Monitor Events
Last updated
CloudGuard WAF provides the following views for monitoring system events:
Graphical Dashboard - graphical view of security events with Critical & High severity.
Important Events - tabular view of security events with Critical & High severity.
All Events - tabular view of all security events, including events with Medium, Low and Info severity.
Notifications - tabular view of administrative system events.
Email Reports - graphical summary sent by email to requested addresses.
Controls in the dashboard are clickable and allow you to drill down to granular event details.
The WAF dashboard is a single-pane view of important security events.
To reach the dashboard select Monitor, then WAF Dashboard in the main menu.
Following is a description of the Dashboard sections:
Overall HTTP Traffic
Statistics show the overall number of requests for the selected time period and the number of unique users and/or identities that used the protected web servers.
Malicious Activity
Overall statistics: the number of attackers (users and/or identities) and the number of attacks on the web servers.
Security Actions
Overall number of events that were prevented and detected.
Top Attack Sources
A chart of the top attackers by the number of events.
A chart of the number of events on a timeline, giving visibility into changes in the security posture.
Attacks Level
Chart of the number of attacks by severity.
Top Attack Assets
Chart of the most attacked web servers.
Asset Statistics
Table of the protected web server(s) and their statistics.
Attacks Timeline
Shows the events for a specific time period on the dashboard.
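The dashboard panels above are aggregations over the same security events that appear in the Important Events and All Events views. The following Python script, added here as an illustration and not part of CloudGuard WAF or its documentation, computes each panel from a list of constructed events. The event fields (severity, source, asset, action) and the sample values are assumptions for the example, not the product's real log schema; the Critical/High threshold for "important" events is the one stated on this page.

```python
"""Build the WAF dashboard panels described above from security events.

Added example, not CloudGuard WAF code. The Event fields and SAMPLE_EVENTS
are an assumed, simplified shape, not the product's actual log format.
"""
from collections import Counter
from dataclasses import dataclass, asdict

# Severities shown in the Graphical Dashboard and Important Events views.
IMPORTANT = {"Critical", "High"}


@dataclass(frozen=True)
class Event:
    severity: str   # Critical / High / Medium / Low / Info
    source: str     # attacking user or identity, here a client IP
    asset: str      # protected web asset name
    action: str     # "Prevent" or "Detect"


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    Event("Critical", "198.51.100.7", "shop.example", "Prevent"),
    Event("High",     "198.51.100.7", "shop.example", "Prevent"),
    Event("High",     "203.0.113.9",  "api.example",  "Detect"),
    Event("Medium",   "203.0.113.9",  "shop.example", "Detect"),
    Event("Low",      "192.0.2.3",    "api.example",  "Detect"),
    Event("Info",     "192.0.2.3",    "api.example",  "Detect"),
    Event("Critical", "203.0.113.9",  "api.example",  "Prevent"),
]


def important_events(events):
    """Important Events view: only Critical and High severity."""
    return [e for e in events if e.severity in IMPORTANT]


def malicious_activity(events):
    """Malicious Activity panel: distinct attackers and total attacks."""
    return {"attackers": len({e.source for e in events}), "attacks": len(events)}


def security_actions(events):
    """Security Actions panel: how many events were prevented vs detected."""
    c = Counter(e.action for e in events)
    return {"prevented": c["Prevent"], "detected": c["Detect"]}


def top_attack_sources(events, n=5):
    """Top Attack Sources panel: attackers ranked by number of events."""
    return Counter(e.source for e in events).most_common(n)


def attacks_level(events):
    """Attacks Level panel: number of events per severity."""
    return dict(Counter(e.severity for e in events))


def top_attack_assets(events, n=5):
    """Top Attack Assets panel: most attacked protected web servers."""
    return Counter(e.asset for e in events).most_common(n)


def drill_down(events, **filters):
    """Model a click on a dashboard control: return the matching events only.

    Example: drill_down(events, source="203.0.113.9") gives that attacker's
    events; drill_down(events, asset="api.example", action="Prevent") narrows further.
    """
    return [e for e in events if all(asdict(e)[k] == v for k, v in filters.items())]


if __name__ == "__main__":
    print("important:", len(important_events(SAMPLE_EVENTS)))
    print("malicious activity:", malicious_activity(SAMPLE_EVENTS))
    print("security actions:", security_actions(SAMPLE_EVENTS))
    print("top sources:", top_attack_sources(SAMPLE_EVENTS))
    print("attacks level:", attacks_level(SAMPLE_EVENTS))
    print("top assets:", top_attack_assets(SAMPLE_EVENTS))
    print("drill-down:", drill_down(SAMPLE_EVENTS, source="203.0.113.9"))
```

Running the script prints four important events out of seven, three distinct attackers, three prevented versus four detected events, and the drill-down for the most active source. Whether Info-severity events count toward the "attacks" total in the real product is not stated on this page; the example counts every event.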
The API Discovery dashboard is a single-pane view of API usage as detected by the API Discovery engine. This view supports security through visibility.
The detected schema is visible in additional views: go to Policy->Assets and open the assets that use API Discovery.
To reach the dashboard select Monitor, then API Dashboard in the main menu.
At the top of the dashboard you can filter all numbers and the APIs shown by a specific asset and endpoint combination, and also choose to see only changed APIs.
Following is a description of the Dashboard sections:
General Statistics (Top of the Dashboard)
Statistics show the overall number of requests for the time period, the number of unique sources, the number of blocked API requests, and a reminder of the Suggestions generated by the system to fine-tune the learning process.
Most Used APIs
Chart of the top APIs by request count.
Least Used APIs/Not in Use
Chart of the least used APIs by request count. This chart can also show unused APIs if they were detected by API Discovery in an earlier timeframe, or if they appear in the schema used by the Schema Validation feature.
Top Sensitive Data Type Detected
Discovery of API Changes
A time-based histogram of the dates on which a new API schema was detected and the number of changes detected on each date: how many existing APIs changed and how many new APIs were detected.
API Endpoints
A table of all currently detected APIs for the different assets, based on data from the last 7 days. The table also shows which APIs changed compared to the last detected schema.
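The Most Used, Least Used/Not in Use, Discovery of API Changes and API Endpoints panels all derive from comparing observed API traffic against the last detected schema. The following Python script, added here as an illustration and not part of CloudGuard WAF, shows the comparison on constructed data: it builds a current schema from observed requests, ranks endpoints by request count, and reports new, changed and unused endpoints. The schema representation (endpoint key "METHOD path" mapped to a set of parameter names), the request tuples and the sample values are assumptions for the example, not the product's actual data model.

```python
"""Detect new, changed and unused API endpoints from observed traffic.

Added example, not CloudGuard WAF code. The schema and request formats below
are assumed for illustration, not the product's real API Discovery data model.
"""
from collections import Counter

# Constructed: the last detected schema, per asset. A schema uploaded for the
# Schema Validation feature could be merged into this dict the same way, so that
# declared-but-unseen endpoints also surface as "not in use".
PREVIOUS_SCHEMA = {
    "api.example": {
        "GET /users": {"id"},
        "POST /users": {"name", "email"},
        "GET /health": set(),
        "DELETE /users/{id}": {"id"},
    }
}

# Constructed: requests observed in the current window, as
# (asset, method, path, parameter names).
OBSERVED_REQUESTS = [
    ("api.example", "GET",  "/users",  {"id"}),
    ("api.example", "GET",  "/users",  {"id"}),
    ("api.example", "GET",  "/users",  {"id", "page"}),   # new parameter -> changed API
    ("api.example", "POST", "/users",  {"name", "email"}),
    ("api.example", "GET",  "/orders", {"status"}),       # never seen before -> new API
    ("api.example", "GET",  "/health", set()),
]


def build_current_schema(requests):
    """Merge observed requests into {asset: {"METHOD path": {params}}}."""
    schema = {}
    for asset, method, path, params in requests:
        endpoint = f"{method} {path}"
        schema.setdefault(asset, {}).setdefault(endpoint, set()).update(params)
    return schema


def request_counts(requests):
    """Requests per (asset, endpoint); basis for Most Used / Least Used."""
    return Counter((asset, f"{method} {path}") for asset, method, path, _ in requests)


def most_used(requests, n=3):
    return request_counts(requests).most_common(n)


def least_used(requests, n=3):
    counts = request_counts(requests)
    return sorted(counts.items(), key=lambda kv: kv[1])[:n]


def compare_schemas(previous, current):
    """Discovery of API Changes: new and changed endpoints, plus unused ones.

    'changed' entries carry the parameters added and removed since the previous
    schema; 'unused' are endpoints known before but absent from current traffic.
    """
    new, changed, unused = [], [], []
    for asset in sorted(set(previous) | set(current)):
        prev_eps = previous.get(asset, {})
        cur_eps = current.get(asset, {})
        for endpoint, params in cur_eps.items():
            if endpoint not in prev_eps:
                new.append((asset, endpoint))
            elif params != prev_eps[endpoint]:
                added = sorted(params - prev_eps[endpoint])
                removed = sorted(prev_eps[endpoint] - params)
                changed.append((asset, endpoint, added, removed))
        for endpoint in prev_eps:
            if endpoint not in cur_eps:
                unused.append((asset, endpoint))
    return {"new": new, "changed": changed, "unused": unused}


if __name__ == "__main__":
    current = build_current_schema(OBSERVED_REQUESTS)
    print("most used:", most_used(OBSERVED_REQUESTS))
    print("least used:", least_used(OBSERVED_REQUESTS))
    print("changes:", compare_schemas(PREVIOUS_SCHEMA, current))
```

On the sample data the comparison reports GET /orders as a new API, GET /users as changed (parameter "page" added) and DELETE /users/{id} as not in use. In practice the "unused" list is only meaningful over a window long enough to cover the endpoint's normal usage; a daily batch job that is absent from a 7-day window is a genuine finding, one absent from a 1-hour window is noise.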
The Events view provides a tabular view of events with the ability to select granular filter options (left pane in the image below), search queries and time ranges.
The events are created when a protected asset is configured with a Trigger object of type "Log", which is also the default configuration. Log trigger setup and additional configuration options are explained in further detail here:
Setup Log Triggers
When you double-click an event, a card shows details about the specific event.
Examples:
Event Severity Classification
Protected Web Asset Name and Policy
HTTP Transaction Information
Threat Prevention details
You can filter events by time range by clicking the time filter selector at the top left corner.
CloudGuard WAF features an extensive event query language. For more details see here:
Event Query Language
When browsing to Monitor->Notifications, a specific log view is shown.
This view includes notifications to the user about an issue and a remediation action item, usually concerning a configuration or environment issue that CloudGuard WAF has detected.
The Log view includes a "Remediation" column where the instructions are shown.
Urgent notifications, if there are any, appear on the top bar of the application on every page and lead to this page for additional information.
It is possible to set up protected assets with a Trigger object of type "Report". Such an object contains a list of email addresses and a daily/weekly schedule according to which an email is sent to the configured addresses with an attached summary report.
For a more detailed explanation see here:
Setup Report Triggers

Top Sensitive Data Type Detected (API Discovery dashboard section, continued)
Chart of the top sensitive data types detected, by request count. By clicking on a sensitive data type to drill down to its events, you can also see the URIs on which this type of data was sent.