# Attack Monitoring

### Overview

The **Attacks** section provides visibility into malicious activities detected by the WAF.\
It helps users monitor attack sources, review blocked or allowed malicious requests, and investigate security incidents.

This section includes three main views:

* **Events** – summarizes attack activity grouped by source IP
* **Logs** – displays every individual malicious request
* **Detail View** – shows full information for a specific attack event

***

### Attacks – Events View

The **Events** tab provides a high-level overview of detected attacks, grouped by attacker IP address.

For each source IP, users can see:

* Source IP address and country
* Targeted application
* Number of detected attacks
* Attack duration
* Time when the attack started

Filtering options allow users to narrow down results by:

* IP address
* Domain
* Port
* Time range

This view is useful for:

* Identifying repeated attackers
* Detecting large-scale or ongoing attack waves
* Quickly assessing the severity of an attack source

***

### Attacks – Logs View

The **Logs** tab provides request-level visibility into every detected malicious request.

For each request, users can review:

* Action taken by the WAF (Blocked or Allowed)
* Detected attack type (e.g., XSS, SQL Injection)
* Full request path containing the malicious payload
* Attacker’s IP address
* Timestamp of the request

Logs can be filtered by:

* Action (Blocked / Allowed / All)
* Port
* IP address
* Domain
* Attack type
* Time range

This view is commonly used for:

* Deep threat investigation
* Analyzing false positives
* Fine-tuning WAF security rules

***

### Attack Detail

The **Attack Detail** view provides full information for a single malicious request.

It displays:

* Full URL that triggered detection
* Action taken (Blocked or Allowed)
* Attack type
* Attacker IP address and geolocation
* Detected payload
* Detection module
* Timestamp
* Attack ID

Below the summary information, the interface shows the **raw HTTP request**, including:

* HTTP method
* Request headers
* Request payload

Depending on system configuration, a **Response** tab may also be available.

This view is used for:

* Verifying whether the WAF correctly detected and handled the attack
* Understanding the structure and intent of malicious payloads
* Collecting evidence for security incident reports
* Investigating repeated or advanced attack patterns


