Using the Advanced Threat Reporting screen

The Advanced Threat Reporting screen can be accessed by selecting the "Threats" tab and then selecting "Advanced" on the next screen:

You will be asked to enter your credentials again:

After entering your credentials, you will see a screen with several tabs: "Attack Type", "GeoIP Map", "Denial of Service and Bot Traffic" and "Search":

To see any information, you need to select the appropriate filters (for example, the "Attack Type" screen requires you to select "Web Application", "Request status" and "Attack Type") and click "Submit". If you are not sure what to select, you can pick "All":

This will give you an overview of all available information.

In addition, you can select a Time Range; by default, "Last 7 days" is selected.

We have further documentation detailing the various Attack Types that may be seen.

Each of the tabs in the Advanced Reporting screen provides information on a different subject:

  • "Attack Type" tab allows you to see various statistics related to attacks performed against your websites:
    • "Attack types" graph shows you the types of attacks that are being performed against your website.
    • "Attacks per Hostname" graph shows you how many attacks are performed against each host. Only the top 10 hosts are shown.
    • "Blocked vs Alerted" graph shows how many requests have been blocked and how many requests have generated alerts. Alerts are generated when your security policy is in "transparent" mode; once the policy is changed to "blocking", these alerted requests will be blocked.
    • "Top signatures" graph shows the top attack signatures used against your websites.
    • "Top Source IPs" table shows the top attacker IPs that have been performing attacks against your website.
    • "Top URIs" table shows the URLs that attackers have been targeting the most on your websites.
  • "GeoIP Map" tab provides information about the geographical location of the attacks.
    • "Blocked Attacks by Country" interactive map provides information on where the attacks are originating from. The size of each pie chart indicates the volume of attacks from that country.
    • "Source Country" graph shows you attack traffic trends from the top 10 countries with the most attacks.
    • "Attacker IP" graph shows the attacker IPs that have performed the most attacks against your website.
    • "Blocked Attacks by Country" table provides additional information about countries where the attacks are originating from.
  • "Denial of Services and Bot Traffic" tab provides information about Denial of Service (DoS) attacks against your website.
    • "Application DoS attacks" graph shows the DoS attack trend against the most attacked websites.
    • "DoS - Top Attacked URIs" pie chart shows the URIs that are being targeted by the attackers the most.
    • "DoS - HTTP Method" and "DoS - Protocol" pie charts show the most attacked HTTP method and the most attacked protocols.
    • "Non-Browser Traffic" graph shows the trends of traffic generated by automated tools, scanning engines and other non-browser user agents.
    • "User Agent Traffic" chart shows user agents that are used to perform DoS attacks.
    • "Application DoS - Attack Technique" chart shows the attack techniques that were used to perform DoS attacks against your websites.
  • "Search" tab allows you to search for log entries for blocked or alerted requests. One of the most useful features of this tab is that it allows you to search by the "Support ID" shown on the blocking page:

    You can enter this support ID in the "Keyword" box, select "all" from the "Web Application" dropdown, pick an appropriate Time Range and click Submit. This will search the log database and show you the log entry. These log entries are in syslog format and contain information related to the blocked request, such as the client IP address, the request that has been blocked, the signatures that caused the request to be blocked, etc.