WAAS analytics provide users a way to investigate events and rule triggers.
For container WAAS events, go to Monitor > Events > WAAS for containers.
For host WAAS events, go to Monitor > Events > WAAS for hosts.
For App-Embedded WAAS events, go to Monitor > Events > WAAS for App-Embedded.
For serverless WAAS events, go to Monitor > Events > WAAS for Serverless.
WAAS retains up to 200,000 events for each type (container, host, app-embedded and serverless). Once the limit is reached, the oldest events are overwritten by new ones.
Similar audits are aggregated and grouped into a single event when received in close succession (less than 5 minutes apart). Audits are aggregated by a combination of IP, HTTP hostname, path, HTTP method, User-Agent and attack type.
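The grouping rule above, sketched as an added example (not the product's own code). The record fields, the sample audits, and the reading of "close succession" as less than 5 minutes since the previous audit with the same key are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Hypothetical audit record; field names are illustrative, not the product's schema.
Audit = namedtuple("Audit", "time ip host path method user_agent attack_type")
WINDOW = timedelta(minutes=5)  # "close succession" threshold from the text above

def aggregation_key(a):
    # The six dimensions listed above as the grouping key.
    return (a.ip, a.host, a.path, a.method, a.user_agent, a.attack_type)

def aggregate(audits):
    # Assumption: an audit joins the latest event for its key when it arrives
    # less than 5 minutes after that event's most recent audit; otherwise it
    # starts a new event.
    events, latest = [], {}
    for a in sorted(audits, key=lambda x: x.time):
        key = aggregation_key(a)
        ev = latest.get(key)
        if ev is not None and a.time - ev["last"] < WINDOW:
            ev["last"], ev["count"] = a.time, ev["count"] + 1
        else:
            ev = {"key": key, "first": a.time, "last": a.time, "count": 1}
            events.append(ev)
            latest[key] = ev
    return events

def sample_audits():
    # Constructed sample data (documentation IP ranges, example hostname).
    t0 = datetime(2024, 1, 1, 12, 0)
    def mk(mins, ip, attack):
        return Audit(t0 + timedelta(minutes=mins), ip, "shop.example.com",
                     "/search", "GET", "curl/8.0", attack)
    return [
        mk(0, "203.0.113.7", "sqli"),
        mk(2, "203.0.113.7", "sqli"),    # +2 min: same event
        mk(6, "203.0.113.7", "sqli"),    # +4 min after previous: same event
        mk(12, "203.0.113.7", "sqli"),   # +6 min after previous: new event
        mk(3, "203.0.113.7", "xss"),     # different attack type: separate event
        mk(4, "198.51.100.9", "sqli"),   # different source IP: separate event
    ]

if __name__ == "__main__":
    for ev in aggregate(sample_audits()):
        print(ev["count"], ev["first"].time(), ev["last"].time(), ev["key"])
```

Under this reading, a single event can span more than 5 minutes as long as no gap between consecutive audits reaches 5 minutes, so an event's count is a better measure of request volume than the number of events.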
WAAS analytics allows for the review of incidents by analyzing events across various dimensions, inspecting individual requests, and applying filtering to focus on common characteristics or trends.
Each column on the timeline graph represents a dynamic period - hover over a column to reveal its start, end and event count.
The date filter can be used to adjust the timeline scope.
Filters can be adjusted using the filtering line:
Once set, the filters apply to the graph and the aggregation view.
The aggregation view can be altered to group audits based on various data dimensions by clicking on the button.
Users can add up to 6 dimensions to the aggregation and the Total column will be updated dynamically.
By default, the aggregation view is sorted by the "Total" column. Sorting can be changed by clicking a column name.
Click on a line in the aggregation view to inspect the requests grouped by it.
For each request the following data points are available:
- timestamp of the audit.
- effect set by policy.
- attack type.
Container / Host / App / Function Details
- These fields include the id and name of the protected entity.
- details on what caused the rule to trigger - payload content, location and additional relevant information.
- HTTP method used in the request.
- value of the User-Agent HTTP header.
- hostname specified in the Host HTTP header or the host part of the URL.
- full request URLs (host and path), shown in URL-decoded or URL-encoded form.
- path element from the request URI.
- query string.
- list of the HTTP header names included in the request (sorted alphabetically).
- IP address from which the request originated. If an X-Forwarded-For header was included in the HTTP headers, the source IP field shows the first IP listed in the header value (true client IP).
- source country associated with the source IP.
- entire connectivity chain, including true client IP and any transparent proxies listed in the HTTP request.
Users can use the Raw button to view the HTTP request in its raw form: