
False Positive Details

You can view all attack logs currently marked as false positives for a domain, query the details of each attack log, and cancel the false positive marking if it was applied by mistake.

The false positive function is designed to accommodate a wide variety of Web business scenarios so that UWAF's default rules do not interfere with normal operations. Marking a log as a false positive does not whitelist the URL or any other part of the HTTP request; it disables the specific rule that the attack request in that log triggered. After the marking, that rule is no longer evaluated for matching requests.

Marking False Positives for Business

After a business is connected to UWAF, it is recommended to enable alarm mode first and observe whether any attack logs are generated. After a while, if the business traffic passes through UWAF without producing attack logs, or produces only a few attack logs that are real attacks rather than normal business traffic, you can enable blocking mode.

If there are many attack logs and most of them are triggered by normal business operations, start by marking the attack logs as false positives, prioritizing those that share the same URL. The same URL only needs to be marked once. Wait five minutes, set the time range to the most recent five minutes, and review the newly generated attack logs. Repeat this process until no attack logs are generated or all remaining attack logs are real attacks.