# Analyze Security Events with Event Advisor

## Overview

The **AI-based Event Advisor** gives you detailed insight into open-appsec Security Events. Its analysis is divided into three easy-to-read sections:

* What Happened?
* Why Was It Blocked?
* What Should You Do?

## How to Use

* Navigate to your open-appsec Security Logs in the Monitoring section.
* Right-click on any individual log entry.
* Select “Event Advisor” from the context menu.
* A panel opens on the right-hand side of the screen, showing the detailed event analysis.

![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252F4AWPK7h9Uhldfba5olZ0%252Fimage.png%3Falt%3Dmedia%26token%3D5304bdd1-5064-4ac3-8cf2-f500773306a6\&width=768\&dpr=4\&quality=100\&sign=56ce8dd0\&sv=2)

## Event Advisor Output

![](https://waf-doc.inext.checkpoint.com/~gitbook/image?url=https%3A%2F%2F2760087783-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FEWA4nfgNrSRL8dA6Kap7%252Fuploads%252FsqC2VYKLunydJ72VGIWd%252Fimage.png%3Falt%3Dmedia%26token%3Dbf642b15-2d6a-4c74-ad21-4a4cf1e71199\&width=768\&dpr=4\&quality=100\&sign=e0f80b90\&sv=2)

### **What Happened?**

This section gives a short, clear summary of the event.

* It shows the request method (GET, POST, etc.), the source IP, the destination host/path, and whether the request was blocked or detected.
* Example: “*A POST request from 192.168.0.1 to the root path of "example.com" was blocked due to missing authentication token*.”

### **Why Was It Blocked?**

This section explains why open-appsec took action.

* It describes what was missing, suspicious, or malicious in the request.
* Example: “*The request contained patterns matching Java JNDI injection attempts in the URL path. The presence of 'jndi:' in the URI is a strong indicator of an attempt to exploit Log4j vulnerabilities (Log4Shell) or similar Java deserialization attacks. The request also matched XPath injection patterns. These attacks could allow remote code execution or unauthorized data access on the target system.*”

### **What Should You Do?**

This section provides recommended next steps.

The guidance here always starts with the verdict sentence, then adds 2–3 hardening steps relevant to the detected attack type(s):

* **If malicious (blocked/detected):**\
  No action is required.
* **If likely a false positive (blocked/detected but looks legitimate):**\
  Create a narrow Custom Rule/Exception for the specific URL and parameter or click ‘Report misclassification’.

### **Reporting Misclassification**

If you believe the log classification is incorrect (for example, a false positive), you can click Report misclassification.


