Updated on 2025-05-22 GMT+08:00

Querying a Protection Event

For a selected time range, WAF summarizes the attacks, the ten most attacked websites, the ten attack source IP addresses that launched the most attacks, and the ten most attacked URLs. You can view blocked or logged events on the Events page, including, for each event generated by WAF, the occurrence time, attack source IP address, geographic location of that IP address, malicious load, and the rule that was hit.

Constraints

  • On the WAF console, you can view the event data for all protected domain names over the last 30 days. You can authorize LTS to log WAF activities so that you can view attack and access logs and store all logs for a long time. For more details, see Using LTS to Log WAF Activities.
  • If you switch the WAF working mode for a website to Suspended, WAF forwards all requests to the website without inspecting them and does not log any attack events.
  • If an attack is detected, it takes 2 to 3 minutes for the system to display it on the Events page.

Viewing Protection Event Logs

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Web Application Firewall under Security & Compliance.
  4. In the navigation pane on the left, click Events.
  5. If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  6. On the Search tab, view the statistical charts and event details.

This area displays the event trends and top 10 events for a specified protected domain name, instance, and time range.

Figure 1 Tables and Charts
  1. Set search criteria.

    • Domain name (① in Figure 1): You can select a specific domain name, multiple domain names, or all domain names to view the security statistics.
    • Instance (② in Figure 1): You can select a specific instance or all instances to view security statistics.
    • Query time (③ in Figure 1): You can view bot protection statistics for yesterday, today, past 3 days, past 7 days, past 30 days, or any time range within 30 days.

  2. View the statistical charts.

    • Events over Time (④ in Figure 1): Displays the WAF protection status for the selected website within the specified period. Related operation: none.
    • Top Tens (⑤ in Figure 1): Displays top 10 statistics for the specified time range: attacks, attacked objects (websites), attack source IP addresses, and attacked URLs. Related operations:
      • You can click next to Attacks, Top Attacked Objects, Attack Source IP Addresses, or Attacked URLs to copy the data in the statistical charts.
      • You can click a domain name, source IP address, or URL listed in the Top Attacked Objects, Attack Source IP Addresses, or Attacked URLs charts to run a quick search in the event list; WAF automatically adds the clicked object as a filter criterion in the event search box.

A maximum of 10,000 logs can be displayed on the console. To query more logs, specify a narrower time range or transfer the logs to Log Tank Service (LTS).

Figure 2 Events
  1. Set matching conditions (① in Figure 2) based on filter condition fields. The matching conditions you set will be displayed above the event list. For details about the condition fields, see Table 1.

    Table 1 Filter condition fields

    • Source IP Address: Public IP address of the web visitor/attacker. By default, All is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view the corresponding attack logs.
    • host: Attacked domain name.
    • Rule ID: ID of a built-in protection rule in WAF basic web protection.
    • URL: Attacked URL.
    • Event Type: Type of the attack. By default, All is selected. You can view logs of all attack types or select an attack type to view the corresponding attack logs.
    • Protective Action: The options are Block, Log only, Verification code, and Mismatch.
      • Verification code: In CC attack protection rules, you can set Protective Action to Verification code. If a visitor sends more requests than the rate limit specified by the CC attack protection rule allows, a message asks the visitor to provide a verification code. The visitor's requests are blocked until they enter a valid verification code.
      • Mismatch: If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as Mismatch.
    • Status Code: HTTP status code returned on the block page.
    • Event ID: ID of the event.

  2. Click (② in Figure 2) in the upper right corner of the event list to set the fields to be displayed in the event list. For details about the fields, see Table 2.

    Table 2 Parameters in the event list

    • Time: When the attack occurred. Example value: 2021/02/04 13:20:04
    • Source IP Address: Public IP address of the web visitor/attacker. Click in the Source IP Address column to sort the event list in ascending or descending order.
    • host: Attacked domain name. Example value: www.example.com
    • Geolocation: Location from which the attack source IP address originates.
    • Rule ID: ID of a built-in protection rule in WAF basic web protection.
    • URL: Attacked URL. Example value: /admin
    • Event Type: Type of attack. Example value: SQL injection
    • Application Component: Application component that was attacked. Example value: pgAdmin4
    • Protective Action: Protective action configured in the rule. The options are Block, Log only, and Verification code. NOTE: If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as Mismatch. Example value: Block
    • Status Code: HTTP status code returned on the block page. Example value: 418
    • Malicious Load: The location or part of the attack that causes damage, or the number of times the URL was accessed. NOTE: In a CC attack, the malicious load is the number of times the URL was accessed; for blacklist protection events, the malicious load is left blank. Example value: id=1 and 1='1
    • Enterprise Project: Enterprise project your websites belong to. Click in the Enterprise Project column to sort the event list in ascending or descending order. Example value: default

    After the preceding configurations are complete, as shown in Figure 2, you can view the events that meet the search criteria in the event list.

  3. Locate the target event and click Details in the Operation column (③ in Figure 2) to view details about the event. You can check the event overview, malicious payloads, response details, and request details.

    To enable the response details function, submit a service ticket and configure the length of the response body to be logged. WAF then displays the response details and records the response body up to the specified length.
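The filters in Table 1, the Events over Time chart and the Top Tens charts all amount to filtering and counting event records by the fields in Table 2. The following Python script is an added illustration, not part of the WAF documentation or product: it runs those operations over a few constructed event records (the dictionary keys, the "CC attack" and "Blacklist" type labels and all sample values are assumptions, not WAF's log format) and applies the Malicious Load caveats, an access count for CC attacks and a blank value for blacklist hits.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
TIME_FMT = "%Y/%m/%d %H:%M:%S"  # Time column format shown in Table 2

# Constructed sample events shaped after the Table 2 fields (not real WAF output); key names are assumptions.
EVENTS = [
    {"time": "2021/02/04 13:20:04", "sip": "203.0.113.5", "host": "www.example.com",
     "url": "/admin", "type": "SQL injection", "action": "Block", "status": 418,
     "payload": "id=1 and 1='1"},
    {"time": "2021/02/04 13:35:42", "sip": "198.51.100.7", "host": "shop.example.com",
     "url": "/", "type": "CC attack", "action": "Verification code", "status": 418,
     "payload": "120"},  # CC attack: Malicious Load is the URL access count
    {"time": "2021/02/04 14:02:00", "sip": "198.51.100.9", "host": "www.example.com",
     "url": "/admin", "type": "Blacklist", "action": "Block", "status": 418,
     "payload": ""},  # blacklist hit: Malicious Load is left blank
    {"time": "2021/02/04 14:10:33", "sip": "203.0.113.5", "host": "www.example.com",
     "url": "/admin", "type": "SQL injection", "action": "Block", "status": 418,
     "payload": "id=2 and 1='1"},
]

def filter_events(events, start=None, end=None, **conds):
    """Table 1 style matching: time bounds use TIME_FMT, a value of None means 'All'."""
    lo = datetime.strptime(start, TIME_FMT) if start else None
    hi = datetime.strptime(end, TIME_FMT) if end else None
    out = []
    for ev in events:
        ts = datetime.strptime(ev["time"], TIME_FMT)
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        if all(val is None or ev[key] == val for key, val in conds.items()):
            out.append(ev)
    return out

def top_n(events, field, n=10):
    """Top Tens chart: most frequent host, sip (source IP) or url values."""
    return Counter(ev[field] for ev in events).most_common(n)

def events_over_time(events, bucket=timedelta(minutes=30)):
    """Events over Time chart: count events per fixed-width interval."""
    counts = defaultdict(int)
    for ev in events:
        ts = datetime.strptime(ev["time"], TIME_FMT)
        floor = ts - (ts - datetime.min) % bucket  # snap to the bucket boundary
        counts[floor.strftime(TIME_FMT)] += 1
    return dict(sorted(counts.items()))

def access_count(event):
    """Malicious Load is a request count only for CC attacks; blank for blacklist events."""
    return int(event["payload"]) if event["type"] == "CC attack" else None
```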

Related Operations

  • Handling protection events
    • Handle events as false alarms: Locate the target event and click Handle as False Alarm in the Operation column. For more information, see Handling False Alarms.
    • Add source IP addresses to an address group: Locate the target event and click Add to Address Group in the Operation column. In the Add to Address Group dialog box displayed, add the attack source IP address to an address group. You can either select an existing address group or create a new one in this step. For more information, see Adding an IP Address Group.
    • Add source IP addresses to a blacklist or whitelist rule: Locate the target event and choose More > Add to Blacklist/Whitelist in the Operation column. In the Add to Blacklist/Whitelist dialog box displayed, add the attack source IP address to a whitelist or blacklist rule. You can either select an existing blacklist or whitelist rule or create a blacklist or whitelist rule in this step. For more information, see Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses.
  • Exporting protection events

    In the upper left corner of the event list, click Export to export events. If the number of events is less than 200, the events are exported to your local PC.