Many false positives for waf_blocked alarm in idle deployments

Since the waf_blocked alarm is triggered when the % of blocked requests is more than 25% for a given period, the alarm can be tripped by a low number of blocked requests as long as the number of allowed requests in the same period was also low.

## Blocked requests (WAF logs)

<img width="1033" height="160" alt="Image" src="https://github.com/user-attachments/assets/5f506a7a-81dc-4222-83df-d604d4caebb1" />

## All requests (API Gateway logs)

<img width="1038" height="153" alt="Image" src="https://github.com/user-attachments/assets/9a9bb4fb-4aef-4f1c-ba45-79d681ce156d" />

## Alarm raised

<img width="1045" height="512" alt="Image" src="https://github.com/user-attachments/assets/df67b206-4e4e-42cc-8446-c3e7c2d683d5" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Many false positives for waf_blocked alarm in idle deployments #7642

Blocked requests (WAF logs)

All requests (API Gateway logs)

Alarm raised

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Many false positives for waf_blocked alarm in idle deployments #7642

Description

Blocked requests (WAF logs)

All requests (API Gateway logs)

Alarm raised

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions