Working with false attacks
A false attack is a valid request erroneously identified as an attack.
After analyzing an attack, you may conclude that all or some of the requests in it are false positives. To prevent the WAF node from recognizing such requests as attacks during further traffic analysis, you can mark several requests or the entire attack as a false positive.
Mark a hit as a false positive
To mark one request (hit) as a false positive:
1. Select an attack in the Events section.
2. Collapse the list of requests in this attack.
3. Identify a valid request and click False in the Actions column.
Mark an attack as a false positive
To mark all requests (hits) in the attack as false positives:
1. Select an attack with valid requests in the Events section.
2. Click Mark false positive.
If all the requests in the attack are marked as false positives, then the information about that attack will look like this:
Remove a false positive mark
To remove a false positive mark from a hit or an attack, please send a request to Wallarm technical support. You can also undo a false positive mark in the dialog box in the Wallarm Console within a few seconds after the mark was applied.