Web Application Firewall (WAF) security reports display protection records from mitigation rules in different WAF modules. You can use these reports to view protection data from enabled core web protection rules, IP blacklist rules, custom rules, and more for business security analytics.
Prerequisites
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
When you configure mitigation rules for protected objects, the Core Web Protection Rules module is enabled by default and does not require manual configuration. However, other mitigation modules take effect only after you configure their specific rules. For more information, see Overview of Mitigation Settings.
View security reports
When request volumes are high, security reports use a dynamic sampling and data restoration mechanism. The system automatically adjusts the sampling ratio based on the average queries per second (QPS) and restores the statistical results based on this ratio. The reports show estimated full data that accurately reflects attack trends and distributions. To obtain complete raw logs for in-depth analysis or compliance audits, you can enable Simple Log Service.
WAF has control planes in China (Hangzhou) and Singapore. WAF instances in the Chinese mainland are managed by the control plane in China (Hangzhou). WAF instances outside the Chinese mainland are managed by the control plane in Singapore.
The Security Reports page in the Web Application Firewall 3.0 console displays information in four sections: the Attack Trend graph, the Attack Type Distribution graph, Top 5 Hit Statistics, and the Log List. You can use Simple Search or Advanced Search to set filter conditions and retrieve security report data.
Simple search | Advanced search |
|
|
Time range (Figure ①). By default, data for Today is displayed. You can query data from the Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Today, Yesterday, Last 7 Days, or Last 30 Days. | |
Custom date range (Figure ②). Select a specific time period as needed to view security report data more precisely. | |
Protected object (Figure ③). By default, All Objects is selected, which queries data for all objects protected by WAF. You can also query data for a single object. | Set filter conditions (Figure ③). You can add multiple filter conditions, up to a maximum of 10. |
Enter a source IP or trace ID (Figure ④). | \ |
Attack trend graph
In the attack trend graph, you can view the trends of alerts and blocked requests. By default, it shows data for all protected objects. The graph updates dynamically based on the filter conditions you set. You can hover your mouse over any point on the trend graph to display the number of alerts and blocked requests at that time.
Blocked: Requests that were blocked by the Block action or that failed security checks such as JS Challenge, Slider, Strict Slider, and Dynamic Token.
Alerts: Records requests that hit a rule and trigger the Observation action.
Attack type distribution graph
This graph shows the total number of rule hits. A single request can hit multiple mitigation modules or rules. You can view hits for Core Web Protection Rules, IP Blacklist, Custom Rules, Scan Protection, HTTP Flood Protection, Location Blacklist, Bot Protection, Data Leakage Prevention, Peak Traffic Throttling, and AI Application Protection.
Click the Core Web Protection Rules section of the pie chart to view another pie chart showing the distribution of attack types, such as SQL injection, XSS, and code execution.
You can click other mitigation modules in the pie chart to view a pie chart that shows the proportions of rule hits.
TOP 5 hit statistics
You can view hit statistics for Source IP, Protected Object, Rule Hits, Protected URL, Attack Source Area, and Attack UA.
Data Type | Description | Supported Operations |
Source IP | The top 5 IPs that initiated the most attack requests and their regions. | Hover your mouse over the target data type and click Filter or Exclude to directly generate the corresponding filter condition. |
Protected URL | The top 5 URLs that hit rules most frequently. | |
Attack Source Area | The top 5 regions that initiated the most attack requests. | |
Attack UA | The top 5 User-Agents that initiated the most attacks. | |
Protected Object | The top 5 protected objects that triggered mitigation rules most frequently. | Hover your mouse over the target data type and click Filter or Exclude to directly generate the corresponding filter condition. Click View Mitigation Rules to go to the specific mitigation rules for that protected object. |
Rule Hits | The IDs of the top 5 mitigation rules that were hit most frequently. Note A single request can hit multiple rules. |
Log list
You can view details for Attack IP, Region, Protected Object, Attack Time, Host, Attack URL, Protocol, Port, Request Method, Request Parameters, Rule Action, Mitigation Module, Rule ID, and AI Analysis. Click the 
icon in the upper-right corner to customize the information displayed in the list.
In the Operation column for an attack event, you can click View Details to see the Attack Details and view more information about the attack event and mitigation rule.
If you confirm that a log entry is a false positive, you can click Handle False Positive in the Operation column for that attack event. After you confirm the whitelist rule conditions, click OK.
After you create the rule, WAF automatically creates a template named AutoTemplate and adds a whitelist rule. The rule source is set to Custom.
You can click the icon in the AI Analysis column to perform a security AI assistant analysis on a single log entry. This feature currently supports only logs generated by core web protection rules. It does not support other log types or log analysis for hybrid cloud connection types.
A single request can hit multiple mitigation modules or rules. You can hover your mouse over the Rule ID or click View Details to see the specific IDs of the rules that were hit.
