The Monitor menu is located on the right side of the site navigation bar. From the Monitor menu, you can access the following pages:
Before you begin
Be sure you know how to access the web interface controls.
About the Events page
The Events page contains a historical record of all flagged IP addresses within the last 30 days. From the Events page, you can:
- filter events by a specific IP address, by status (Active or Expired), or by the signal the event was tagged with.
- view information about an event in the event view area. The event view area is comprised of three sections: details, timeline, and sample request.
The Details section contains detailed information about the event and associated IP address, including:
- Status: the status of the event, either Active or Expired.
- Country: the country where the request originated.
- Signal: the signal tagged to the request.
- Action: additional actions taken on the IP address while flagged.
- Host: the host where the request originated.
- User agents: the user agents seen from this IP address. This list may include web browsers, media players, and other plug-ins.
The Details section also provides controls for managing IP addresses that have been flagged. Specifically, you can:
- click the Remove flag now button to remove the IP address from the flag list.
- click the Allow IP button to create a request rule to allow the IP address.
- click the Block IP button to create a request rule to block the IP address.
The Timeline section contains a timeline illustrating the actions that occurred during the event. This includes:
- when the IP address was identified as suspicious.
- the number of requests received from the IP address before it was flagged.
- when the IP address was flagged.
- the number of requests that were blocked or logged.
- the current status of the IP address.
Sample request section
The Sample request section highlights a single request received during the event, including the request itself and the signals applied to it. Clicking the View this request link takes you to the request details page for that request. Clicking the Edit rule link in the Signals field will take you to the View page for the rule where you can edit the request rule.
About the Observed Sources page
Selecting Observed Sources from the Monitor menu displays the Observed Sources page. The Observed Sources page provides an overview of all IP addresses that have been or soon will be flagged on your site. The Observed Sources page contains three tabs: Suspicious IPs, Flagged IPs, and Rate Limited Sources.
Suspicious IPs tab
The Suspicious IPs tab shows IP addresses that had requests containing attack payloads of a concerning volume but that did not exceed the decision threshold of flagged IPs. Once the threshold is met or exceeded, an IP address will be flagged and added to the Flagged IPs list. The Suspicious IPs tab helps anticipate which IPs may soon be flagged.
The Suspicious IPs tab lists:
- the suspicious IP address
- the country of origin
- the signal for which the IP address is approaching a threshold
- the threshold being approached
- how long ago the IP address was added to the Suspicious IPs list
- if the IP was flagged by another Signal Sciences customer
Clicking on an IP address in the Suspicious IPs list will take you to the Requests page with a search for that IP address already applied.
Flagged IPs tab
The Flagged IPs tab lists:
- the flagged IP address
- the country of origin
- the signal the IP address was flagged on
- how long ago the IP address was flagged
- if the IP address is still currently flagged
Clicking on an IP address in the Flagged IPs list will take you to the Requests page with a search for that IP address already applied.
Rate Limited Sources tab
The Rate Limited Sources tab shows all sources that have been rate limited via the Advanced Rate Limiting feature. Rate limit rules are a type of rule that allow you to define arbitrary conditions and automatically begin to block or tag requests that pass a user-defined threshold.
The Rate Limited Sources tab lists:
- the source
- the signal the source was rate limited on
- when the source will stop being rate limited
The tab also provides controls for managing sources that have been rate limited, including:
- removing specific sources from the rate limited sources list.
- creating request rules to allow specific sources.
- creating request rules to block specific sources.
About the Signals Dashboard page
Selecting Signals Dashboard from the Monitor menu displays the Signals Dashboard page. A signal is a descriptive tag about a request.
From this page, you can:
- view charts that display timeseries data for signals.
- use filters to narrow down the charted signals. You can filter by corp signals, site signals, OWASP injection attacks, scanners, traffic source anomalies, request anomalies, response anomalies, and virtual patching.
- use the time menu to modify the time frame over which to display data.
- click the chart name to expand a chart and view related target and source details.
- hover your cursor over the information icon on a chart to reveal a description of the signal.