New WAF Features: Request Query Analysis & Threat Origin Map
Our StackPath WAF users just got a significant upgrade. We’re excited to announce our latest features: Request-Based Query Analysis, Request Tags, and the Threat Origin Map.
Let’s explore how these new features give you an even greater level of protection against DDoS attacks as you gain deeper insight into who is trying to get into your network and where these threats are coming from. With this more detailed information, your team is better able to ensure your customers access your services while keeping the bad actors at bay.
Request-Based Query Analysis
The Request-Based Query Analysis feature gives you vital information about the network traffic passing through your website in a handy table. Before the update, you could view security events. Now, you can see requests, too.
By default, it displays data for the last 24 hours. However, if you want to see data for a custom period, you can click the calendar icon on the top right corner of the dashboard.
With the update to this feature, you get more clarity by seeing the request classification as Policy-Blocked or Custom Rule-Blocked. Policy-Blocked requests are requests blocked by StackPath’s WAF policies. In contrast, Custom Rule-Blocked requests are blocked by user-generated rules. You can select each checkbox to filter the requests shown in the graph, which helps administrators anticipate the network flow.
Another great feature introduced in our recent update allows you to filter requests by traffic type. You can choose from Policy Allowed, Custom Rule-Allowed, Passed to Origin, Policy Blocked, and Custom Rule Blocked. Multi-select checkboxes let you easily customize your results with any combination of filters.
This feature is especially useful for DevOps and SRE teams who want to dive deeper into the analysis of passed requests and blocked requests. Additionally, it simultaneously satisfies two specific use cases by providing an option to view the bots blocked by policy and bots allowed by policy. You can also use this feature to create a custom rule to allow or block network traffic.
Request Tags
The tags on incoming requests are visible, so you can see why StackPath blocked or allowed requests. In the Requests Table view, you can click a rule name’s tag to read more details about the request. Apart from request information and headers, this view displays tags at the bottom, which specify why StackPath blocked or allowed requests.
To view the tags on the request, click one of the rule names from the requests table.
Clicking on a rule opens a new tab where you can see the request details, divided into four sections.
The Tags section provides meta-information about why StackPath prohibited or permitted the request. For example, the request in the image was from the hosting services for the previous case, so it was unnecessary and blocked. Similarly, StackPath generates meaningful tags according to the request to give you better insights into your website’s traffic.
This feature lets you perform a tag-based analysis of your network traffic to create robust and dynamic rules for the WAF. DevOps and SRE teams can use those tags to create a custom policy, like StackPath’s policy. Also, the request tags list is always growing, so you’ll always have more, up-to-date information about request tags.
Our WAF enables DevOps engineers and Site Reliability Engineers (SREs) to create an assertive action policy for incoming threats. Also, it can help enforce organization-wide custom WAF policies to mitigate and prevent threats from accessing the website’s content.
Note that enterprise customers can create WAF rules based on the tags through the API but not through the UI. This feature is currently available to enterprise customers only.
Threat Origin Map
Another fantastic feature from our recent update is the Threat Origin Map, which shows where threats originate. In the Analytics Dashboard for WAF, you can find this information under Top Threat Origins.
This map displays the list of countries along with the number of threat requests, in descending order. This is very useful for auditing and keeping a hard record. You can print the map or download it in various formats such as PDF, PNG, XLS, and CSV.
This feature is especially handy for companies with rigorous access policies that do not want users from specific countries to visit their site. Based on this data, DevOps and SREs can enforce or plan actions to restrict requests from a specific region.
Now that you have the option to dig deeper into threat origins, and the reasons why traffic was blocked, you can adjust your security efforts to better serve your own customers while protecting your network from bots and hackers. We’re looking forward to hearing how our StackPath WAF customers use all this new information and the map visualizations.
These new features complement the original features of StackPath’s WAF. If you are an existing StackPath WAF customer, you can start using our new features today, as they come without any extra cost (although creating rules based on tags is only available to enterprise users). If you’re looking for a WAF solution, consider signing up for StackPath WAF so you can gain access to these exciting new features — and so much more.