How to Detect a False-Positive Request from WAF Logs?

Step > 1

First, navigate to "Monitor Mode > Related vService > Logs > WAF Logs". On the opened screen, requests blocked by WAF are displayed. Select a blocked request and review it in the panel that appears on the right. While searching within logs, "Line limit" and "Time Range" are important parameters. Filtering makes it easier to find specific logs. For example, filters can be applied using information like "Unique ID" or "Attacker IP".

Step > 2

When a request is clicked, all related information is displayed on the right side of the screen. At the bottom of this panel, details explaining why the request was blocked are shown.

Step > 3

Assuming this request is a false positive, select all detected attacks and click the "Learn Attack" button.

This way, similar requests with the same structure coming from different clients will no longer be blocked by WAF.