WAF statistics reporting
Problem to solve
Users who have enabled the WAF cannot easily tell what the WAF is blocking or allowing, or how much traffic it processes. This lack of visibility makes it more difficult to determine how to configure, tune, and evaluate the WAF.
- Users will view this after initially creating a cluster and installing the WAF, to confirm they are seeing traffic
- Security team members will view this to see what the distribution of blocked vs. allowed traffic is
Reporting statistics and information about the WAF's behavior could be a very deep experience if we invested a lot of time in it. For this iteration, I'd like us to view it as an MVC and find a way to provide visibility with a minimal amount of product changes. Then we can get feedback on what is useful or missing and then build out a deeper experience in future iterations.
Display to users with the WAF how many times the WAF has:
- Allowed traffic
- Blocked traffic
- Total amount of traffic.
- Proposal that we put this in the security tab as a set of text boxes, similar to how we have # of vulns in the security dashboard. Would like input from others on this.
- Table with detailed event listings
- View raw logs themselves in the pod logs
Permissions and Security
To view this information, users should be required to have the same permissions as they would need for the security dashboard.
What does success look like, and how can we measure that?
- Of all users who have the WAF installed, at least 75% view the provided information at least once within 30 days.
- Of all users who have the WAF installed, at least 90% view the provided information within 90 days.
- This demonstrates that the users who are using the WAF are actually looking at the results and not just installing it and ignoring it.
What is the type of buyer?
Links / references