Event Advisor
Overview
The Event Adviser helps you get detailed insight into CloudGuard WAF Security Events and is divided into three easy-to-read sections:
What Happened?
Why Was It Blocked?
What Should You Do?
Tech Preview Feature
This feature is currently visible only with Tech Preview enabled. Functionality and behavior could change in future releases.
How to Enable
Navigate to the "Monitor" section and enable Tech Preview at the bottom left of the menu pane.

Navigate to your CloudGuard WAF Security Logs.
Right-click on any individual log entry.
Select “Event Adviser” from the context menu.
A panel opens on the right-hand side of the screen, showing the event analysis.

The Adviser Output

What Happened?
This section gives a short, clear summary of the event.
It shows the request method (GET, POST, etc.), the source IP, the destination host/path, and whether the request was blocked or detected.
Example: “A POST request from 192.168.0.1 to the root path of "example.com" was blocked due to missing authentication token.”
Why Was It Blocked?
This section explains why CloudGuard WAF took action.
It describes what was missing, suspicious, or malicious in the request.
Example: “The request contained patterns matching Java JNDI injection attempts in the URL path. The presence of 'jndi:' in the URI is a strong indicator of an attempt to exploit Log4j vulnerabilities (Log4Shell) or similar Java deserialization attacks. The request also matched XPath injection patterns. These attacks could allow remote code execution or unauthorized data access on the target system.”
What Should You Do?
This section provides recommended next steps.
The guidance here always starts with the verdict sentence, then adds 2–3 hardening steps relevant to the detected attack type(s):
If malicious (blocked/detected): No action is required.
If likely a false positive (blocked/detected but looks legitimate): Create a narrow Custom Rule/Exception for the specific URL and parameter, or click ‘Report misclassification’.
Reporting Misclassification
If you believe the log classification is incorrect (for example, a false positive), you can click Report misclassification.