How to Investigate Firewall Events¶
This guide explains how to use the Firewall Events page to monitor, analyze, and respond to security threats detected by Peakhour.
Accessing Firewall Events¶
- Navigate to your Domain Dashboard.
- In the main navigation, under Analytics & Logs > Events, click on Firewall Events.
Understanding the Interface¶
The Firewall Events page provides a powerful interface for investigating security incidents.
- Timeline Graph: A visual representation of event volume over time, broken down by the type of security block (e.g., WAF, Blocklist, Rate Limit).
- Filters: Controls to narrow down the events you are viewing by date range, event type, and how the data is grouped.
- Events Table: A detailed list of aggregated security events based on your selected filters.
Filtering and Grouping Events¶
To effectively investigate, you need to filter the data to find what you're looking for.
Set the Time Range¶
Use the Date Range picker to select a time period. You can choose a quick interval like "Last 24 hours" or select a custom start and end date.
Filter by Event Type¶
Use the Event Type dropdown to focus on specific kinds of threats:
- All: View all security events.
- WAF: Events triggered by the Web Application Firewall (e.g., SQL injection attempts).
- Access List: Blocks from your custom IP, Country, or ASN lists.
- Blocklist: Blocks from Peakhour's IP reputation lists.
- Rate Limit: Requests blocked due to exceeding rate limits.
- Fake Crawler: Traffic identified as a malicious or fake bot.
Group Data for Analysis¶
The Group By dropdown changes how events are aggregated in the table, which is key for identifying patterns.
- URL: See which pages on your site are being targeted most often.
- IP: Identify the top attacking IP addresses.
- Country: Find out which countries are the source of the most threats.
- ASN: Group threats by the network provider (e.g., "Amazon AWS", "Google Cloud").
- WAF Rule: See which specific WAF rules are being triggered the most.
Analyzing the Events Table¶
The table provides a summarized view of threats. Key columns include:
- When: The time of the last event in that group.
- Group By Column: The item being grouped (e.g., the specific IP address or URL).
- By: The type of security system that triggered the block.
- Action: The action taken (e.g., `block`, `challenge`).
- Hits: The total number of events in that group.
- Count By: The number of unique items in the secondary dimension (e.g., if grouping by IP, this shows the number of unique URLs that IP attacked).
Drilling Down into Details¶
To get more information about a group of events:
- Expand a Row: Click the caret icon (`>`) at the beginning of a row. This opens a sub-table showing the individual events that make up that group.
- View in Log Explorer: Click the Search icon in the "Actions" column. This takes you to the Log Explorer, pre-filtered to show the raw logs corresponding to that group of events. This is the most powerful tool for deep investigation.
Diagnosing a Specific Request¶
For a highly detailed, automated analysis of a single security event:
- Expand a row to see the sub-table of individual events.
- In the sub-table, click the Stethoscope icon next to a specific event.
- A Request Diagnosis modal will appear. This provides a human-readable summary of why the request was blocked, what rules it matched, and other contextual information about the request. This is the fastest way to understand a specific block.
Common Investigation Workflows¶
Investigating a WAF Attack¶
- Set Event Type to `WAF`.
- Set Group By to `WAF Rule` to see which attacks are most common.
- Expand a rule to see which IPs are using that attack.
- Click the Search icon to view the raw logs and see the exact malicious payloads in the requests.
Finding Top Attacking IPs¶
- Set Group By to `IP`.
- The table will show the most active malicious IP addresses.
- Expand a row to see all the different URLs that IP has attacked.
- Use this information to create a permanent block in your Firewall Access Rules if necessary. Before blocking permanently, check the ASN and Count By columns and confirm the pattern in the Log Explorer: an address behind a shared NAT, corporate proxy or cloud egress range can carry legitimate users alongside the attacker.
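As an added example (not Peakhour's code, log schema or API), the following Python script reproduces the Events Table aggregation over a handful of constructed events, so that the Group By, Hits and Count By semantics and the two workflows above can be checked offline. The field names, the event-type identifiers (`waf`, `access_list`, `blocklist`, `rate_limit`, `fake_crawler`), the rule IDs and the sample addresses are assumptions made for the example.

```python
"""Aggregate firewall events the way the Events Table does.

Added example with constructed sample data and assumed field names; this is
not Peakhour's code or log schema.
"""

FIELDS = ("when", "by", "action", "ip", "country", "asn", "url", "rule")

# Constructed sample events (RFC 5737 documentation addresses, made-up ASNs).
# "by" uses assumed identifiers for the page's event types: waf, access_list,
# blocklist, rate_limit, fake_crawler. "rule" is only set for WAF events.
RAW = [
    ("2024-05-01T10:00:00Z", "waf",         "block",     "203.0.113.10", "AU", "AS64500", "/login",        "942100"),
    ("2024-05-01T10:00:05Z", "waf",         "block",     "203.0.113.10", "AU", "AS64500", "/login",        "942100"),
    ("2024-05-01T10:01:00Z", "waf",         "block",     "203.0.113.10", "AU", "AS64500", "/search",       "942100"),
    ("2024-05-01T10:02:00Z", "waf",         "challenge", "198.51.100.7", "US", "AS64501", "/login",        "941100"),
    ("2024-05-01T10:03:00Z", "rate_limit",  "block",     "198.51.100.7", "US", "AS64501", "/api/items",    None),
    ("2024-05-01T10:04:00Z", "blocklist",   "block",     "192.0.2.33",   "NL", "AS64502", "/",             None),
    ("2024-05-01T10:05:00Z", "waf",         "block",     "198.51.100.7", "US", "AS64501", "/admin",        "942100"),
    ("2024-05-01T10:06:00Z", "access_list", "block",     "203.0.113.10", "AU", "AS64500", "/wp-login.php", None),
]
EVENTS = [dict(zip(FIELDS, r)) for r in RAW]


def filter_events(events, event_type="all", start=None, end=None):
    """Date Range and Event Type filters. Timestamps are ISO 8601 UTC strings
    of equal width, so plain string comparison orders them correctly."""
    return [
        e for e in events
        if (event_type == "all" or e["by"] == event_type)
        and (start is None or e["when"] >= start)
        and (end is None or e["when"] <= end)
    ]


def group_events(events, group_by, count_by):
    """One table row per distinct group_by value: When (last event), By and
    Action (all values seen), Hits, and Count By (unique count_by values).
    Rows are sorted by Hits descending, then by key for a stable order."""
    rows = {}
    for e in events:
        key = e[group_by]
        if key is None:          # e.g. a rate-limit event has no WAF rule
            continue
        row = rows.setdefault(key, {"key": key, "when": e["when"], "by": set(),
                                    "action": set(), "hits": 0, "seen": set()})
        row["when"] = max(row["when"], e["when"])
        row["by"].add(e["by"])
        row["action"].add(e["action"])
        row["hits"] += 1
        row["seen"].add(e[count_by])
    table = [{"key": r["key"], "when": r["when"], "by": sorted(r["by"]),
              "action": sorted(r["action"]), "hits": r["hits"],
              "count_by": len(r["seen"])} for r in rows.values()]
    table.sort(key=lambda r: (-r["hits"], r["key"]))
    return table


def expand_row(events, group_by, key):
    """Drill-down behind one row: the individual events that make it up."""
    return [e for e in events if e[group_by] == key]


def investigate_waf(events):
    """Workflow 'Investigating a WAF Attack': WAF events grouped by rule, then
    the most-hit rule expanded to show which IPs trigger it and how many
    distinct URLs each of those IPs touched."""
    waf = filter_events(events, "waf")
    by_rule = group_events(waf, "rule", "ip")
    top_rule = by_rule[0]["key"]
    by_ip = group_events(expand_row(waf, "rule", top_rule), "ip", "url")
    return by_rule, top_rule, by_ip


def top_attacking_ips(events, start=None, end=None):
    """Workflow 'Finding Top Attacking IPs': every event type, grouped by IP,
    with Count By = number of distinct URLs each IP hit."""
    return group_events(filter_events(events, "all", start, end), "ip", "url")


if __name__ == "__main__":
    by_rule, top_rule, by_ip = investigate_waf(EVENTS)
    print("WAF rules:", [(r["key"], r["hits"], r["count_by"]) for r in by_rule])
    print(f"IPs behind rule {top_rule}:",
          [(r["key"], r["hits"], r["count_by"]) for r in by_ip])
    print("Top IPs:", [(r["key"], r["hits"], r["count_by"], r["by"])
                       for r in top_attacking_ips(EVENTS)])
```

Run it directly to see the three tables the workflows describe. The `count_by` column is what makes the IP view useful: an address with many hits but a single URL looks like a stuck client or a scraper on one endpoint, while one spread across many URLs with both `waf` and `access_list` in its By column is a stronger candidate for a permanent access rule.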