Web Application Firewall: View security reports

Last Updated: Jan 03, 2024

Web Application Firewall (WAF) provides security reports that contain the protection details of protection modules. The protection modules include web security, bot management, and access control and throttling. You can analyze the security of your business based on the security reports.

Prerequisites

  • Your website is added to WAF. For more information, see Tutorial.

  • WAF protection is enabled.

    By default, the Protection Rules Engine and HTTP Flood Protection features are enabled after you add a domain name to WAF. You must manually enable the other features. For more information, see Overview.

View security reports

When you log on to the WAF console, you are directed to an interface based on the region in which your WAF instance is deployed. If your WAF instance is deployed in the Chinese mainland, you are directed to the interface in the China (Hangzhou) region. If your WAF instance is deployed outside the Chinese mainland, you are directed to the interface in the Singapore region.

On the Security Reports page, you can view the protection data and logs of resources that are added to WAF.

  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Security Operations > Security Report.

  3. On the Security Report page, you can view security reports on the following tabs: Web Security, Bot Management, and Access Control/Throttling.

View security reports on the Web Security tab

The Web Security tab displays the protection details of the following features: Web Intrusion Prevention, Data Leakage Prevention, Account Security, and Positive Security Model. You can click the tab of a feature to view the protection details of the feature.

  • Web Intrusion Prevention: displays all web application attacks that are blocked by WAF. This tab consists of two sections: attack chart and attack event. In the following figure, Section 1 shows the attack charts and Section 2 shows the attack events. [Figure: Web application attacks]

    • The attack chart section displays Attack Type Distribution, Top 5 Attack IP Addresses, and Top 5 Attack Regions.

      In the upper part of the attack chart section, you can specify a domain name and a time range to search for protection details.

    • The attack event section displays the following information: Attack IP, Region, Time Attacked, Attack Type, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability.

      In the upper part of the attack event section, you can configure the following fields to search for protection details: protection module, attack type, attack IP address, rule ID, and protection action.

      You can perform the following operations on an attack event:

      • View attack details: Find the attack event whose details you want to view and click View Details in the Actions column.

      • Ignore false positives: If you confirm that the attack event is a normal request, click Ignore False Positives in the Actions column of the attack event.

        After you click Ignore False Positives, WAF generates a whitelist rule for web intrusion prevention based on the characteristics of the attack event. Then, web intrusion prevention does not detect requests that have the same characteristics. In the Create Rule dialog box, configure the Rule Name parameter for the whitelist rule and click Save.

        Note

        In rare cases, a request is blocked because multiple protection rules are triggered at the same time. However, the whitelist rule that is generated after you click Ignore False Positives allows requests that have the same characteristics to skip only a specific protection rule. In this case, you can manually reconfigure the IDs of the Specific Rules parameter in the whitelist rule and add the IDs of the other protection rules that you want to skip.

        After the whitelist rule is created, the whitelist rule is automatically enabled. You can query, modify, and delete existing rules on the Web Intrusion Prevention - Whitelisting page. For more information, see Configure a whitelist for web intrusion prevention.

    For more information about how to configure web intrusion prevention, see Configure the protection rules engine feature.

  • Data Leakage Prevention: displays the web requests that trigger the rules of data leakage prevention. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Parameter, Rule Action, Rule ID, and Attack Probability. You can search for protection details based on a domain name and a time range.

    You can find a web request and click View Details in the Actions column to go to the Attack Detail panel.

    For more information about how to configure data leakage prevention, see Configure data leakage prevention.

  • Account Security: displays the risk events that occur at a specific endpoint. The endpoint is configured in account security. The following information is displayed: Domain, Endpoint, Malicious Requests Occurred During, Blocked Requests/Total Requests, and Alert Triggered By. You can search for protection details based on a domain name, an endpoint, and a time range.

    For more information about how to configure account security, see Configure account security.

  • Positive Security Model: displays web application attacks that trigger protection rules. The protection rules are automatically generated by the positive security model. The following information is displayed: Attack IP, Region, Time Attacked, Attacked URL, Method, Rule Action, Rule ID, and Attack Probability. You can search for protection details based on a domain name and a time range.

    You can find a web request and click View Details in the Actions column to go to the Attack Detail panel.

    For more information about how to configure the positive security model, see Configure the positive security model.
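The Note under Ignore False Positives above describes a request that stays blocked because more than one protection rule matched it. The following Python sketch is an added example, not part of the WAF product or its documentation: it assumes attack events are available as one record per matched rule, keyed by the column names listed on this page, and that a request is released only when every rule that blocked it is skipped. All sample values and rule IDs are constructed.

```python
from collections import defaultdict

# Constructed sample records, one per matched rule (assumption). Keys reuse the
# attack event column names from this page; all values are made up.
def _ev(ip, time, url, rule_id, action="Block"):
    return {"Attack IP": ip, "Time Attacked": time, "Attacked URL": url,
            "Method": "POST", "Rule Action": action, "Rule ID": rule_id}

EVENTS = [
    _ev("198.51.100.7", "2024-01-03 10:15:02", "/api/report", "100001"),
    _ev("198.51.100.7", "2024-01-03 10:15:02", "/api/report", "100002"),
    _ev("203.0.113.9", "2024-01-03 10:16:40", "/api/report", "100001"),
    _ev("203.0.113.20", "2024-01-03 10:17:11", "/login", "100003"),
]

def request_key(event):
    """Records sharing these fields are treated as one request (assumption)."""
    return (event["Attack IP"], event["Time Attacked"],
            event["Attacked URL"], event["Method"])

def rules_per_request(events):
    """Map each blocked request to the set of rule IDs that matched it."""
    grouped = defaultdict(set)
    for event in events:
        if event["Rule Action"] == "Block":
            grouped[request_key(event)].add(event["Rule ID"])
    return dict(grouped)

def whitelist_gaps(events, skipped_rule_ids):
    """Requests a whitelist rule targets but does not release.

    Returns {request_key: [rule IDs still blocking]}; these are the IDs to
    add to the Specific Rules parameter of the whitelist rule.
    """
    skipped = set(skipped_rule_ids)
    gaps = {}
    for key, triggered in rules_per_request(events).items():
        if triggered & skipped:              # the whitelist rule applies here
            remaining = sorted(triggered - skipped)
            if remaining:                    # another rule still blocks it
                gaps[key] = remaining
    return gaps

if __name__ == "__main__":
    for key, remaining in whitelist_gaps(EVENTS, {"100001"}).items():
        print(key, "still blocked by rule IDs", remaining)
```

Review each remaining rule ID before adding it: every ID added to Specific Rules widens what the whitelist rule lets through.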

View security reports on the Bot Management tab

The Bot Management tab displays the monitoring data of the crawler requests to websites. This tab also displays the protection details of anti-crawler rules. In the upper-left corner of the tab, you can select a domain name and specify a time range to search for protection details. WAF provides an independent security report for each scenario that you configure by using the scenario-specific configuration feature.

  • The Bot Management tab consists of Overview of Protection Effects and Scenario-specific Protection Effect. Overview of Protection Effects displays the trends in the total number of requests, the number of requests that are identified as crawler requests, and the number of crawler requests that trigger different protection rules.

  • Bot Requests indicates the number of requests that are identified as crawler requests based on multi-dimensional traffic characteristics. This allows you to view the protection performance of anti-crawler rules. If the number of blocked requests is significantly less than the number of requests that are identified as crawler requests, you must modify the anti-crawler rules to improve the protection performance. If the number of blocked requests is close to the number of requests that are identified as crawler requests, the protection performance is considered satisfactory.

  • Requests Detected in Monitoring Mode indicates the number of requests that match anti-crawler rules in Monitor mode. If you set the protection mode to Block, the requests are blocked or the clients are required to pass slider CAPTCHA verification.

  • Blocked Requests indicates the number of requests that match anti-crawler rules in Block mode.

View security reports on the Access Control/Throttling tab

The Access Control/Throttling tab displays web requests that trigger HTTP flood protection, scan protection, and access control rules that you configured. You can search for protection details based on a domain name and a time range. You can also query logs with a few clicks.

  • HTTP Flood Protection: displays the trend of HTTP flood protection. The following information is displayed: Total QPS, Alert Rule of Custom HTTP Flood Protection, Block Rule of Custom HTTP Flood Protection, and Block Rule of Default HTTP Flood Protection. This tab also displays Number of Matches for different rule types. The rule types include Alert Rule of Custom HTTP Flood Protection, Block Rule of Custom HTTP Flood Protection, and Block Rule of Default HTTP Flood Protection. [Figure: HTTP flood (CC) attacks]

    You can click the value of Number of Matches for a rule type to go to the Log Service page. On the Log Service page, the system provides the log query statements that are related to HTTP flood protection. This facilitates log queries. For more information, see Query logs. [Figure: HTTP flood (CC) protection logs]

    For more information about how to configure HTTP flood protection, see Configure HTTP flood protection.

    For more information about how to configure custom HTTP flood protection rules, see Create a custom protection policy.

  • Scan Protection: displays the trend of scan protection. The following information is displayed: Total QPS, Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking. This tab also displays Number of Matches for different rule types. The rule types include Directory Traversal Protection, Collaborative Protection, High-frequency Web Attack Protection, and Scan Tool-based Blocking. [Figure: Scan protection]

    You can click the value of Number of Matches for a rule type to go to the Log Service page. On the Log Service page, the system provides the log query statements that are related to scan protection. This facilitates log queries. For more information, see Query logs. [Figure: Scan protection logs]

    For more information about how to configure scan protection, see Configure scan protection.

  • Access Control: displays the trend of access control. The following information is displayed: Total QPS, Block Rules of ACL, Alert Rules of ACL, and Blacklist. This tab also displays the number of times that custom rules are matched. [Figure: ACL access control]

    You can click the ID of a custom rule. In the Edit Rule dialog box, you can view and modify the configuration of this custom rule. For more information, see Create a custom protection policy.

    You can click the value of Number of Matches for a custom rule to go to the Log Service page. On the Log Service page, the system provides the log query statements that are related to access control. This facilitates log queries. For more information, see Query logs. [Figure: Access control logs]

    For information about how to configure access control rules, see Create a custom protection policy.

    For information about how to configure an IP address blacklist, see Configure a blacklist.