The CWAAP Violation Logs section displays a comprehensive overview of the violations captured for your account, set against the countermeasures that have been implemented to log or block specific requests.
Accessing the CWAAP violation logs
To access the Violation Logs, using the left-hand navigation menu, select Analytics, then WAF, Logs, and then Violation Logs from the drop-down list.
The Applications drop-down menu allows for the selection of a custom configured asset (or all Assets) for your account. By default, the All Assets (Combined) application is selected.
The Date Range filter provides two methods of customizing the data that is displayed on the WAF Dashboard.
Custom date range
Clicking the displayed date range selection opens the pop-out calendar window, which allows you to select a beginning and end date, as well as a custom time range. Clicking the calendar icon allows you to quickly navigate through months and years to select the beginning and end dates. You can also manually type in the desired date instead of using the calendar option. The maximum number of days in the past that can be captured is ninety (90) days from the current date. Click the green checkmark icon once you have selected your custom time frame to view the results.
Quick select date range
Instead of creating a custom time frame for your dashboard results, you can use one of the pre-configured quick select date range options. By default, the Dashboard displays the results for the previous seven days (7D).
- 1H - Displays the result details for the previous hour.
- 3H - Displays the result details for the previous three hours.
- 12H - Displays the result details for the previous 12 hours.
- 1D - Displays the result details for the previous calendar day.
- 7D - Displays the result details for the previous seven calendar days (week).
- 30D - Displays the result details for the previous 30 days (calendar month).
Field and text
The Field and Enter Text options enable custom search filters to be created to display your Violation Log details.
The field drop-down menu has the following criteria options.
- Source IP
- Transaction ID
- Event ID
- The URI and User-Agent fields are case-sensitive.
- The maximum number of characters allowed in the Search field is 90.
The Violation Logs that are currently displayed on the screen (which includes any configured filters) can be exported in either a:
- CSV file
- JSON output
Clicking either of the download options displays a grayed-out cloud icon while the file is compiled. Once the cloud icon becomes clickable, the file begins to download.
Violation log details
The Violation Log Details table displays a comprehensive overview of the violation that was captured, with hyperlinked content that takes you to the Enrichment section for more details.

|Action Type|Response Type|
|---|---|
|Action|Displays the action taken for the violation. Either Logged or Blocked.|
|Timestamp|Displays the timestamp (as UTC) at which the violation was captured.|
|Application|The Application name impacted by the violation.|
|Source IP|The specific Source IP belonging to the application that was impacted by the violation.|
|Country|The country from which the traffic that triggered the violation originated.|
|Reason|A brief explanation about the violation, and what type of violation was triggered.|

Each Violation Log entry in the table has more features that can be selected.
The View Details feature displays a more detailed overview of the violation details. Clicking the Policy hyperlink will redirect you to the Configuration - Policies section of your account.
The blue "i" icon shows the full path details that might be condensed on the Violation Log Details screen due to length restrictions.
The double paper icon is a copy-and-paste option. Use it instead of manually copying the details, which might not work because the details might be truncated on the page.
Selecting the Add IP Filter button adds the selected IP address to the Blocked list for the account. On the pop-out window, the IP / CIDR address is listed (which can be edited), and an indicator for Blocked (selected by default), or Not Blocked. Once you click Save, the IP address filter is added to your policy (which can be found in the View Details section).
Selecting Create Relaxation Rule adds the selected violation log entry to the allowed (or listed) list for the account. The Violation Reason determines the possible configuration settings for the Relaxation Rule. Once you click the Save button, the Relaxation Rule is added to your configured policy (which can be found in the View Details section).
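
A CSV export of the Violation Logs can be triaged offline before deciding which entries warrant Add IP Filter or a Relaxation Rule. The following is an added example, not part of the product or its documentation. It assumes the export's header row uses the column names from the Violation Log Details table; the sample rows, timestamp format and Reason values are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample standing in for a CSV export. Header names are an
# assumption taken from the Violation Log Details table; adjust them to
# match the header row of a real export.
SAMPLE_EXPORT = """\
Action,Timestamp,Application,Source IP,Country,Reason
Logged,2024-01-10T08:00:01Z,shop,203.0.113.7,US,SQL Injection
Logged,2024-01-10T08:00:03Z,shop,203.0.113.7,US,SQL Injection
Logged,2024-01-10T08:00:09Z,shop,203.0.113.7,US,Cross-Site Scripting
Blocked,2024-01-10T08:01:00Z,shop,198.51.100.20,DE,SQL Injection
Logged,2024-01-10T08:02:00Z,api,192.0.2.55,FR,Header Length
Logged,2024-01-10T08:02:30Z,api,not-an-ip,FR,Header Length
"""

def triage(csv_text, min_logged=3):
    """Summarise an export for review.

    Returns (candidates, reasons, skipped):
      candidates - (ip, count, applications) for source IPs with at least
                   min_logged violations that were Logged rather than Blocked
      reasons    - Counter of Reason values, for relaxation-rule review
      skipped    - number of rows whose Source IP did not parse
    """
    logged = Counter()
    apps = defaultdict(set)
    reasons = Counter()
    skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = str(ipaddress.ip_address(row["Source IP"].strip()))
        except ValueError:
            skipped += 1  # malformed row: count it, do not act on it
            continue
        reasons[row["Reason"].strip()] += 1
        if row["Action"].strip().lower() == "logged":
            logged[ip] += 1
            apps[ip].add(row["Application"].strip())
    candidates = [(ip, n, sorted(apps[ip]))
                  for ip, n in logged.most_common() if n >= min_logged]
    return candidates, reasons, skipped

if __name__ == "__main__":
    candidates, reasons, skipped = triage(SAMPLE_EXPORT)
    for ip, n, app_names in candidates:
        print(f"{ip}: {n} logged violations on {', '.join(app_names)}")
    print("reasons:", reasons.most_common(), "skipped rows:", skipped)
```

Source IPs that appear only with the Blocked action are left out of the candidate list because a countermeasure already applies to them; the Reason counts show which violation types recur often enough to review against the policy.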