Digging WAF alert

Need a bit of help digging into the problem:
Got some POST requests that were blocked due to XSS, HTML Injection (rule id 100173), and I was wondering whether there is any possibility (and if yes, where) to find out what triggered that (more info), maybe some raw logs. Because it seems that it could’ve been a false positive. At the moment I believe that it could’ve been because of the EdgeResponseBytes size - whenever the size was 4999-5000, the WAF was dropping it, and other traffic with a lower byte size is going through. Though, traffic with that big an EdgeResponseBytes size reached its destination a month ago. The traffic I’m talking about comes only from one entity (a few different IPs).
At the moment there’s a WAF rule with an exception to Allow traffic from those IPs, but it’s bugging me not knowing why the rule fired in the first place…

Thanks in advance
