Web Application Firewall Logs not clear for large matches
In the WAF logs, when a rule is matched, the 'details_matches_s' column shows a JSON breakdown of which strings matched the rule and caused the action to trigger.
However, when the match is longer than 100 characters, the 'matchedPortion' value shows as empty, which can make it hard to identify why the rule was triggered.
In these instances, it would be beneficial to give the name of the parameter itself that is causing the trigger, for example "__VIEWSTATE".
This could actually be added to the JSON string itself as a separate key for all matches.
The attached Excel sheet is a copy of the non-sensitive relevant information from my logs that demonstrates this issue.
David Maskell commented
Looks like this match field is completely broken across the board. Even small values return empty.