> For the complete documentation index, see [llms.txt](https://waf-doc.inext.checkpoint.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor.md).

# Event Advisor

### Overview

The **Event Adviser** helps you get detailed insight into CloudGuard WAF Security Events and is divided into three easy-to-read sections:

* What Happened?
* Why Was It Blocked?
* What Should You Do?

{% hint style="danger" %}
**Tech Preview Feature**\
This feature is currently is only visible with **Tech Preview** enabled. Functionality behavior could change in future releases.&#x20;
{% endhint %}

### How to Enable

* Navigate to "Monitor" Section and Enable Tech Preview on the Left Bottom side of the Menu Pane

<div align="left"><figure><img src="/files/mnkTlJZguSsWcjIjIAiq" alt=""><figcaption></figcaption></figure></div>

* Navigate to your CloudGuard WAF Security Logs.
* Right-click on any individual log entry.
* Select “Event Adviser” from the context menu.
* A panel opens on the right-hand side of the screen, showing the event analysis.

<figure><img src="/files/waOOfyHJyiblfJ7a08bS" alt=""><figcaption></figcaption></figure>

### The Adviser Output

<figure><img src="/files/Ys9ZYu98GPWhApG6KjpP" alt=""><figcaption></figcaption></figure>

#### What Happened?

This section gives a short, clear summary of the event.

* It shows the request method (GET, POST, etc.), the source IP, the destination host/path, and whether the request was blocked or detected.
* Example: “*A POST request from 192.168.0.1 to the root path of "example.com" was blocked due to missing authentication token*.”

#### Why Was It Blocked?

This section explains why CloudGuard WAF took action.

* It describes what was missing, suspicious, or malicious in the request.
* Example: “*The request contained patterns matching Java JNDI injection attempts in the URL path. The presence of 'jndi:' in the URI is a strong indicator of an attempt to exploit Log4j vulnerabilities (Log4Shell) or similar Java deserialization attacks. The request also matched XPath injection patterns. These attacks could allow remote code execution or unauthorized data access on the target system*.*”*

#### What Should You Do?

This section provides recommended next steps.

The guidance here always starts with the verdict sentence, then adds 2–3 hardening steps relevant to the detected attack type(s):

* **If malicious (blocked/detected):** No action is required.&#x20;
* **If likely a false positive (blocked/detected but looks legitimate)**:  create a narrow Custom Rule/Exception for the specific URL and parameter or click ‘Report misclassification’

#### Reporting Misclassification

If you believe the log classification is incorrect (for example, a false positive), you can click Report misclassification.&#x20;


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://waf-doc.inext.checkpoint.com/getting-started/monitor-events/event-advisor.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
