One of our prime features is that, along with displaying a more readable WAF log, we enrich it with further data so you can make better decisions when you read, understand and act on your WAF traffic.
We do this with an algorithm that takes into account which WAF policy rule flagged the request, the malicious score of the source IP and that IP's behaviour across the WAF log, and from these we calculate a Malicious Confidence score for every request.
In a little more detail:
- Our own IP reputation engine assigns a malicious score to every source IP that appears in the WAF log
- The log enrichment engine then checks the block reason (the policy rule that fired) and analyzes whether the request itself looks harmful
- Finally, the log enrichment engine combines the factors from the previous steps into a Malicious Confidence score between 0 and 100 for each request in the log, where 0 means very likely a false positive and 100 means very likely malicious
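The three steps above, worked through as a small Python pipeline. This is an added example and not the product's own enrichment engine or scoring formula: the log field names, rule identifiers, the IP reputation table, the rule-family weights, the blend weights and the triage thresholds are all assumptions chosen only to show how an IP score, a block reason and per-IP behaviour can be folded into one 0-100 Malicious Confidence score. The sample log entries are constructed.

```python
"""Added example: a toy WAF log enrichment pipeline.

This is NOT the product's algorithm. Field names, rule IDs, weights and
thresholds are assumptions made for illustration only.
"""

# Constructed sample WAF log (hypothetical field names and rule IDs).
SAMPLE_LOG = [
    {"ip": "203.0.113.5", "rule": "SQLi-942100", "uri": "/login?user=admin'--", "action": "block"},
    {"ip": "203.0.113.5", "rule": "XSS-941100", "uri": "/search?q=<script>alert(1)</script>", "action": "block"},
    {"ip": "203.0.113.5", "rule": "SQLi-942100", "uri": "/api/item?id=1 OR 1=1", "action": "block"},
    # A protocol-hygiene rule firing once on a clean-reputation IP: a classic false-positive shape.
    {"ip": "198.51.100.7", "rule": "PROTOCOL-920350", "uri": "/", "action": "block"},
    # Rate limit on a static asset from an IP the reputation engine has never seen.
    {"ip": "192.0.2.9", "rule": "RATE-LIMIT", "uri": "/assets/app.js", "action": "block"},
]

# Constructed IP reputation table standing in for the reputation engine (0 = clean, 100 = known bad).
IP_REPUTATION = {"203.0.113.5": 85, "198.51.100.7": 5}
UNKNOWN_IP_SCORE = 50  # neutral when the engine has no verdict for the IP

# How strongly each rule family suggests a genuinely harmful request (assumed weights, 0-1).
REASON_WEIGHT = {"SQLi": 1.0, "XSS": 0.9, "RCE": 1.0, "LFI": 0.9, "PROTOCOL": 0.2, "RATE": 0.3}
UNKNOWN_REASON_WEIGHT = 0.5

# Relative contribution of the three signals to the final score (assumed).
W_REPUTATION, W_REASON, W_BEHAVIOUR = 0.4, 0.4, 0.2


def rule_family(rule):
    """'SQLi-942100' -> 'SQLi'; the prefix before the first dash names the attack class."""
    return rule.split("-", 1)[0]


def reputation_score(ip):
    """Step 1: the IP reputation engine's malicious score for the source IP."""
    return IP_REPUTATION.get(ip, UNKNOWN_IP_SCORE)


def reason_score(rule):
    """Step 2: map the block reason to a 0-100 'does this look harmful' score."""
    return REASON_WEIGHT.get(rule_family(rule), UNKNOWN_REASON_WEIGHT) * 100


def behaviour_score(ip, log):
    """0-100 score from how the IP behaves across the whole log: many blocks across
    several distinct attack classes look like a scanner, a single block looks like noise."""
    blocked = [e for e in log if e["ip"] == ip and e["action"] == "block"]
    families = {rule_family(e["rule"]) for e in blocked}
    return min(100, 20 * len(blocked) + 20 * len(families))


def malicious_confidence(entry, log):
    """Step 3: weighted blend of the three signals, clamped to 0-100 and rounded."""
    score = (
        W_REPUTATION * reputation_score(entry["ip"])
        + W_REASON * reason_score(entry["rule"])
        + W_BEHAVIOUR * behaviour_score(entry["ip"], log)
    )
    return int(round(max(0.0, min(100.0, score))))


def verdict(confidence):
    """Bucket the score the way an analyst would triage it (thresholds are assumptions)."""
    if confidence < 30:
        return "likely false positive"
    if confidence < 70:
        return "needs review"
    return "likely malicious"


def enrich(log):
    """Return a copy of each log entry with the enrichment fields attached."""
    enriched = []
    for entry in log:
        confidence = malicious_confidence(entry, log)
        enriched.append({
            **entry,
            "ip_reputation": reputation_score(entry["ip"]),
            "malicious_confidence": confidence,
            "verdict": verdict(confidence),
        })
    return enriched


if __name__ == "__main__":
    for e in enrich(SAMPLE_LOG):
        print(f'{e["ip"]:<14} {e["rule"]:<16} conf={e["malicious_confidence"]:>3}  {e["verdict"]}')
```

Run as a script it prints one enriched row per log entry. The point worth noticing is the behaviour term: the same SQLi rule firing once from an unknown IP would land in the "needs review" band, while the three hits across two attack classes from 203.0.113.5 push every one of its requests, including the XSS one, to the top of the scale. That is why the enrichment looks at the whole log rather than at each request in isolation.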