Monitor Events

PreviousLinux / NGINX / KongNextGateways & Agents

Last updated 10 months ago

Was this helpful?

CloudGuard WAF provides the following views for monitoring system events:

  • Graphical Dashboard - graphical view of security events with Critical & High severity.

  • Important Events - tabular view of security events with Critical & High severity.

  • All Events - tabular view of all security events, including events with Medium, Low and Info severity.

  • Notifications - tabular view of administrative system events.

  • Email Reports - graphical summary sent by email to requested addresses.

Graphical Dashboards

Controls in the dashboard are clickable and let you drill down to granular event details.

WAF Dashboard

The WAF dashboard is a single-pane view of important security events.

To reach the dashboard select Monitor, then WAF Dashboard in the main menu.

Following is a description of the dashboard sections:

  • Overall HTTP Traffic - Statistics showing the overall number of requests for the time period and the number of unique users and/or identities that use the protected web servers.

  • Malicious Activity - Overall statistics of the number of attackers (users and/or identities) and the number of attacks on web servers.

  • Security Actions - Overall number of events that were prevented and detected.

  • Top Attack Sources - A chart of the top attackers by number of events, and the number of events on a timeline, which gives visibility into changes in the security posture.

  • Attacks Level - Chart of the number of attacks by severity.

  • Top Attack Assets - Chart of the most attacked web servers.

  • Asset Statistics - Table of the protected web servers and their statistics.

  • Attacks Timeline - Shows the specific time period covered by the dashboard.

API Discovery Dashboard

The API Discovery dashboard is a single-pane view of API usage as detected by the API Discovery engine. This view supports security through visibility.

The detected schema is visible through additional views under Policy->Assets, by opening the assets that use API Discovery.

To reach the dashboard, select Monitor, then API Dashboard, in the main menu.

At the top of the dashboard you can filter all statistics and the APIs shown by a specific asset and endpoint combination, and optionally show only changed APIs.

Following is a description of the dashboard sections:

  • General Statistics (top of the dashboard) - Statistics showing the overall number of requests for the time period, the number of unique sources, the number of blocked API requests, and a reminder of Suggestions made by the system to fine-tune the learning process.

  • Most Used APIs - Chart of the top APIs by request count.

  • Least Used APIs/Not in Use - Chart of the least used APIs by request count. This chart can also show unused APIs if they were previously detected by API Discovery in an earlier timeframe, or if they appear in the schema used by the Schema Validation feature.

  • Top Sensitive Data Type Detected - Chart of the top sensitive data types detected by request count. Clicking a sensitive data type drills down to its events, where you can also see the URIs used when sending this type.

  • Discovery of API Changes - A time-based histogram of the dates on which a new API schema was detected and the number of changes detected: how many existing APIs changed and how many new APIs were detected.

  • API Endpoints - A table of all currently detected APIs for the different assets, based on data from the last 7 days. The table also shows which APIs changed compared to the last detected schema.

Event Views

Events are created when a protected asset is configured with a Trigger object of type "Log", which is also the default configuration. Log trigger setup and additional configuration options are explained in further detail in Setup Log Triggers.

The Events view provides a tabular view of events with the ability to select granular filter options (in the left pane), time ranges, and search queries.

(Image caption: in this example, the top countries are shown because they were used in example attacks from various locations, not by real attackers.)

Event Cards

When you double-click an event, a card shows details about the specific event.

Examples:

  • Event Severity Classification

  • Protected Web Asset Name and Policy

  • HTTP Transaction Information

  • Threat Prevention details

Time filters

You can filter events based on time ranges by clicking the time filter selector at the top left corner.

Event Query Language

CloudGuard WAF features an extensive event query language. For more details, see Event Query Language.

Notifications

When browsing to Monitor->Notifications, a specific log view is shown.

This view includes notifications to the user about an issue and a remediation action item, usually regarding a configuration or environment issue that CloudGuard WAF has detected around it.

The log view includes a "Remediation" column where the instructions are shown.

Urgent notifications, if there are any, appear on the top bar of the application on every page and lead to this page for additional information.

Email Reports

It is possible to set up protected assets with a Trigger object of type "Report". Such an object contains a list of email addresses and a daily/weekly schedule according to which an email is sent to the configured addresses with an attached summary report.

For a more detailed explanation, see Setup Report Triggers.
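As an added illustration of the data behind the API Discovery dashboard's "Discovery of API Changes" and "Least Used APIs/Not in Use" sections described above (example code, not Check Point's code or the product's actual algorithm), the following Python compares two constructed schema snapshots and constructed 7-day request counts to list new, changed and removed endpoints and the endpoints not in use. The snapshot format (a "METHOD path" key mapping to the parameter names observed for that endpoint) is an assumption.

```python
# Constructed sample snapshots (an assumed format, not the product's):
# "METHOD path" -> parameter names seen in requests to that endpoint.
PREVIOUS_SCHEMA = {
    "GET /api/users": {"page"},
    "GET /api/users/{id}": set(),
    "POST /api/orders": {"sku", "qty"},
    "DELETE /api/legacy/export": set(),
}
CURRENT_SCHEMA = {
    "GET /api/users": {"page", "limit"},   # changed: new query parameter
    "GET /api/users/{id}": set(),          # unchanged
    "POST /api/orders": {"sku", "qty"},    # unchanged
    "PUT /api/orders/{id}": {"qty"},       # new endpoint
}
# Constructed request counts for the last 7 days; the legacy export
# endpoint received no requests at all.
REQUEST_COUNTS = {
    "GET /api/users": 1200,
    "GET /api/users/{id}": 4300,
    "POST /api/orders": 860,
    "PUT /api/orders/{id}": 12,
}


def compare_schemas(previous, current):
    """Return (new, changed, removed) endpoint lists: the per-detection
    counts a change histogram would aggregate."""
    new = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    # An endpoint is "changed" when its observed parameter set differs.
    changed = sorted(key for key in current.keys() & previous.keys()
                     if current[key] != previous[key])
    return new, changed, removed


def usage_report(counts, previous, current, least_n=2):
    """Return (least_used, not_in_use): the `least_n` currently detected
    endpoints with the fewest requests, and endpoints known from either
    snapshot that received no requests in the period."""
    known = set(previous) | set(current)
    not_in_use = sorted(e for e in known if counts.get(e, 0) == 0)
    active = [e for e in current if counts.get(e, 0) > 0]
    least_used = sorted(active, key=lambda e: counts[e])[:least_n]
    return least_used, not_in_use


if __name__ == "__main__":
    print(compare_schemas(PREVIOUS_SCHEMA, CURRENT_SCHEMA))
    print(usage_report(REQUEST_COUNTS, PREVIOUS_SCHEMA, CURRENT_SCHEMA))
```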