Updated on 2025-05-08 GMT+08:00

Viewing Web Protection Events

You can search for security events, such as XSS attacks, SQL injection, CC attacks, and user-defined precise protection events in the event list to quickly locate attack sources or analyze attack events.

You can view event data of all protected domain names in the last 30 days.

If you switch the working mode for a website to Suspended, EdgeSec only forwards all requests to the website without inspection. It does not log any attack events neither.

  • If you have enabled enterprise projects, you can select your enterprise project from the Enterprise Project drop-down list and view protection event logs in the project.

Prerequisites

A protected website has been added. For details, see Adding a Website to EdgeSec.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Content Delivery & Edge Computing > CDN and Security.
  3. In the navigation pane on the left, choose Edge Security > Statistic. The Statistic page is displayed.
  4. Select a website from the Website drop-down list. You can view protection logs of yesterday, today, past 3 days, past 7 days, past 30 days, or a user-defined time range.

    Auto Refresh: After the function is enabled, the data is refreshed every 30 seconds.

    Figure 1 Events

  5. View the event details.

    • In the search box, select a property or enter a keyword. For details about the search conditions, see Table 1.
    • Click to select fields you want to display in the event lists.
    • You can click a rule ID to go to the corresponding protection rule page.
    • To view event details, locate the row containing the event and click Details in the Operation column.
    Table 1 Parameters in the event list

    Parameter

    Description

    Event ID

    ID of the event

    Policy ID

    Protection policy ID

    Rule ID

    Protection rule ID

    Source IP Address

    Public IP address of the web visitor/attacker

    By default, All is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs.

    Rule Name

    The name is displayed only when a user-created rule is matched. For default rules, such as the built-in rules for basic web protection and bot protection, the rule names are not displayed.

    Time

    When the attack occurred

    Domain Name

    Attacked domain name

    Geolocation

    Location where the IP address of the attack originates from

    URL

    Attacked URL

    Attack type

    • Web application attack
    • Access control
    • Challenge Collapsar (CC) attack
    • Bot attack

    Incident Type

    Type of the attack.

    By default, All is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs.

    Protective Action

    The options are Block, Log only, and Verification code.

    NOTE:

    If an access request matches a data masking rule, the protective action is marked as Mismatch.

    ASN

    Autonomous system number