WAF 3.0 provides security reports that include the protection results of all protection modules. The protection modules include the basic protection rule, IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports.

Prerequisites

  • Web services are added as protected objects in WAF 3.0. For more information, see Manage protected objects.
  • Protection rules are configured for protected objects.

    By default, the basic protection rule module is enabled. You do not need to configure basic protection rules. However, you must manually configure protection rules for other protection modules to take effect. For more information, see Protection configuration overview.

View security reports

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Security Operations > Security Reports.
  3. On the Security Reports page, specify the report type, protected object, and time range to query the security report data. You can click a protection module tab, such as Basic Protection Rule, IP Address Blacklist, Custom Rule, or Scan Protection, to view the security report of that protection module.
    Description of query settings:
    • Protected object: By default, All is selected and the security data of all protected objects in WAF is queried. You can select a specific protected object.
    • Time range: By default, Today is selected and the security data of the current day is queried. You can use one of the following methods to change the time range:
      • Click Yesterday, Today, 7 Days, or 30 Days to query the data of the previous day, the current day, the previous 7 days, or the previous 30 days.
      • Click the date and time picker and specify the start time and end time to query data within the last 30 days.

Basic protection rule module

On the Basic Protection Rule tab of the Security Reports page, you can view the protection details of the basic protection rule module. By default, the basic protection rule module is enabled. You can directly view the security report. For more information about how to modify the default settings of the basic protection rule module, see Configure the basic protection rule module.

The following table describes the security report of the basic protection rule module.

Table: Basic protection rule

Category: Attack statistical analysis (marked with 1 in the preceding figure)
Description: Displays the statistical analysis results of attack requests that are received by protected objects within a specified time range.
  • Distribution of Attack Types: displays the breakdown of attacks by type in a pie chart.
  • Top 5 Attacker IP Addresses: displays the top five IP addresses from which the most attack requests are sent and the areas to which the IP addresses belong. The IP addresses are listed in descending order by the number of attacks.
  • Top 5 Attacker Areas: displays the top five areas from which the most attack requests are sent. The areas are listed in descending order by the number of attacks.
Supported operation: None.

Category: Attack event records (marked with 2 in the preceding figure)
Description: Displays information about the attack requests that match basic protection rules in a list. The list includes the following information:
  • Attacker IP Address: the IP address from which the attack request is sent.
  • Area: the area to which the attacker IP address belongs.
  • Attack Time: the start time of the attack.
  • Attack Type: the type of the attack, such as SQL injection and code execution.
  • Attack URL: the URL of the attack request.
  • Request Method: the HTTP method of the attack request.
  • Request Parameter: the parameters of the attack request.
  • Action: the action that WAF performed on the attack request. The action can be Block or Monitor. The Block action blocks the request. The Monitor action records the request but does not block the request.
  • Rule ID: the ID of the basic protection rule that is matched by the attack request.
Supported operation:
  • Filter attack events
    In the upper part of the attack event list, you can use the following fields to filter attack events:
    • Protection type: Only Basic Protection Rule is supported.
    • Attack type: By default, All is selected. Other valid values: SQL Injection, XSS Attack, Code Execution, Local File Inclusion, Remote File Inclusion, webshell, Custom Rule, and Others.
    • Attacker IP Address: By default, this field is not used.
    • Rule ID: By default, this field is not used.
    • Rule action: By default, All is selected. Other valid values: Block and Monitor.
  • View attack details
    To view the details of an attack event, find the attack event and click View Details in the Actions column to go to the Attack Details panel. In the Attack Details panel, you can obtain more information about the attack event and protection rule, such as Rule Name, Rule Description, Original Request Header, and Trace ID.
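
The statistics and filters described for the basic protection rule report, reproduced over a few constructed attack event records. This is an added example, not part of the WAF product or its documentation. The dict keys, rule IDs, and area names are assumptions, because the page does not define an export format. The last function lists rules whose matches were only ever recorded in Monitor mode, which are the ones to review before relying on them to block.

```python
from collections import Counter

# Constructed sample records. Keys mirror the attack event list columns; the dict
# layout, rule IDs and area names are assumptions (no export format is documented).
def _ev(ip, area, attack_type, action, rule_id):
    return {"attacker_ip": ip, "area": area, "attack_type": attack_type,
            "action": action, "rule_id": rule_id}

EVENTS = [
    _ev("203.0.113.10", "Area-A", "SQL Injection", "Block", "R-1001"),
    _ev("203.0.113.10", "Area-A", "SQL Injection", "Block", "R-1001"),
    _ev("203.0.113.10", "Area-A", "XSS Attack", "Monitor", "R-2002"),
    _ev("198.51.100.7", "Area-B", "Code Execution", "Block", "R-3003"),
    _ev("198.51.100.7", "Area-B", "XSS Attack", "Monitor", "R-2002"),
    _ev("192.0.2.44", "Area-A", "SQL Injection", "Block", "R-1001"),
]

def filter_events(events, attack_type="All", attacker_ip=None, rule_id=None, action="All"):
    """Apply the list filters; "All" or None means the field is not used."""
    wanted = {"attack_type": None if attack_type == "All" else attack_type,
              "attacker_ip": attacker_ip, "rule_id": rule_id,
              "action": None if action == "All" else action}
    return [e for e in events
            if all(v is None or e[k] == v for k, v in wanted.items())]

def top_n(events, field, n=5):
    """Values of `field` in descending order by number of attack events."""
    return Counter(e[field] for e in events).most_common(n)

def type_distribution(events):
    """Fraction of events per attack type (the data behind the pie chart)."""
    counts = Counter(e["attack_type"] for e in events)
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()}

def monitor_only_rules(events):
    """Rule IDs whose matches were only recorded (Monitor) and never blocked."""
    actions = {}
    for e in events:
        actions.setdefault(e["rule_id"], set()).add(e["action"])
    return sorted(r for r, seen in actions.items() if seen == {"Monitor"})

if __name__ == "__main__":
    print(top_n(EVENTS, "attacker_ip"))
    print(type_distribution(EVENTS))
    print(monitor_only_rules(EVENTS))
```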

IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules

On the Security Reports page, you can view the protection details on the IP Address Blacklist, Custom Rule, Scan Protection, HTTP Flood Protection, or Region Blacklist tab.

Category: Protection Overview
Description: Displays the trends of Total QPS, Alerts, and Blocked Requests of a protected object within a specified time range in a line chart. Total QPS indicates the total number of requests that are received by the protected object. Alerts indicates the number of requests that match protection rules in Monitor mode. Blocked Requests indicates the number of requests that are blocked by protection rules.
Supported operation: Move the pointer over a point in the line chart to view the data at that point in time.

Category: Top 10 Rules
Description: Displays the information about the top 10 protection rules that are most frequently matched in a specified time range. The information includes Rule Name/ID, Protected Objects, and Hits. The rules are listed in descending order by the number of matches.
Supported operation: Click the copy icon in the Rule Name/ID column to copy the name or ID of a rule.

Category: Protection Details
Description: Displays the statistics of the protection results of the protection module in a specified time range.
  • Top 10 Protected Objects: displays the top 10 protected objects that match protection rules the most frequently. The protected objects are listed in descending order by the number of matches.
  • Top 10 IP Addresses: displays the top 10 source IP addresses that match protection rules the most frequently. The IP addresses are listed in descending order by the number of matches.
Supported operation: Click the Top 10 Protected Objects or Top 10 IP Addresses tab to view the data.

Bot management module

On the Bot Management tab of the Security Reports page, you can view the protection details of the bot management module.

Category: Protection Effect Overview
Description: Displays the trends of Total Requests, Bot Traffic, and Blocked Requests of a protected object within a specified time range in a line chart. Total Requests indicates the total number of requests that are received by the protected object. Bot Traffic indicates the number of requests that are detected by the bot management module. Blocked Requests indicates the number of requests that are blocked by the bot management module.
Supported operation: Move the pointer over a point in the line chart to view the data at that point in time.

Category: Scenario-specific Protection Effect
Description:
  • Bot Traffic Identified: the number of requests that are identified as bots based on multi-dimensional traffic characteristics. This value is used to evaluate the protection effects of the current protection rule. If the number of blocked requests is much smaller than the number of requests that are identified as bots, you must modify the current protection rule to improve the protection effects. If the number of blocked requests is close to the number of requests that are identified as bots, the protection effects are considered satisfactory.
  • Requests Detected in Monitor Mode: the number of requests that trigger the protection rules in Monitor mode. If you set the protection mode to Block, the requests are blocked or the clients are required to pass challenge-response tests such as the slider CAPTCHA.
Supported operation: None.

Category: Match Details
Description: Displays the match details of the bot management protection rules configured for a protected object within a specified time range, including Rule ID, Protection Scenario and Module, Rule Name, and Matches (including Those in Monitor Mode).
Supported operation: None.

Data leakage prevention module

On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the data leakage prevention module.

  • The tab displays the match details of data leakage prevention rules configured for a protected object within a specified time range, including Attacker IP Address, Area, Attack Time, Attack Type, Attack URL, Request Method, Request Parameter, and Action.
  • To view the protection details of an attacker IP address, find the attacker IP address and click View Details in the Actions column. In the Attack Details panel, you can view the protection details.