
Web Application Firewall: Security reports

Last Updated: Apr 09, 2024

Web Application Firewall (WAF) provides security reports that include the protection details of all protection modules, such as the basic protection rule, the IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports.

Prerequisites

  • Web services are added to WAF 3.0 as protected objects. For more information, see Protected objects and protected object groups.

  • Protection rules are configured for protected objects.

    By default, the basic protection rule module is enabled. You do not need to configure basic protection rules. To enable other protection modules, you must configure protection rules for the modules. For more information, see Overview.

View security reports

When you log on to the WAF console, the interface that opens depends on the region in which your WAF instance is deployed. If your WAF instance is deployed in the Chinese mainland, you are directed to the interface in the China (Hangzhou) region. If your WAF instance is deployed outside the Chinese mainland, you are directed to the interface in the Singapore region.

On the Security Reports page, you can view the protection data and logs of resources that are added to WAF.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Security Operations > Security Reports.

  3. On the Security Reports page, specify the report type, the protected object, and the time range to query security report data.

    The following section describes the query settings:

    • Protected object: By default, All is selected and the security report data of all protected objects of WAF is queried. You can also query the security report data of a specific protected object.

    • Time range: By default, Today is selected and the security report data of the current day is queried. You can select Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Yesterday, Today, 7 Days, or 30 Days to query the security report data of the previous 15 minutes, previous 30 minutes, previous hour, previous 24 hours, previous day, current day, previous 7 days, or previous 30 days.

    • Template name: You can specify a bot management template to view the protection details of the template.

Basic protection rule module

On the Basic Protection Rule tab, you can view the protection details of the basic protection rule module. By default, the basic protection rule module is enabled. You can view the security report of the basic protection rule module on the Security Reports page. For information about how to modify the default settings of the basic protection rule module, see Basic protection rules and rule groups.

Section: Distribution of Attack Types
Description: Displays the distribution of attacks by type in a pie chart.
Supported operation: None

Section: Top 5 Attacker IP Addresses
Description: Displays the top five source IP addresses of attacks and the regions where the IP addresses are located. The IP addresses are listed in descending order of the number of attacks.
Supported operation: None

Section: Top 5 Attacker Areas
Description: Displays the top five areas from which the highest number of attacks are initiated. The areas are listed in descending order of the number of attacks.
Supported operation: None

Section: Protection details
Description: Displays information about the attacks that match basic protection rules in a list. The list includes the following information:

  • Attacker IP Address: the source IP address of the attack.

  • Area: the area where the attacker IP address is located.

  • Attack Time: the start time of the attack.

  • Attack Type: the type of the attack, such as SQL injection and code execution.

  • Attack URL: the URL of the attack.

  • Request Method: the method that is used to initiate the attack.

  • Request Parameter: the request parameters of the attack.

  • Action: the action that WAF performed on the attack. The action can be Block or Monitor. The Block action blocks the attack. The Monitor action records the request but does not block the attack.

  • Rule ID: the ID of the basic protection rule that is matched by the attack.

Supported operation:

  • Filter attack events

    You can use the following fields to filter attack events. You can specify the fields above the attack event list.

    • Protection type: Basic Protection Rule and Semantic-based protection are supported.

    • Attack type: By default, All is selected. Other valid values: SQL Injection, XSS Attack, Code Execution, Local File Inclusion, Remote File Inclusion, webshell, Custom Rule, and Others.

    • Attacker IP address: By default, this field is not specified.

    • Rule ID: By default, this field is not specified.

    • Rule action: By default, All is selected. Other valid values: Block and Monitor.

  • View attack details

    To view the details of an attack, find the attack in the attack list and click View Details in the Actions column. In the Attack Details panel, you can obtain information about the attack and the protection rule, such as Rule Name, Rule Description, Original Request Header, and Trace ID.

  • Manage attacks

    Find the attack that you want to manage in the attack list and click Ignore False Positive in the Actions column. In the Create Rule dialog box, specify a rule name and click OK.

    A rule template named AutoTemplate is created, and a whitelist rule is created for the template. The origin of the whitelist rule is Custom. For more information, see Configure whitelist rules to allow specific requests.
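The aggregations behind this report, recomputed offline as an added example (not code from the WAF documentation or product). The event records are constructed, and the key names and rule IDs are assumptions that mirror the Protection details columns, not a WAF export or API schema.

```python
from collections import Counter, defaultdict

# Assumed key names, modelled on the Protection details columns.
FIELDS = ("attacker_ip", "area", "attack_type", "action", "rule_id")

# Constructed sample events (documentation IP ranges, placeholder rule IDs).
EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("203.0.113.10", "Area A", "SQL Injection", "Block", "R-1001"),
    ("203.0.113.10", "Area A", "SQL Injection", "Block", "R-1001"),
    ("203.0.113.10", "Area A", "XSS Attack", "Monitor", "R-2002"),
    ("198.51.100.7", "Area B", "XSS Attack", "Monitor", "R-2002"),
    ("198.51.100.7", "Area B", "Code Execution", "Block", "R-3003"),
    ("192.0.2.55", "Area A", "SQL Injection", "Monitor", "R-1001"),
    ("198.51.100.7", "Area B", "Local File Inclusion", "Monitor", "R-4004"),
    ("203.0.113.10", "Area A", "SQL Injection", "Block", "R-1001"),
]]


def summarize(events, top_n=5):
    """Rebuild the report sections from individual attack events."""
    by_type = Counter(e["attack_type"] for e in events)
    by_ip = Counter((e["attacker_ip"], e["area"]) for e in events)
    by_area = Counter(e["area"] for e in events)

    # Track which actions each rule produced, to separate Block from Monitor hits.
    actions_by_rule = defaultdict(Counter)
    for e in events:
        actions_by_rule[e["rule_id"]][e["action"]] += 1

    total = len(events)
    return {
        # Distribution of Attack Types, as a percentage of all events.
        "type_share": {t: round(100 * n / total, 1) for t, n in by_type.items()},
        # Top 5 Attacker IP Addresses and Top 5 Attacker Areas, descending by count.
        "top_ips": by_ip.most_common(top_n),
        "top_areas": by_area.most_common(top_n),
        # Rules that matched only in Monitor mode: the requests were recorded,
        # not blocked, so these rules deserve a review of their action setting.
        "monitor_only_rules": sorted(
            rule for rule, acts in actions_by_rule.items()
            if acts["Monitor"] > 0 and acts["Block"] == 0
        ),
    }


if __name__ == "__main__":
    for section, value in summarize(EVENTS).items():
        print(section, value)
```

The monitor_only_rules list is the part the console charts do not show directly: it separates rules that are alerting without blocking from rules that block at least some matching requests.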

IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules

On the Security Reports page, you can view protection details on the IP Address Blacklist, Custom Rule, Scan Protection, HTTP Flood Protection, or Region Blacklist tab.

Section: Protection Overview
Description: Displays the trends of Total QPS, Alerts, and Blocked Requests for a protected object within a specific time range in a line chart. Total QPS indicates the total number of requests that are received by a protected object. Alerts indicates the number of requests that match protection rules in Monitor mode. Blocked Requests indicates the number of requests that are blocked by protection rules.
Supported operation: Move the pointer over a point in the line chart to view the data at a specific point in time.

Section: Top 10 Rules
Description: Displays information about the top 10 protection rules that are most frequently matched in a specific time range. The information includes Rule Name/ID, Protected Objects, and Hits. The rules are listed in descending order of the number of matches.
Supported operation: Click the copy icon in the Rule Name/ID column to copy the name or ID of a rule.

Section: Protection Details
Description: Displays the protection statistics on the protection module within a specific time range.

  • Top 10 Protected Websites: displays the top 10 protected objects that match protection rules. The protected objects are listed in descending order of the number of matches.

  • Top 10 IP Addresses: displays the top 10 source IP addresses that match protection rules. The IP addresses are listed in descending order of the number of matches.

Supported operation: Click the Top 10 Protected Objects or Top 10 IP Addresses tab to view the data.

Bot management module

On the Bot Management tab of the Security Reports page, you can view the protection details of the bot management module.

Section: Protection Overview
Description: Displays the protection details of the bot management module in a specific time range in a line chart. The protection details include the actions that are performed on requests and the rules that are matched.
Supported operation:

  • Click a specific action or rule to show or hide the line chart.

  • Move the pointer over a point in the line chart to view data at a specific point in time.

Section: Matched Rules
Description: Displays the IDs of configured bot management rules, the rule templates to which the rules belong, and the number of times that rules in Monitor mode are matched.
Supported operation: None

Section: Top 20 IP Addresses
Description: Displays the top 20 source IP addresses of attacks and the number of attacks that are initiated from the IP addresses. The attacks include blocked attacks, attacks on which JavaScript validation is performed, attacks that passed JavaScript validation, attacks on which slider CAPTCHA verification is performed, and attacks that passed slider CAPTCHA verification.
Supported operation: None

Section: Attack Details
Description: Displays information about the IP addresses that match bot management rules in a specific time range. The information includes the attacker IP address, area where the attacker IP address is located, attack URL, details of the rule template that is matched, and number of requests. The details of the rule template that is matched include the template name, rule ID, rule name, and action that is specified in the rule.
Supported operation: Find the IP address whose attack details you want to view and click Add to Whitelist or Add to Blacklist in the Actions column.

A rule template named AutoTemplate is created, and a whitelist rule or IP address blacklist rule is created for the template. For more information, see Configure whitelist rules to allow specific requests and Configure IP address blacklist rules to block specific requests.

Data leakage prevention module

On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the data leakage prevention module.

  • You can view the match details of data leakage prevention rules that are configured for a protected object within a specific time range. The details include Attacker IP Address, Area, Attack Time, Attack Type, Attack URL, Request Method, Request Parameter, and Action.

  • If you want to view the protection details of an attacker IP address, find the IP address and click View Details in the Actions column. In the Attack Details panel, you can view the protection details.