Overview
You can use this document to learn how to locate, understand, and filter WAF data for incoming requests.
View WAF Data
- In the StackPath Control Portal, in the left-side navigation, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click Analytics.
- Click WAF. The screen will display the following tables and graphs. Click on the title to learn more:
Tables and graphs Description Web Application Firewall Requests This graph displays recent requests as plots, which includes good and bad requests.
Requests This table displays the latest requests, which includes good and bad requests.
Top Threat Actions This table displays the most commonly triggered actions.
Most Active Rules This table display displays the most commonly triggered rules.
Top Threat Origins This map and table display the origin location of bad requests (threats).
Web Application Firewall Requests
The Web Application Firewall Requests graph displays as a plot:
- Requests based on the selected filters in the graph
- Potential security threats based on a triggered rule
Review the following filter options:
| Filter option | Description |
| Policy - Blocked | This filter displays requests that were blocked because of a triggered, default StackPath rule. |
| Custom Rule - Blocked | This filter displays requests that were blocked because of a triggered, custom rule created in your account. |
| DDoS L7 - Blocked |
This filter displays requests that were blocked because of a triggered, default StackPath rule relating to DDoS.
|
| Passed to Origin | This filter displays requests that successfully reached the origin. |
Review the following notes:
- When you can click on a specific plot on the graph, the Requests table below will also filter data for that particular selection, which includes the date and time, as well as the corresponding Traffic Type.
- When you click on a filter option in the graph, such as Policy - Blocked, this action will also filter the Requests table to include the same filter; however, if you update a filter on the Requests table, this action will not change the data displayed in the Web Application Firewall Requests graph.
- By default, this table displays the latest requests from the previous 24 hours; however, you can select the calendar icon in the top, right corner to change the displayed time frame.
Requests Table
Review the following table to understand the data displayed in the Requests table.
By default, this table displays the latest good and bad requests from the previous 24 hours; however, you can select the calendar icon to change the displayed time frame. Request history is retained for 30 days.
| Column | Description |
| Date | This column displays the date and time when the rule was triggered. |
| IP |
This column displays the origin IP address of the client. |
| Country | This column displays the origin location of the request. |
| Rule Name |
This column displays the default or custom rule name that the request triggered. You can click on the rule name to view detailed information about the rule and the triggered request.
|
| Action |
This column displays the action that was taken against the request.
|
| Result |
This column displays the end result of the request based on the action. For example, if a request was presented with a Captcha action, and the request did not pass, then the result is Blocked. |
| Create Rule |
This column displays a button that you can select to create a custom rule for the request. To learn more, see Create Custom WAF Rules and Allow or Block IP Address With WAF Rules. |
Review the following table to understand how to filter the Requests table:
| Filter option | Description |
| Search by IP |
You can search for a specific request based on the origin IP address of the client. |
|
Search by Reference ID |
When a bot blocks your user or when a security screen is presented to your user, a Reference ID is displayed. You can use this ID to search for the request in the portal. To learn more, see Troubleshoot WAF-Blocked users. |
| Actions |
You can select an action type that was taken against a request. If you select multiple filter types, then the table will display requests that meet one of the filter types; the table will not filter requests that meet every selected filter type. For example, if you select Captcha and Block, then the table will display requests that were presented with a Captcha challenge or that were blocked. The table will not display requests that were presented with a Captcha challenge and were blocked.
|
| Traffic Type |
To filter requests that triggered StackPath's default rules, select Policy - Blocked or Policy Allowed. To filter requests that triggered custom rules created by users on your account, select Custom Rule - Blocked or Custom Rule - Allowed. To filter requests that successfully reached your origin, select Passed to Origin. Requests are filtered by Policy - Blocked and Custom Rule - Blocked by default.
|
When you select a filter in the Web Application Firewall Requests graph, the Requests table will also filter for the same data. However, when you select a filter in the Requests table, the Web Application Firewall Events graph will not filter for the same data.
Top Threat Actions
This table displays the most commonly triggered actions from the last 24 hours.
| Column | Description |
| Action | This column displays the most commonly triggered default StackPath rules. |
| Times Triggered | This column displays the number of times the default rule was triggered within the last 24 hours. |
Most Active Rules
This table display displays the most commonly triggered custom rules from the last 24 hours.
| Column | Description |
| Rule Set | This column displays the most commonly triggered custom rules. |
| Times Triggered | This column displays the number of times the custom rule was triggered within the last 24 hours. |
Top Threat Origins
This map and table display the origin location of bad requests (threats) from the last 24 hours.
| Column | Description |
| Country |
This column displays the origin location of bad requests (threats). |
| Requests | This column displays the number of requests from the corresponding origin location. |
Related Documentation
To learn more about custom WAF rules and how to create a custom rule, see our WAF Rules article.
To learn how to allow or block specific IP addresses, see Allowing or Blocking IP Addresses.