One of the key purposes of enabling the StackPath's Web Application Firewall(WAF) is to protect your site from bad actors and automated attacks through what we call security events. Some security events require user input, such as a captcha, while others do not.
This article will walk you through the process for identifying these security events if they were triggered by a legitimate user. Please note these features are only active if you have purchased the StackPath WAF and have enabled it.
You can learn more about each possible security screen here.
What Causes Security Events
A Security Event will signal that any of the security screens have been displayed for various reasons, a few examples include:
- Their IP address has been flagged by one of the Web Application rules and is being sanctioned as a result
- Malicious activity was detected, for example, requests from an IP contained strings that can be used for SQL Injection or XSS attacks
- Automated traffic: requests are being generated by automated tools, headless browsers, or are exhibiting behavior that does not match typical human behavior
- User Agent is not valid (or is unknown)
Viewing Security Events
This information can be viewed with the following steps:
- Login to your StackPath account
- Select WAF from the lefthand menu bar
- Select the WAF site you would like to review the event information for
- Under the Overview tab, paste the Reference ID into the Security Events search bar
(This will display all requests with matching Reference IDs, to assist with finding patterns in requests)
Viewing the Event Specifics
Select the event (or events) displayed to view the following information:
Rule Name - The name of the rule that was triggered for the event in question
Action Taken - The WAF Action that was taken against this specific request (Block, Captcha, JS Validation, Etc)
This section will also include some of the specifics fo the request, including the HTTP Method, client IP, country of origin, and User Agent.
This section will include the extra user-agent information regarding the request, including the Organization of the Internet Provider and other client browser information
This section will contain all of the request headers that were passed by the client to make this request.
What you can do
It is important to know that requests are only blocked or presented the security screens if they have triggered one of the various WAF policies or Custom Rules that generate them. The Web Application Firewall has a very low false positive rate (legitimate users getting sanctioned), but if you think any requests are sanctioned by mistake, you can whitelist the requesting IP in the Firewall tab, and feel free to contact our 24/7 to report the issue for further investigation into the rule sensitivity.