Tencent Cloud WAF
Tencent Cloud Web Application Firewall (WAF) is an AI-based one-stop solution for web business operational risk protection. The displayed Metrics include WAF operational status, attack count, attack traffic, attack IP count, attack domain count, attack port count, attack type distribution, attack source distribution, attack time distribution, attack trend, etc. These Metrics reflect the operational status and attack situation of WAF.
Configuration
Install Func
It is recommended to activate TrueWatch Integration - Extensions - DataFlux Func (Automata): All prerequisites are automatically installed. Please continue with the script installation.
If you want to deploy Func manually, refer to Manual Deployment of Func.
Install WAF Collection Script
Note: Please prepare the Tencent Cloud AK that meets the requirements in advance (for simplicity, you can directly grant global read-only permission ReadOnlyAccess).
To synchronize the monitoring data of WAF, we install the corresponding collection script: "TrueWatch Integration (Tencent Cloud-WAF)" (ID: integration_tencentcloud_waf).
After clicking [Install], enter the corresponding parameters: Tencent Cloud AK, Tencent Cloud account name.
Click [Deploy Startup Script], and the system will automatically create the Startup script set and configure the corresponding startup script.
After enabling, you can see the corresponding automatic trigger configuration in "Management / Automatic Trigger Configuration". Click [Execute] to execute it immediately without waiting for the scheduled time. After a while, you can view the execution task records and corresponding logs.
Verification
- In "Management / Automatic Trigger Configuration", confirm whether the corresponding task has the automatic trigger configuration, and you can also check the corresponding task records and logs for any exceptions.
- In TrueWatch, check whether asset information exists in "Infrastructure / Custom".
- In TrueWatch, check whether there is corresponding monitoring data in "Metrics".
Metrics
After configuring Tencent Cloud Cloud Monitoring, the default Measurement is as follows. You can collect more Metrics through configuration; see Tencent Cloud Cloud Monitoring Metrics Details.
Metric English Name | Metric Chinese Name | Description | Unit | Dimensions | Statistics |
---|---|---|---|---|---|
4xx | Total 4XX Access Requests | Total 4XX Access Requests | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
4xxNew | Total 4XX Access Requests | Total 4XX Access Requests | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
5xx | Total 5XX Access Requests | Total 5XX Access Requests | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
5xxNew | Total 5XX Access Requests | Total 5XX Access Requests | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
Access | Total WAF Access Count | Total WAF Access Count | Count | domain, edition | [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
AccessNew | Total WAF Access Count | Total WAF Access Count | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
Attack | Total WAF Attack Count | Total WAF Attack Count | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
AttackNew | Total WAF Attack Count | Total WAF Attack Count | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
Bot | Total BOT Requests | Total BOT Requests | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
BotNew | Total BOT Requests | Total BOT Requests | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
Bw | Total IP Blacklist Attacks | Total IP Blacklist Attacks | Count | domain, edition | [10s, sum], [60s, sum], [300s, sum] |
Cc | Total CC Attack Count | Total CC Attack Count | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
CcNew | Total CC Attack Count | Total CC Attack Count | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
Down | Total Downstream Bandwidth | Total Downstream Bandwidth | Bytes | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
DownNew | Total Downstream Bandwidth | Total Downstream Bandwidth | Bytes | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
InBandwidth | Inbound Bandwidth | Inbound Bandwidth | MBytes | domain, edition | [60s, expr], [300s, sum], [3600s, sum], [86400s, sum] |
InBandwidthNew | Inbound Bandwidth | Inbound Bandwidth | Bytes | instance | [60s, expr], [300s, sum], [3600s, sum], [86400s, sum] |
Leak | Total Sensitive Information Leakage Protection Attacks | Total Sensitive Information Leakage Protection Attacks | Count | domain, edition | [10s, sum], [60s, sum], [300s, sum] |
MetricnameCustomSecurity | Custom Policy Attacks | Custom Policy Attack Count | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
MetricnameCustomSecurityNew | Custom Policy Attacks | Custom Policy Attacks | Count | instance | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
OutBandwidth | Outbound Bandwidth | Outbound Bandwidth | MBytes | edition, domain | [60s, expr], [300s, sum], [3600s, sum], [86400s, sum] |
OutBandwidthNew | Outbound Bandwidth | Outbound Bandwidth | MBytes | instance | [60s, expr], [300s, sum], [3600s, sum], [86400s, sum] |
Qps | Requests Per Second | Requests Per Second | Count/s | edition, domain | [10s, expr], [60s, max], [300s, max], [3600s, max], [86400s, max] |
QpsNew | Requests Per Second | Requests Per Second | Count/s | instance | [10s, expr], [60s, max], [300s, max], [3600s, max], [86400s, max] |
Ratio4xx | 4XX Status Code Percentage | 4XX Status Code Percentage | % | domain, edition | [60s, expr], [300s, expr] |
Ratio4xxNew | 4XX Status Code Percentage | 4XX Status Code Percentage | % | instance | [60s, expr], [300s, expr] |
Ratio5xx | 5XX Request Percentage | 5XX Request Percentage | % | domain, edition | [60s, expr], [300s, expr] |
Ratio5xxNew | 5XX Request Percentage | 5XX Request Percentage | % | instance | [60s, expr], [300s, expr] |
RatioAttack | WEB Attack Percentage | WEB Attack Percentage | % | domain, edition | [60s, expr], [300s, expr] |
RatioAttackNew | WEB Attack Percentage | WEB Attack Percentage | % | instance | [60s, expr], [300s, expr] |
RatioBot | BOT Attack Percentage | BOT Attack Percentage | % | domain, edition | [60s, expr], [300s, expr] |
RatioBotNew | BOT Attack Percentage | BOT Attack Percentage | % | instance | [60s, expr], [300s, expr] |
RatioCc | CC Attack Percentage | CC Attack Percentage | % | domain, edition | [60s, expr], [300s, expr] |
RatioCcNew | CC Attack Percentage | CC Attack Percentage | % | instance | [60s, expr], [300s, expr] |
RatioInBandwidth | Instance Inbound Bandwidth Utilization | Instance Inbound Bandwidth Utilization | % | instance | [60s, expr] |
RatioOutBandwidth | Instance Outbound Bandwidth Utilization | Instance Outbound Bandwidth Utilization | % | instance | [60s, expr] |
RatioQps | Instance QPS Utilization | Instance QPS Utilization | % | instance | [60s, expr] |
Tamper | Total Page Tampering Protection Attacks | Total Page Tampering Protection Attacks | Count | domain, edition | [10s, sum], [60s, sum], [300s, sum] |
U4xx | Total Upstream 4XX Requests | Total Upstream 4XX Requests | Count | edition, domain | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
U4xxNew | Total Upstream 4XX Requests | Total Upstream 4XX Requests | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum] |
U5xx | Total Upstream 5XX Requests | Total Upstream 5XX Requests | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
U5xxNew | Total Upstream 5XX Requests | Total Upstream 5XX Requests | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum] |
Up | Total Upstream Bandwidth | Total Upstream Bandwidth | Bytes | edition, domain | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
UpNew | Total Upstream Bandwidth | Total Upstream Bandwidth | Bytes | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum] |
Upstream | Total Upstream Origin Requests | Total Upstream Origin Requests | Count | domain, edition | [60s, sum], [300s, sum], [3600s, sum], [86400s, sum] |
UpstreamNew | Total Upstream Origin Requests | Total Upstream Origin Requests | Count | instance | [5s, sum], [10s, sum], [60s, sum], [300s, sum] |
Note: When pulling Web Application Firewall Metrics data, please select the "Guangzhou" region uniformly.
Overview of Parameters Corresponding to Each Dimension
Parameter Name | Dimension Name | Dimension Description | Format |
---|---|---|---|
Instances.N.Dimensions.0.Name | domain | Domain dimension name of client attack | Enter String type dimension name: domain |
Instances.N.Dimensions.0.Value | domain | Specific domain of client attack | Enter the specific domain of client attack, for example: www.cloud.tencent.com |
Instances.N.Dimensions.1.Name | edition | Web Application Firewall instance type dimension name | Enter String type dimension name: edition |
Instances.N.Dimensions.1.Value | edition | Specific type of Web Application Firewall instance | Enter the specific type of Web Application Firewall instance, for example: SaaS WAF (input value is 0) or CLB WAF (input value is 1) |
Instances.N.Dimensions.2.Name | instance | Web Application Firewall instance dimension name | Enter String type dimension name: instance |
Instances.N.Dimensions.2.Value | instance | Specific name of Web Application Firewall instance | Enter the specific name of Web Application Firewall instance, for example: waf_2kxtpo960i9y7i05 |
Object
The collected Tencent Cloud WAF object data structure can be seen in "Infrastructure-Custom":
{
"time": 1749782297000,
"AppId": "1311317185",
"CCList": "[]",
"ClsStatus": "0",
"Cname": "15bfb3de8de69192de22b581c2a66571.qcloudwzgj.com",
"CreateTime": "2025-06-09T14:47:48+08:00",
"Domain": "",
"DomainId": "13f6c2f0def0558e9f5234270434d1b0",
"Edition": "sparta-waf",
"EditionNum": "0",
"Engine": "1",
"InstanceId": "waf_2l12weqc17ldfpop",
"InstanceName": "gz-Default",
"Level": "2",
"LoadBalancerSet": "[]",
"Ports": "[{\"NginxServerId\": 408141, \"Port\": \"80\", \"Protocol\": \"http\", \"UpstreamPort\": \"80\", \"UpstreamProtocol\": \"http\"}]",
"Region": "gz",
"RegionId": "",
"RsList": "[\"134.175.221.0/24\"]",
"SrcList": "[]",
"State": "1",
"Status": "1",
"__docid": "CO_fcaf33c5dcca7aca4735e6b5d9857f2e",
"__namespace": "custom_object",
"__update_time": 1749782297000,
"account_name": "",
"class": "tencentcloud_waf",
"cloud_provider": "tencentcloud",
"create_time": 1749782297797,
"date": 1749782297000,
"date_ns": 1749782297000000000,
"last_update_time": 1749782297797,
"message": "{\"AccessStatus\": 1, \"AlbType\": \"\", \"ApiStatus\": 0, \"AppId\": 1311317185, \"BotStatus\": 0, \"CCList\": [], \"CdcClusters\": \"\", \"CloudType\": \"\", \"ClsStatus\": 0, \"Cname\": \"15bfb3de8de69192de22b581c2a66571.qcloudwzgj.com\", \"CreateTime\": \"2025-06-09T14:47:48+08:00\", \"Domain\": \"xxxxx.com\", \"DomainId\": \"13f6c2f0def0558e9f5234270434d1b0\", \"Edition\": \"sparta-waf\", \"EditionNum\": 0, \"Engine\": 1, \"FlowMode\": 0, \"InstanceId\": \"waf_2l12weqc17ldfpop\", \"InstanceName\": \"gz-Default\", \"Ipv6Status\": 0, \"Labels\": [\"\"], \"Level\": 2, \"LoadBalancerSet\": [], \"Mode\": 1, \"Note\": \"\", \"Ports\": [{\"NginxServerId\": 408141, \"Port\": \"80\", \"Protocol\": \"http\", \"UpstreamPort\": \"80\", \"UpstreamProtocol\": \"http\"}], \"PostCKafkaStatus\": 0, \"PostCLSStatus\": 0, \"Region\": \"gz\", \"RegionId\": \"ap-guangzhou\", \"RsList\": [\"134.175.221.0/24\"], \"SgDetail\": \"\", \"SgID\": \"\", \"SgState\": 0, \"SrcList\": [], \"State\": 1, \"Status\": 1, \"UpstreamDomainList\": [\"www.xxxxx.com\"]}",
"name": "13f6c2f0def0558e9f5234270434d1b0",
"time_us": 1749782297000000,
"__searches": []
}
Note: The fields in tags, fields may change with subsequent updates.
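In the object above, list fields such as Ports and RsList are stored as JSON-encoded strings, and some top-level values (Domain, RegionId) are blank while message carries them. The following Python is an added example, not part of the TrueWatch collection script: it decodes those fields, backfills blanks from message, and lists listeners that use plain HTTP. The sample is constructed from the object on this page, and reading Protocol as the client-facing leg and UpstreamProtocol as the origin leg is an assumption based on the field names.

```python
import json

# Top-level fields that the sample object stores as JSON-encoded strings.
JSON_STRING_FIELDS = ("CCList", "LoadBalancerSet", "Ports", "RsList", "SrcList")

# Constructed sample: a trimmed copy of the object shown on this page.
_ports = [{"NginxServerId": 408141, "Port": "80", "Protocol": "http",
           "UpstreamPort": "80", "UpstreamProtocol": "http"}]
SAMPLE_OBJECT = {
    "InstanceId": "waf_2l12weqc17ldfpop",
    "Domain": "",
    "RegionId": "",
    "Ports": json.dumps(_ports),
    "RsList": json.dumps(["134.175.221.0/24"]),
    "message": json.dumps({"Domain": "xxxxx.com", "RegionId": "ap-guangzhou",
                           "Ports": _ports, "RsList": ["134.175.221.0/24"]}),
}

def normalize(obj):
    """Decode string-encoded list fields; fill blank or missing keys from `message`."""
    out = {k: v for k, v in obj.items() if k != "message"}
    for key in JSON_STRING_FIELDS:
        if isinstance(out.get(key), str):
            try:
                out[key] = json.loads(out[key])
            except json.JSONDecodeError:
                pass  # keep the raw string if it is not valid JSON
    try:
        raw = json.loads(obj.get("message") or "{}")
    except json.JSONDecodeError:
        raw = {}
    if isinstance(raw, dict):
        for key, val in raw.items():
            if out.get(key) in ("", None):
                out[key] = val
    return out

def plaintext_listeners(obj):
    """Return (port, leg) pairs where a leg of the listener is unencrypted HTTP."""
    ports = normalize(obj).get("Ports")
    findings = []
    for p in ports if isinstance(ports, list) else []:
        if not isinstance(p, dict):
            continue
        if str(p.get("Protocol", "")).lower() == "http":
            findings.append((p.get("Port"), "client->WAF"))  # assumed meaning
        if str(p.get("UpstreamProtocol", "")).lower() == "http":
            findings.append((p.get("UpstreamPort"), "WAF->origin"))  # assumed meaning
    return findings
```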