Web Application Firewall (WAF) provides security reports for the domain names that you add to WAF. The security reports contain the protection results from all protection modules. The protection modules include web security, bot management, and access control and throttling. You can analyze the security of your business based on the security reports.
Prerequisites
- Your website is added to WAF. For more information, see Tutorials.
- Your websites are protected by WAF.
By default, the Protection Rules Engine and HTTP Flood Protection features are enabled after you add a domain name to WAF. You must manually enable the other features. For more information, see Overview.
Go to the Security Report page
- Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
- In the left-side navigation pane, choose .
- On the Security Report page, view security reports on the following tabs: Web Security, Bot Management, and Access Control/Throttling. For more information about the security reports, see the following topics:
View security reports on the Web Security tab
- Web Intrusion Prevention: displays all web application attacks that are blocked by WAF. This tab consists of two sections: attack chart and attack event. In the following figure, Section 1 shows the attack charts and Section 2 shows the attack events.
- The attack chart section displays Attack Type Distribution, Top 5 Attack IP Addresses, and Top 5 Attack Regions.
In the upper part of the attack chart section, you can specify a domain name and a time period to search for protection results.
- The attack event section displays the following information: Attack IP, Region, Time Attacked, Attack Type, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability.
In the upper part of the attack event section, you can configure the following fields to search for protection results: protection module, attack type, attack IP address, rule ID, and protection action.
You can perform the following operations on an attack event:
- Find the attack event and click View Details in the Actions column to go to the Attack Detail panel.
- If you confirm that the attack event is a normal request, click Ignore False Positives in the Actions column of the attack event.
After you click Ignore False Positives, WAF generates a whitelist rule for web intrusion prevention based on the characteristics of the attack event. Then, web intrusion prevention does not detect requests that have the same characteristics. In the Create Rule dialog box, configure the Rule Name parameter for the whitelist rule and click Save.
Note: In rare cases, a request is blocked because multiple protection rules are triggered at the same time. However, the whitelist rule that is generated after you click Ignore False Positives allows requests with the same characteristics to skip only a specific protection rule. In this case, you can manually reconfigure the IDs of Specific Rules parameter in the whitelist rule and add the IDs of the other protection rules that you want to skip. You also need to contact customer service in the DingTalk group or submit a ticket to report the false positive.
After the whitelist rule is created, the whitelist rule is automatically enabled. You can query, edit, and delete existing rules on the Web Intrusion Prevention - Whitelisting page. For more information, see Configure a whitelist for web intrusion prevention.
For more information about how to configure web intrusion prevention, see Configure the protection rules engine feature.
- Data Leakage Prevention: displays the web requests that trigger rules of data leak prevention. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability. You can search for protection results based on a domain name and a time period.
You can find a web request and click View Details in the Actions column to go to the Attack Detail panel.
For more information about how to configure data leak prevention, see Configure data leakage prevention.
- Account Security: displays the risk events that occur at a specific endpoint. The endpoint is configured in account security. The following information is displayed: Domain, Endpoint, Malicious Requests Occurred During, Blocked Requests/Total Requests, and Alert Triggered By. You can search for protection results based on a domain name, an endpoint, and a time period.
For more information about how to configure account security, see Configure account security.
- Positive Security Model: displays web application attacks that trigger protection rules. The protection rules are automatically generated by the positive security model. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Rule Action, Rule ID, and Attack Probability. You can search for protection results based on a domain name and a time period.
You can find a web application attack and click View Details in the Actions column to go to the Attack Detail panel.
For more information about how to configure the positive security model, see Configure the positive security model.
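The following Python is an added example, not part of this documentation and not WAF's own implementation. It models the Web Intrusion Prevention report over a constructed set of attack events: it derives the three attack charts (Attack Type Distribution, Top 5 Attack IP Addresses, Top 5 Attack Regions) from the attack-event fields listed above, then reproduces the caveat from the note on Ignore False Positives, where a request that triggered more than one protection rule stays blocked until every triggering rule ID is added to the whitelist rule. The event shape, the `triggered_rule_ids` field, the rule IDs, the IP addresses and the matching logic are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackEvent:
    """One row of the attack event table (field names follow the report columns)."""
    attack_ip: str
    region: str
    attack_type: str
    attacked_url: str
    method: str
    parameter: str
    rule_action: str            # "block" or "monitor"
    rule_id: int                # the Rule ID shown in the table
    triggered_rule_ids: tuple   # assumption: every rule the request triggered, rule_id included


# Constructed sample events; IPs are from documentation ranges, rule IDs are made up.
EVENTS = [
    AttackEvent("203.0.113.10", "US", "SQL Injection", "/search", "GET", "q", "block", 100001, (100001,)),
    AttackEvent("203.0.113.10", "US", "SQL Injection", "/search", "GET", "q", "block", 100001, (100001,)),
    AttackEvent("198.51.100.7", "DE", "XSS", "/comment", "POST", "body", "block", 200002, (200002,)),
    # A legitimate request that tripped two rules at once (the case the note describes).
    AttackEvent("192.0.2.33", "CN", "Code Execution", "/api/run", "POST", "cmd", "block", 300003, (300003, 300004)),
    AttackEvent("198.51.100.8", "DE", "XSS", "/comment", "POST", "body", "block", 200002, (200002,)),
]


def attack_type_distribution(events):
    """Attack Type Distribution chart: count of events per attack type."""
    return dict(Counter(e.attack_type for e in events))


def top_n(events, field_name, n=5):
    """Top N chart for a field such as 'attack_ip' or 'region'; ties keep first-seen order."""
    return Counter(getattr(e, field_name) for e in events).most_common(n)


@dataclass
class WhitelistRule:
    """A whitelist rule for web intrusion prevention (simplified model)."""
    name: str
    attacked_url: str
    parameter: str
    skip_rule_ids: frozenset    # the "IDs of Specific Rules" parameter

    def matches(self, event):
        # Assumption: the rule keys on the URL and parameter of the original event.
        return event.attacked_url == self.attacked_url and event.parameter == self.parameter


def whitelist_from_event(name, event):
    """Model of Ignore False Positives: skip only the rule ID shown for the event."""
    return WhitelistRule(name, event.attacked_url, event.parameter, frozenset({event.rule_id}))


def effective_action(event, whitelist):
    """Outcome after whitelisting: allowed only if no triggering rule remains unskipped."""
    remaining = set(event.triggered_rule_ids)
    for rule in whitelist:
        if rule.matches(event):
            remaining -= rule.skip_rule_ids
    return "allow" if not remaining else event.rule_action


def widen_whitelist(rule, extra_rule_ids):
    """Manual follow-up from the note: add the other triggered rule IDs to the whitelist rule."""
    return WhitelistRule(rule.name, rule.attacked_url, rule.parameter,
                         rule.skip_rule_ids | frozenset(extra_rule_ids))


if __name__ == "__main__":
    print(attack_type_distribution(EVENTS))
    print(top_n(EVENTS, "attack_ip"))
    print(top_n(EVENTS, "region"))
    fp = EVENTS[3]
    rule = whitelist_from_event("ignore-api-run", fp)
    print(effective_action(fp, [rule]))      # still blocked: rule 300004 was not skipped
    rule = widen_whitelist(rule, fp.triggered_rule_ids)
    print(effective_action(fp, [rule]))      # allowed once every triggering rule is listed
```

The point of the last two calls is the one the note makes: the auto-generated rule skips only the single Rule ID displayed for the event, so an event that triggered two rules keeps being blocked until the remaining IDs are added under IDs of Specific Rules. The whitelist also does not touch the other events, which hit a different URL and parameter.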
View security reports on the Bot Management tab
- The Bot Management tab consists of Overview of Protection Effects, Scenario-specific Protection Effect, and Rule Match Details. Overview of Protection Effects displays the trends in the total number of requests, the number of requests that are identified as crawler requests, and the number of crawler requests that trigger different protection rules.
- Bot Requests indicates the number of requests that are identified as crawler requests based on multi-dimensional traffic characteristics. Compare it with the number of blocked requests to assess the protective effects of anti-crawler rules. If the number of blocked requests is much smaller than the number of requests that are identified as crawler requests, you must modify the anti-crawler rules to improve the protective effects. If the number of blocked requests is close to the number of requests that are identified as crawler requests, the protective effects are considered satisfactory.
- Requests Detected in Monitoring Mode indicates the number of requests that match anti-crawler rules in Monitor mode. If you set the protection mode to Block, the requests are blocked or the clients are required to pass slider CAPTCHA verification.
- Blocked Requests indicates the number of requests that match anti-crawler rules in Block mode.
View security reports on the Access Control/Throttling tab
- HTTP Flood Protection: displays the trend of HTTP flood protection. The following information is displayed: Total QPS, Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit. This tab also displays No. of matches for different rule types. The rule types include Alerts on Custom Rule Hit, Blocking on Custom Rule Hit, and Blocking on System Rule Hit.
You can click the value of No. of matches for a rule type to go to the Log Service page. On the Log Service page, the system provides the log query statements that are related to HTTP flood protection. This facilitates log queries. For more information, see Query logs.
For more information about how to configure HTTP flood protection, see Configure HTTP flood protection.
For more information about how to customize HTTP flood protection rules, see Create a custom protection policy.
- Scan Protection: displays the trend of scan protection. The following information is displayed: Total QPS, Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking. This tab also displays No. of matches for different rule types. The rule types include Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking.
You can click the value of No. of matches for a rule type to go to the Log Service page. On the Log Service page, the system provides the log query statements related to scan protection. This facilitates log queries. For more information, see Query logs.
For more information about how to configure scan protection, see Configure scan protection.
- Access Control: displays the trend of access control. The following information is displayed: Total QPS, Blocking by ACL Policy, Alerts by ACL Policy, and Blocking by Blacklisting. This tab also displays the number of times that custom rules are matched.
You can click the ID of a custom rule. In the Edit Rule dialog box, you can view and modify the configuration of this custom rule. For more information, see Create a custom protection policy.
You can click the value of No. of matches for a custom rule to go to the Log Service page. On the Log Service page, the system provides the log query statements related to access control. This facilitates log queries. For more information, see Query logs.
For more information about how to configure access control, see Create a custom protection policy.
For more information about how to configure an IP address blacklist, see Configure a blacklist.