Web Application Firewall (WAF) provides security reports that include the protection details of all protection modules, such as the basic protection rule, IP address blacklist, and custom rule modules. You can analyze the security of your business based on the security reports.
Prerequisites
Web services are added to WAF 3.0 as protected objects. For more information, see Configure protected objects and protected object groups.
Protection rules are configured for protected objects.
By default, the basic protection rule module is enabled. You do not need to configure protection rules for the module. To enable other protection modules, you must configure protection rules for the modules. For more information, see Protection configuration overview.
View security reports
When you log on to the WAF console, you are directed to an interface based on the region in which your WAF instance is deployed. If your WAF instance is deployed in the Chinese mainland, you are directed to the interface in the China (Hangzhou) region. If your WAF instance is deployed outside the Chinese mainland, you are directed to the interface in the Singapore region.
On the Security Reports page, you can view the protection data and logs of resources that are added to WAF.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose .
On the Security Reports page, specify the report type, the protected object, and the time range to query security report data.
The following section describes the query settings:
Protected object: By default, All is selected and the security report data of all protected objects of WAF is queried. You can also query the security report data of a specific protected object.
Time range: By default, Today is selected and the security report data of the current day is queried. Valid values: Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Yesterday, Today, 7 Days, or 30 Days.
Template name: You can specify a bot management template to view the protection details of the template.
Basic protection rule module
On the Basic Protection Rule tab of the Security Reports page, you can view the protection details of the basic protection rule module, which is enabled by default. For more information about how to modify the default settings of the basic protection rule module, see Basic protection rules and rule groups.
Section | Description | Supported operation |
Distribution of Attack Types | Displays the distribution of attacks by type in a pie chart. | None |
Top 5 Attacker IP Addresses | Displays the top five source IP addresses of attacks and the regions where the IP addresses are located. The IP addresses are listed in descending order of the number of attacks. | None |
Top 5 Attacker Areas | Displays the top five areas from which the highest number of attacks are initiated. The areas are listed in descending order of the number of attacks. | None |
Protection details | Displays information about the attacks that match basic protection rules in a list. The list includes the following information:
|
|
IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules
On the Security Reports page, you can view protection details on the IP Address Blacklist, Custom Rule, Scan Protection, HTTP Flood Protection, or Region Blacklist tab.
Section | Description | Supported operation |
Protection Overview | Displays the trends of Total QPS, Alerts, and Blocked Requests for a protected object within a specific time range in a line chart. Total QPS indicates the total number of requests that are received by a protected object. Alerts indicates the number of requests that match protection rules in Monitor mode. Blocked Requests indicates the number of requests that are blocked by protection rules. | Move the pointer over a point in the line chart to view the data at a specific point in time. |
Top 10 Rules | Displays information about the top 10 protection rules that are most frequently matched in a specific time range. The information includes Rule Name/ID, Protected Objects, and Hits. The rules are listed in descending order of the number of matches. | Click the icon in the Rule Name/ID column to copy the name or ID of a protection rule. |
Protection Details | Displays the protection statistics on the protection module within a specific time range. | Click the Top 10 Protected Objects or Top 10 IP Addresses tab to view the data. |
The Top 10 Rules and Protection Details sections do not record protection details for requests that match protection rules in Monitor mode.
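The Alerts and Blocked Requests definitions and the Monitor-mode caveat above, recomputed over request records as an added example (not the vendor's code or log schema). The record fields `object`, `src_ip`, `rule_id` and `action`, the action values, and the sample records are all assumptions constructed for illustration; the `monitor_only_rules` output lists rules that would appear only in the Alerts trend and never in Top 10 Rules.

```python
from collections import Counter

def rec(obj, ip, rule_id, action):
    # Field names and action values are assumptions for this example.
    return {"object": obj, "src_ip": ip, "rule_id": rule_id, "action": action}

# Constructed sample records (documentation IP ranges, made-up rule IDs).
SAMPLE = (
    [rec("shop.example.com", "203.0.113.7", "r-100", "block")] * 3
    + [rec("api.example.com", "198.51.100.9", "r-200", "block")]
    + [rec("shop.example.com", "192.0.2.44", "r-300", "monitor")] * 4
    + [rec("shop.example.com", "192.0.2.10", None, "pass")] * 2
)

def summarize(records, top_n=10):
    """Rebuild the report sections from per-request records."""
    alerts, blocked = Counter(), Counter()
    blocked_ips, blocked_objects = Counter(), Counter()
    for r in records:
        if r["action"] == "monitor":
            # Matched a rule in Monitor mode: counted as an alert only.
            alerts[r["rule_id"]] += 1
        elif r["action"] == "block":
            blocked[r["rule_id"]] += 1
            blocked_ips[r["src_ip"]] += 1
            blocked_objects[r["object"]] += 1
    return {
        "total_requests": len(records),
        "alerts": sum(alerts.values()),
        "blocked_requests": sum(blocked.values()),
        # Top 10 Rules and Protection Details exclude Monitor-mode matches.
        "top_rules": blocked.most_common(top_n),
        "top_ips": blocked_ips.most_common(top_n),
        "top_objects": blocked_objects.most_common(top_n),
        # Rules seen only in Monitor mode: visible in Alerts, absent above.
        "monitor_only_rules": sorted(set(alerts) - set(blocked)),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```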
Bot management module
On the Bot Management tab of the Security Reports page, you can view the protection details of the bot management module.
Section | Description | Supported operation |
Protection Overview | Displays the protection details of the bot management module in a specific time range in a line chart. The protection details include the actions that are performed on requests and the rules that are matched. |
|
Matched Rules | Displays the IDs of protection rules configured for the bot management module, the protection templates to which the protection rules are added, and the number of times that the protection rules in Monitor mode are matched. | None |
Top 20 IP Addresses | Displays the top 20 source IP addresses of attacks and the number of attacks that are initiated from the IP addresses. The attacks include blocked attacks, attacks on which JavaScript validation is performed, attacks that passed JavaScript validation, attacks on which slider CAPTCHA verification is performed, and attacks that passed slider CAPTCHA verification. | None |
Attack Details | Displays information about the IP addresses that match the protection rules configured for the bot management module in a specific time range. The information includes the attacker IP address, area where the attacker IP address is located, attack URL, details of the matched template, and number of requests. The details of the matched template include the template name, rule ID, rule name, and action that is specified in the rule. | Find the IP address whose attack details you want to view in the attacker IP address list and click Add to Whitelist or Add to Blacklist in the Actions column. A template named AutoTemplate is created, and a whitelist rule or IP address blacklist rule is created for the template. For more information, see Configure whitelist rules to allow specific requests and Configure IP address blacklist rules to block specific requests. |
Data leakage prevention module
On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the data leakage prevention module.
You can view the match details of protection rules configured for the data leakage prevention module for a protected object within a specific time range. The details include Attacker IP Address, Area, Attack Time, Attack Type, Attack URL, Request Method, Request Parameter, and Action.
If you want to view the protection details of an attacker IP address, find the IP address in the attacker IP address list and click View Details in the Actions column. In the Attack Details panel, you can view the protection details.