Azion Web Application Firewall (WAF) generates relevant results to maintain the security of your applications. This information can be accessed through Real-Time Events, using specific queries.
This guide includes some WAF queries available in Real-Time Events to access the data of requests blocked by WAF, understand why they were blocked, and troubleshoot false positives.
WAF queries in Real-Time Events
To find information on requests blocked by WAF in Real-Time Events, follow the steps:
- Access Azion Console > Real-Time Events.
- Select the HTTP Requests tab to get the logs of events from requests made to your applications and firewalls.
- In the dropdown menu, set the desired time interval.
  - For example: requests made in the Last 15 minutes, or choose a time range.
- In the Search field, type the search queries.
Here are two queries that can be used to find WAF blocked requests:
host='domain.com' AND waf_attack_action='$BLOCK'
host='domain.com' AND status='400' AND upstream_status='0'
In both examples, swap domain.com with the domain of your application.
- The results of these two queries should be similar, but it’s possible to find small variations between the answers.
- Select one of the results in the list to access all the data regarding this request.
After running one of these queries and selecting a request, a large amount of data is shown. In the context of WAF, the fields to analyze are status, upstream_status, waf_attack_action, waf_block, waf_headers, waf_learning, waf_match, and waf_score.
The higher the value of the waf_score field, the more threat indicators were found in the request. If the value is -, no indication of a threat was found. Consequently, the stricter the sensitivity level defined in your WAF, the more requests with a low waf_score will be blocked.
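The following script is an added example, not part of the Azion guide or product. It applies the two queries above to a constructed batch of Real-Time Events records (the field names come from this guide; every value, URI and record is invented), shows where the two queries can disagree, and ranks blocked requests by waf_score so that low-score blocks can be reviewed first as false-positive candidates. Whether Real-Time Events can be exported in exactly this record shape is an assumption.

```python
from typing import Optional

# Constructed sample of HTTP Request records. Field names follow the guide
# (host, status, upstream_status, waf_attack_action, waf_block, waf_match,
# waf_score); all values are invented and do not represent real Azion output.
SAMPLE_EVENTS = [
    {"host": "domain.com", "request_uri": "/login", "status": "400", "upstream_status": "0",
     "waf_attack_action": "$BLOCK", "waf_block": "1", "waf_match": "sqli", "waf_score": "32"},
    {"host": "domain.com", "request_uri": "/search?q=O'Brien", "status": "400", "upstream_status": "0",
     "waf_attack_action": "$BLOCK", "waf_block": "1", "waf_match": "sqli", "waf_score": "8"},
    {"host": "domain.com", "request_uri": "/api/items", "status": "200", "upstream_status": "200",
     "waf_attack_action": "-", "waf_block": "0", "waf_match": "-", "waf_score": "-"},
    # A 400 with no upstream response that the WAF did not cause: only the
    # status-based query picks it up, which is the kind of variation the guide mentions.
    {"host": "domain.com", "request_uri": "/upload", "status": "400", "upstream_status": "0",
     "waf_attack_action": "-", "waf_block": "0", "waf_match": "-", "waf_score": "-"},
    {"host": "other.com", "request_uri": "/", "status": "400", "upstream_status": "0",
     "waf_attack_action": "$BLOCK", "waf_block": "1", "waf_match": "xss", "waf_score": "16"},
]


def query_by_waf_action(events, host):
    """Equivalent of: host='<host>' AND waf_attack_action='$BLOCK'."""
    return [e for e in events if e["host"] == host and e["waf_attack_action"] == "$BLOCK"]


def query_by_status(events, host):
    """Equivalent of: host='<host>' AND status='400' AND upstream_status='0'."""
    return [e for e in events
            if e["host"] == host and e["status"] == "400" and e["upstream_status"] == "0"]


def compare_queries(events, host):
    """Report which request URIs appear in one query's results but not the other."""
    by_action = {e["request_uri"] for e in query_by_waf_action(events, host)}
    by_status = {e["request_uri"] for e in query_by_status(events, host)}
    return {
        "only_waf_action": sorted(by_action - by_status),
        "only_status": sorted(by_status - by_action),
    }


def waf_score(event) -> Optional[int]:
    """Parse waf_score; '-' means no threat indication was found, so return None."""
    raw = event.get("waf_score", "-")
    return None if raw == "-" else int(raw)


def low_score_blocks(events, host, threshold):
    """Blocked requests whose waf_score is below the threshold, lowest first.

    With a strict sensitivity level these low-score blocks are the first
    candidates to review for false positives.
    """
    scored = [e for e in query_by_waf_action(events, host)
              if waf_score(e) is not None and waf_score(e) < threshold]
    return sorted(scored, key=waf_score)


if __name__ == "__main__":
    host = "domain.com"
    print("blocked by WAF action:", [e["request_uri"] for e in query_by_waf_action(SAMPLE_EVENTS, host)])
    print("status 400 / upstream 0:", [e["request_uri"] for e in query_by_status(SAMPLE_EVENTS, host)])
    print("differences:", compare_queries(SAMPLE_EVENTS, host))
    for e in low_score_blocks(SAMPLE_EVENTS, host, threshold=10):
        print(f"review: {e['request_uri']} waf_match={e['waf_match']} waf_score={e['waf_score']}")
```

When reviewing the low-score entries, compare waf_match with the request content shown in the event to decide whether the matched pattern reflects legitimate input (such as an apostrophe in a search term) before adjusting the rule set or sensitivity level.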