After you add a website to Web Application Firewall (WAF), you can query the protection history of the website in the last 30 days on the Overview page. Protection history includes information about vulnerabilities, website traffic, and threat events. The Overview page allows you to understand the security posture of your website workloads.

Prerequisites

The domain name of your website is added to WAF. For more information, see Add a website.

Query data on the Overview page

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, click Overview.
  4. In the upper part of the Overview page, specify a domain name and a time range to query data.
    Description of query settings:
    • Domain name: By default, All is selected. In this case, WAF displays the data for all domain names that are added to WAF. You can select a specific domain name.
    • Time range: By default, Today is selected. In this case, WAF displays the data of the current day. You can use one of the following methods to change the time range:
      • Click the Refresh icon and select the interval at which data is refreshed. You can then query data in real time. The available intervals are 10 seconds, 30 seconds, 60 seconds, and 5 minutes.
      • Click Yesterday, Today, 7 Days, or 30 Days to query the data that is generated during the specified time range.
      • Click the date picker and select the start date and end date of the time range in which you want to query data. The time range cannot exceed 30 days.
    The Overview page consists of the following four sections. You can click the link of each section to query the specific data and operations that are supported in the section.

Description of vulnerabilities

The Vulnerabilities section displays the updated protection rules that are provided by WAF to help you handle the latest security vulnerabilities disclosed on the Internet.

You can click a rule to open the Details of Emergency Vulnerability panel. The panel displays the domain names that are affected by the vulnerability, the details of the vulnerability, and the information about protection rules.

Description of protection result statistics

The protection result statistics section displays the number of all received requests and the numbers of requests that trigger each of the following modules: Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot Attacks.

You can click the number below each module to go to the Security Report page. Then, you can view attack information. For more information, see View security reports.

You can click the Show icon below the protection result statistics section to view the detailed statistics.
  • If you query the data of all domain names, the top 5 domain names for each module are displayed.
  • If you query the data of a specific domain name, the trend of statistical data is displayed.

Description of request analysis charts

The request analysis charts include the request trend, client type distribution, and request analysis ranking charts.
  • The request trend charts include the trend charts for Requests, QPS, Bandwidth, and Response Code.
    Note: The time of a trend chart can be accurate to the minute. If you query data in real time, you can view the trend of request data at the minute level.

    To view a trend chart, you can click a tab in Section 1. To hide or show the trend for a specific module, you can click the legend of the module in Section 2 below the trend chart.

    Trend description:
    • Requests: displays a trend chart for the total number of requests, the number of times that web intrusion protection is triggered, the number of times that HTTP flood protection is triggered, the number of times that scan protection is triggered, the number of times that access control is triggered, and the number of times that bot management is triggered.
    • QPS: displays a trend chart for the queries per second (QPS) of all requests, QPS for web intrusion prevention, QPS for HTTP flood protection, QPS for scan protection, QPS for access control, and QPS for blocked bot attacks. The QPS values displayed on this trend chart change over time.

      In the upper-right corner of the trend chart, you can click Average or Peak to switch between the average QPS and peak QPS.

    • Bandwidth: displays a trend chart for the inbound bandwidth and the outbound bandwidth, in bit/s.
    • Response Code: displays trend charts for the number of error codes that are returned to clients and the number of error codes that are returned to WAF. The error codes include 5XX, 405, 499, 302, and 444.

      In the upper-right corner of the trend chart, you can click WAF to Client and Origin Server to WAF to switch between the two trend charts.

  • The Traffic Analysis section includes the Percentage of Bot Traffic and Client Type Distribution charts.
    • The Percentage of Bot Traffic chart displays the traffic destined for the domain name. Traffic from browsers and applications is identified as human traffic. Traffic from other types of clients is identified as bot traffic.

      If the percentage of bot traffic is abnormally high, we recommend that you click Configure Policy. Then, you can use the Bot Management feature of WAF to prevent bot attacks. You can click View Trend to go to the Security Report page. Then, click the Bot Management tab to view the protection effects. For more information about bot management, see Configure anti-crawler rules for websites.

    • The Client Type Distribution chart displays the distribution of client types in a pie chart. The client types include browsers, script tools, search engines, and scanners. You can click the Question mark icon to the right of Traffic Analysis to view the definition of each client type.
      To view the distribution of subtypes for a specific client type, you can click the client type in the pie chart. For example, you can click the browser type to view the distribution of different types of browsers.
  • The request analysis ranking charts include the charts for Top 10 Clients, URL Requests, and Top IP. You can click each tab to view the ranking data.
    • Top 10 Clients: displays the top 10 types of clients that initiate the most requests.
    • URL Requests: displays the top 10 URLs that receive the most requests.
    • Top IP: displays the top 10 IP addresses that initiate the most requests.

Description of threat event analysis

The Threat Event Analysis section displays the attack events on your website and the attacks that are blocked by WAF. This helps you understand the threats to your website and handle these threats.

You can click an event name to view the event details. The event details include threat intelligence and handling suggestions. You can also view the analysis result of the event in the Top 5 Attacks section. For example, you can click the following tabs to view specific data:
  • Source IP Address: displays the top 5 IP addresses that initiate the most attacks.
  • Target: displays the top 5 URLs that receive the most attacks.
  • Attack Type: displays the top 5 attack types. The attack types include SQL injections and cross-site scripting (XSS) attacks.
  • Attack Date: displays the top 5 dates on which the most attacks are launched.
  • Attack Tool: displays the top 5 attack tools that are used most frequently. The attack tools include cURL and postman-runtime.

In the Event Details panel, you can click View Log to the right of the event name to go to the Log Service page. Then, you can query logs to further analyze the event. For more information, see Enable log query.