Dimensions

Access the dimensions by clicking the Dimensions tab in the left column.

Attack type

The Attack Type dimension provides request data by attack type, namely the dimension groups listed in the left menu (for example, WAF, DoS, and Custom Rule). The display provides the total number of requests by attack type, a graph with the average number of requests per second at given moments within the displayed time period, and a table breaking down the data by the individual attack types, providing the attack type, the number of requests for each, and a graphical display of request distribution within the selected time period.

Common

The Common dimension group provides data in a number of dimensions common to all incoming requests.

When you select a dimension, you can see the total number of requests, a graph with the average number of requests per second at given moments within the displayed time period, a table with additional details on the dimension, and a graphical display of request distribution within the selected time period.

  • IP address. The dimension provides request data by IP address.
    In addition, you can have the table display either the Connecting IP Address (the IP address that connected to ​Akamai​'s edge servers) or the End User IP Address (which will differ from the connecting IP address if the edge server acted on an IP address taken from the x-forwarded-for header).

📘

Country, company, and domain are calculated at run time, so while it's possible these values could be different subsequent to the event's triggering, occurrences like this are rare.

  • IP subnet. The dimension provides request data by IP subnet. These are calculated by
    truncating the IP address to a /24 netmask for IPv4 and a /64 netmask for IPv6.
    In addition, you can have the table display either the Connecting IP Subnet or the End User IP Subnet.

  • AS number. The dimension provides request data by AS (autonomous system) number, which
    identifies the originating network.
    In addition, you can have the table display either the Connecting AS Number or the End User AS Number. AS numbers are calculated by a reverse look up on the connecting IP addresses or the end users' IP addresses at the time the requests were received by ​Akamai​'s edge servers.

  • Country/Area. The dimension provides request data by geography.
    In addition, you can have the table display either the Connecting Country/Area or the End User Country/Area. Country/area is calculated by a reverse look up on the connecting IP address or the end user IP address at the time the request was received by ​Akamai​'s edge servers.

  • Hostname. The dimension provides request data by hostname.

  • Path. The dimension provides request data by path.

  • Query. The dimension provides request data by query string.

📘

In the Statistics view, if a query string is longer than 1000 characters, the system trims it to the first 1000 characters and adds a "[TRUNCATED]" suffix. You can still see the full query value in the Sample Log view.

  • Referer. The dimension provides request data by the referer header.

📘

In the Statistics view, referer is displayed without the query string to allow for better aggregation. The full referer field is available in the Samples view.

  • URL. The dimension provides request data by URL.

  • User-Agent. The dimension provides request data by User-Agent header.

  • SDK version. The dimension lets you filter on a version of Bot Manager Premier Mobile
    Protection Module that you use to protect native mobile apps.

📘

The returned value may be empty if the request came from a web client or the request was stopped by an edge detection, for example with a reason code 3902001. For more information about the code, see Behavioral detection

  • Native mobile app version. For Bot Manager Premier only. The dimension lets you filter on a version you entered when defining your native mobile apps. It can be, for example, the Earliest app version with SDK integrated or Earliest app version using Proof-of-Work feature.

📘

The returned value may be empty if you have no User agent version prefix defined for your native mobile application.

  • Action. The dimension provides request data by action type such as alert and deny.

  • API ID. The dimension provides request data by your API IDs.

📘

The API ID dimension is only available if API protections are enabled.

  • API operation (formerlyAPI resource purpose name) shows request data by individual API operation names you defined when registering an API. This value is the name you gave to any transactional endpoints you defined in order manage their bot traffic using behavior anomaly detections. Use for bot management and account protection.

  • API operation purpose (formerly API resource purpose type) lets you see request data by the purpose you specified for an API operation. Purpose is the task an operation serves, like login. You define and name an individual API operations when you register an API. Then you can manage its bot traffic using transactional endpoint protection and also Account Protector.

  • Origin response. View request data grouped by the response to the requests forwarded to the protected endpoints on your origin server:

    • Fail - the request was rejected.

    • Success - the request was fulfilled.

    • Unknown - the request doesn't meet the defined criteria to be a failure or success.

  • API key. The API Key dimension provides request data by your API keys.

📘

The API key dimension is only available if API protections are enabled.

  • Policy. The dimension provides request data by your firewall policies.

📘

Policy name is the current name assigned to the policy ID. Should the name change during the displayed analysis period, the new name used.

  • Status code. The dimension provides request data by status code.

IP/geo firewall

The IP/Geo Firewall dimension group provides network list data for incoming requests.

When you select a dimension, you can see the total number of requests, a graph with the average number of requests per second at given moments within the displayed time period, a table with additional details on the dimension, and a graphical display of request distribution within the selected time period.

  • Network list. The Network List dimension provides request data by network list.

📘

The network list's name is obtained from the security configuration at run time. So, if it was changed during the course of analysis, only the new name will appear in this report.

DoS protection

The DoS Protection dimension group provides data in two DoS (denial of service) dimensions, DoS category and rule, for incoming requests.

When you select a dimension, you can see the total number of requests, a graph with the average number of requests per second at given moments within the displayed time period, a table with additional details on the dimension, and a graphical display of request distribution within the selected time period.

  • DoS category. The DoS Category dimension provides request data by DoS category (rate, slow POST, or DoS anomaly).

  • Rule. The Rule dimension provides request data by individual rules.

📘

The rule name is the current name assigned to the rule ID. Should the name change during the analysis period, the new name is the one displayed.

Custom rules

The Custom Rules dimension group provides data in three custom rule dimensions—rule, selector, and match—for incoming requests.

When you select a dimension, you can see the total number of requests, a graph with the average number of requests per second at given moments within the displayed time period, a table with additional details on the dimension, and a graphical display of request distribution within the selected time period.

  • Rule. The Rule dimension provides request data by individual custom rules.

📘

The rule name is the current name assigned to the rule ID. Should the name change during the analysis period, the new name is the one displayed.

  • Selector. The Selector dimension provides request data by selector, the HTTP property on which the rule triggered.

  • Match. The Match dimension provides request data by match, the HTTP property value within the request that triggered the rule.

  • Message. The Message dimension provides request data by message.

  • Tag. The Tag dimension provides request data by tag.

Web application firewall

The Web Application Firewall dimension group provides data in five web application firewall (WAF) dimensions—WAF category, rule combination, rule, selector, and match—for incoming requests.

When you select a dimension, you can see the total number of requests, a graph with the average number of requests per second at given moments within the displayed time period, a table with additional details on the dimension, and a graphical display of request distribution within the selected time period.

  • Attack Group. The Attack Group dimension provides request data by attack group (SQL injection, total inbound, and command injection, for example).
    Refer to the About rules topic for more information on attack groups.

  • Rule combination. The Rule Combination dimension provides request data by different combinations of rules.

  • Rule. The Rule dimension provides request data by individual rules.

📘

The rule name is the current name assigned to the rule ID. Should the name change during the analysis period, the new name is the one displayed.

  • Selector. The Selector dimension provides request data by selector, the HTTP property on which the rule triggered.

  • Match. The Match dimension provides request data by match, the HTTP property value within the request that triggered the rule.

Client reputation (Client Reputation only)

The Client Reputation dimension group provides data in three Client Reputation dimensions—reputation profile, reputation category, and reputation score—for incoming requests.

When you select a dimension, you can see the total number of requests, a graph with the average number of requests per second at given moments within the displayed time period, a table with additional details on the dimension, and a graphical display of request distribution within the selected time period.

  • Reputation profile. The Reputation Profile dimension provides request data by Client Reputation profiles.

📘

Multiple reputation profiles can trigger on a single request.

📘

Policy name is the current name assigned to the policy ID. Should the name change during the displayed analysis period, the new name is used.

For more information regarding Client Reputation profiles, go to Control for client reputation.

  • Reputation category. The Reputation Category dimension provides request data by Client Reputation category.

  • Reputation score. The Reputation Score dimension provides request data by Client Reputation score.

For information on reputation score is, see Control for client reputation.

Bot management (Bot Manager only)

The Bot Management dimension group provides data for incoming requests in several dimensions.

When you select a dimension, you can see the total number of requests, a graph with the average number of requests per second at given moments within the displayed time period, a table with additional details on the dimension, and a graphical display of request distribution within the selected time period.

  • Bot type. View requests grouped by bot type:

    • Unknown are bots that have no declared identity, but that doesn't mean Bot Manager knows nothing about them. Though the source is unknown, Bot Manager uses detected characteristics to dynamically "name" a bot using botnet ID.

    • Akamai are bots that Akamai has identified and categorized for you. You see these bots listed in Bot Manager under Akamai-categorized bots, and can set action by category. For example, you may want to allow all web search engines, but not enterprise data aggregators.

    • Customer are bots that you defined and categorized (under Customer-categorized bots) in order to allow or block requests.

  • Client type. See bot traffic grouped by requesting client types, which include:

    • Web client - standard telemetry are requests from web browsers that Bot Manager processes using first-party cookies to associate and transmit user behavior data. In Bot Manager, you set up your protected resources to use either standard telemetry or inline telemetry. Because the cookies are limited to a single domain, standard telemetry requires that a requesting page and protected resource to be on the same domain, or the process breaks.

    • Web client - inline telemetry are requests from to which Bot Manager attaches user telemetry directly. In Bot Manager, you set up your protected resources to use either standard telemetry or inline telemetry. You use inline telemetry when your protected resource gets requests from web pages on a different domain.

    • Native mobile app traffic comes directly from a native mobile application, like iOS or Android.

  • Bot category. The Bot Category dimension provides request data by Bot Manager category.

    These could be: Akamai-categorized, custom-categorized, or unknown bots (those not officially categorized but that tripped the detection specified, like Unknown Bots (Session Validation Failed)).

  • Botnet ID. The Botnet ID dimension provides request data by individual botnets.

  • Bot Score. If you're using bot score to set your response strategy, this dimension lists the number of requests by bot score ranges of 10.

👍

To view these ranges by action applied, policy, and other additional data points, click Pivot on the right side of the list.

  • Bot Score Response Segment. If you're using bot score, this shows number of requests by the Bot Score Response Segments, which you use to set response actions for different bot score ranges.

  • Rule. The Rule dimension provides request data by individual rules.

📘

The rule name is the current name assigned to the rule ID. Should the name change during the analysis period, the new name is the one displayed.

  • Rule combination. The Rule Combination dimension provides request data by
    different combinations of rules.

Account Protection (Account Protector only)

The User Protection group provides request data in several dimensions related to user behavior and risk.
The display provides the total number of requests by attack type, a graph with the average number of requests per second at given moments within the displayed time period, and tables breaking down the data by dimensions, such as User ID, User Risk Level, User Score Status, Device ID, Device OS, Device Browser Type and providing additional details.

  • User ID. The User ID dimension provides request data by individual web users represented by their UUID (universally unique identifier).

  • User Risk Level. View the number and distribution of requests grouped by risk level:

    • Critical - requests by users with a score range from 76 to 100.

    • High - requests by users with a score range from 51 to 75.

    • Medium - requests by users with a score range from 26 to 50.

    • Low - requests by users with a score range from 0 to 25.

  • User Score Status indicates whether a request is scored, and whether the score is based on a user profile or other request data. Until Account Protector can build a full user profile, scores are based on other factors. You can group requests by the following status codes:

ScoreDescription
0User profile sufficient to score
1No score: Unknown error
2No user profile yet. Possibly no previous successful logins seen. Score based on other factors.
3Partial user profile built: scored on other factors. Previously successful logins have been seen but not enough to have a full view of a user's activity. Score based on the partial user profile and other indicators.
4Request scored without telemetry
5No score: timed out
6Username blank: scored on non-profile factors
7Can’t identify user: scored on non-profile factors
  • Device ID. View request data grouped by the unique device identifier used to send the request.

  • Device OS. View request data grouped by the OS of the device used to send the request.

  • Device Browser Type. View request data grouped by the browser type of the device used to send the requests.

  • Indicator. View requests by anomalies that contribute a user risk score. See full indicator list.