The DETECT operator for custom rules lets you detect incoming traffic based on QIDs.
For example, you can use the DETECT operator to detect false positives.
request.path DETECT "qid/150011" with action Allow
The above rule looks for a path that potentially exposes sensitive files (QID 150011 - Local File Inclusion), but allows the request even though it is usually blocked, because it is a false positive.
Similarly, if you create a DETECT rule with action Block, WAF blocks the request and applies a virtual patch for it.
Once you select the DETECT operator for a key, enter qid/ followed by the QID number (all in quotes):
request.path DETECT "qid/150011"
The DETECT operator is available for the following keys: