# WAF Analytics

The **WAF Analytics Dashboard** provides visibility into malicious traffic, rule performance, and blocked requests detected by the **Web Application Firewall (WAF)**.\
You can monitor attacks in real time, identify their sources, and adjust your rules to improve detection accuracy.

{% hint style="info" %}
Analytics data is available when WAF is active in either **On** or **Monitoring Only** mode.
{% endhint %}

### Accessing the Dashboard

You can access the WAF analytics from the [**Medianova Control Panel**](https://cloud.medianova.com).\
Navigate to **Analytics → WAF**, then select the CDN Resource for which WAF is enabled.\
The dashboard displays real-time charts, tables, and logs that visualize threat activity, blocked requests, and triggered rules.

<figure><img src="/files/iq88MXpSuru7JLBQtmXT" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
Metrics update automatically at short intervals, though the refresh rate may vary depending on your resource’s traffic volume.
{% endhint %}

### Key Metrics and Visualizations

**1. Attack Histogram**

Shows the **number of attacks over time**, helping you detect spikes or recurring patterns.\
You can filter by **URL** to analyze specific endpoints under attack.

**Use it for:** spotting attack trends and determining peak hours of malicious traffic.

<figure><img src="/files/iq88MXpSuru7JLBQtmXT" alt="" width="563"><figcaption></figcaption></figure>

**2. Threats**

Displays the total number of **requests that triggered WAF rules** versus total incoming requests.\
Includes summary values such as:

* **Total:** All detected threats since activation
* **Today:** Threats detected in the last 24 hours
* **This Month / Last Month:** Periodic comparison

**Use it for:** measuring overall WAF effectiveness and identifying sudden spikes that may signal an attack.

**3. Top Client IPs**

Lists the **IP addresses triggering the most WAF rules**.\
A pie chart provides a quick visual overview of threat sources.

**Use it for:** detecting potential attackers or regions generating malicious traffic.

{% hint style="info" %}
Repeated offenders can be blocked or rate-limited via Custom Rules.
{% endhint %}

<figure><img src="/files/OZfIhvTAJNPb19Ym82l0" alt="" width="563"><figcaption></figcaption></figure>

**4. Top Request URIs**

Shows the **URLs most frequently targeted** by suspicious or blocked requests.

**Use it for:** identifying vulnerable endpoints or popular attack targets.\
If a specific path (e.g., `/login`, `/api/v1/auth`) appears repeatedly, consider applying additional rule protections.

<figure><img src="/files/OeJ77MnyN3oQuVtQ8T1w" alt="" width="563"><figcaption></figcaption></figure>

**5. Top User Agents**

Lists browsers, bots, or automated clients generating flagged requests.

**Use it for:** distinguishing legitimate traffic from malicious bots.\
Unusual or outdated User Agents may indicate automated attack tools.

**6. Rule Activity**

Displays which **WAF rules are triggered most often**, showing their frequency and relative impact.

| Column             | Description                                         |
| ------------------ | --------------------------------------------------- |
| **Rule ID / Name** | Identifier of the triggered rule.                   |
| **Triggers**       | Number of times the rule matched incoming requests. |
| **Last Triggered** | Most recent occurrence time.                        |

**Use it for:** assessing rule efficiency and identifying potential false positives.\
Frequently triggered rules may need refinement or condition adjustments.

<figure><img src="/files/0rpHhr646HNbsPxxPf3b" alt="" width="563"><figcaption></figcaption></figure>

**7. Activity Log (Last 300 Requests)**

Shows detailed information about the **most recent flagged requests**, including:

* Timestamp
* IP address
* Request URI
* User Agent
* Triggered Rule

**Use it for:** investigating incidents and validating rule accuracy.\
Regular review helps fine-tune your security posture.

<figure><img src="/files/T1NoUD5pBxU0C9HAfyGE" alt="" width="563"><figcaption></figcaption></figure>

#### Best Practices

* Review WAF analytics at least weekly to identify trends.
* Watch for repeated attacks from the same IPs or regions.
* Use the **Threats** and **Rule Activity** metrics to detect false positives or over-triggered rules.
* Adjust or refine rules based on recurring attack patterns.
* Combine analytics data with logs from your origin server for deeper context.

[<br>](https://clients.medianova.com/docs/web-application-firewall)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://clients.medianova.com/products/security/web-application-firewall-waf/waf-analytics.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.