Monitor Events

CloudGuard WAF provides fours views for monitoring system events:

  • Graphical Dashboard - graphical view of security events with Critical & High severity.

  • Important Events - tabular view of security events with Critical & High severity.

  • All Events - tabular view of all security event including events with Medium, Low and Info severity.

  • Notifications - tabular view of administrative system events.

  • Email Reports - graphical summary sent by email to requested addresses.

Graphical Dashboards

Controls in the dashboard are clickable and will allow you to drill down and see granular event details.

WAF Dashboard

The WAF dashboard is a single-pane view of important security events.

To reach the dashboard select Monitor, then WAF Dashboard in the main menu.

Following is a description of the Dashboard sections:

Section
Description

Overall HTTP Traffic

Statistics show the number of overall request for the time period and unique number of users and, or identities that use the protected web servers.

Malicious Activity

Overall statistics of the number of attackers (users and, or identities) and the number of attacks on web servers.

Security Actions

Overall number of events that where prevented and detected.

Top Attack Sources

  • A chart of the top attackers by the number of events.

  • Number of events on a time line, gives visibility to the changes in the security posture

Attacks Level

Chart of the number of attacks by severity.

Top Attack Assets

Chart of the most attacked web servers.

Asset Statistics

Table of protected web server(s) and its statistics.

Attacks Timeline

Shows a specific time period on the dashboard

API Discovery Dashboard

The API Discovery dashboard is a single-pane view of API usage as detected by the API Discovery engine. This view allows security by visibility.

The detected schema is visible through additional views, by visiting Policy->Assets and visiting the Assets which use API discovery.

To reach the dashboard select Monitor, then API Dashboard in the main menu.

At the top of the dashboard you can filter all numbers and the APIs shown for a specific asset, endpoint combination and also if you wish to only see changed APIs.

Following is a description of the Dashboard sections:

Section
Description

General Statistics (Top of the Dashboard)

Statistics show the number of overall request for the time period, number of unique sources, number of blocked API requests and remind the user regarding Suggestions by the system to fine-tune the learning process.

Most Used APIs

Chart of the top APIs by request count.

Least Used APIs/Not in Use

Chart of the least used APIs by request count. This chart can also show unused APIs if they were previously detected by API discovery in an earlier timeframe, or if they appear in the schema used by the Schema Validation feature.

Top Sensitive Data Type Detected

Chart of the top Sensitive Data Types detected by request count. By clicking on a sensitive data type to drill to events, you will be able to also see the URIs used when sending this type. Example:

Discovery of API Changes

A time-based histogram chart of the dates in which a new API schema was detected, and the number of changes it detected. How many existing APIs changed and how many new APIs were detected.

API Endpoints

A table of all current detected APIs for the different assets, based on data from the last 7 days. The table also shows which APIs were changed compared to the last detected schema.

DDoS Dashboard

The DDoS Dashboard offers centralized, real-time visibility into Distributed Denial of Service (DDoS) activity targeting your applications and APIs. It enables security teams to quickly assess the scope, behavior, and progression of ongoing and past attacks.

DDoS Protection is available for CloudGuard WAF SaaS. It is not available with other local (Gateway, Agent) editions of the product.

Following is a description of the Dashboard sections:

Section
Description

Recent Attacks

Displays a timeline of detected DDoS attacks, including start time, status (e.g., ongoing or resolved), and affected domains. Users can select an event to drill down into detailed telemetry.

Top Source IP Addresses

Lists the IPs responsible for the most traffic during an attack. This helps identify major attack sources or botnet activity. Visual bars help compare relative impact.

Top Destination URLs

Shows the application endpoints most frequently targeted by DDoS traffic, helping to pinpoint abuse patterns DDoS Dashboard

Top Referrers

Identifies external referrer domains linked to attack traffic. This can highlight misused third-party websites or coordinated bot campaigns.

Top User Agents

Displays the most common User-Agent headers observed during an attack, revealing whether bots are spoofing browser or device signatures.

Top Source Countries

Visualizes geographic origin of traffic in a chart, indicating which regions are contributing to the attack load. Useful for geolocation-based defense strategies.

See also:

DDoS Protection

Event Views

The Events view provides a tabular view of events with ability to select granular filter options (left pane in the image below), search queries and Time ranges.

The events are created when a protected asset is configured with a Trigger object of the type "Log" - which is also the default configuration. Log triggers setup and additional configuration options are explained in further details here:

Setup Log Triggers

Event Cards

When you double click on an event, a card shows details about the specific event.

Examples:

Event Severity Classification

Protected Web Asset Name and Policy

HTTP Transaction Information

Threat Prevention details

Time filters

You can filter events based on time ranges by clicking the time filter selector at the top left corner.

Event Query Language

CloudGuard WAF features an extensive event query language. For more details see here:

Event Query Language

Notifications

When browsing to Monitor->Notifications a specific log view is shown.

This view includes notifications to the user about an issue and a remediation action item, usually regarding detection of a configuration or environment issue CloudGuard WAF has detected around it.

The Log view includes a "Remediation" column where the instructions will be shown.

Urgent notifications, if there are any, will appear on the top bar of the application in any page, leading to this page for additional information.

Email Reports

It is possible to set up protected assets with a Trigger object of type "Report". Such an object contains a list of email addresses and a daily/weekly schedule according to which an email will be sent to the configured addresses, with an attached summary report.

(In this example, the top countries are shown due to being used in example attacks from various locations, not by real attackers)

For a more detailed explanation see here:

Setup Report Triggers
PreviousLinux / NGINX / KongNextWAF-as-a Service (WAF SaaS)

Last updated

Was this helpful?