Security reports in Web Application Firewall (WAF) 3.0 show protection records from all enabled mitigation modules. Use the reports to:
Monitor attack trends and blocked request volumes over time
Identify which mitigation modules and rules are triggered most frequently
Investigate specific attack events and trace their details
Handle false positives by creating whitelist rules directly from log entries
Run AI-assisted analysis on individual log entries from core web protection rules
The Security Reports page has four sections: the Attack trend graph, the Attack type distribution graph, Top 5 hit statistics, and the Log list.
Prerequisites
Before you begin, make sure you have:
Web services added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups
At least one mitigation module configured. When you configure mitigation rules for protected objects, the Core Web Protection Rules module is enabled by default and does not require manual configuration. However, other modules take effect only after you configure their specific rules. For more information, see Overview of mitigation settings
View security reports
Note: When request volumes are high, security reports use a dynamic sampling and data restoration mechanism. The system automatically adjusts the sampling ratio based on the average queries per second (QPS) and restores statistical results based on this ratio. The reports show estimated full data that accurately reflects attack trends and distributions. To get complete raw logs for in-depth analysis or compliance audits, enable Simple Log Service.
WAF has control planes in China (Hangzhou) and Singapore. WAF instances in the Chinese mainland are managed by the China (Hangzhou) control plane. WAF instances outside the Chinese mainland are managed by the Singapore control plane.
Open the Web Application Firewall 3.0 console and go to the Security Reports page. Use Simple Search or Advanced Search to filter the data.
| Simple search | Advanced search |
|---|---|
 |  |
| Time range (Figure ①). Default: Today. Options: Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Today, Yesterday, Last 7 Days, Last 30 Days. | Set filter conditions (Figure ③). Add up to 10 filter conditions. |
| Custom date range (Figure ②). Select a specific time period for more precise results. | |
| Protected object (Figure ③). Default: All Objects, which queries all WAF-protected objects. Select a single object to narrow the scope. | |
| Source IP or trace ID (Figure ④). |
Attack trend graph
The attack trend graph shows the trends of alerts and blocked requests. By default, it covers all protected objects. The graph updates dynamically as you change filter conditions. Hover over any point to see the alert and blocked request counts at that time.
Blocked: Requests blocked by the Block action, or that failed security checks such as JS Challenge, Slider, Strict Slider, and Dynamic Token.
Alerts: Requests that hit a rule and triggered the Observation action.
Attack type distribution graph
This graph shows the total number of rule hits across all mitigation modules. A single request can hit multiple modules or rules.
The graph covers: Core Web Protection Rules, IP Blacklist, Custom Rules, Scan Protection, HTTP Flood Protection, Location Blacklist, Bot Protection, Data Leakage Prevention, Peak Traffic Throttling, and AI Application Protection.
Click the Core Web Protection Rules section of the pie chart to see a breakdown by attack type, such as SQL injection, XSS, and code execution.
Click any other module in the pie chart to see the proportions of rule hits for that module.
Top 5 hit statistics
This section ranks the top 5 sources, targets, and rules by hit count.
| Data type | Description | Supported operations |
|---|---|---|
| Source IP | Top 5 IPs that initiated the most attack requests, with their regions | Hover over the data type and click Filter or Exclude to generate a filter condition. |
| Protected URL | Top 5 URLs that hit rules most frequently | |
| Attack Source Area | Top 5 regions that initiated the most attack requests | |
| Attack UA | Top 5 User-Agents that initiated the most attacks | |
| Protected Object | Top 5 protected objects that triggered mitigation rules most frequently | Hover over the data type and click Filter or Exclude to generate a filter condition. Click View Mitigation Rules to go to the mitigation rules for that object. |
| Rule Hits | IDs of the top 5 most frequently hit mitigation rules. A single request can hit multiple rules. |
Log list
The log list shows detailed records for each security event.
Click the 
icon in the upper-right corner to customize the columns displayed. Available columns include: Attack IP, Region, Protected Object, Attack Time, Host, Attack URL, Protocol, Port, Request Method, Request Parameters, Rule Action, Mitigation Module, Rule ID, and AI Analysis.
The Operation column provides the following actions:
View Details: Opens the Attack Details panel with full information about the attack event and the triggered mitigation rule.
Handle False Positive: Creates a whitelist rule for a log entry you confirm is a false positive. After you confirm the whitelist rule conditions and click OK, WAF automatically creates a template named AutoTemplate and adds a whitelist rule with the rule source set to Custom.
Additional log list capabilities:
AI Analysis: Click the icon in the AI Analysis column to run a security AI assistant analysis on a single log entry. This feature currently supports only logs from core web protection rules. It does not support other log types or logs from hybrid cloud connection types.
Multiple rule hits: A single request can hit multiple mitigation modules or rules. Hover over Rule ID or click View Details to see all triggered rule IDs.
