Events

The Events screen displays lists of the security events that have occurred over the selected time period.

There are two tabbed views. Aggregates shows events grouped by the values in the Group By filter above (IP Address, ASN, Country, Hostname, URL, User Agent, Status Code, Rule ID, Browser, Device OS, or Device Type), in descending order of number of hits. Raw Events shows all events in descending chronological order.

The Raw Events list shows summary information in tabular form.

Click the small triangle at the left to expand a given event and view all available information. The detailed information is divided up under several tabs: Request, Response, Client, Event Details, and WAF Details:

[Image: clicking on an event displays a large amount of data about that event]

You can filter events for both the Aggregates and Raw Events views by clicking Show Filters:

[Image: events in both the Aggregates and Raw Events views can be filtered by time, event type, severity, action, and more]

You can:

  • filter by Time Period
  • group by (Aggregates view only): IP Address, ASN, Country, Hostname, URL, User Agent, Status Code, Rule ID, Browser, Device OS, or Device Type
  • filter by Event Type: WAF, Rate Limit, Custom, or All
  • filter by Severity: All, High, Medium, Low, or Info
  • filter by Response Action: All, Block, Warn

Filters set in either the Aggregates or Raw Events view affect both views.

For filtering by Time Period, you can choose 1 day, 2 days, or 3 days. A calendar widget enables you to specify the specific day or days. The time graph shows events over the selected time period and provides a draggable time slider control, which enables you to zoom in to a specific subrange of time to see peaks of interest and focus on a specific span of hours:

[Image: security event filter time span selection]

Additional Filters enables you to filter further on specific data. Select the type of data you want to filter on in the Additional Filters pulldown list, then specify the criteria and value. Click + to add another filter; click X to delete that filter.

[Image: you can add additional security event filters to the standard set]

The values of Additional Filter Criteria depend on the type of data you are filtering on. For example, Protocol has only two possible values, HTTP and HTTPS, so the criteria available are equals and does not equal, and the Additional Filter Value will be a pulldown with only these two values available to choose from. For data that has a string value, the criteria are equals, does not equal, contains, or does not contain, and the Additional Filter Value will be a text field. This enables you to filter for substrings in these items as well as exact matches.

For example, let's say you start at the Aggregates view and note the IP address with the largest count of events. You can then filter on this address by checking the Add to Filters box at the right side, then switch to the Raw Events view and see what that particular IP was trying to do. You might then want to boil down the list to only those events where this IP address attempted to POST something by selecting Method from the Additional Filters list, equals as the Additional Filter Criteria, and POST as the Additional Filter Value:

[Image: additional filters for the security events page]

Click Apply Changes to engage the selected filters.
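The filter semantics described above (equals, does not equal, contains, does not contain, and name:value matching for headers) together with the walkthrough from the top IP address in Aggregates down to its POST requests in Raw Events, modelled offline over a small constructed set of events. This is an added example, not the product's own code; the event field names, the header-matching rule and the sample events are assumptions.

```python
"""Offline model of the Aggregates view and the Additional Filters.
Added example; field names, header-matching rule and sample events are assumed."""
from collections import Counter

# Constructed sample of raw security events (field names are assumptions).
EVENTS = [
    {"ip": "198.51.100.7", "method": "POST", "path": "/login", "protocol": "HTTPS",
     "request_headers": {"accept-encoding": "gzip, deflate, br"}, "status": 403},
    {"ip": "198.51.100.7", "method": "GET", "path": "/", "protocol": "HTTPS",
     "request_headers": {"accept-encoding": "gzip"}, "status": 200},
    {"ip": "198.51.100.7", "method": "POST", "path": "/api/upload", "protocol": "HTTP",
     "request_headers": {}, "status": 403},
    {"ip": "203.0.113.9", "method": "GET", "path": "/admin", "protocol": "HTTPS",
     "request_headers": {"accept-encoding": "br"}, "status": 403},
]

def aggregate(events, group_by):
    """Aggregates view: hit count per value of group_by, most hits first."""
    return Counter(e[group_by] for e in events).most_common()

def matches(event, field, criterion, value):
    """Apply one Additional Filter: equals, does not equal, contains, does not contain."""
    if field == "request_headers":
        # Assumed header rule: "name:value" hits when the named header is present
        # (case-insensitive name) and its value contains the given substring.
        name, _, want = value.partition(":")
        actual = {k.lower(): v for k, v in event[field].items()}.get(name.strip().lower())
        hit = actual is not None and want.strip() in actual
    elif criterion in ("equals", "does not equal"):
        hit = str(event[field]) == value
    else:  # contains / does not contain: substring match on the string value
        hit = value in str(event[field])
    return not hit if criterion.startswith("does not") else hit

def apply_filters(events, filters):
    """Raw Events view: keep events satisfying every (field, criterion, value) filter."""
    return [e for e in events if all(matches(e, *f) for f in filters)]

def top_ip_posts(events):
    """The walkthrough from the text: top IP in Aggregates, then only its POST requests."""
    top_ip, _ = aggregate(events, "ip")[0]
    return apply_filters(events, [("ip", "equals", top_ip), ("method", "equals", "POST")])

if __name__ == "__main__":
    for ip, hits in aggregate(EVENTS, "ip"):
        print(f"{ip:16} {hits}")
    for e in top_ip_posts(EVENTS):
        print(e["method"], e["path"], e["status"])
```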

List of Additional Filters possibilities

Each entry below gives the filter, the criteria available for it, and its possible values, grouped as in the Additional Filters pulldown.

Request
  • Protocol
    Criteria: equals | does not equal
    Possible values: HTTP, HTTPS
  • Method
    Criteria: equals | does not equal
    Possible values: DELETE, GET, HEAD, POST, PUT, CONNECT
  • Property
    Criteria: equals | does not equal
    Possible values: select from the pulldown list of properties within this account
  • Domain
    Criteria: equals | does not equal | contains | does not contain
    Possible values: valid string or substring
  • Path
    Criteria: equals | does not equal | contains | does not contain
    Possible values: valid string or substring
  • Query String
    Criteria: equals | does not equal | contains | does not contain
    Possible values: valid string or substring
  • User-Agent
    Criteria: equals | does not equal | contains | does not contain
    Possible values: valid string or substring
  • Referer
    Criteria: equals | does not equal | contains | does not contain
    Possible values: valid string or substring
  • Request Headers
    Criteria: contains | does not contain
    Possible values: valid request header name and value, for example accept-encoding:gzip, deflate, br
  • Request ID
    Criteria: equals | does not equal | contains | does not contain
    Possible values: valid string or substring

Response
  • HTTP Status Code
    Criteria: equals | does not equal
    Possible values: valid 3-digit HTTP status code
  • Response Headers
    Criteria: contains | does not contain
    Possible values: valid response header name and value, for example vary:Accept-Encoding,Cookie,Authorization

Client
  • ASN
    Criteria: equals | does not equal | contains | does not contain
    Possible values: valid string or substring of an officially registered autonomous system number
  • IP
    Criteria: equals | does not equal
    Possible values: valid IPv4 address
  • Country
    Criteria: equals | does not equal
    Possible values: valid country name (from pulldown list)
  • Device Type
    Criteria: equals | does not equal
    Possible values: valid device type (from pulldown list)
  • Device OS
    Criteria: equals | does not equal
    Possible values: valid device OS name (from pulldown list)
  • Browser
    Criteria: equals | does not equal
    Possible values: valid browser name (from pulldown list)
  • IP Reputation Score
    Criteria: equals | does not equal
    Possible values: valid IP Reputation Score (one or two digits in the range 1-20)
  • IP Threat Category
    Criteria: equals | does not equal
  • PoP
    Criteria: equals | does not equal
    Possible values: the name of the point of presence that handled this request

Rule Details
  • Rule ID
    Criteria: equals | does not equal
    Possible values: valid rule ID string
  • Rule Description
    Criteria: equals | does not equal | contains | does not contain
    Possible values: string or substring occurring in the rule description field