Monitor Events

CloudGuard WAF provides the following views for monitoring system events:

  • Graphical Dashboard - graphical view of security events with Critical & High severity.

  • Important Events - tabular view of security events with Critical & High severity.

  • All Events - tabular view of all security events, including events with Medium, Low and Info severity.

  • Notifications - tabular view of administrative system events.

  • Email Reports - graphical summary sent by email to requested addresses.

Graphical Dashboards

Controls in the dashboard are clickable and allow you to drill down to granular event details.

WAF Dashboard

The WAF dashboard is a single-pane view of important security events.

To reach the dashboard select Monitor, then WAF Dashboard in the main menu.

Following is a description of the Dashboard sections (each section name is followed by its description):

Overall HTTP Traffic

Statistics show the overall number of requests for the time period and the number of unique users and/or identities that use the protected web servers.

Malicious Activity

Overall statistics of the number of attackers (users and/or identities) and the number of attacks on web servers.

Security Actions

Overall number of events that were prevented and detected.

Top Attack Sources

  • A chart of the top attackers by the number of events.

  • Number of events on a timeline, giving visibility into changes in the security posture.

Attacks Level

Chart of the number of attacks by severity.

Top Attack Assets

Chart of the most attacked web servers.

Asset Statistics

Table of the protected web server(s) and their statistics.

Attacks Timeline

Shows a specific time period on the dashboard.

API Discovery Dashboard

The API Discovery dashboard is a single-pane view of API usage as detected by the API Discovery engine. This view supports security through visibility.

The detected schema is visible through additional views under Policy->Assets, on each Asset that uses API Discovery.

To reach the dashboard select Monitor, then API Dashboard in the main menu.

At the top of the dashboard you can filter all numbers and the APIs shown by a specific asset/endpoint combination, and optionally show only changed APIs.

Following is a description of the Dashboard sections (each section name is followed by its description):

General Statistics (Top of the Dashboard)

Statistics show the overall number of requests for the time period, the number of unique sources, the number of blocked API requests, and a reminder about Suggestions made by the system to fine-tune the learning process.

Most Used APIs

Chart of the top APIs by request count.

Least Used APIs/Not in Use

Chart of the least used APIs by request count. This chart can also show unused APIs if they were previously detected by API discovery in an earlier timeframe, or if they appear in the schema used by the Schema Validation feature.

Top Sensitive Data Type Detected

Discovery of API Changes

A time-based histogram chart of the dates on which a new API schema was detected and the number of changes detected on each date: how many existing APIs changed and how many new APIs were detected.

API Endpoints

A table of all currently detected APIs for the different assets, based on data from the last 7 days. The table also shows which APIs changed compared to the last detected schema.

Event Views

The Events view provides a tabular view of events with the ability to select granular filter options (left pane in the image below), search queries and time ranges.

Events are created when a protected asset is configured with a Trigger object of type "Log", which is also the default configuration. Log trigger setup and additional configuration options are explained in further detail here:

Setup Log Triggers

Event Cards

When you double-click an event, a card shows details about that specific event.

Examples:

  • Event Severity Classification

  • Protected Web Asset Name and Policy

  • HTTP Transaction Information

  • Threat Prevention details

Time filters

You can filter events by time range by clicking the time filter selector in the top left corner.

Event Query Language

CloudGuard WAF features an extensive event query language. For more details see here:

Event Query Language

Notifications

When browsing to Monitor->Notifications, a specific log view is shown.

This view includes notifications to the user about an issue and a remediation action item, usually about a configuration or environment issue that CloudGuard WAF has detected.

The Log view includes a "Remediation" column where the instructions are shown.

Urgent notifications, if there are any, appear on the top bar of the application on every page and link to this page for additional information.

Email Reports

It is possible to set up protected assets with a Trigger object of type "Report". Such an object contains a list of email addresses and a daily or weekly schedule according to which an email with an attached summary report is sent to the configured addresses.

For a more detailed explanation see here:

Setup Report Triggers
