilities offered by the legacy version of WAF Essential with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

The following information is only applicable for the WAF Essential product. This security offering provides limited Web Application Firewall and Rate Limiting functionality.

The dashboard provides an avenue through which a historical analysis of recent threats to site traffic may be performed. This type of an analysis provides the means through which you may:

Visualize the time periods during which site traffic is most heavily targeted.
Understand the variety, frequency, and severity of illegitimate traffic.
Identify the countries from which illegitimate traffic originates.
Identify key individual offenders by their IP address.
Learn detailed information on the types of attack being mounted against your site.

This article describes how to use:

Chart view.
Event log view.
Filters.

Usage

The dashboard contains two different views through which threat analysis may be performed, which are:

Chart
Event Log

To view the WAF Dashboard

Navigate to the chart view of the WAF Dashboard page. How?From the main menu, navigate to Defend | WAF Essential | Dashboard.

The dashboard will display a chart showing recent violations of your security policy.
Optional. View event log data by clicking Event Logs from the side navigation bar.

Chart View

Chart view is a useful tool for detecting patterns for objectionable traffic directed to your origin servers. This view consists of two basic components:

Component	Description
Chart	A chart or line graph displays the number of malicious threats detected over a given time period. By default, a single line on the graph represents all malicious traffic. Alternatively, categorize malicious traffic by selecting the desired categorization criteria from the option that appears directly above the graph. A line will be drawn on the chart for each unique value. For example, if you select Profile Type and requests were screened by a production and audit profile, then the graph will contain a line for audit and another one for production. By default, graphing malicious traffic by type will include up to the 10 most popular entries. Customize this limit through the Max Top Number option. This option also affects the maximum number of unique entries that may be listed for each type of statistic listed under the graph.
Statistics	Statistics on the malicious threats detected over a given time period are displayed directly below the chart. Statistics are broken down by category. View category definitions. By default, statistics for up to the 10 most popular entries may be displayed for each category. Customize this limit through the Max Top Number option. This option also affects the maximum number of lines that may be graphed. The following information is displayed for each category: Value: Groups malicious threats by the request's value for the current category. The following illustration shows a partial listing of valuesSpecifically, it shows "Blacklist Country Match" and "Detects MySQL comment-/space-obfuscated injections and backtick termination." for the "Rule Message" category. %: Indicates the percentage of detected threats over a given time period that belong to the group identified by the Value field. Events: Indicates the number of detected threats that belong to the group identified by the Value field. Percentages are calculated on the total threats detected during the given time period. Since there is a limit of 10 entries per category, the sum of the percentages for larger categories will not add up to 100%.

Component

Description

Chart

A chart or line graph displays the number of malicious threats detected over a given time period.

By default, a single line on the graph represents all malicious traffic. Alternatively, categorize malicious traffic by selecting the desired categorization criteria from the option that appears directly above the graph. A line will be drawn on the chart for each unique value. For example, if you select Profile Type and requests were screened by a production and audit profile, then the graph will contain a line for audit and another one for production.

By default, graphing malicious traffic by type will include up to the 10 most popular entries. Customize this limit through the Max Top Number option. This option also affects the maximum number of unique entries that may be listed for each type of statistic listed under the graph.

Statistics

Statistics on the malicious threats detected over a given time period are displayed directly below the chart. Statistics are broken down by category.

View category definitions.

By default, statistics for up to the 10 most popular entries may be displayed for each category. Customize this limit through the Max Top Number option. This option also affects the maximum number of lines that may be graphed.

The following information is displayed for each category:

Value: Groups malicious threats by the request's value for the current category.

The following illustration shows a partial listing of valuesSpecifically, it shows "Blacklist Country Match" and "Detects MySQL comment-/space-obfuscated injections and backtick termination." for the "Rule Message" category.
%: Indicates the percentage of detected threats over a given time period that belong to the group identified by the Value field.
Events: Indicates the number of detected threats that belong to the group identified by the Value field.

Percentages are calculated on the total threats detected during the given time period. Since there is a limit of 10 entries per category, the sum of the percentages for larger categories will not add up to 100%.

Key information:

By default, a chart includes all rule violations within the last seven days.
- The chart may be filtered by the criteria listed directly below it. Additional filters are available when viewing an individual alert from the event log.
- The time period being charted may be adjusted through the Time Range option.
  - This option is displayed directly to the left of the chart.
  - The unit associated with the selected time period determines whether events will be graphed by minute, hour, or day.
A timeline, which appears directly below the chart, displays a mini-chart for the time period defined by the Time Range option. Use this timeline to update the chart to only display data for either of the following time periods:
- Custom Time Period: Click and drag anywhere in the timeline to update the chart to only display the selected time period.
- Entire Time Period: Click anywhere in the timeline to clear the selection. After which, the chart will now display the entire time period defined by the Time Range option.
Hovering over the line graph will indicate the exact number of warnings that took place during that time slot.

Event Log View

This view provides the means to delve into the details of an illegitimate request. The information derived from this view provides a deeper understanding as to why a request was deemed objectionable and the type of attacks being mounted on an origin server.

The event log contains a list of recent rule violations. The header bar for each violation uses the syntax described below.

Syntax:

Anomaly Score Threshold Exceeded, Total Score:

Example:

Anomaly Score Threshold Exceeded, Total Score: 5 10s ago 15:01:23.45 UTC

Field Definitions

Clicking on a rule violation will expand that entry and display detailed information about it. A brief description for each field used to describe rule violations is provided below.

Field	Description
Action Type	Indicates the type of action that was taken in response to the rule violation. Valid values are: BLOCK_REQUEST: Indicates that the request that violated a rule was blocked. NOP: Indicates that an alert was generated in response to the rule violation. REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field. CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.
Client IP	Identifies the IP address of the client from which the request originated.
Country Name	Identifies the country from which the request originated by its name.
Instance Name	Indicates the name of the instance that activated the profile containing the rule that the requested violated.
Profile Name	Indicates the name of the profile that the request violated.
Profile Type	Indicates whether the request was screened as a result of an instance’s production or audit profile.
Referer	Indicates the request’s referrer as defined by the Referer request header.
Rule ID	Indicates the ID for the rule that the request violated. This field indicates that the rule met or exceeded the maximum anomaly score. Please refer to the Sub Event(s) section, which contains a sub event for each rule violated by a request, to find out why the request was flagged or blocked. Each sub event indicates the rule that was violated and the data used to identify the violation. Learn more.
Rule Message	Provides a description of the rule that the request violated. Syntax: Inbound Anomaly Score Exceeded (Total Score: 3, SQLi=0, XSS=0): Last Matched Message: Rule MessageThis term represents the message for the last rule that the request violated. This field indicates the request's anomaly score and the last rule that it violated. Please refer to the Sub Event(s) section, which contains a sub event for each rule violated by a request, to find out why the request was flagged or blocked. Each sub event indicates the rule that was violated and the data used to identify the violation. Learn more.
Timestamp	Indicates the date and time (UTC) at which the rule violation occurred. Format:YYYY-MM-DD hh:mm:ss.millisecondsIdentifies a date and time (UTC/GMT) using a 24 hour format (e.g., 2021-07-08 15:00:22.123).
URL	Indicates the URL of the request that triggered the rule violation.
User Agent	Indicates the user agent that submitted the request that triggered the rule violation. This information is derived from the User-Agent request header.

Sub Events

In addition to the core set of fields described above, a sub event for each rule that was violated by the request will be reported. The syntax for the header bar associated with each sub event is described below.

Anomaly Score Threshold Exceeded, Total Score: #

Each sub event contains the following fields:

Field	Description
Matched Data	This field has been deprecated. Indicates the client-side data that triggered the violation.
Matched On	Indicates a variable that identifies where the violation was found.
Matched Value	Indicates the value of the variable defined by the Matched On field. Standard security practices dictate that measures should be taken to prevent sensitive data (e.g., credit card information or passwords) from being passed as clear text from the client to your origin server. Another incentive for encrypting sensitive data is that it will be logged by our system when an alert is triggered as a result of this data. If sensitive data cannot be encrypted or obfuscated, then it is strongly recommended to contact our technical customer support to disable logging for the Matched Value field.
Operator Name	Identifies a rule parameter that was violated.
Operator Parameter	Indicates the value assigned to the rule parameter that was violated.
Rule ID	Indicates the ID for the rule that the request violated.
Rule Message	Provides a description of the rule that the request violated.
Rule Tags	Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated. Naming convention: Rule Set/CategoryIdentifies whether the request violated a rule, an access control, or the delivery profile./Subcategory View sample values that identify a policy. OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ OWASP_CRS/WEB_ATTACK/SQL_INJECTION View sample values that identify a blacklist criterion. BLACKLIST/IP BLACKLIST/COUNTRY BLACKLIST/REFERRER BLACKLIST/URL View a sample value that identifies a setting. OWASP_CRS/POLICY/SIZE_LIMIT
Total Anomaly Score	Indicates the anomaly score assigned to the request. This score is determined by the number of rules that were violated and their severity.

Filters

Both the chart and the event log will be filtered by the time at which the violation occurred. Use the Time Range option to define the relative time period from the present (e.g., Last 12 hours or Last 7 Days) for which data will be reported in the dashboard.

Events will be reported using the selected time unit (i.e., events per minute, hour, or day).

Additionally, events may be filtered using one or more of the following criteria:

Filter	Description
Action Type	Filters requests by the manner in which the violation was handled. Valid values are: BLOCK_REQUEST: Indicates that the request that violated a rule was blocked. NOP: Indicates that an alert was generated in response to the rule violation. REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field. CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.
Client IP	Filters requests by the IP address of the client from which it originated.
Country Code	Filters requests by country of origin. Identify a country by its country code.
Instance Name	Filters requests by the instance that triggered the violation. An instance is identified by its name.
Profile Type	Filters requests by the type of profile (i.e., production or audit) that triggered the violation. A production and an audit profile may be defined for each instance. This configuration determines the value that will be reported by this field.
Rule ID Rule Message	Filters requests by the type of rule that was violated. Filter the dashboard by rule by clicking on the desired rule message or ID. Filtering by rule message or ID will include all related rule messages/ID.
URL	Filters requests by the request URL.
User Agent	Filters requests by user agent.

Key information:

Most filters may be applied by simply clicking on the desired entry. After which, the icon will be displayed next to it. This icon indicates that the dashboard is being filtered by that entry.
- Chart: Look for the statistics shown under the graph and then click on the desired value to filter for all requests that match it.
- Event Log: Expand a rule violation and then click on the desired field value.
Blue font indicates a field value that may be applied as a filter to the dashboard.

Filtering by rule message or ID will filter for the selected rule and all other rules that contributed to the violation of the anomaly score threshold.
The Time Range option is different from other filters in that it is mandatory. Specify the time period by which the chart and the event log will be filtered.
The Filters section, which appears on the left-hand side of the dashboard, displays a list of active filters. It also allows a filter to be cleared by clicking on the icon displayed next to it.