Web Application Firewall (WAF) provides security reports that include the protection details of all protection modules, such as the core protection rule, IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports.
Prerequisites
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
Protection rules are configured for protected objects. By default, the core protection rule module is enabled. You do not need to configure protection rules for the module. If you want to enable other protection modules, you must configure protection rules for the modules. For more information, see Protection configuration overview.
View security reports
When you log on to the WAF console, you are directed to an interface based on the region in which your WAF instance is deployed. If your WAF instance is deployed in the Chinese mainland, you are directed to the interface in the China (Hangzhou) region. If your WAF instance is deployed outside the Chinese mainland, you are directed to the interface in the Singapore region.
On the Security Reports page of the WAF console, you can view data in the following sections: Attack Trends, Attack Types, Top 5 Hits, and Logs. You can also switch between Basic Search and Advanced Search to filter data.
Basic Search | Advanced Search |
Time range (marked 1): By default, Today is selected. Valid values: Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Today, Yesterday, 7 Days, and 30 Days. | |
Custom time range (marked 3): You can specify a custom time range to view data. | |
Protected objects (marked 3): By default, All is selected. You can view the data of all protected objects that are added to WAF. You can also select specific protected objects to view data. | Filter conditions (marked 3): You can configure up to 10 conditions to filter data. |
Attacker IP Address and traceid (marked 4): You can specify custom values to filter data. | N/A. |
Attack Trends
In the Attack Trends chart, you can view the trends of alerts and blocked requests. By default, you can view the data of all protected objects. You can also configure filter conditions to refresh the chart. If you move your pointer over a specific point in time in the chart, you can view the numbers of alerts and blocked requests for the time point.
Blocked Requests: indicates the number of requests that match the Block action or fail the verification specified by the following actions: JavaScript Validation, Slider CAPTCHA, Strict Slider CAPTCHA Verification, and Dynamic Token-based Authentication.
Alerts: indicates the number of requests that match a protection rule and the Monitor action.
Attack Types
In the Attack Types chart, you can view the total number of times that protection rules are matched by requests. A request can match multiple protection modules or protection rules. You can also view the number of matches for each protection module: Core Protection Rule, IP Address Blacklist, Custom Rule, Scan Protection, HTTP Flood Protection, Region Blacklist, Bot Management, Data Leakage Prevention, and Traffic Spike Throttling.
If you click Core Protection Rule, you can view a pie chart that shows the distribution of matched protection rules by attack type, such as SQL injection, cross-site scripting (XSS), and code execution.
If you click other protection modules, you can view the related pie charts.
Top 5 Hits
In the Top 5 Hits section, you can view the following charts: Attacker IP Address, Protected Objects, Rules Matched, Protection URL, Attack Source Areas, and Attack User-Agent Header.
Chart | Description | Supported operation |
Attacker IP Address | The top 5 IP addresses from which the most requests are initiated and the regions of the IP addresses. | Move the pointer over a data item and click Filter or Exclude to filter data. |
Protection URL | The top 5 request URLs that match protection rules most frequently. | |
Attack Source Areas | The top 5 regions from which the most attack requests are initiated. | |
Attack User-Agent Header | The top 5 User-Agent strings that are most frequently used in attack requests. | |
Protected Objects | The top 5 protected objects that match protection rules most frequently. | Move the pointer over a data item and click Filter or Exclude to filter data, or click View Protection Rule to view the configured protection rules for your protected object. |
Rules Matched | The IDs of the top 5 protection rules that are most frequently matched. Note: A request can match multiple protection rules. |
Logs
In the Logs section, you can view attack details including Attacker IP Address, Area, Protection Module, Attack Time, Host, Attack URL, Request Method, Request Parameter, Rule ID, and Actions. You can also click the icon in the upper-right corner to specify the columns that you want to display in the list.
Find an attack event in the list and click View Details in the Actions column. In the Attack Details panel, you can view more information about the attack event and protection rule.
If you confirm that an attack event is a false positive, click Ignore False Positive in the Actions column. In the dialog box that appears, configure parameters to create a whitelist rule and click OK.
Then, a protection template named AutoTemplate is created, and a protection rule of the whitelist module is created for the template. The origin of the protection rule is Custom.
A request can match multiple protection modules or protection rules. You can move your pointer over a value in the Rule ID column or click View Details in the Actions column to view the ID of a matched protection rule.
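The following added example (not part of the WAF documentation or product code) applies the Blocked Requests and Alerts definitions and the per-module match counting to a handful of constructed records, showing why the Attack Types total can exceed the number of requests. The record layout, rule IDs, IP addresses, and the `passed` flag are assumptions made for illustration, and each definition is applied independently because the page does not state how a request that matches both Block and Monitor rules is counted.

```python
from collections import Counter

# Verification actions listed on the page; failing one counts as a blocked request.
VERIFY_ACTIONS = {"JavaScript Validation", "Slider CAPTCHA",
                  "Strict Slider CAPTCHA Verification",
                  "Dynamic Token-based Authentication"}

def m(module, rule_id, action, passed=None):
    """Build one rule match (hypothetical layout, not a WAF log schema)."""
    return {"module": module, "rule_id": rule_id, "action": action, "passed": passed}

# Constructed sample: one entry per request, listing every rule it matched.
# Rule IDs, IPs and the "passed" flag are invented for this example.
SAMPLE = [
    ("198.51.100.7", [m("Core Protection Rule", "rule-1001", "Block"),
                      m("Custom Rule", "rule-2001", "Monitor")]),
    ("198.51.100.7", [m("Bot Management", "rule-4001", "Slider CAPTCHA", passed=False)]),
    ("203.0.113.9", [m("Bot Management", "rule-4001", "Slider CAPTCHA", passed=True)]),
    ("203.0.113.9", [m("Core Protection Rule", "rule-1001", "Monitor")]),
    ("198.51.100.7", [m("IP Address Blacklist", "rule-3001", "Block")]),
]

def is_blocked(matches):
    # Block action, or a verification action that the client failed.
    return any(x["action"] == "Block" or
               (x["action"] in VERIFY_ACTIONS and x["passed"] is False)
               for x in matches)

def is_alert(matches):
    # Matched a protection rule whose action is Monitor.
    return any(x["action"] == "Monitor" for x in matches)

def summarize(requests, top_n=5):
    module_hits, rule_hits, ip_hits = Counter(), Counter(), Counter()
    blocked = alerts = 0
    for ip, matches in requests:
        ip_hits[ip] += 1                      # Attacker IP Address: per request
        blocked += is_blocked(matches)
        alerts += is_alert(matches)
        for x in matches:                     # Attack Types: per rule match
            module_hits[x["module"]] += 1
            rule_hits[x["rule_id"]] += 1
    return {"requests": len(requests), "blocked": blocked, "alerts": alerts,
            "module_hits": dict(module_hits),
            "total_hits": sum(module_hits.values()),
            "top_rules": rule_hits.most_common(top_n),
            "top_ips": ip_hits.most_common(top_n)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

In this sample, five requests produce six rule matches, and the request that passed the slider CAPTCHA is counted as neither blocked nor an alert.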