waf_metrics is blocked-only

The waf_metrics table (model: WafMetric) is fed from Sucuri’s audit trail. The audit trail only emits block events, so waf_metrics.request_count reflects blocked requests only — there is no corresponding “passed” count.

Implication

  • Don’t compute block-rate as blocked / (blocked + passed) — we don’t have the denominator.
  • Dashboards that look like “traffic volume” are actually “block volume.”
  • A drop in request_count could mean either “fewer attacks” or “WAF stopped receiving traffic” — distinguish via DNS/origin health, not via waf_metrics alone.

Second cap: 10,000 records per day

Sucuri’s audit_trails API returns at most 10,000 records per calendar day per site. On heavily attacked days the feed flatlines at 10k — that’s the ceiling, not the truth. See audit-trails.
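One way to carry both caveats into reporting code, as an added example in plain Ruby that is not part of the project's code base. It assumes rows with site and day columns next to request_count, that each audit-trail record counts as one blocked request, and a drop threshold of half the previous recorded day; the sample rows are constructed.

```ruby
require "date"

DAILY_RECORD_CAP = 10_000 # audit_trails ceiling per site per calendar day (from this page)
DROP_RATIO = 0.5          # assumed threshold: flag a day below half of the previous one

# rows: array of hashes { site:, day:, request_count: }. The :site and :day
# names are assumptions; request_count is the column described above.
# Returns one summary per site and day, ordered by site, then day.
def summarize_blocked(rows)
  totals = Hash.new(0)
  rows.each { |r| totals[[r[:site], r[:day]]] += r[:request_count] }

  previous = {} # last seen daily total per site
  totals.sort.map do |(site, day), blocked|
    # At the ceiling the feed was truncated, so the total is only a lower bound.
    capped = blocked >= DAILY_RECORD_CAP
    prev = previous[site]
    # A sharp fall is ambiguous: fewer attacks, or the WAF stopped receiving
    # traffic. waf_metrics cannot tell these apart, so flag it for a
    # DNS/origin health check instead of reporting it as good news.
    drop = !prev.nil? && blocked < prev * DROP_RATIO
    previous[site] = blocked
    {
      site: site,
      day: day,
      blocked_requests: blocked, # never "traffic": no passed count exists
      blocked_is_lower_bound: capped,
      check_origin_health: drop
    }
  end
end

# Constructed sample rows, not real data.
SAMPLE_ROWS = [
  { site: "example.test", day: Date.new(2024, 1, 1), request_count: 6_000 },
  { site: "example.test", day: Date.new(2024, 1, 1), request_count: 4_000 },
  { site: "example.test", day: Date.new(2024, 1, 2), request_count: 300 },
  { site: "example.test", day: Date.new(2024, 1, 3), request_count: 280 }
].freeze

if __FILE__ == $PROGRAM_NAME
  summarize_blocked(SAMPLE_ROWS).each { |row| puts row.inspect }
end
```

The summary deliberately has no block-rate field, since the denominator is not available.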