We would like to request the implementation of an alert that is triggered by pure WAF detections only.

F5XC currently provides an alert called “WAFTooManyAttacks”. However, according to feedback from support, the count used for this alert includes not only WAF signature detections, but also Malicious Bot detections.

In our environment, approximately 90% of WAF-related detections are classified as Malicious Bot activity. As a result, the alert is dominated by bot traffic and cannot be effectively used as a trigger for monitoring genuine WAF (signature-based) attacks.

For this reason, we strongly request the implementation of an alert that is based exclusively on pure WAF detections, excluding Malicious Bot detections, so that meaningful WAF-related security events can be monitored and alerted accurately.

Note: English is not my first language, so this text was translated with the assistance of AI. Please excuse any unintended inaccuracies or misunderstandings.