How to find the score of WAF blocked requests

Azion Web Application Firewall (WAF) generates relevant results to maintain the security of your edge applications. This information can be accessed through Real-Time Events, using specific queries.

This guide includes some WAF queries available in Real-Time Events to access the data of requests blocked by WAF, to understand the reason why they were blocked, and troubleshoot false positives.

Go to Real-Time Events reference

WAF queries in Real-Time Events

To find information on requests blocked by WAF in Real-Time Events, follow the steps:

Access Azion Console > Real-Time Events.
Select the HTTP Requests tab to get the logs of events from requests made to your edge applications and edge firewalls.
In the dropdown menu, set the desired time interval.
- For example: requests made in the Last 15 minutes, or choose a time range.
In the Search field, type the search queries.

Here are two queries that can be used to find WAF blocked requests:

host='domain.com' AND waf_attack_action='$BLOCK'

host='domain.com' AND status='400' AND upstream_status='0'

In both examples, swap domain.com with the domain of your edge application.

The results of these two queries should be similar, but it’s possible to find small variations between the answers.

Select one of the results in the list to access all the data regarding this request.

Access Real-Time Manager (RTM).
Open the Products menu, indicated by the three horizontal lines, and select Real-Time Events.
In the Data Source field, select Edge Applications.
In the dropdown menu, next to Data Source, set the desired time interval.
- For example: requests made in the Last 15 minutes, or choose a time range.
In the Filter by field, type the search queries.

Here are two queries that can be used to find WAF blocked requests:

host='domain.com' AND waf_attack_action='$BLOCK'

host='domain.com' AND status='400' AND upstream_status='0'

In both examples, swap domain.com with the domain of your edge application.

Click the Search button.
- The results of these two queries should be similar, but it’s possible to find small variations between the answers.
Select one of the results in the list to access all the data regarding this request.

After running these queries and selecting a request, numerous data will be shown. However, in the context of WAF, you can analyze status, upstream_status, waf_attack_action, waf _block, waf_headers, waf_learning, waf_match, and waf_score.

The higher the value of the waf_score field, the more indicative of threats were found in this request. If the result is -, no indication of threat has been found. This means the stricter the sensitivity level defined in your WAF, the greater the number of low waf_score blocked requests.