WAF Analytics

Learn how to interpret the Web Application Firewall (WAF) dashboard and key analytics metrics in the Medianova Control Panel.

The WAF Analytics Dashboard provides visibility into malicious traffic, rule performance, and blocked requests detected by the Web Application Firewall (WAF). You can monitor attacks in real time, identify their sources, and adjust your rules to improve detection accuracy.

Analytics data is available when WAF is active in either On or Monitoring Only mode.

Accessing the Dashboard

You can access WAF analytics from the Medianova Control Panel. Navigate to Analytics → WAF, then select the CDN Resource for which WAF is enabled. The dashboard displays real-time charts, tables, and logs that visualize threat activity, blocked requests, and triggered rules.

Metrics update automatically at short intervals, though the refresh rate may vary depending on your resource’s traffic volume.

Key Metrics and Visualizations

1. Attack Histogram

Shows the number of attacks over time, helping you detect spikes or recurring patterns. You can filter by URL to analyze specific endpoints under attack.

Use it for: spotting attack trends and determining peak hours of malicious traffic.

2. Threats

Displays the total number of requests that triggered WAF rules versus total incoming requests. Includes summary values such as:

  • Total: All detected threats since activation

  • Today: Threats detected in the last 24 hours

  • This Month / Last Month: Periodic comparison

Use it for: measuring overall WAF effectiveness and identifying sudden spikes that may signal an attack.

3. Top Client IPs

Lists the IP addresses triggering the most WAF rules. A pie chart provides a quick visual overview of threat sources.

Use it for: detecting potential attackers or regions generating malicious traffic.

Repeated offenders can be blocked or rate-limited via Custom Rules.

4. Top Request URIs

Shows the URLs most frequently targeted by suspicious or blocked requests.

Use it for: identifying vulnerable endpoints or popular attack targets. If a specific path (e.g., /login, /api/v1/auth) appears repeatedly, consider applying additional rule protections.

5. Top User Agents

Lists browsers, bots, or automated clients generating flagged requests.

Use it for: distinguishing legitimate traffic from malicious bots. Unusual or outdated User Agents may indicate automated attack tools.

6. Rule Activity

Displays which WAF rules are triggered most often, showing their frequency and relative impact.

| Column | Description |
| --- | --- |
| Rule ID / Name | Identifier of the triggered rule. |
| Triggers | Number of times the rule matched incoming requests. |
| Last Triggered | Most recent occurrence time. |

Use it for: assessing rule efficiency and identifying potential false positives. Frequently triggered rules may need refinement or condition adjustments.

7. Activity Log (Last 300 Requests)

Shows detailed information about the most recent flagged requests, including:

  • Timestamp

  • IP address

  • Request URI

  • User Agent

  • Triggered Rule

Use it for: investigating incidents and validating rule accuracy. Regular review helps fine-tune your security posture.

Best Practices

  • Review WAF analytics at least weekly to identify trends.

  • Watch for repeated attacks from the same IPs or regions.

  • Use the Threats and Rule Activity metrics to detect false positives or over-triggered rules.

  • Adjust or refine rules based on recurring attack patterns.

  • Combine analytics data with logs from your origin server for deeper context.
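The weekly review described above can be scripted once Activity Log rows are copied out of the panel. The following is an added example, not Medianova code: the page documents no export format, so the CSV layout, the rule names (RULE-A, RULE-B), the thresholds and every sample value are assumptions. Only the five field names come from the Activity Log description.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample. The CSV layout, rule names and all values are assumptions;
# only the five field names come from the Activity Log description.
SAMPLE_LOG = """timestamp,ip,uri,user_agent,rule
2024-05-01T10:00:01Z,203.0.113.7,/login,python-requests/2.31,RULE-A
2024-05-01T10:00:02Z,203.0.113.7,/login,python-requests/2.31,RULE-A
2024-05-01T10:00:03Z,203.0.113.7,/login,python-requests/2.31,RULE-A
2024-05-01T10:00:04Z,203.0.113.7,/api/v1/auth,python-requests/2.31,RULE-A
2024-05-01T10:05:10Z,198.51.100.10,/search,Mozilla/5.0,RULE-B
2024-05-01T10:06:22Z,198.51.100.11,/search,Mozilla/5.0,RULE-B
2024-05-01T10:07:45Z,198.51.100.12,/search,Mozilla/5.0,RULE-B
2024-05-01T10:09:03Z,198.51.100.13,/search,Mozilla/5.0,RULE-B
"""

def load(text):
    """Parse the assumed CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def top(rows, field, n=3):
    """Most frequent values of one field, like the dashboard's Top panels."""
    return Counter(r[field] for r in rows).most_common(n)

def repeat_offenders(rows, min_hits=3):
    """IPs with at least min_hits flagged requests: block or rate-limit candidates."""
    hits = Counter(r["ip"] for r in rows)
    return {ip: n for ip, n in hits.items() if n >= min_hits}

def false_positive_candidates(rows, min_ips=3):
    """Rules that fire on one URI from many distinct IPs.

    Heuristic only: hits spread across many clients on a single path may mean
    the rule matches legitimate traffic; confirm against origin logs first.
    """
    ips, uris = defaultdict(set), defaultdict(set)
    for r in rows:
        ips[r["rule"]].add(r["ip"])
        uris[r["rule"]].add(r["uri"])
    return sorted(k for k in ips if len(ips[k]) >= min_ips and len(uris[k]) == 1)

if __name__ == "__main__":
    rows = load(SAMPLE_LOG)
    print("Top URIs:", top(rows, "uri"))
    print("Repeat offenders:", repeat_offenders(rows))
    print("Review for false positives:", false_positive_candidates(rows))
```

Rules returned by `false_positive_candidates` are review candidates for Monitoring Only mode or condition adjustments, not confirmed false positives.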
