The Web Application Firewall (WAF) security reports show protection data from various WAF protection modules. These reports help you analyze your service security by presenting data from enabled rules, such as core protection rules, IP address blacklists, and custom rules.
Prerequisites
-
You have added your web services to WAF 3.0 as protected objects and protected object groups.
You must manually configure other protection modules for the rules to take effect. By default, the Core Protection Rule module is enabled without manual configuration. For more information, see Protection configuration overview.
View security reports
During high-traffic periods, security reports use a dynamic sampling and data restoration mechanism. The system automatically adjusts the sampling ratio based on the average requests per second (QPS) and uses this ratio to estimate the total traffic data. The reports display this estimated total data, which accurately reflects attack trends and distributions. Enable Log Service to obtain complete, raw logs for in-depth analysis or compliance audits.
WAF control planes are in China (Hangzhou) and Singapore. The China (Hangzhou) control plane manages instances in the Chinese mainland, while the Singapore control plane manages instances in all other regions.
On the Security Reports page of the WAF console, report data is organized into four main sections: Attack trends, Attack types, Top 5 hits, and Logs. You can use Basic Search or Advanced Search to set filter conditions and query security report data.
Basic search | Advanced search |
|
|
Time range (Figure ①): By default, data for Today is displayed. You can query data from the Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Today, Yesterday, Last 7 days, or Last 30 days. | |
Custom date range (Figure ②): You can select a specific period to view security report data more precisely. | |
Protected objects (Figure ③): By default, All is selected, which queries data for all protected objects added to WAF. You can also query data for a specific object. | Set filter conditions (Figure ③): You can add up to 10 filter conditions. |
Enter an attacker IP address or trace ID (Figure ④). | N/A |
Attack trends
In the Attack trends chart, you can view the trends of alerts and blocked requests. By default, the chart displays data for all protected objects, and it refreshes dynamically based on your filter conditions. Hover over any point on the chart to see the number of alerts and blocked requests at that point in time.
Blocked Requests: Includes requests stopped by the Block action or requests that failed security checks such as JavaScript validation, slider CAPTCHA, strict slider CAPTCHA, and dynamic token.
Alerts: Includes requests that match a rule and trigger the Monitor action.
Attack types
This chart shows the total number of protection rule matches. A single request can match multiple protection modules or rules. You can view data for Core Protection Rule, IP Address Blacklist, Custom Rule, Scanning Protection, HTTP Flood Protection, Geo-blocking, Bot Management, Data Leakage Prevention, Peak Traffic Throttling, and AI Application Protection.
Click the Core Protection Rule section of the pie chart to view the distribution of attack types (such as SQL injection, XSS, and code execution) within the core rules.
Click other protection modules in the pie chart to view the distribution of their attack rules.
Top 5 hits
View hit statistics for Attacker IP Address, Protected Objects, Rules Matched, Protection URL, Attack Source Areas, and Attack User-Agent Header.
Type | Description | Actions |
Attacker IP Address | The top 5 IP addresses that initiated the most attack requests and their geographic areas. | Hover over a data item and click Filter or Exclude to create a filter condition. |
Protection URL | The top 5 URLs that most frequently matched protection rules. | |
Attack Source Areas | The top 5 geographic areas that initiated the most attack requests. | |
Attack User-Agent Header | The top 5 User-Agent headers that initiated the most attack requests. | |
Protected Objects | The top 5 protected objects that most frequently triggered protection rules. | Hover over a data item and click Filter or Exclude to create a filter condition. Click View Protection Rule to see the specific protection rules for that object. |
Rules Matched | The IDs of the top 5 most frequently matched protection rules. Note A single request can match multiple rules. |
Logs
View detailed information for Attacker IP Address, Area, Protected Objects, Attack Time, host, Attack URL, Protocol, Port, Request Method, Request Parameter, Rule Action, Protection Module, Rule ID, and AI Analysis. Click the 
icon in the upper-right corner to customize the displayed columns.
Find an attack event and click View Details in the Actions column to view the Attack Details panel, which provides details about the attack and the matched rule.
If you confirm that a log entry is a false positive, click Suppress False Positive in the Actions column for that event. After you confirm the conditions for the whitelist rule, click OK.
After the rule is created, WAF automatically creates a rule template named AutoTemplate and adds a whitelist rule. The source of this rule is Custom.
Click the icon in the AI Analysis column to analyze a single log entry with the AI assistant. This feature is currently available only for logs generated by core protection rules. It does not support other log types or logs from hybrid cloud deployments.
A single request can match multiple protection modules or rules. You can hover over a value in the Rule ID column or click View Details to see the matched rule IDs.
