Analyze Attack Events

Last updated: 2026-01-30 14:10:49

Attack Events is used to review and assess the effectiveness of your protection measures and to investigate false positives. This module provides a centralized view of all event details identified and processed by security protection policies (such as DDoS protection and WAF), including requests that were actioned or flagged. By analyzing the requests that were identified as threats, you can evaluate how well your current protection strategies work and optimize protection policies in a timely manner.

Go to Attack Events

  1. Log in to the CDNetworks Console and find the security product in use under Subscribed Products.
  2. Go to Analysis & Logs > Security Analysis > Attack Events.

Evaluating Protection Effectiveness Process

Step 1: Select Analysis Target

When evaluating protection effectiveness or analyzing false positives, the affected hostnames to be analyzed are usually clearly defined, enabling you to quickly pinpoint the target and directly view related event details.

1. Add Attacked Hostname

The Security Analysis feature is designed for in-depth analysis of a single hostname. After entering the page, select the hostname you wish to analyze. Once selected, the page displays the traffic of this hostname for the past 24 hours by default.

Step 2: Locate and Analyze

1. Identify the Analysis Scope Using Statistical Trends

The Statistical Trends section displays the overall trend of attack events. You can use it to understand the overall security attack landscape and assess the effectiveness of global protections. Additionally, you can use this view as an efficient tool for event identification and troubleshooting.

  • View current protection status: By default, this chart shows trends in the distribution of Policy Types triggered under the current hostname, allowing you to clearly assess which types of security policies are providing protection. Additionally, switching to the Security Action dimension lets you view fluctuations in requests for actions such as deny and challenge, which helps identify periods of abnormal activity. Combining both dimensions, you can further narrow the analysis scope by filtering for suspicious periods and the corresponding policy types.

  • View attack event trends across different dimensions: This chart allows you to select various statistical dimensions and displays the top 5 ranked values for attack events within the chosen dimension, along with their trends and distribution over time. Available dimensions include attack request features such as Host, Client IP, and Country/Region, as well as the detailed rules of triggered attack policies, such as DDoS Protection Rule Name and WAF Rule Type.

2. Identify attack event characteristics using Top Statistics

The Top Statistics section visualizes where attack events are concentrated by displaying the ranking of key request characteristics that trigger security policies. This allows you not only to identify the sources of attacks, such as frequently occurring Client IPs, but also to gain deeper insight into attack methods and characteristics, such as common malicious User Agents, typical attack Paths, or suspicious Referers. As a result, you get a clear picture of “who is attacking,” “how,” and “where.” The attack feature dimensions provided are as follows:

  • Attack sources: Client IP, Country/Region
  • Attack characteristics: User Agent, Referer, Security Action, Security Policy Type, WAF Rule Name, DDoS Rule Name, Custom Rule Name
  • Attack targets: Host, Path

3. Adjust the Analysis Scope Using Filters

During analysis, you can flexibly adjust the scope of the dashboard statistics in the following two ways to focus on specific traffic:

  • Manually Add Filter Conditions:
    1. Select the time range you want to focus your analysis on.
    2. Click the filter icon. In the input field, manually add fields, operators, and values to Filter for or Exclude specific data dimensions. For example, to filter logs by client IP, select Client IP, choose the equals operator, and enter the IP address.
  • Quick Filtering by Chart Legend: When you hover over a legend item in the chart, Filter and Exclude buttons appear. Click the corresponding button to instantly filter or exclude data based on the field value represented by that legend item.

Note: Multiple values for the same query field are combined with “OR”, while multiple query fields are combined with “AND”. For example, the conditions Client IP equals 127.0.0.1 AND Status Code equals 403 OR 404 return data that matches client IP 127.0.0.1 and has status code 403 or 404.
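The filter semantics described in this note (OR within a field, AND across fields, plus Exclude) and the Top Statistics ranking from the previous section, modelled offline as an added example; this is illustrative code, not the CDNetworks console's implementation, and the event records and field names are constructed. It assumes that an Exclude condition drops an event when any excluded field holds one of its listed values.

```python
from collections import Counter

# Constructed sample attack-event records (not real console log output).
SAMPLE_EVENTS = [
    {"client_ip": "127.0.0.1", "status_code": 403, "policy_type": "WAF", "path": "/login"},
    {"client_ip": "127.0.0.1", "status_code": 404, "policy_type": "WAF", "path": "/admin"},
    {"client_ip": "127.0.0.1", "status_code": 200, "policy_type": "WAF", "path": "/"},
    {"client_ip": "10.0.0.9", "status_code": 403, "policy_type": "DDoS", "path": "/login"},
    {"client_ip": "10.0.0.9", "status_code": 403, "policy_type": "DDoS", "path": "/login"},
]


def matches(event, conditions):
    """Filter semantics from the note: the values listed for one field are
    OR-ed (any match suffices); separate fields are AND-ed (all must match)."""
    return all(event.get(field) in values for field, values in conditions.items())


def apply_filters(events, include=None, exclude=None):
    """Keep events that satisfy every Filter condition and no Exclude condition.
    Exclude behaviour is an assumption: an event is dropped as soon as any
    excluded field holds one of its excluded values."""
    include = include or {}
    exclude = exclude or {}
    kept = []
    for event in events:
        if include and not matches(event, include):
            continue
        if exclude and any(event.get(f) in vals for f, vals in exclude.items()):
            continue
        kept.append(event)
    return kept


def top_n(events, field, n=5):
    """Top Statistics: rank the most frequent values of one dimension."""
    return Counter(event[field] for event in events).most_common(n)


if __name__ == "__main__":
    # The note's own example: Client IP = 127.0.0.1 AND Status Code = 403 OR 404
    hits = apply_filters(SAMPLE_EVENTS,
                         include={"client_ip": {"127.0.0.1"}, "status_code": {403, 404}})
    print(len(hits), "events match the note's example filter")
    without_ddos = apply_filters(SAMPLE_EVENTS, exclude={"policy_type": {"DDoS"}})
    print(len(without_ddos), "events remain after excluding DDoS policy events")
    print("Top client IPs:", top_n(SAMPLE_EVENTS, "client_ip"))
```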

Step 3: Verify Analysis Results

1. View Sample Logs

After identifying the attack characteristics, you can view the detailed field information for each attack event in the Sample Logs section of the page. This lets you review the specific details and determine whether the event constitutes a real attack.