
Analyzing Attacks

You can check attacks in the Events tab of the Wallarm interface.

Wallarm automatically groups associated malicious requests into one entity — an attack.

Analyze an Attack

You can get information about an attack by investigating all the table columns described in “Checking Attacks and Incidents.”

Analyze Requests in an Attack

  1. Select an attack.

  2. Click the number in the Requests column.

Clicking the number will unfold all requests in the selected attack.

Requests in the attack

Each request displays the associated information in the following columns:

  • Date: Date and time of the request.

  • Payload: Attack vector. Clicking the value in the payload column displays reference information on the attack type.

  • Source: The IP address from which the request originated. Clicking the IP address adds the IP address value into the search field. The following information is also displayed if it was found in the Wallarm databases:

    • The country in which the IP address is registered
    • The data center the IP address belongs to: the AWS tag for Amazon, the GCP tag for Google, the Azure tag for Microsoft data centers, and DC for other data centers
    • The Tor tag if the attack's source is the Tor network
    • The VPN tag if the IP address belongs to a VPN
    • The Public proxy or Web proxy tag if the request was sent from a public or web proxy server
  • Status: The server's response status code for the request.

  • Size: The server's response size.

  • Time: The server's response time.

If the attack is happening at the current moment, the “now” label is shown under the request graph.

A currently happening attack

Analyze a Request in Raw Format

The raw format shows a request at the maximum possible level of detail.

  1. Select an attack.

  2. Click the number in the Requests column.

  3. Click the arrow next to the date of the request.

The Wallarm interface will display the request in its raw format.

Raw format of the request

Sampling of requests in brute‑force attacks

Wallarm Cloud applies request sampling to brute‑force attacks:

  • The first 5 requests (hits) from each IP address for each hour are saved in the sample in the Wallarm Cloud

  • The rest of the hits are not saved in the sample, but their number is recorded in a separate parameter

Saved hits and the number of other hits are displayed in brute‑force attack details in the Wallarm Console. For example:

Dropped hits
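
The sampling rule above, modeled as an added Python example (not Wallarm's own code), shows why the real volume of a brute‑force attack is the saved hits plus the dropped-hit counter. The function names, the tuple layout and the clock-aligned UTC hour bucket are assumptions; the hits are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_LIMIT = 5  # hits saved per source IP per hour, as stated above


def sample_hits(hits, limit=SAMPLE_LIMIT):
    """Split hits into the saved sample and per-(ip, hour) dropped counts.

    hits: iterable of (timestamp, source_ip, payload) tuples.
    Assumption: "each hour" is a clock-aligned UTC hour bucket.
    """
    seen = defaultdict(int)     # (ip, hour) -> hits observed so far
    dropped = defaultdict(int)  # (ip, hour) -> hits counted but not saved
    saved = []
    for ts, ip, payload in sorted(hits, key=lambda h: h[0]):
        bucket = (ip, ts.replace(minute=0, second=0, microsecond=0))
        seen[bucket] += 1
        if seen[bucket] <= limit:
            saved.append((ts, ip, payload))
        else:
            dropped[bucket] += 1
    return saved, dict(dropped)


def total_hits(saved, dropped):
    """True attack volume: the saved sample plus the dropped-hit counters."""
    return len(saved) + sum(dropped.values())


def constructed_hits():
    """Constructed data: one IP guessing passwords across two hours, one quiet IP."""
    def at(hour, minute):
        return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)

    hits = [(at(10, m), "203.0.113.7", f"password=guess{m}") for m in range(8)]
    hits += [(at(11, m), "203.0.113.7", f"password=guess{m}") for m in range(3)]
    hits += [(at(10, m), "198.51.100.9", f"password=try{m}") for m in range(2)]
    return hits


if __name__ == "__main__":
    saved, dropped = sample_hits(constructed_hits())
    print("saved hits:", len(saved))
    for (ip, hour), count in dropped.items():
        print(f"dropped: {count} from {ip} in hour starting {hour:%Y-%m-%d %H:%M}")
    print("total hits:", total_hits(saved, dropped))
```

Counting only the saved hits here would report 10 requests where 13 were sent, so volume-based triage should always include the dropped-hit number.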
