AI Powered Event Adviser
Overview
The AI Powered Event Adviser helps you quickly understand CloudGuard WAF security events. Instead of digging through raw log data, the Adviser explains the event in plain language and gives you clear, actionable next steps.
Each analysis is shown directly in the Security Logs screen and is divided into three easy-to-read sections:
What Happened?
Why Was It Blocked?
What Should You Do?
How to Enable
Navigate to your CloudGuard WAF Security Logs.
Right-click on any individual log entry.
Select “AI Powered Event Adviser” from the context menu.
A panel opens on the right-hand side of the screen, showing the AI-generated explanation.

The Adviser Output

What Happened?
This section gives a short, clear summary of the event.
It shows the request method (GET, POST, etc.), the source IP, the destination host/path, and whether the request was blocked or detected.
Example: “A POST request from 192.168.0.1 to the root path of "example.com" was blocked due to missing authentication token.”
Why Was It Blocked?
This section explains why CloudGuard WAF took action.
It describes what was missing, suspicious, or malicious in the request.
Example: “The request contained patterns matching Java JNDI injection attempts in the URL path. The presence of 'jndi:' in the URI is a strong indicator of an attempt to exploit Log4j vulnerabilities (Log4Shell) or similar Java deserialization attacks. The request also matched XPath injection patterns. These attacks could allow remote code execution or unauthorized data access on the target system.”
What Should You Do?
This section provides recommended next steps.
The guidance here always starts with the verdict sentence, then adds 2–3 hardening steps relevant to the detected attack type(s):
If malicious (blocked/detected): No action is required.
If likely a false positive (blocked/detected but looks legitimate): Create a narrow Custom Rule/Exception for the specific URL and parameter, or click ‘Report misclassification’.
Reporting Misclassification

If you believe the log classification is incorrect (for example, a false positive), you can click Report misclassification.