Web Application Firewall (WAF) provides security reports that include the protection details of all protection modules, such as the basic protection rule, IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports.

Prerequisites

  • Web services are added to WAF 3.0 as protected objects. For more information, see Protected objects and protected object groups.
  • Protection rules are configured for protected objects.

    By default, the basic protection rule module is enabled. You do not need to configure basic protection rules. However, you must configure protection rules for other protection modules to take effect. For more information, see Protection configuration overview.

View security reports

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.
  2. In the left-side navigation pane, choose Security Operations > Security Reports.
  3. On the Security Reports page, specify the report type, protected object, and time range to query security report data. You can click a protection module tab such as Basic Protection Rule, IP Address Blacklist, Custom Rule, and Scan Protection to view the security reports of a protection module.
    The following list describes the query settings:
    • Protected object: By default, All is selected and security report data of all protected objects of WAF is queried. You can select a specific protected object.
    • Time range: By default, Today is selected and security report data of the current day is queried. Select Yesterday, Today, 7 Days, or 30 Days to query data of the previous day, current day, previous seven days, or previous 30 days.
    • Template name: You can specify a bot management template to view the protection details of the template.

Basic protection rule module

On the Basic Protection Rule tab, you can view the protection details of the basic protection rule module. By default, the basic protection rule module is enabled. You can view the security report of the basic protection rule module on the Security Reports page. For information about how to modify the default settings of the basic protection rule module, see Configure basic protection rules and rule groups.

Section: Distribution of Attack Types
Description: Displays the distribution of attacks by type in a pie chart.
Supported operation: None

Section: Top 5 Attacker IP Addresses
Description: Displays the top five IP addresses from which the highest number of attacks are initiated and the regions where the IP addresses are located. The IP addresses are listed in descending order by the number of attacks.
Supported operation: None

Section: Top 5 Attacker Areas
Description: Displays the top five areas from which the highest number of attacks are initiated. The areas are listed in descending order by the number of attacks.
Supported operation: None

Section: Protection Details
Description: Displays information about the attacks that match basic protection rules in a list. The list includes the following information:
  • Attacker IP Address: the IP address from which the attack request is sent.
  • Area: the area where the attacker IP address is located.
  • Attack Time: the start time of the attack.
  • Attack Type: the type of attack, such as SQL injection and code execution.
  • Attack URL: the URL of the attack.
  • Request Method: the method that is used to initiate the attack.
  • Request Parameter: the request parameters of the attack.
  • Action: the action that WAF performed on the attack. The action can be Block or Monitor. The Block action blocks the attack. The Monitor action records the request but does not block the attack.
  • Rule ID: the ID of the basic protection rule that is matched by the attack.
Supported operations:
  • Filter attack events

    You can use the following fields to filter attack events. You can specify the fields above the attack event list.
    • Protection type: Basic Protection Rule and Semantic-based protection are supported.
    • Attack type: By default, All is selected. Other valid values: SQL Injection, XSS Attack, Code Execution, Local File Inclusion, Remote File Inclusion, webshell, Custom Rule, and Others.
    • Attacker IP Address: By default, this field is not specified.
    • Rule ID: By default, this field is not specified.
    • Rule action: By default, All is selected. Other valid values: Block and Monitor.

  • View attack details

    To view the details of an attack event, find the attack event in the attack event list and click View Details in the Actions column. In the Attack Details panel, you can obtain more information about the attack event and the protection rule, such as Rule Name, Rule Description, Original Request Header, and Trace ID.

  • Manage attack events

    Find the attack event that you want to manage and click Ignore False Positive in the Actions column. In the Create Rule dialog box, specify a rule name and click OK.

    A rule template named AutoTemplate is created and a whitelist rule is created for the template. The origin of the whitelist rule is Custom. For more information, see Configure whitelist rules to allow specific requests.
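
Because the Monitor action records a request without blocking it, Monitor rows in Protection Details are the ones to review before a rule is switched to Block or an event is handled with Ignore False Positive. The following Python is an added example, not part of WAF or its documentation: it assumes the Protection Details rows have been transcribed into dictionaries with hypothetical key names, and the sample rows and rule IDs are constructed.

```python
from collections import defaultdict

# Constructed sample rows (not real WAF output). Key names are assumptions that
# mirror the Protection Details columns: Attacker IP Address, Attack Type,
# Attack URL, Action, Rule ID.
EVENTS = [
    {"ip": "203.0.113.10", "type": "SQL Injection", "url": "/login", "action": "Block", "rule_id": "RULE-A"},
    {"ip": "203.0.113.10", "type": "XSS Attack", "url": "/search", "action": "Monitor", "rule_id": "RULE-B"},
    {"ip": "203.0.113.10", "type": "XSS Attack", "url": "/search", "action": "Monitor", "rule_id": "RULE-B"},
    {"ip": "198.51.100.7", "type": "XSS Attack", "url": "/comment", "action": "Monitor", "rule_id": "RULE-B"},
    {"ip": "198.51.100.8", "type": "Code Execution", "url": "/api/report", "action": "Monitor", "rule_id": "RULE-C"},
    {"ip": "198.51.100.9", "type": "Code Execution", "url": "/api/report", "action": "Monitor", "rule_id": "RULE-C"},
]


def monitor_review(events):
    """Summarise requests that were recorded but not blocked, per rule ID."""
    # Sources that at least one rule in Block mode already stopped.
    blocked_ips = {e["ip"] for e in events if e["action"] == "Block"}
    rules = defaultdict(lambda: {"hits": 0, "ips": set(), "urls": set(), "types": set()})
    for e in events:
        if e["action"] != "Monitor":
            continue
        r = rules[e["rule_id"]]
        r["hits"] += 1
        r["ips"].add(e["ip"])
        r["urls"].add(e["url"])
        r["types"].add(e["type"])
    report = []
    for rule_id, r in rules.items():
        report.append({
            "rule_id": rule_id,
            "hits": r["hits"],
            "types": sorted(r["types"]),
            "urls": sorted(r["urls"]),
            # Assumed heuristic: a source that another rule already blocked
            # makes its Monitor hits more likely to be real attacks.
            "ips_also_blocked": sorted(r["ips"] & blocked_ips),
            "ips_monitor_only": sorted(r["ips"] - blocked_ips),
        })
    # Most-hit rules first; the rule ID breaks ties so the order is stable.
    return sorted(report, key=lambda x: (-x["hits"], x["rule_id"]))


if __name__ == "__main__":
    for row in monitor_review(EVENTS):
        print(row)
```

Rules whose Monitor hits come only from sources that no other rule blocked, concentrated on a single URL, are the first candidates to inspect with View Details before deciding between a whitelist rule and the Block action.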

IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules

On the Security Reports page, you can view the protection details on the IP Address Blacklist, Custom Rule, Scan Protection, HTTP Flood Protection, or Region Blacklist tab.

Section: Protection Overview
Description: Displays the trends of Total QPS, Alerts, and Blocked Requests of a protected object within a specific time range in a line chart. Total QPS indicates the total number of requests that are received by a protected object. Alerts indicates the number of requests that match protection rules in Monitor mode. Blocked Requests indicates the number of requests that are blocked by protection rules.
Supported operation: Move the pointer over a point in the line chart to view the data at a specific point in time.

Section: Top 10 Rules
Description: Displays the information about the top 10 protection rules that are most frequently matched in a specific time range. The information includes Rule Name/ID, Protected Objects, and Hits. The rules are listed in descending order by the number of matches.
Supported operation: Click the Copy icon in the Rule Name/ID column to copy the name or ID of a rule.

Section: Protection Details
Description: Displays the statistics of the protection details of the protection module in a specific time range.
  • Top 10 Protected Websites: displays the top 10 protected objects that match protection rules the highest number of times. The protected objects are listed in descending order by the number of matches.
  • Top 10 IP Addresses: displays the top 10 source IP addresses that match protection rules the highest number of times. The IP addresses are listed in descending order by the number of matches.
Supported operation: Click the Top 10 Protected Objects or Top 10 IP Addresses tab to view the data.

Bot management module

On the Bot Management tab of the Security Reports page, you can view the protection details of the bot management module.

Section: Protection Overview
Description: Displays the protection details of the bot management module in a specific time range in a line chart. The protection details include the actions that are performed on requests and the rules that are matched.
Supported operations:
  • Click a specific action or rule to show or hide the line chart.
  • Move the pointer over a point in the line chart to view data at a specific point in time.

Section: Matched Rules
Description: Displays the IDs of configured bot management rules, the rule templates to which the rules belong, and the number of times that rules in Monitor mode are matched.
Supported operation: None

Section: Top 20 IP Addresses
Description: Displays the top 20 IP addresses from which attacks are initiated and the number of attacks that are initiated from the IP addresses. The attacks include blocked attacks, attacks on which JavaScript validation is performed, attacks that passed JavaScript validation, attacks on which slider CAPTCHA verification is performed, and attacks that passed slider CAPTCHA verification.
Supported operation: None

Section: Attack Details
Description: Displays information about the IP addresses that match bot management rules in a specific time range. The information includes the attacker IP address, area where the attacker IP address is located, attack URL, details of the rule template that is matched, and number of requests. The details of the rule template that is matched include the template name, rule ID, rule name, and the action that is specified in the rule.
Supported operation: Find the IP address whose attack details you want to view and click Add to Whitelist or Add to Blacklist in the Actions column.

  A rule template named AutoTemplate is created and a whitelist rule or IP address blacklist rule is created for the template. For more information, see Configure whitelist rules to allow specific requests and Configure IP address blacklist rules to block specific requests.

Data leakage prevention module

On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the data leakage prevention module.

  • The tab displays the match details of data leakage prevention rules that are configured for a protected object within a specific time range, including Attacker IP Address, Area, Attack Time, Attack Type, Attack URL, Request Method, Request Parameter, and Action.
  • To view the protection details of an attacker IP address, find the IP address and click View Details in the Actions column. In the Attack Details panel, you can view the protection details.