**Introducing a new console experience for AWS WAF** You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). # AWS WAF metrics and dimensions AWS WAF metrics and dimensionsUpdated AWS WAF metrics and dimensions Two new Distributed Denial of Service (DDoS) prevention metrics are now published to the `AWS/ApplicationELB` namespace: `LowReputationRequestsDenied` and `LowReputationPacketsDropped`.Updated AWS WAF metrics and dimensions for silent Challenge Added `ChallengesAttempted`, `ChallengesSolved`, `ChallengesAttemptedSdk`, and `ChallengesSolvedSdk` to the AWS AWS WAF metrics and dimensions section.Updated AWS WAF metrics and dimensions Added information on usage metrics to the AWS WAF metrics and dimensions section.AWS WAF metrics added new metrics for CAPTCHA JavaScript API AWS WAF added two new metrics, `CaptchasAttemptedSdk` and `CaptchasSolvedSdk`, to show account-wide CAPTCHA puzzle attempts using the CAPTCHA JavaScript API. AWS WAF metrics added dimensions and new metrics AWS WAF added new dimension for `ManagedRuleSetRule` in rule metrics and new metrics for the matched rule action for label metrics. AWS WAF metrics added dimensions AWS WAF added new dimensions for viewing web ACL metrics. AWS WAF reports metrics once a minute. AWS WAF provides metrics and dimensions in the `AWS/WAFV2` namespace. You can see summary information for AWS WAF metrics through the AWS WAF console, in the protection pack (web ACL)'s traffic overview tab. For more information, go to the console or see [Traffic overview dashboards for protection packs (web ACLs)](web-acl-dashboards.md). You can see the following metrics for protection packs (web ACLs), rules, rule groups, and labels. + **Your rules** – Metrics are grouped by the rule action. For example, when you test a rule in Count mode, its matches are listed as `Count` metrics for the protection pack (web ACL). + **Your rule groups** – The metrics for your rule groups are listed under the rule group metrics. + **Rule groups owned by another account** – Rule group metrics are generally visible only to the rule group owner. However, if you override the rule action for a rule, the metrics for that rule will be listed under your protection pack (web ACL) metrics. Additionally, labels added by any rule group are listed in your protection pack (web ACL) metrics. Count action rules in rule groups do NOT emit web ACL dimension metrics - only Rule, RuleGroup, and Region dimensions. This applies even when the rule group is referenced in a web ACL. Rule groups in this category are [AWS Managed Rules for AWS WAF](aws-managed-rule-groups.md), [AWS Marketplace rule groups](marketplace-rule-groups.md), [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md), and rule groups that are shared with you by another account. When a protection pack (web ACL) is deployed through Firewall Manager, any rules within the WebACL that have a Count action will not display their metrics in the member account. + **Labels** - Labels that were added to a web request during evaluation are listed in the protection pack (web ACL) label metrics. You can access the metrics for all labels, regardless of whether they were added by your rules and rule groups or by rules in a rule group that another account owns. **Topics** + [ ## AWS WAF core metrics and dimensions ](#waf-metrics-general) + [ ## Label metrics and dimensions ](#waf-metrics-label) + [ ## Free bot visibility metrics and dimensions ](#waf-metrics-bot-free) + [ ## Account metrics and dimensions ](#waf-metrics-account) + [ ## AWS WAF usage metrics ](#waf-metrics-usage) ## AWS WAF core metrics and dimensions AWS WAF core metrics and dimensions **AWS WAF core metrics** | Metric | Description | | --- | --- | | `AllowedRequests` | The number of allowed web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `BlockedRequests` | The number of blocked web requests. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CountedRequests` | The number of counted web requests. Reporting criteria: There is a nonzero value. A counted web request is one that matches at least one of the rules. Request counting is typically used for testing. Valid statistics: Sum | | `CaptchaRequests` | The number of web requests that had CAPTCHA controls applied. It represents a terminating rule and does not include `RequestsWithValidCaptchaToken`. Reporting criteria: There is a nonzero value. A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether the CAPTCHA token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum | | `RequestsWithValidCaptchaToken` | The number of web requests that had CAPTCHA controls applied and that had a valid CAPTCHA token. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CaptchasAttempted` | The number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CaptchasSolved` | The number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `ChallengeRequests` | The number of web requests that had challenge controls applied. It represents a terminating rule and does not include `RequestsWithValidChallengeToken`. Reporting criteria: There is a nonzero value. A challenge web request is one that matches a rule that has a Challenge action setting. This metric records all requests that match, regardless of whether the challenge token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum | | `ChallengesAttempted` | The number of attempts that were submitted by an end user in response to a silent challenge served by a Challenge rule. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `ChallengesSolved` | The number of silent challenge solutions submitted that successfully passed the silent challenge served by a Challenge rule. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `PassedRequests` | The number of passed requests. This is only used for requests that go through a rule group evaluation without matching any of the rule group rules. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `RequestsWithValidChallengeToken` | The number of web requests that had challenge controls applied and that had a valid challenge token. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `LowReputationPacketsDropped` | The number of packets dropped from known malicious sources. This metric is recorded when a request is blocked by resource-level DDoS protection. Reporting criteria: There is a nonzero value. Valid statistics: Sum This metric is published to the `AWS/ApplicationELB` namespace. | | `LowReputationRequestsDenied` | The number of HTTP requests denied with HTTP 403 responses. This metric is recorded when a request is blocked by resource-level DDoS protection. Reporting criteria: There is a nonzero value. Valid statistics: Sum This metric is published to the `AWS/ApplicationELB` namespace. | **AWS WAF core dimensions** | Dimension | Description | | --- | --- | | `Region` | Required for all protected resource types except for Amazon CloudFront distributions. | | `Rule` | One of the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/waf-metrics.html) | | `RuleGroup` | The metric name of the `RuleGroup`. | | `WebACL` | The metric name of the `WebACL`. | | `WebACLArn` | The Amazon Resource Name (ARN) of the web ACL. This dimension is only available when AWS WAF is enabled. | | `ResourceType` | The type of the protected resource, such as `CF`, `APIGW`, or `ALB`. | | `Resource` | The Amazon Resource Name (ARN) of the protected resource. This dimension does not include App Runner resource ARNs. | | `Country` | The country of origin of the request. This is the two-character designation from the International Organization for Standardization (ISO) 3166 standard. For example, US for the United States and UA for Ukraine. If a request has an `X-Forwarded-For` header, AWS WAF uses that to determine this setting. Otherwise, AWS WAF uses the country of the client IP. This determination is independent of any logic you use in your rules to determine country of origin. AWS WAF determines the locations of the IPs using MaxMind GeoIP databases. | | `Attack` | The type of attack that AWS WAF identified in the request, based on the rules and rule groups that you use in your web ACL. Your rules and the rules in the baseline AWS managed rule groups can identify attack types. For example, cross-site scripting (XSS) rule matches identify XSS attack types, and rate-based rules identify volumetric attack types. The attack type usually indicates the type of rule that terminated the web request evaluation. | | `Device` | The device type of the client that sent the request, obtained from the web request’s `user-agent` header. | | `LoadBalancerArn` | The Amazon Resource Name (ARN) of the load balancer. | | `LoadBalancerArnAvailabilityZone` | The combination of the load balancer ARN and the Availability Zone. | | `ManagedRuleGroup` | The metric name of the `ManagedRuleGroup`. | | `ManagedRuleGroupRule` | The rule within the `ManagedRuleGroup` that was matched. | | `VulnerabilityCategory` | The vulnerability category that the request matches, based on AWS managed rule IP sets. | ## Label metrics and dimensions Label metrics and dimensions Metrics for the labels added to requests during evaluation by your rules and by the managed rule groups that you use in your protection pack (web ACL). For information, see [Web request labeling](waf-labels.md). For any single web request, AWS WAF stores metrics for at most 100 labels. Your protection pack (web ACL) evaluation can apply more than 100 labels and match against more than 100 labels, but only the first 100 are reflected in the metrics. **Label metrics** | Metric | Description | | --- | --- | | `AllowedRequests` | The number of labels on web requests that had the action setting Allow applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `BlockedRequests` | The number of labels on web requests that had the action setting Block applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CountedRequests` | The number of labels added to web requests by rule group rules that have a Count action setting. This metric is only available to the owner of a rule group, for rules inside the rule group. For other cases, the count label metrics are rolled up into the terminating action that was applied to the request, like Allow or Block. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CaptchaRequests` | The number of labels on web requests that had a terminating CAPTCHA action applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `ChallengeRequests` | The number of labels on web requests that had a terminating Challenge action applied. The labels can have been added at any point during the web request evaluation. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `AllowRuleMatch` | The number of matched rules that both generated the associated label and terminated request evaluation with an Allow action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `BlockRuleMatch` | The number of matched rules that both generated the associated label and terminated request evaluation with a Block action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CountRuleMatch` | The number of matched rules that both generated the associated label and applied a Count action. One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CaptchaRuleMatch` | The number of matched rules that both generated the associated label and terminated request evaluation with a CAPTCHA action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `ChallengeRuleMatch` | The number of matched rules that both generated the associated label and terminated request evaluation with a Challenge action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CaptchaRuleMatchWithValidToken` | The number of matched rules that both generated the associated label and applied a non-terminating CAPTCHA action. One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `ChallengeRuleMatchWithValidToken` | The number of matched rules that both generated the associated label and applied a non-terminating Challenge action. One request could result in multiple instances of this metric, if multiple rules are configured with the same label and action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | **Label dimensions** | Dimension | Description | | --- | --- | | `Region` | Required for all protected resource types except for Amazon CloudFront distributions. | | `RuleGroup` | The metric name of the `RuleGroup`. Used for the metric `CountedRequests`. | | `WebACL` | The metric name of the `WebACL`. | | `ResourceType` | The type of the protected resource, such as `CF`, `APIGW`, or `ALB`. | | `Resource` | The Amazon Resource Name (ARN) of the protected resource. | | `LabelNamespace` | The namespace prefix of the label that was added to the request. | | `Label` | The name of the label that was added to the request. | | `Context` | The managed rule group that served as the context of the label addition. For example, the context for token management labels such as awswaf:managed:token:accepted is the AWS WAF managed rule group that uses token management on the request, such as the Bot Control or ATP managed rule group. This dimension doesn't apply to all labels. | ## Free bot visibility metrics and dimensions Free bot visibility metrics and dimensions When you don't use Bot Control in your protection pack (web ACL), AWS WAF applies the Bot Control managed rule group to a sampling of your web requests, at no additional cost. This can provide an idea of the bot traffic that is coming to your protected resources. For information about Bot Control, see [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md). **Free bot visibility metrics** | Metric | Description | | --- | --- | | `SampleAllowedRequest` | The number of sampled requests that have Allow action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `SampleBlockedRequest` | The number of sampled requests that have Block action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `SampleCaptchaRequest` | The number of sampled requests that have CAPTCHA action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `SampleChallengeRequest` | The number of sampled requests that have Challenge action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `SampleCountRequest` | The number of sampled requests that have Count action. Reporting criteria: There is a nonzero value. Valid statistics: Sum | **Free bot visibility dimensions** | Dimension | Description | | --- | --- | | `Region` | Required for all protected resource types except for Amazon CloudFront distributions. | | `WebACL` | The metric name of the `WebACL`. | | `BotCategory` | The name of the of the detected bot category, based on the web request labels. | | `VerificationStatus` | The name of the of the detected bot verification status, based on the web request labels. | | `Signal` | The name of the of the detected bot signals, based on the web request labels. | ## Account metrics and dimensions Account metrics and dimensions Account metrics provide account-wide information about CAPTCHA puzzles and silent Challenge rule actions that were serviced through the JavaScript API. **Account metrics** | Metric | Description | | --- | --- | | `CaptchasAttemptedSdk` | The number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge, for puzzles that were served via the CAPTCHA JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `CaptchasSolvedSdk` | The number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle, for puzzles that were served via the CAPTCHA JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `ChallengesAttemptedSdk` | The number of attempts that were submitted by an end user in response to a silent challenge served by the Challenge JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum | | `ChallengesSolvedSdk` | The number of silent challenge solutions submitted that successfully passed the silent challenge served by the Challenge JavaScript API. Reporting criteria: There is a nonzero value. Valid statistics: Sum | **Account dimensions** | Dimension | Description | | --- | --- | | `Region` | Required for all protected resource types except for Amazon CloudFront distributions. | ## AWS WAF usage metrics AWS WAF usage metrics You can use CloudWatch usage metrics to provide visibility into your account's usage of resources. Use these metrics to visualize your current service usage on CloudWatch graphs and dashboards. AWS WAF usage metrics correspond to AWS service quotas. You can configure alarms that alert you when your usage approaches a service quota. For more information about CloudWatch integration with service quotas, see [AWS usage metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Service-Quota-Integration.html) in the *Amazon CloudWatch User Guide.* AWS WAF publishes the following metrics in the `AWS/Usage` namespace. **Usage metrics** | Metric | Description | | --- | --- | | `ResourceCount` | The number of the specified resources in your account. The resources are defined by the dimensions associated with the metric. The most useful statistic for this metric is `MAXIMUM`, which represents the maximum number of resources used during the 1-minute period. | The following dimension is used to refine the usage metrics that are published by AWS WAF. **Usage dimensions** | Dimension | Description | | --- | --- | | `Resource` | The type of resource for which the usage is being reported. | The following are the supported values for the `Resource` dimension. **`Resource` values** | Value | Description | | --- | --- | | `WebAclsPerAccountCloudFront` | The number of protection packs (web ACLs) the customer has in CloudFront per account. This metric is only available when there is at least one protection pack (web ACL) in CloudFront. | | `WebAclsPerAccountRegional` | The number of protection packs (web ACLs) the customer has in a region per account. This metric is only available when there is at least one protection pack (web ACL) in that region. | | `RuleGroupsPerAccountCloudFront` | The number of rule groups the customer has in CloudFront per account. This metric is only available when there is at least one rule group in CloudFront. | | `RuleGroupsPerAccountRegional` | The number of rule groups the customer has in a region per account. This metric is only available when there is at least one rule group in that region. | | `IpSetsPerAccountCloudFront` | The number of IP sets the customer has in CloudFront per account. This metric is only available when there is at least one IP set in CloudFront. | | `IpSetsPerAccountRegional` | The number of IP sets the customer has in a region per account. This metric is only available when there is at least one IP set in that region. | | `RegexPatternSetsPerAccountCloudFront` | The number of regex pattern sets the customer has in CloudFront per account. This metric is only available when there is at least one regex pattern set in CloudFront. | | `RegexPatternSetsPerAccountRegional` | The number of regex pattern sets the customer has in a region per account. This metric is only available when there is at least one regex pattern set in that region. |