Help Center/ Cloud Firewall/ API Reference/ API/ Log Analysis/ Querying Attack Log Statistics

Updated on 2025-08-12 GMT+08:00

Online Debugging

CLI Examples

View PDF

Querying Attack Log Statistics

Function

This API is used to query attack log statistics.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/cfw/logs/attack-detail

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID, which is used to specify the project that an asset belongs to. You can query the assets of a project by project ID. You can obtain the project ID from the API or console. For details, see Obtaining a Project ID. Constraints N/A Range 32-bit UUID. Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
fw_instance_id	Yes	String	Definition Firewall ID. It is a unique ID generated after a firewall instance is created. You can obtain the firewall ID by referring to Obtaining a Firewall ID. Constraints N/A Range 32-bit UUID. Default Value N/A
range	No	Integer	Definition Time range. Constraints N/A Range 0 (last hour), 1 (last day), or 2 (last seven days) Default Value N/A
log_type	Yes	String	Definition Log type. Constraints N/A Range internet (north-south logs), nat (NAT logs), vpc (east-west logs), or vgw (VGW logs) Default Value N/A
start_time	No	Long	Definition Start time. Constraints N/A Range Milliseconds-level timestamp. Default Value N/A
end_time	No	Long	Definition End time. Constraints N/A Range Milliseconds-level timestamp. Default Value N/A
vgw_id	No	Array of strings	Definition VGW ID Constraints N/A Range 32-bit UUID. Default Value N/A
action	Yes	Integer	Definition Action. Constraints N/A Range 0: all 1: block Default Value N/A
item	Yes	String	Definition Aggregation type. Constraints N/A Range src_region_id: top external attack source regions attack_type: attack type in_src_ip: top internal attack source IP addresses out_src_ip: top external attack source IP addresses dst_port: top attacked ports dst_ip: top attacked IP addresses attack_rule: top attack rules src_ip: top attack source IP addresses Default Value N/A
value	Yes	String	Definition Statistical object. Constraints N/A Range N/A Default Value N/A

Request Parameters

None

Response Parameters

Status code: 200

**Table 3** Response body parameters
Parameter	Type	Description
data	AttackDetailVO object

**Table 4** AttackDetailVO
Parameter	Type	Description
app_count	Long	Definition Number of applications. Range N/A
attack_rule_count	Long	Definition Number of attack rules. Range N/A
attack_type_count	Long	Definition Number of attack types. Range N/A
count	Long	Definition Number of attacks. Range N/A
dst_ip_count	Long	Definition Number of destination IP addresses. Range N/A
dst_port_count	Long	Definition Number of attacked ports. Range N/A
end_time	Long	Definition End time. Range N/A
records	Array of AttackLog objects	Definition Attack event details. Range N/A
src_ip_count	Long	Definition Number of source IP addresses. Range N/A
start_time	Long	Definition Start time. Range N/A
total	Long	Definition Total number. Range N/A

**Table 5** AttackLog
Parameter	Type	Description
action	String	Definition Action. Range N/A
app	String	Definition Application. Range N/A
attack_rule	String	Definition Attack rule. Range N/A
attack_rule_id	String	Definition Attack rule ID. Range N/A
attack_type	String	Definition Attack type. Range N/A
direction	String	Definition Attack direction. Range N/A
dst_ip	String	Definition Destination IP address. Range N/A
dst_port	Integer	Definition Destination port. Range N/A
dst_region_id	String	Definition Destination region ID. Range N/A
dst_region_name	String	Definition Destination region name. Range N/A
dst_province_id	String	Definition Destination province ID. Range N/A
dst_province_name	String	Definition Destination province name. Range N/A
dst_city_id	String	Definition Destination city ID. Range N/A
dst_city_name	String	Definition Destination city name. Range N/A
event_time	Long	Definition Occurrence time. Range N/A
level	String	Definition Risk severity. Range N/A
protocol	String	Definition Protocol. Range N/A
source	String	Definition Source. Range N/A
src_ip	String	Definition Source IP address. Range N/A
real_ip	String	Definition Real IP address. Range N/A
tag	Integer	Definition Tag. Range N/A
src_port	Integer	Definition Source port. Range N/A
src_region_id	String	Definition Source region ID. Range N/A
src_region_name	String	Definition Source region name. Range N/A
src_province_id	String	Definition Source province ID. Range N/A
src_province_name	String	Definition Source province name. Range N/A
src_city_id	String	Definition Source city ID. Range N/A
src_city_name	String	Definition Source city. Range N/A
vgw_id	String	Definition VGW Id Range N/A

Status code: 400

**Table 6** Response body parameters
Parameter	Type	Description
error_code	String	Definition Error code. Range N/A
error_msg	String	Definition Error message. Range N/A

Example Requests

https://{Endpoint}/v1/7db2c6e2934046dd8c5a996ed4780c5b/cfw/logs/attack-detail?fw_instance_id=a7df0f6c-da03-4511-ad0b-b17b589ff0ec&log_type=internet&range=2&item=src_region_id&action=0&value=US

Query detailed attack log statistics. The project ID is 7db2c6e2934046dd8c5a996ed4780c5b, the firewall ID is a7df0f6c-da03-4511-ad0b-b17b589ff0ec, the time range is 7 days, and the external attack source region is US.

Example Responses

Status code: 200

{
  "data" : {
    "app_count" : 1,
    "attack_rule_count" : 1,
    "attack_type_count" : 1,
    "count" : 1,
    "dst_ip_count" : 1,
    "dst_port_count" : 1,
    "end_time" : 1751014701000,
    "records" : [ {
      "action" : "permit",
      "app" : "UDP-ANY",
      "attack_rule" : "Realtek Jungle SDK Command Injection Vulnerability (CVE-2021-35394)",
      "attack_rule_id" : "806310",
      "attack_type" : "Vulnerability Exploit Attack",
      "dst_ip" : "121.37.223.24",
      "dst_port" : 9034,
      "dst_region_id" : "CN",
      "dst_region_name" : "China",
      "dst_province_id" : "GD",
      "dst_province_name" : "Guangdong",
      "dst_city_id" : "Guangzhou",
      "dst_city_name" : "Guangzhou",
      "event_time" : 1751014701000,
      "level" : "CRITICAL",
      "protocol" : "UDP",
      "source" : "predefined",
      "src_ip" : "92.112.125.103",
      "tag" : -1,
      "src_port" : 43533,
      "src_region_id" : "US",
      "src_region_name" : "United States"
    } ],
    "src_ip_count" : 1,
    "start_time" : 1751014701000,
    "total" : 1
  }
}

Status code: 400

Bad Request

{
  "error_code" : "CFW.00200007",
  "error_msg" : "Incorrect time range."
}

Status Codes

Status Code	Description
200	OK
400	Bad Request

Error Codes

See Error Codes.

Parent Topic: Log Analysis

Previous topic: Querying the Session Trend

Next topic: Querying Top Attack Log Statistics

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot