Reading a Path Detail Page

Priority badges, site-wide baseline overlay, 7-day history, HTTP methods, related alerts, and unique IPs per ASN — how to read what the page is telling you.

4 min read · Last updated 26 April 2026

What the Path detail page shows

Every path prefix on the Paths list drills into a detail view with the full signal set for that endpoint. Use this page when you need to answer the question "is this path being abused?"

Priority badge

Some paths carry a coloured Priority pill next to the title. These are SFCC (Salesforce Commerce Cloud) controllers that Edge treats as high-signal:

  • Red — Checkout / Payment (COBilling, CheckoutServices, COSummary, Order, PaymentInstruments, Adyen) — card-testing, gift-card enumeration, payment fraud target
  • Amber — Auth / Credential (Login, Account, Customer, ResetPassword) — credential stuffing, account takeover target
  • Blue — Cart / Basket (Cart, BasketMgr) — grinch bots, inventory hoarding target

The badge is a cue to scrutinise traffic patterns on this path more carefully than you would a browsing endpoint.

Requests stat tile — "X× 7d avg"

The Requests tile's sublabel includes a 7-day-average comparison: "0.2% of total · 1.4× 7d avg (normal)".

  • quiet (< 0.5×): traffic is well below typical
  • normal (0.5–2×): within the expected range
  • elevated (2–5×): unusually busy but not alarming
  • spike (≥ 5×): well above typical — worth investigating

The 7-day baseline is independent of the currently-selected range — it always compares against the last 7 days' daily average.

Status-class timeseries — Site-wide overlay

The chart shows this path's requests broken down by HTTP status class (2xx, 4xx, 499, etc.), stacked. A dashed grey Site-wide line overlays the total site traffic shape.

  • Path tracks the site baseline → this path is riding a general traffic pattern (legit campaign, time-of-day)
  • Path diverges from the baseline → this path has independent behaviour; could be a targeted attack

Top ASNs table — Unique IPs column

The Top ASNs table shows, for each ASN hitting this path:

  • Requests — volume from that ASN
  • Unique IPs — distinct client IPs within that ASN captured in the path's top-N IP rollup

Interpreting the Unique IPs column:

  • Red (≤ 2 IPs) — likely bot. One or two IPs carrying meaningful volume is a classic scripted-attack signature.
  • Amber (3–5 IPs) — worth a look. Small egress pool could be a small bot cluster or a corporate proxy.
  • White (≥ 6 IPs) — distributed traffic, likely legitimate humans.
  • — (em-dash) — ASN didn't crack the top-N IP rollup for this path. Usually means low ASN volume — not a signal either way.

Note: this is "how many of this path's top IPs belong to this ASN" rather than a true distinct-count. For offender detection that's the signal that matters.
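The Unique IPs column described above can be reproduced offline from exported request data. The following is an added example, not Edge's own code: the row layout, the `top_n` value of 14, and the documentation-range IPs and ASNs are all constructed assumptions.

```python
from collections import Counter

def bucket(n):
    """Colour for the Unique IPs cell, using the thresholds listed above."""
    if n is None:
        return "not in rollup"   # shown as a dash on the page
    if n <= 2:
        return "red"
    if n <= 5:
        return "amber"
    return "white"

def top_asns(rows, top_n):
    """rows: (client_ip, asn, requests) for one path.
    Returns {asn: (requests, unique_ips, colour, true_distinct_ips)}."""
    per_ip, asn_reqs, ip_asn = Counter(), Counter(), {}
    for ip, asn, reqs in rows:
        per_ip[ip] += reqs
        asn_reqs[asn] += reqs
        ip_asn[ip] = asn
    # Only the path's top-N IPs are retained; the column counts those per ASN.
    in_rollup = Counter(ip_asn[ip] for ip, _ in per_ip.most_common(top_n))
    true_distinct = Counter(ip_asn.values())
    table = {}
    for asn, reqs in asn_reqs.most_common():
        n = in_rollup.get(asn)   # None: no IP from this ASN made the rollup
        table[asn] = (reqs, n, bucket(n), true_distinct[asn])
    return table

# Constructed sample: four ASNs with very different per-IP volume.
ROWS = (
    [("198.51.100.%d" % i, 64500, 4000) for i in range(2)]      # 2 heavy IPs
    + [("203.0.113.%d" % i, 64501, 300) for i in range(8)]      # 8 moderate IPs
    + [("192.0.2.%d" % i, 64502, 250) for i in range(4)]        # 4 moderate IPs
    + [("192.0.2.%d" % (100 + i), 64503, 10) for i in range(20)]  # 20 light IPs
)
TABLE = top_asns(ROWS, top_n=14)

if __name__ == "__main__":
    for asn, row in TABLE.items():
        print(asn, row)
```

The last ASN has 20 distinct IPs but none in the top-N rollup, which is why its cell carries no signal either way.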

HTTP methods card

Colour-coded method breakdown:

  • Green — read-only methods (GET, HEAD, OPTIONS). Safe and idempotent.
  • Amber — mutating methods (POST, PUT, PATCH, DELETE). On prescribed-POST endpoints like COBilling-Submit, this bar should be 100% — any GET volume is probing.
  • Red — (no method) — Logpush didn't supply a method for these requests. See HTTP methods and required fields for what to do about this.

High-signal patterns:

  • Login-Submit showing significant GETs — someone is scraping the form / harvesting CSRF tokens
  • Search endpoint flipping from 80% GET to 80% POST — unusual scraper behaviour or testing of a different attack vector
  • Adyen-Notify getting GETs — legit Adyen webhooks are POST-only; GETs here are a probe
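The method checks above can be run over exported request records as follows. This is an added example, not Edge's own code: the `POST_ONLY` set is an assumption built from the endpoints this page names, `Search-Show` is a hypothetical path, the "other" class is an assumption for methods the page does not classify, and the records are constructed.

```python
from collections import Counter, defaultdict

READ_ONLY = {"GET", "HEAD", "OPTIONS"}         # green on the card
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}  # amber on the card
# Assumption: POST-only endpoints, taken from the examples named on this page.
POST_ONLY = {"COBilling-Submit", "Login-Submit", "Adyen-Notify"}

def colour(method):
    m = (method or "").strip().upper()
    if not m:
        return "red"     # "(no method)": the log record carried no method
    if m in READ_ONLY:
        return "green"
    if m in MUTATING:
        return "amber"
    return "other"       # assumption: methods the page does not classify

def method_card(records):
    """records: iterable of (path, method). Returns {path: {colour: share}}."""
    counts = defaultdict(Counter)
    for path, method in records:
        counts[path][colour(method)] += 1
    return {p: {c: n / sum(cs.values()) for c, n in cs.items()}
            for p, cs in counts.items()}

def findings(records, min_share=0.0):
    """Flag read-only traffic on POST-only endpoints and missing methods."""
    out = []
    for path, shares in sorted(method_card(records).items()):
        if path in POST_ONLY and shares.get("green", 0) > min_share:
            out.append((path, "read-only traffic on POST-only endpoint",
                        round(shares["green"], 2)))
        if shares.get("red", 0) > 0:
            out.append((path, "requests without a method", round(shares["red"], 2)))
    return out

# Constructed sample records: (path, method).
SAMPLE = (
    [("COBilling-Submit", "POST")] * 50
    + [("Login-Submit", "POST")] * 60 + [("Login-Submit", "GET")] * 40
    + [("Adyen-Notify", "POST")] * 18 + [("Adyen-Notify", "get")] * 2
    + [("Search-Show", "GET")] * 75 + [("Search-Show", None)] * 25
)

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```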

Related alerts

If any open alerts match this path directly (e.g. a path_spike alert) or any of the ASNs in the Top ASNs table (e.g. asn_spike on one of them), they appear here.

This answers "is a known bad ASN hitting a known priority path?" without the operator having to cross-check manually.

Pin, Ignore, Investigate IPs

Three actions on the page header:

  • Pin — float this path to the top of the Paths list
  • Ignore — hide from the list by default
  • Investigate IPs — jumps to /admin/ip-discovery with this path pre-filled as the sampling filter. Use when the continuous Top IPs view shows no data because volume is low but you suspect real abuse — the forensic sampler captures the full tuple list.

Low-volume path banner (added 2026-04-24)

If a path has request totals showing in the headline tiles but the Top ASNs / Cache / UA / HTTP methods panels below are all empty, you'll see an amber "Low-volume path — limited drill-down detail" banner above them.

Why: the headline counts and status-class timeseries come from the edge_path_totals AE dataset which has full path coverage. The dimensional panels query the main edge_requests rollup which keeps only the top-120 (path × ASN × country × UA × …) tuples per batch. A path with low per-tuple volume (say, 950 requests/hour spread across many ASNs) doesn't survive that cut, so no dimensional breakdown was captured.

What to do about it:

  • Widen the range — 7d or 30d sums across many more batches and may surface dimensional data
  • Use /ips — the IP-level rollup uses a separate dataset and may capture activity for this path
  • Spin up an IP discovery window via the Investigate IPs button — forensic sampling captures the full tuple list at high resolution

The banner is silent on paths where dimensional data is healthy.
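The following added example (not Edge's own code) simulates the cut described above: path totals are counted for every request, while dimensional tuples are truncated to the top 120 per batch. The batch contents, path names and ASN numbers are constructed; the two stores are plain Python stand-ins for edge_path_totals and edge_requests.

```python
from collections import Counter

KEEP = 120  # per-batch tuple cut described above

def make_batch(busy_tuples, quiet_tuples):
    """Constructed batch of (path, asn, country, ua, requests) tuples."""
    busy = [("busy-path", 64496 + i % 16, "US", "ua-%d" % i, 400)
            for i in range(busy_tuples)]
    quiet = [("quiet-path", 64512 + i, "GB", "ua-x", 10)
             for i in range(quiet_tuples)]   # 95 tuples x 10 = 950 requests
    return busy + quiet

def rollup(batch, keep=KEEP):
    """Full-coverage path totals plus the `keep` largest dimensional tuples."""
    totals = Counter()
    for path, _asn, _country, _ua, reqs in batch:
        totals[path] += reqs                 # every path is counted here
    kept = sorted(batch, key=lambda t: t[4], reverse=True)[:keep]
    return totals, kept

def panel_rows(batches, path, keep=KEEP):
    """Headline total and surviving dimensional tuples for `path` over a range."""
    total, rows = 0, []
    for batch in batches:
        totals, kept = rollup(batch, keep)
        total += totals[path]
        rows += [t for t in kept if t[0] == path]
    return total, rows

def banner(batches, path):
    """True when headline counts exist but no dimensional tuple survived."""
    total, rows = panel_rows(batches, path)
    return total > 0 and not rows

PEAK = make_batch(busy_tuples=130, quiet_tuples=95)   # busy path fills all 120 slots
NIGHT = make_batch(busy_tuples=100, quiet_tuples=95)  # 20 slots left over

if __name__ == "__main__":
    print(panel_rows([PEAK], "quiet-path")[0], banner([PEAK], "quiet-path"))
    total, rows = panel_rows([PEAK, NIGHT], "quiet-path")
    print(total, len(rows), banner([PEAK, NIGHT], "quiet-path"))
```

Widening the range from the peak batch alone to both batches is what lets some of the quiet path's tuples appear, matching the first remedy in the list above.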
