Querying Attack Event Logs
Function Description
This API is used to query attack event logs.
URI
URI format
GET /v1/{project_id}/waf/event?from={from}&to={to}&hosts={hostname}&attacks={attack}&sips={sip}&offset={offset}&limit={limit}
Note
An example of a URI is as follows:
GET /v1/3ac26c59e15a4a11bb680a103a29ddb6/waf/event/attack/type?from=1543976973635&to=1563976973635&hosts=3211757cafa3437aae24d760022e79ba&hosts=93029844064b43739b51ca63036fbc4b&hosts=34fe5f5c60ef4e43a9975296765d1217
Parameter description
Parameter | Mandatory | Type | Description |
---|---|---|---|
project_id | Yes | String | Specifies the project ID. |
from | Yes | Long | Specifies the start time (UTC) in milliseconds. For example, 1548172800000. |
to | Yes | Long | Specifies the end time (UTC) in milliseconds. For example, 1548431999000. |
hosts | No | Array | Specifies the domain IDs. |
attacks | No | Array | Specifies the list of attack types. For example, sqli and xss. |
sips | No | Array | Specifies the attack source IP addresses. For example, X.X.12.23 and X.X.20.85. |
nsips | No | Array | Specifies the excluded attack source IP addresses. For example, X.X.12.1 and X.X.20.2. |
offset | No | Long | Specifies the number of returned pages. Its value ranges from 0 to 65535. The default value is 0. |
limit | No | Long | Specifies the maximum number of records displayed on each page. Its value ranges from 0 to 50. The default value is 10. |
marker | No | String | Specifies the ID of the last event record on the previous page. |
Request
Request parameters
None
Response
Response parameters
Parameter | Type | Description |
---|---|---|
total | Integer | Specifies the total number of event logs. |
items | Array | Specifies the event log objects. |
Parameters of each object in items
Parameter | Type | Description |
---|---|---|
id | String | Specifies the event ID. |
time | Integer | Specifies the attack time since Unix Epoch in milliseconds. |
policy_id | String | Specifies the policy ID. |
sip | String | Specifies an attack source IP address. |
host | String | Specifies an attacked domain name. |
host_id | String | Specifies a domain name ID. |
url | String | Specifies the attacked URL, excluding a domain name. |
attack | String | Specifies the attack type. |
rule | String | Specifies the matched rule ID that consists of six digits. |
payload | String | Specifies the hit load. |
action | String | Specifies the protective action. |
payload_location | String | Specifies the location in the request packet where the attack occurs. The options are as follows: body, url, params, and header. |
request_line | String | Specifies the attack request method. |
headers | Object | Specifies the attack request header. |
cookie | String | Specifies the cookie. |
body | String | Specifies the body of an attack request. |
Example
A response with total set to 2 is used as an example.
Response example
```json
{
  "total": 2,
  "items": [
    {
      "id": "0000-0000-0000-13-56ef71f5745764348192f844658dd144",
      "time": 1499817600,
      "policy_id": "xxx",
      "sip": "X.X.1.1",
      "host": "a.com",
      "host_id": "123",
      "url": "/login",
      "attack": "sqli",
      "rule": "20001",
      "payload": "1 or 1=1",
      "action": "block",
      "payload_location": "params",
      "request_line": "GET / ",
      "headers": {
        "Connection": "keep-alive",
        "User-Agent": "curl"
      },
      "cookie": "sid=123; uid=456",
      "body": "user=admin&pass=abc123"
    },
    {
      "id": "0000-0000-0000-13-56ef71f5745764348192f844658dd144",
      "time": 1499817600,
      "host": "a.com",
      "host_id": "a",
      "policy_id": "xxx",
      "sip": "X.X.1.2",
      "url": "/login",
      "attack": "sqli",
      "rule": "20001",
      "payload": "1 or 1=1",
      "action": "log",
      "payload_location": "params",
      "request_line": "GET / ",
      "headers": {
        "Connection": "keep-alive",
        "User-Agent": "curl"
      },
      "cookie": "sid=123; uid=456",
      "body": "user=admin&pass=abc123"
    }
  ]
}
```
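The following is an added example, not code from the page or from the WAF product: it builds the query string described in the URI section (array parameters such as hosts are repeated, as in the page's URI example, and offset/limit are checked against the documented ranges) and summarises a page of returned event objects by attack type, action and source IP, flagging rules that only logged and never blocked, which is a useful input when tuning a policy. The project ID, event IDs and host values are constructed placeholders.

```python
"""Added example: build the attack-event query and summarise the results.
All IDs and host values below are constructed placeholders, not real data."""
from collections import Counter
from urllib.parse import urlencode


def build_event_query(project_id, from_ms, to_ms, hosts=(), attacks=(), sips=(),
                      nsips=(), offset=0, limit=10, marker=None):
    """Return the path and query for GET /v1/{project_id}/waf/event.

    Array parameters are repeated (hosts=a&hosts=b); offset and limit are
    validated against the ranges given in the parameter description."""
    if not 0 <= offset <= 65535:
        raise ValueError("offset must be in 0..65535")
    if not 0 <= limit <= 50:
        raise ValueError("limit must be in 0..50")
    params = {"from": from_ms, "to": to_ms, "offset": offset, "limit": limit}
    for key, values in (("hosts", hosts), ("attacks", attacks),
                        ("sips", sips), ("nsips", nsips)):
        if values:
            params[key] = list(values)
    if marker:
        params["marker"] = marker
    return f"/v1/{project_id}/waf/event?{urlencode(params, doseq=True)}"


def summarize_events(response):
    """Aggregate one page of event objects: counts per (attack, action),
    counts per source IP, and rule IDs that were only ever logged."""
    items = response["items"]
    by_attack_action = Counter((e["attack"], e["action"]) for e in items)
    by_sip = Counter(e["sip"] for e in items)
    blocked = {e["rule"] for e in items if e["action"] == "block"}
    logged = {e["rule"] for e in items if e["action"] == "log"}
    return {"total": response["total"],
            "by_attack_action": dict(by_attack_action),
            "by_sip": dict(by_sip),
            "log_only_rules": sorted(logged - blocked)}


# Constructed sample response shaped like the page's example (two sqli hits).
SAMPLE_RESPONSE = {
    "total": 2,
    "items": [
        {"id": "evt-1", "time": 1499817600, "sip": "X.X.1.1", "host": "a.com",
         "url": "/login", "attack": "sqli", "rule": "20001", "action": "block"},
        {"id": "evt-2", "time": 1499817600, "sip": "X.X.1.2", "host": "a.com",
         "url": "/login", "attack": "sqli", "rule": "20002", "action": "log"},
    ],
}
```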
Status Code
Table 4 describes the normal status code returned by the API.
Status Code | Description | Meaning |
---|---|---|
200 | OK | The request has succeeded. |
For details about error status codes, see Status Codes.