How to find the score of WAF blocked requests

Azion Web Application Firewall (WAF) generates, for each request it inspects, results that are relevant to the security of your edge applications. This information can be accessed through Real-Time Events, using specific queries.

Visit the Real-Time Events documentation for more information about this product.

This guide presents WAF queries available in Real-Time Events that let you access the data of requests blocked by WAF, understand why they were blocked, and troubleshoot false positives.

WAF queries in Real-Time Events


To find information on requests blocked by WAF in Real-Time Events, follow these steps:

  1. Access Azion Console.
  2. Open the Products menu, indicated by the three horizontal lines, and select Real-Time Events.
  3. In the Data Source field, select Edge Applications.
  4. In the dropdown menu, next to Data Source, set the desired time interval.
    • For example: requests made in the Last 15 minutes, or choose a time range.
  5. In the Filter by field, type the search queries.

Here are two queries that can be used to find WAF blocked requests:

host='domain.com' AND waf_attack_action='$BLOCK'

host='domain.com' AND status='400' AND upstream_status='0'

In both examples, replace domain.com with the domain of your edge application.

  6. Click the Search button.

The results of these two queries should be similar, but small variations between them are possible: the first query matches exactly the requests the WAF acted on, while the second relies on how a WAF block looks in the logs (a 400 response answered at the edge, so the origin is never contacted and upstream_status is 0) and can therefore also include 400 responses that were not generated by the WAF.

  7. Select one of the results in the list to access all the data regarding this request.

After running these queries and selecting a request, a large number of fields are shown. In the context of WAF, the fields to analyze are status, upstream_status, waf_attack_action, waf_block, waf_headers, waf_learning, waf_match, and waf_score. See the table below for the definition of each of these fields.

Check the Real-Time Events documentation to learn more about each field.

The higher the value of the waf_score field, the more attack indicators were found in the request. If the value is -, no attack indicator was found. Because a stricter sensitivity level blocks requests starting from a lower score, the stricter the sensitivity level defined in your WAF, the greater the number of blocked requests with a low waf_score; these low-score blocks are the first candidates to review when troubleshooting false positives.

See the scores for each sensitivity level available in the Web Application Firewall documentation.

To find out whether your WAF is operating in Learning or Blocking mode, you can use this same method and check the waf_learning field, or see the How to check your WAF mode guide.
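The following script is an added example, not part of this guide or of Azion's own tooling. It applies the two queries above and the waf_score interpretation to a small set of constructed Real-Time Events records (one JSON object per line, as you might get from an export). The field names are the ones listed in this guide; the sample values, and the use of "-" in waf_attack_action and "$FALSE" in waf_learning, are assumptions made for the example. It shows why the two queries can differ, how "-" in waf_score must be handled, and how to pull out the low-score blocks worth reviewing as possible false positives.

```python
import json
from collections import Counter

# Constructed sample of Real-Time Events records (Edge Applications data source).
# Field names follow the guide; the values are invented for this example, and the
# "-" (no action) and "$FALSE" encodings are assumptions, not documented formats.
# Record 4 is a 400 answered at the edge that the WAF did not act on.
SAMPLE_EVENTS = """\
{"host":"domain.com","status":"400","upstream_status":"0","waf_attack_action":"$BLOCK","waf_learning":"$FALSE","waf_match":"sql_injection","waf_score":"22"}
{"host":"domain.com","status":"400","upstream_status":"0","waf_attack_action":"$BLOCK","waf_learning":"$FALSE","waf_match":"xss","waf_score":"6"}
{"host":"domain.com","status":"200","upstream_status":"200","waf_attack_action":"-","waf_learning":"$FALSE","waf_match":"-","waf_score":"-"}
{"host":"domain.com","status":"400","upstream_status":"0","waf_attack_action":"-","waf_learning":"$FALSE","waf_match":"-","waf_score":"-"}
{"host":"other.example","status":"400","upstream_status":"0","waf_attack_action":"$BLOCK","waf_learning":"$FALSE","waf_match":"rfi","waf_score":"30"}
"""


def parse_events(text):
    """Parse one JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocked_by_action(events, host):
    """Equivalent of: host='<host>' AND waf_attack_action='$BLOCK'."""
    return [e for e in events
            if e["host"] == host and e["waf_attack_action"] == "$BLOCK"]


def blocked_by_status(events, host):
    """Equivalent of: host='<host>' AND status='400' AND upstream_status='0'.

    A WAF block is a 400 answered at the edge with no origin contact, but any
    other edge-side 400 matches this filter too, so the set can be wider.
    """
    return [e for e in events
            if e["host"] == host and e["status"] == "400"
            and e["upstream_status"] == "0"]


def only_status_match(events, host):
    """Records the status query returns but the waf_attack_action query does not:
    the 'small variations' between the two queries."""
    return [e for e in blocked_by_status(events, host)
            if e["waf_attack_action"] != "$BLOCK"]


def parse_score(value):
    """waf_score is '-' when no attack indicator was found; otherwise an integer."""
    return None if value == "-" else int(value)


def score_histogram(events):
    """Count requests per waf_score; records with '-' are counted under None."""
    return Counter(parse_score(e["waf_score"]) for e in events)


def false_positive_candidates(blocked, max_score):
    """Blocked requests scoring at or below max_score. A stricter sensitivity
    level blocks from a lower score, so these are the first ones to review."""
    return [e for e in blocked
            if (parse_score(e["waf_score"]) or 0) <= max_score]


def learning_values(events, host):
    """Distinct waf_learning values seen for a host (assumed "$TRUE"/"$FALSE"),
    the same check the guide suggests for telling Learning from Blocking mode."""
    return {e["waf_learning"] for e in events if e["host"] == host}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    host = "domain.com"
    by_action = blocked_by_action(events, host)
    by_status = blocked_by_status(events, host)
    print(f"query 1 (waf_attack_action): {len(by_action)} records")
    print(f"query 2 (status/upstream_status): {len(by_status)} records")
    for e in only_status_match(events, host):
        print("  400 at the edge without a WAF block action:", e)
    print("waf_score distribution of blocked requests:", dict(score_histogram(by_action)))
    for e in false_positive_candidates(by_action, max_score=10):
        print(f"  review: waf_match={e['waf_match']} waf_score={e['waf_score']}")
    print("waf_learning values seen:", learning_values(events, host))
```

Running the script prints two matches for the first query, three for the second, the one edge-side 400 that explains the difference, and the single blocked request with a score of 6 as the false-positive candidate. The threshold passed to false_positive_candidates is a choice for the reviewer, not a WAF setting; compare it against the score table for your sensitivity level in the Web Application Firewall documentation.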
