Querying Attack Event Logs

Function Description

This API is used to query attack event logs.

URI

  • URI format

    GET /v1/{project_id}/waf/event?from={from}&to={to}&hosts={host_id}&attacks={attack}&sips={sip}&nsips={nsip}&offset={offset}&limit={limit}&marker={marker}

    Note

    Array parameters (hosts, attacks, sips, and nsips) are passed by repeating the parameter name once per value. An example of a URI is as follows:

    GET /v1/3ac26c59e15a4a11bb680a103a29ddb6/waf/event?from=1543976973635&to=1563976973635&hosts=3211757cafa3437aae24d760022e79ba&hosts=93029844064b43739b51ca63036fbc4b&hosts=34fe5f5c60ef4e43a9975296765d1217

  • Parameter description

    Table 1 Path and query parameters

    Parameter  | Mandatory | Type   | Description
    -----------|-----------|--------|------------
    project_id | Yes       | String | Specifies the project ID (path parameter).
    from       | Yes       | Long   | Specifies the start time (UTC) in milliseconds since the Unix epoch. For example, 1548172800000.
    to         | Yes       | Long   | Specifies the end time (UTC) in milliseconds since the Unix epoch. For example, 1548431999000.
    hosts      | No        | Array  | Specifies the domain IDs. Repeat the parameter once per ID (hosts=...&hosts=...).
    attacks    | No        | Array  | Specifies the list of attack types, for example, sqli and xss. See the attack field in Table 3 for the full list.
    sips       | No        | Array  | Specifies the attack source IP addresses, for example, X.X.12.23 and X.X.20.85.
    nsips      | No        | Array  | Specifies the attack source IP addresses to exclude, for example, X.X.12.1 and X.X.20.2.
    offset     | No        | Long   | Specifies the page number of the results to return, counting from 0. Its value ranges from 0 to 65535. The default value is 0.
    limit      | No        | Long   | Specifies the maximum number of records on each page. Its value ranges from 0 to 50. The default value is 10.
    marker     | No        | String | Specifies the ID of the last event record on the previous page.
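The following is an added example (not Huawei Cloud SDK code) of building the query URI from Table 1 and paging through a time window. It assumes the endpoint and parameters are exactly as documented, that offset is a 0-based page number (so each request advances it by one), and that fetch_page is a caller-supplied callable that performs the authenticated GET and returns the decoded JSON body; authentication is outside this page. The sample pages and the waf.example.com host are constructed for the demonstration.

```python
"""Build the attack-event query URI and iterate over its pages.

Added example, not Huawei Cloud SDK code. Assumptions:
- the endpoint and parameters are as documented in Table 1;
- 'offset' is a 0-based page number, advanced by one per request;
- fetch_page does the authenticated GET and returns the JSON body.
"""
from typing import Callable, Iterator, Optional, Sequence
from urllib.parse import parse_qs, urlencode, urlparse

ENDPOINT_PATH = "/v1/{project_id}/waf/event"
MAX_LIMIT = 50       # documented maximum for 'limit'
MAX_OFFSET = 65535   # documented maximum for 'offset'


def build_event_query(base_url: str, project_id: str, from_ms: int, to_ms: int,
                      hosts: Sequence[str] = (), attacks: Sequence[str] = (),
                      sips: Sequence[str] = (), nsips: Sequence[str] = (),
                      offset: int = 0, limit: int = 10,
                      marker: Optional[str] = None) -> str:
    """Validate the documented ranges and encode array parameters by repetition."""
    if from_ms >= to_ms:
        raise ValueError("'from' must be earlier than 'to' (both UTC milliseconds)")
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError("offset must be between 0 and 65535")
    if not 0 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 0 and 50")
    params = [("from", from_ms), ("to", to_ms)]
    for key, values in (("hosts", hosts), ("attacks", attacks), ("sips", sips), ("nsips", nsips)):
        params.extend((key, v) for v in values)   # hosts=a&hosts=b, as in the URI note
    params += [("offset", offset), ("limit", limit)]
    if marker:
        params.append(("marker", marker))
    path = ENDPOINT_PATH.format(project_id=project_id)
    return f"{base_url.rstrip('/')}{path}?{urlencode(params)}"


def iter_events(fetch_page: Callable[[str], dict], base_url: str, project_id: str,
                from_ms: int, to_ms: int, limit: int = MAX_LIMIT, **filters) -> Iterator[dict]:
    """Yield every event in the window, de-duplicating by id across page boundaries."""
    seen = set()
    for offset in range(MAX_OFFSET + 1):
        url = build_event_query(base_url, project_id, from_ms, to_ms,
                                offset=offset, limit=limit, **filters)
        body = fetch_page(url)
        items = body.get("items") or []
        for item in items:
            if item["id"] not in seen:
                seen.add(item["id"])
                yield item
        total = body.get("total")
        # Stop on a short page, or once the server-reported total has been collected.
        if len(items) < limit or (total is not None and len(seen) >= int(total)):
            break


# Constructed sample pages (not captured from a real tenant): three events, two per page.
SAMPLE_PAGES = [
    {"total": 3, "items": [
        {"id": "evt-1", "sip": "X.X.1.1", "attack": "sqli", "action": "block"},
        {"id": "evt-2", "sip": "X.X.1.2", "attack": "xss", "action": "log"}]},
    {"total": 3, "items": [
        {"id": "evt-3", "sip": "X.X.1.1", "attack": "cmdi", "action": "block"}]},
]


def demo() -> list:
    """Page through SAMPLE_PAGES with a fake fetcher; returns the event ids in order."""
    def fake_fetch(url: str) -> dict:
        page = int(parse_qs(urlparse(url).query)["offset"][0])
        return SAMPLE_PAGES[page] if page < len(SAMPLE_PAGES) else {"total": 3, "items": []}

    events = iter_events(fake_fetch, "https://waf.example.com", "3ac26c59e15a4a11bb680a103a29ddb6",
                         1543976973635, 1563976973635, limit=2,
                         hosts=["3211757cafa3437aae24d760022e79ba"])
    return [e["id"] for e in events]


if __name__ == "__main__":
    print(demo())
```

Because limit is capped at 50, a busy tenant needs many pages per window; the id set guards against the same record appearing on two pages when new events arrive between requests.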

Request

Request parameters

None

Response

Response parameters

Table 2 Parameter description

Parameter | Type             | Description
----------|------------------|------------
total     | Integer          | Specifies the total number of matching event logs.
items     | Array of Table 3 | Specifies the event log objects.

Table 3 items

Parameter        | Type    | Description
-----------------|---------|------------
id               | String  | Specifies the event ID.
time             | Integer | Specifies the attack time as a Unix epoch timestamp in milliseconds.
policy_id        | String  | Specifies the policy ID.
sip              | String  | Specifies the attack source IP address.
host             | String  | Specifies the attacked domain name.
host_id          | String  | Specifies the domain name ID.
url              | String  | Specifies the attacked URL path, without the domain name.
attack           | String  | Specifies the attack type. The values are listed below.
rule             | String  | Specifies the ID of the matched rule, a six-digit number.
payload          | String  | Specifies the request content that matched the rule.
action           | String  | Specifies the protective action taken. The values are listed below.
payload_location | String  | Specifies the part of the request in which the attack was found: body, url, params, or header.
request_line     | String  | Specifies the request line (method and path) of the attack request.
headers          | Object  | Specifies the headers of the attack request.
cookie           | String  | Specifies the Cookie header value of the attack request.
body             | String  | Specifies the body of the attack request.

Values of attack:

  • cc refers to CC (HTTP flood) attacks.

  • cmdi refers to command injection.

  • custom refers to Precise Protection events.

  • illegal refers to invalid requests.

  • sqli refers to SQL injection.

  • lfi refers to local file inclusion.

  • robot refers to malicious crawlers.

  • antitamper refers to Web Tamper Protection events.

  • rfi refers to remote file inclusion.

  • vuln refers to other types of attacks.

  • xss refers to XSS attacks.

  • whiteblackip refers to Blacklist and Whitelist events.

  • webshell refers to webshells.

Values of action:

  • Block: WAF blocks and logs the detected attack.

  • Log only: WAF logs the detected attack without blocking it.

  • Allow: WAF allows requests that meet the specified conditions.

  • Verification code: A verification code is displayed when the number of requests reaches the limit set in a CC attack protection rule. After the client completes the verification, it is no longer restricted by that limit.

  • Filter: WAF masks sensitive data in the response.

  • Mismatch: The page cached by the WAF engine does not match the original page (Web Tamper Protection).

Example

The following response carries total = 2, that is, two event logs. Note two things when parsing it: the action field carries the lowercase key (block, log) rather than the display name listed in Table 3, and the time values in this example have second resolution although the field is documented in milliseconds, so confirm the unit against a live response before converting timestamps.

Response example

{
  "total": 2,
  "items": [
    {
      "id": "0000-0000-0000-13-56ef71f5745764348192f844658dd144",
      "time": 1499817600,
      "policy_id": "xxx",
      "sip": "X.X.1.1",
      "host": "a.com",
      "host_id": "123",
      "url": "/login",
      "attack": "sqli",
      "rule": "20001",
      "payload": "1 or 1=1",
      "action": "block",
      "payload_location": "params",
      "request_line": "GET / ",
      "headers": {
        "Connection": "keep-alive",
        "User-Agent": "curl"
      },
      "cookie": "sid=123; uid=456",
      "body": "user=admin&pass=abc123"
    },
    {
      "id": "0000-0000-0000-13-56ef71f5745764348192f844658dd144",
      "time": 1499817600,
      "host": "a.com",
      "host_id": "a",
      "policy_id": "xxx",
      "sip": "X.X.1.2",
      "url": "/login",
      "attack": "sqli",
      "rule": "20001",
      "payload": "1 or 1=1",
      "action": "log",
      "payload_location": "params",
      "request_line": "GET / ",
      "headers": {
        "Connection": "keep-alive",
        "User-Agent": "curl"
      },
      "cookie": "sid=123; uid=456",
      "body": "user=admin&pass=abc123"
    }
  ]
}

Status Code

Table 4 describes the normal status code returned by the API.

Table 4 Status code

Status Code | Description | Meaning
------------|-------------|--------
200         | OK          | The request has succeeded.

For details about error status codes, see Status Codes.