# F5XC security event explainer

> Paste an F5XC security event (WAF, Bot Defense, Service Policy, or API) and it decodes the type, the action and disposition, the request context, and the specific reason it fired.

- Tool: https://ronutz.com/en/tools/f5xc-security-event-explainer
- Family: Security & WAF

---

## What it does

This tool decodes an F5 Distributed Cloud (XC) security event. Paste the event JSON - from the Console's security-events page, a global log receiver, or the API - and it lays out what happened: which security service produced the event, the action that was taken and whether the request was blocked, the request context, and the exact reason the event fired. It runs entirely in your browser.

## The four event types

XC produces four kinds of security event, and the tool identifies which one you pasted from the sec_event_type field. A WAF event comes from the application firewall and carries signatures, violations, and attack types. A Bot Defense event carries the bot verdict. A Service Policy event carries the policy and rule that matched. An API event carries OpenAPI validation results and policy hits. If the type tag is missing, the tool infers the type from the shape of the event.

## Action versus recommendation

A security event records both what the WAF recommended and what it actually did, and those are not always the same. The recommended (or calculated) action reflects the policy's verdict; the action taken reflects the enforcement mode. In monitoring mode - or while a signature is in staging - the WAF logs a full event with signatures and violations but does not block, so the action is report even though the signature matched. The tool shows both, and derives a plain disposition: blocked, reported, or allowed.

## The reason it fired

The most useful part of an event is why it fired, and that lives in different fields per type. For a WAF event, the tool lists each signature with its id, name, accuracy, and attack type, each violation with its context, and the detected attack types. For a Bot Defense event, it shows the insight (human, good bot, or malicious), the automation type, and the recommendation. For a Service Policy event, it names the policy, the rule, and the policy set. For an API event, it shows the matched policy and rule, the OpenAPI request and response validation status, and any signatures. Together with the request id, that is enough to either open a support case or build a precise exclusion.

## Standards and references

- [F5 Distributed Cloud: Security Events Reference (WAF / Bot Defense / Service Policy / API event fields)](https://docs.cloud.f5.com/docs-v2/platform/reference/security-events-reference) - verified field names and values: sec_event_type, action, calculated_action, signatures{id,name,accuracy,attack_type}, violations{name,context}, attack_types, bot_info/bot_defense, policy/policy_rule/result, policy_hits, oas_req_status, vh_name, req_id (mod 2026-07-01)
- [F5 Distributed Cloud: AI Assistant field reference (sec_event_type values, signatures.accuracy, bot_info.classification, violations, attack_types)](https://docs.cloud.f5.com/docs-v2/ai-assistant/how-to/use-ai-assistant) - sec_event_type examples (waf_sec_event, bot_defense_sec_event, svc_policy_sec_event, api_sec_event); violation and attack-type token forms
- [F5 Distributed Cloud: Create Web Application Firewall (enforcement mode blocking vs monitoring, signature staging)](https://docs.cloud.f5.com/docs-v2/web-app-and-api-protection/how-to/app-security/application-firewall) - why a signature can trigger yet not block (monitoring mode / staging), and the action-vs-recommended-action distinction

## Related reading

- [Reading an XC Security Event: Type, Action, and the Reason It Fired](https://ronutz.com/en/learn/f5xc-security-events-anatomy.md): XC's WAF, Bot Defense, service policies, and API protection all write to one security-events stream. The sec_event_type field tells you the source; action versus recommended action (and enforcement/staging) explains why a matched signature may not block; and the reason lives in different fields per type - WAF signatures/violations/attack types, the bot verdict, the matched service policy and rule, or API OpenAPI validation and policy hits.
