Threat Analysis (Threats Dashboard)

The Threats dashboard provides a historical view of recent threats to site traffic. This type of analysis provides the means through which you may:

Log data is retained for 30 days for most WAF solutions. The exception is WAF Insights which only retains data for 7 days.

This article describes how to use:

Usage

The dashboard contains two different views through which threat analysis may be performed, which are:

To view the Threats dashboard

  1. Navigate to the Overview of the Threats dashboard page. From the main menu, navigate to More, then WAF | WAF Tier | Dashboard.

    The dashboard will display a chart showing recent violations of your security policy.

  2. Optional. View event log data by clicking Event Logs from the side navigation bar.

Overview

Use the Overview to detect patterns for objectionable traffic directed at your applications and web servers. This view consists of two basic components:

Component Description

Chart

A chart or line graph displays the number of threats detected over a given time period.

By default, a single line on the graph represents all threats. Alternatively, categorize threats by selecting the desired categorization criteria from the option that appears directly above the graph. A line will be drawn on the chart for each unique value. For example, if you select Profile Type and requests were screened by production and audit rules, then the graph will contain a line for audit and another one for production.

By default, graphing threats by type will include up to the 10 most popular entries. Customize this limit through the Max Top Number option. This option also affects the maximum number of unique entries that may be listed for each type of statistic listed under the graph.

Statistics

Statistics on the threats detected over a given time period are displayed directly below the chart. Statistics are broken down by category.

View category definitions.

By default, statistics for up to the 10 most popular entries may be displayed for each category. Customize this limit through the Max Top Number option. This option also affects the maximum number of lines that may be graphed.

The following information is displayed for each category:

Percentages are calculated against the total threats detected during the given time period. Because at most 10 entries are listed per category, the percentages for a category with more than 10 unique entries will not add up to 100%.
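The following is an added example, not code from the dashboard or its vendor, that reproduces the two Overview computations described above over a constructed set of violations: the per-category statistics (top entries limited by Max Top Number, with percentages taken against all threats in the period, so a truncated list sums to less than 100%) and the chart series (one line per unique category value, bucketed by the selected time unit). The field names, the placeholder rule IDs and the sample events are this example's own assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Timestamp format used by the event log (YYYY-MM-DD hh:mm:ss.milliseconds, UTC)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
MAX_TOP_NUMBER = 10  # dashboard default for both graph lines and per-category statistics


def _event(ts, ip, rule_id, action, profile="production"):
    # Field names are hypothetical keys chosen for this example, not an export schema.
    return {"timestamp": ts, "client_ip": ip, "rule_id": rule_id,
            "action_type": action, "profile_type": profile}


# Constructed sample: 20 violations from 5 client IPs (documentation address ranges),
# with placeholder rule IDs 900001..900003.
SAMPLE_EVENTS = (
    [_event(f"2021-07-08 15:0{i}:10.000", "203.0.113.1", "900001", "BLOCK_REQUEST") for i in range(8)]
    + [_event(f"2021-07-08 15:1{i}:10.000", "203.0.113.2", "900002", "BLOCK_REQUEST") for i in range(5)]
    + [_event(f"2021-07-08 16:0{i}:10.000", "203.0.113.3", "900001", "ALERT", "audit") for i in range(3)]
    + [_event(f"2021-07-08 16:1{i}:10.000", "198.51.100.4", "900003", "ALERT", "audit") for i in range(2)]
    + [_event(f"2021-07-08 17:0{i}:10.000", "198.51.100.5", "900002", "BLOCK_REQUEST") for i in range(2)]
)


def top_entries(events, category, max_top=MAX_TOP_NUMBER):
    """Top entries for one statistics category as (value, count, percent).

    Percent is relative to ALL threats in the period, not to the listed
    entries, so a truncated list sums to less than 100%.
    """
    total = len(events)
    counts = Counter(e[category] for e in events)
    return [(value, n, round(100.0 * n / total, 1))
            for value, n in counts.most_common(max_top)]


def percent_covered(rows):
    """Share of all threats accounted for by the listed rows."""
    return round(sum(pct for _, _, pct in rows), 1)


def bucket(ts_str, unit):
    """Truncate a timestamp to the selected time unit (minute, hour or day)."""
    ts = datetime.strptime(ts_str, TS_FORMAT)
    fmt = {"minute": "%Y-%m-%d %H:%M", "hour": "%Y-%m-%d %H:00", "day": "%Y-%m-%d"}[unit]
    return ts.strftime(fmt)


def chart_series(events, unit="hour", category=None, max_top=MAX_TOP_NUMBER):
    """Per-bucket counts: a single 'all' line, or one line per unique category value
    (limited to the max_top most frequent values, as the graph is)."""
    series = defaultdict(Counter)
    if category is None:
        for e in events:
            series["all"][bucket(e["timestamp"], unit)] += 1
    else:
        keep = {v for v, _ in Counter(e[category] for e in events).most_common(max_top)}
        for e in events:
            if e[category] in keep:
                series[e[category]][bucket(e["timestamp"], unit)] += 1
    return {line: dict(points) for line, points in series.items()}


if __name__ == "__main__":
    rows = top_entries(SAMPLE_EVENTS, "client_ip", max_top=3)
    for value, n, pct in rows:
        print(f"{value:<14} {n:>3} {pct:>5}%")
    print("covered by top 3:", percent_covered(rows), "%")
    print("threats per hour:", chart_series(SAMPLE_EVENTS)["all"])
```

Running the script with Max Top Number lowered to 3 shows the effect the text describes: the three listed IPs account for 80% of the period's threats and the remaining 20% is simply not displayed, while the default limit of 10 covers all five IPs and sums to 100%.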

Key information:

Event Log View

This view provides the means to delve into the details of an illegitimate request. The information derived from this view provides a deeper understanding as to why a request was deemed objectionable and the type of attacks being mounted on an origin server.

The event log contains a list of recent rule violations. The header bar for each violation uses the syntax described below.

Syntax:

Example:

Anomaly Score Threshold Exceeded, Total Score: 5 10s ago 15:01:23.45 UTC

Field Definitions

Clicking on a rule violation will expand that entry and display detailed information about it. A brief description for each field used to describe rule violations is provided below.

Field Description

Action Type

Indicates the type of action that was taken in response to the rule violation. Valid values are:

  • BLOCK_REQUEST: Indicates that the request that violated a rule was blocked.
  • ALERT: Indicates that an alert was generated in response to the rule violation.
  • REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field.
  • CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.

Client IP

Identifies the IP address of the client from which the request originated.

Country Name

Identifies the country from which the request originated by its name.

Profile Type

Indicates whether the request was screened as a result of a production or audit rule.

Referer

Indicates the request’s referrer as defined by the Referer request header.

Rule ID

Indicates the ID for the rule that the request violated.

This field indicates that the rule met or exceeded the maximum anomaly score. Please refer to the Sub Event(s) section, which contains a sub event for each rule violated by a request, to find out why the request was flagged or blocked. Each sub event indicates the rule that was violated and the data used to identify the violation.

Rule Message

Provides a description of the rule that the request violated.

Syntax:

Inbound Anomaly Score Exceeded (Total Score: 3, SQLi=0, XSS=0): Last Matched Message: Rule Message

Rule Message: This term represents the message for the last rule that the request violated.

This field indicates the request's anomaly score and the last rule that it violated. Please refer to the Sub Event(s) section, which contains a sub event for each rule violated by a request, to find out why the request was flagged or blocked. Each sub event indicates the rule that was violated and the data used to identify the violation.
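As an added example (not code from the dashboard or its vendor), the parser below turns the two text formats documented on this page, the event header bar ("Anomaly Score Threshold Exceeded, Total Score: 5 10s ago 15:01:23.45 UTC") and the anomaly-score Rule Message ("Inbound Anomaly Score Exceeded (Total Score: 3, SQLi=0, XSS=0): Last Matched Message: ..."), into structured fields, which is what you need before these events can be counted or alerted on in a SIEM. The anomaly threshold is an input you supply (the page states no default), and the sample rule message is constructed.

```python
import re

# Header bar: "<title>[, Total Score: N] <age> ago hh:mm:ss.ff UTC"
# (the Total Score part is treated as optional so headers of non-anomaly rules still parse)
HEADER_RE = re.compile(
    r"^(?P<title>.+?)(?:, Total Score: (?P<total>\d+))?"
    r"\s+(?P<age>\d+\w+ ago)\s+(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) UTC$"
)

# Rule Message: "Inbound Anomaly Score Exceeded (Total Score: N, SQLi=a, XSS=b): Last Matched Message: <msg>"
RULE_MESSAGE_RE = re.compile(
    r"^Inbound Anomaly Score Exceeded \(Total Score: (?P<total>\d+)"
    r"(?P<cats>(?:, \w+=\d+)*)\): Last Matched Message: (?P<last>.*)$"
)

# The header example is taken from this page; the rule message is a constructed sample.
SAMPLE_HEADER = "Anomaly Score Threshold Exceeded, Total Score: 5 10s ago 15:01:23.45 UTC"
SAMPLE_RULE_MESSAGE = ("Inbound Anomaly Score Exceeded (Total Score: 8, SQLi=5, XSS=3): "
                       "Last Matched Message: Constructed sample message")


def parse_event_header(line):
    """Split a header bar into title, total score (None if absent), age and UTC time."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    return {"title": m.group("title"),
            "total_score": int(m.group("total")) if m.group("total") else None,
            "age": m.group("age"), "time_utc": m.group("time")}


def parse_rule_message(msg):
    """Split an anomaly-score Rule Message into total, per-category scores and last match."""
    m = RULE_MESSAGE_RE.match(msg)
    if not m:
        return None
    cats = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group("cats"))}
    return {"total_score": int(m.group("total")), "category_scores": cats,
            "last_matched_message": m.group("last")}


def triage(msg, threshold):
    """Summarize an anomaly-score message against a threshold you configure.

    Reports whether the total met the threshold and which attack category
    contributed most (None when every category score is zero).
    """
    parsed = parse_rule_message(msg)
    if parsed is None:
        return {"anomaly_rule": False}
    scores = parsed["category_scores"]
    dominant = None
    if scores and max(scores.values()) > 0:
        dominant = max(scores, key=scores.get)
    return {"anomaly_rule": True, "exceeded": parsed["total_score"] >= threshold,
            "dominant_category": dominant, **parsed}


if __name__ == "__main__":
    print(parse_event_header(SAMPLE_HEADER))
    print(triage(SAMPLE_RULE_MESSAGE, threshold=5))
```

Because the anomaly-score message only names the last rule matched, `triage` is a starting point: the per-rule detail still has to come from the Sub Event(s) section, as the text above notes.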

Timestamp

Indicates the date and time (UTC) at which the rule violation occurred.

Format: YYYY-MM-DD hh:mm:ss.milliseconds

Identifies a date and time (UTC/GMT) using a 24-hour format (e.g., 2021-07-08 15:00:22.123).

URL

Indicates the URL of the request that triggered the rule violation.

User Agent

Indicates the user agent that submitted the request that triggered the rule violation. This information is derived from the User-Agent request header.

Sub Events

In addition to the core set of fields described above, a sub event for each rule that was violated by the request will be reported. The syntax for the header bar associated with each sub event is described below.

Each sub event contains the following fields:

Field Description

Matched On

Indicates a variable that identifies where the violation was found.

Matched Value

Indicates the value of the variable defined by the Matched On field.

Standard security practice dictates that measures be taken to prevent sensitive data (e.g., credit card information or passwords) from being passed in clear text from the client to your origin server. A further incentive for encrypting sensitive data is that our system logs it in this field whenever it triggers an alert. If sensitive data cannot be encrypted or obfuscated, then it is strongly recommended that you contact our technical customer support to disable logging for the Matched Value field.

Operator Name

Indicates how the system interpreted the comparison between the Operator Parameter and the Matched Value fields. Common operators are:

  • BEGINSWITH: Begins with. Identifies a match due to a request element that started with the specified match value.
  • CONTAINS: Contains. Identifies a match due to a request element that contained the specified match value.
  • ENDSWITH: Ends with. Identifies a match due to a request element that ended with the specified match value.
  • STREQ: Exact match. Identifies a match due to a request element that was an exact match to the specified match value.
  • RX: Regex. Identifies a match due to a request element that satisfied the regular expression defined in the match value.
  • EQ: Value match. Identifies a match due to a request element that occurred the exact number of times defined in your custom rule.
  • IPMATCH: IP Address. Identifies a match due to the request's IP address either being contained within an IP block or that was an exact match to an IP address defined in your custom rule.

Operator Parameter

Indicates the source or the value that was compared against the Matched Value field.
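As an added example (not code from the dashboard or its vendor), the script below re-evaluates each operator listed above against the Operator Parameter and Matched Value reported in a sub event, so an analyst can confirm that a logged sub event actually explains the violation. The operator semantics beyond the one-line definitions above are assumptions stated in the code (RX as an unanchored search, EQ comparing an integer occurrence count, IPMATCH accepting a comma-separated list of addresses or CIDR blocks), and the sample sub events, their variable names and rule IDs are constructed.

```python
import ipaddress
import re


def matches(operator, parameter, value):
    """Re-evaluate an operator as a sub event reports it.

    `parameter` is the Operator Parameter (the rule side) and `value` is the
    Matched Value (the request side). Assumptions for this example: RX is an
    unanchored search, EQ compares the reported occurrence count as an integer,
    and IPMATCH accepts a comma-separated list of addresses or CIDR blocks.
    """
    op = operator.upper()
    if op == "BEGINSWITH":
        return value.startswith(parameter)
    if op == "CONTAINS":
        return parameter in value
    if op == "ENDSWITH":
        return value.endswith(parameter)
    if op == "STREQ":
        return value == parameter
    if op == "RX":
        return re.search(parameter, value) is not None
    if op == "EQ":
        return int(value) == int(parameter)
    if op == "IPMATCH":
        addr = ipaddress.ip_address(value)
        # A bare address becomes a /32 (or /128) network; mixed IP versions never match.
        return any(addr in ipaddress.ip_network(p.strip(), strict=False)
                   for p in parameter.split(","))
    raise ValueError(f"unsupported operator: {operator!r}")


# Constructed sub events; the keys mirror the dashboard's field names but are this
# example's own, as are the variable names and the placeholder rule IDs.
SAMPLE_SUB_EVENTS = [
    {"rule_id": "900001", "matched_on": "REQUEST_URI", "matched_value": "/admin/login",
     "operator_name": "BEGINSWITH", "operator_parameter": "/admin/"},
    {"rule_id": "900002", "matched_on": "REMOTE_ADDR", "matched_value": "203.0.113.42",
     "operator_name": "IPMATCH", "operator_parameter": "203.0.113.0/24, 198.51.100.7"},
    {"rule_id": "900003", "matched_on": "REQUEST_HEADERS:User-Agent", "matched_value": "curl/7.88.1",
     "operator_name": "RX", "operator_parameter": r"(?i)^curl/\d"},
    {"rule_id": "900004", "matched_on": "ARGS_COUNT", "matched_value": "12",
     "operator_name": "EQ", "operator_parameter": "12"},
]


def verify_sub_event(sub):
    """True when the reported Matched Value really satisfies the operator; False means
    the record does not explain the violation and deserves a closer look."""
    return matches(sub["operator_name"], sub["operator_parameter"], sub["matched_value"])


def explain(sub):
    """One-line, human-readable reading of a sub event with its consistency verdict."""
    verdict = "consistent" if verify_sub_event(sub) else "INCONSISTENT"
    return (f"rule {sub['rule_id']}: {sub['matched_on']} "
            f"{sub['operator_name']} {sub['operator_parameter']!r} "
            f"against {sub['matched_value']!r} -> {verdict}")


if __name__ == "__main__":
    for sub in SAMPLE_SUB_EVENTS:
        print(explain(sub))
```

Keep in mind the note under Matched Value: the values fed to `verify_sub_event` are whatever the system logged, so if request data is sensitive it should be encrypted or obfuscated before it reaches the origin, or logging of that field should be disabled.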

Rule ID

Indicates the ID for the rule that the request violated.

Rule Message

Provides a description of the rule that the request violated.

Rule Tags

Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated.

Naming convention:

Total Anomaly Score

Indicates the anomaly score assigned to the request. This score is determined by the number of rules that were violated and their severity.

Filters

Both the Overview and the Event Log will be filtered by the time at which the violation occurred. Use the Time Range option to define the relative time period from the present (e.g., Last 12 hours or Last 7 Days) for which data will be reported in the dashboard.

Events will be reported using the selected time unit (i.e., events per minute, hour, or day).

Additionally, events may be filtered using one or more of the following criteria:

Filter Description

Action Type

Filters requests by the manner in which the violation was handled. Valid values are:

  • BLOCK_REQUEST: Indicates that the request that violated a rule was blocked.
  • ALERT: Indicates that an alert was generated in response to the rule violation.
  • REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field.
  • CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.

Client IP

Filters requests by the IP address of the client from which they originated.

Country Code

Filters requests by country of origin. Identify a country by its country code.

Profile Type

Filters requests by the mode (i.e., production or audit) that triggered the violation.

Rule ID

Rule Message

Filters requests by the type of rule that was violated.

Filter the dashboard by rule by clicking on the desired rule message or ID.

Filtering by rule message or ID will include all related rule messages/IDs.

URL

Filters requests by the request URL.

User Agent

Filters requests by user agent.

Key information: