AWS WAF metrics and dimensions - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

AWS WAF metrics and dimensions

AWS WAF reports metrics once a minute. AWS WAF provides metrics and dimensions in the AWS/WAFV2 namespace.

You can see summary information for AWS WAF metrics through the AWS WAF console, in the web ACL's traffic overview tab. For more information, go to the console or see Web ACL traffic overview dashboards.

You can see the following metrics for web ACLs, rules, rule groups, and labels.

  • Your rules – Metrics are grouped by the rule action. For example, when you test a rule in Count mode, its matches are listed as Count metrics for the web ACL.

  • Your rule groups – The metrics for your rule groups are listed under the rule group metrics.

  • Rule groups owned by another account – Rule group metrics are generally visible only to the rule group owner. However, if you override the rule action for a rule, the metrics for that rule will be listed under your web ACL metrics. Additionally, labels added by any rule group are listed in your web ACL metrics

    Rule groups in this category are AWS Managed Rules for AWS WAF, AWS Marketplace managed rule groups, Rule groups provided by other services, and rule groups that are shared with you by another account.

  • Labels - Labels that were added to a web request during evaluation are listed in the web ACL label metrics. You can access the metrics for all labels, regardless of whether they were added by your rules and rule groups or by rules in a rule group that another account owns.

Web ACL, rule group, and rule metrics and dimensions

Web ACL, rule group, and rule metrics
Metric Description

AllowedRequests

The number of allowed web requests.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

BlockedRequests

The number of blocked web requests.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CountedRequests

The number of counted web requests.

Reporting criteria: There is a nonzero value.

A counted web request is one that matches at least one of the rules. Request counting is typically used for testing.

Valid statistics: Sum

CaptchaRequests

The number of web requests that had CAPTCHA controls applied.

Reporting criteria: There is a nonzero value.

A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether they have a valid CAPTCHA token.

Valid statistics: Sum

RequestsWithValidCaptchaToken

The number of web requests that had CAPTCHA controls applied and that had a valid CAPTCHA token.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CaptchasAttempted

The number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CaptchasSolved

The number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

ChallengeRequests

The number of web requests that had challenge controls applied.

Reporting criteria: There is a nonzero value.

A challenge web request is one that matches a rule that has a Challenge action setting. This metric records all requests that match, regardless of whether they have a valid challenge token.

Valid statistics: Sum

RequestsWithValidChallengeToken

The number of web requests that had challenge controls applied and that had a valid challenge token.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

PassedRequests

The number of passed requests. This is only used for requests that go through a rule group evaluation without matching any of the rule group rules.

Reporting criteria: There is a nonzero value.

Passed requests are requests that don't match any of the rules in the rule group.

Valid statistics: Sum

Web ACL, rule group, and rule dimensions
Dimension Description

Region

Required for all protected resource types except for Amazon CloudFront distributions.

Rule

One of the following:

  • The metric name of the Rule.

  • ALL, which represents all rules within a WebACL or RuleGroup.

  • Default_Action (only when combined with the WebACL dimension), which represents the action assigned to any request whose evaluation wasn't terminated by the action of a rule in the web ACL.

RuleGroup

The metric name of the RuleGroup.

WebACL

The metric name of the WebACL.

Country

The country of origin of the request. This is the two-character designation from the International Organization for Standardization (ISO) 3166 standard. For example, US for the United States and UA for Ukraine.

If a request has an X-Forwarded-For header, AWS WAF uses that to determine this setting. Otherwise, AWS WAF uses the country of the client IP. This determination is independent of any logic you use in your rules to determine country of origin. AWS WAF determines the locations of the IPs using MaxMind GeoIP databases.

Attack

The type of attack that AWS WAF identified in the request, based on the rules and rule groups that you use in your web ACL.

Your rules and the rules in the baseline AWS managed rule groups can identify attack types. For example, cross-site scripting (XSS) rule matches identify XSS attack types, and rate-based rules identify volumetric attack types. The attack type usually indicates the type of rule that terminated the web request evaluation.

Device

The device type of the client that sent the request, obtained from the web request’s user-agent header.

ManagedRuleGroup

The metric name of the ManagedRuleGroup.

ManagedRuleGroupRule

The rule within the ManagedRuleGroup that was matched.

Label metrics and dimensions

Metrics for the labels added to requests during evaluation by your rules and by the managed rule groups that you use in your web ACL. For information, see Labels on web requests.

For any single web request, AWS WAF stores metrics for at most 100 labels. Your web ACL evaluation can apply more than 100 labels and match against more than 100 labels, but only the first 100 are reflected in the metrics.

Label metrics
Metric Description

AllowedRequests

The number of labels on web requests that had the action setting Allow applied. The labels can have been added at any point during the web request evaluation.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

BlockedRequests

The number of labels on web requests that had the action setting Block applied. The labels can have been added at any point during the web request evaluation.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CountedRequests

The number of labels added to web requests by rule group rules that have a Count action setting.

This metric is only available to the owner of a rule group, for rules inside the rule group. For other cases, the count label metrics are rolled up into the terminating action that was applied to the request, like Allow or Block.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CaptchaRequests

The number of labels on web requests that had a terminating CAPTCHA action applied. The labels can have been added at any point during the web request evaluation.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

ChallengeRequests

The number of labels on web requests that had a terminating Challenge action applied. The labels can have been added at any point during the web request evaluation.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

AllowRuleMatch

The number of matched rules that both generated the associated label and terminated request evaluation with an Allow action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

BlockRuleMatch

The number of matched rules that both generated the associated label and terminated request evaluation with a Block action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CountRuleMatch

The number of matched rules that both generated the associated label and applied a Count action.

One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CaptchaRuleMatch

The number of matched rules that both generated the associated label and terminated request evaluation with a CAPTCHA action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

ChallengeRuleMatch

The number of matched rules that both generated the associated label and terminated request evaluation with a Challenge action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

CaptchaRuleMatchWithValidToken

The number of matched rules that both generated the associated label and applied a non-terminating CAPTCHA action.

One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

ChallengeRuleMatchWithValidToken

The number of matched rules that both generated the associated label and applied a non-terminating Challenge action.

One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

Label dimensions
Dimension Description

Region

Required for all protected resource types except for Amazon CloudFront distributions.

WebACL

The metric name of the WebACL.

RuleGroup

The metric name of the RuleGroup. Used for the metric CountedRequests.

LabelNamespace

The namespace prefix of the label that was added to the request.

Label

The name of the label that was added to the request.

Context

The managed rule group that served as the context of the label addition. For example, the context for token management labels such as awswaf:managed:token:accepted is the AWS WAF managed rule group that uses token management on the request, such as the Bot Control or ATP managed rule group. This dimension doesn't apply to all labels.

Free bot visibility metrics and dimensions

When you don't use Bot Control in your web ACL, AWS WAF applies the Bot Control managed rule group to a sampling of your web requests, at no additional cost. This can provide an idea of the bot traffic that is coming to your protected resources. For information about Bot Control, see AWS WAF Bot Control rule group.

Free bot visibility metrics
Metric Description

SampleAllowedRequest

The number of sampled requests that have Allow action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

SampleBlockedRequest

The number of sampled requests that have Block action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

SampleCaptchaRequest

The number of sampled requests that have CAPTCHA action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

SampleChallengeRequest

The number of sampled requests that have Challenge action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

SampleCountRequest

The number of sampled requests that have Count action.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

Free bot visibility dimensions
Dimension Description

Region

Required for all protected resource types except for Amazon CloudFront distributions.

WebACL

The metric name of the WebACL.

BotCategory

The name of the of the detected bot category, based on the web request labels.

VerificationStatus

The name of the of the detected bot verification status, based on the web request labels.

Signal

The name of the of the detected bot signals, based on the web request labels.