View information on the WAF Overview page - View information on the WAF Overview page| Alibaba Cloud Documentation Center

After you add a website to Web Application Firewall (WAF), you can query the protection information about the website over the last 30 days on the Overview page. The information includes vulnerabilities, website traffic data, and threat events. The Overview page allows you to understand the security posture of your website workloads.

Prerequisites

The domain name of your website is added to WAF for protection. For more information, see Add websites.

Query data on the Overview page

Log on to the Web Application Firewall console.
In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
In the left-side navigation pane, click Overview.
In the upper part of the Overview page, specify a domain name and a time range that you want to query.
Settings description:
- Domain name: By default, All is displayed. WAF displays the data for all domain names that are added to WAF. You can select a specific domain name.
- Time range: By default, Today is displayed. WAF displays the data for the domain names you select on the current day. You can use one of the following methods to modify the time range:
  - Click the icon and select an interval based on which data is refreshed. Then, you can query real-time data. You can select an interval of 10 seconds, 30 seconds, 60 seconds, or 15 minutes.
  - Click Yesterday, Today, 7 Days, or 30 Days to query the data that is generated during the specified time range.
  - Click the date picker and select the start date and end date of the time range over which you want to query data. The time range cannot exceed 30 days.
The Overview page consists of the following four sections. You can click the link of each section to query the specific data and operations supported in the section.

Description of vulnerabilities

The Vulnerabilities section displays the updated protection rules that are issued by WAF to handle the latest security vulnerabilities on the Internet.

You can click a rule to open the Details of Emergency Vulnerability panel. The panel displays the domain names that are affected by the vulnerability, the details of the vulnerability, and the information about protection rules.

Description of protection result statistics

The protection result statistics section displays the number of all received requests and the numbers of requests that trigger the checks by the following modules: Web Intrusion Prevention, HTTP Flood Protection, Scan Protection, Access Control, and Blocked Bot Attacks.

You can click the number below each module to go to the Security Report page. Then, you can view attack information. For more information, see View security reports.

You can click the Show icon

icon below the protection result statistics section to view the statistics. The following list describes the details:

If you query the data of all domain names, the top 5 domain names for each module appear.
If you query the data of a specific domain name, the trend of statistical data appears.

Description of request analysis charts

The request analysis charts include the request trend, client type distribution, and request analysis ranking charts. The following list describes the details:

The request trend charts include the trend charts for Requests, QPS, Bandwidth, and Response Code.

Note The time that a trend chart of this type displays can be accurate to the minute. If you query real-time data, you can view the trend of requests at the minute level.

To view a trend chart, you can click a tab in Section 1. To hide or show the trend for a module, you can click the legend of the module in Section 2 below the trend chart.
Trend description:
- Requests: displays a trend chart for the total number of requests, the number of times that web intrusion protection is triggered, the number of times that HTTP flood protection is triggered, the number of times that scan protection is triggered, the number of times that access control is triggered, and the number of times that bot management is triggered.
- QPS: displays a trend chart for the queries per second (QPS) of all requests, QPS for web intrusion prevention, QPS for HTTP flood protection, QPS for scan protection, QPS for access control, and QPS for blocked bot attacks.
  In the upper-right corner of the trend chart, you can click Average or Peak to switch between the average QPS and peak QPS.
- Bandwidth: displays a trend chart for the inbound bandwidth and the outbound bandwidth.
- Response Code: displays trend charts for the number of abnormal response codes that are returned to clients and the number of abnormal response codes that are returned to WAF. The abnormal response codes include 5XX, 405, 499, 302, and 444.
  In the upper-right corner of the trend chart, click WAF to Client and Origin Server to WAF to view the abnormal response codes.
The Client Type Distribution chart displays the distribution of client types in a pie chart. The client types include browsers, script tools, search engines, and scanners.
To view the distribution of sub-categories under a specific client type, you can click the client type in the pie chart. For example, if you click browsers, you can view the distribution of different types of browsers.
The request analysis ranking charts include the charts for Top 10 Clients, URL Requests, and Top IP. You can click each tab to view the ranking data.
- Top 10 Clients: displays the top 10 types of clients that initiate the most requests.
- URL Requests: displays the top 10 URLs that receive the most requests.
- Top IP: displays the top 10 IP addresses that initiate the most requests.

Description of threat event analysis

The Threat Event Analysis section displays the attack events on your website and the attacks blocked by WAF. Then, you can understand the threats to your website and how to handle these threats.

You can click an event name to view the event details. The event details include threat intelligence and handling suggestions. You can also view the analysis result of the event in the Top 5 Attacks section. For example, you can click the following tabs to view specific data:

Source IP Address: displays the top 5 IP addresses that initiate the most attacks.
Target: displays the top 5 URLs that receive the most attacks.
Attack Type: displays the top 5 attack types. The attack types include SQL injections and cross-site scripting (XSS) attacks.
Attack Date: displays the top 5 dates during which the most attacks are launched.
Attack Tool: displays the top 5 attack tools that are used the most frequently to initiate attacks. The attack tools include cURL and postman-runtime.

In the Event Details panel, you can click View Log next to the event name to go to the Log Service page. You can query related logs to further analyze the event. For more information, see Enable log query.