Updated on 2025-08-12 GMT+08:00

Querying Attack Log Statistics

Function

This API is used to query attack log statistics.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/cfw/logs/attack-detail

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Definition: Project ID, which is used to specify the project that an asset belongs to. You can query the assets of a project by project ID. You can obtain the project ID from the API or console. For details, see Obtaining a Project ID. Constraints: N/A. Range: 32-bit UUID. Default Value: N/A. |

Table 2 Query Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| fw_instance_id | Yes | String | Definition: Firewall ID. It is a unique ID generated after a firewall instance is created. You can obtain the firewall ID by referring to Obtaining a Firewall ID. Constraints: N/A. Range: 32-bit UUID. Default Value: N/A. |
| range | No | Integer | Definition: Time range. Constraints: N/A. Range: 0 (last hour), 1 (last day), or 2 (last seven days). Default Value: N/A. |
| log_type | Yes | String | Definition: Log type. Constraints: N/A. Range: internet (north-south logs), nat (NAT logs), vpc (east-west logs), or vgw (VGW logs). Default Value: N/A. |
| start_time | No | Long | Definition: Start time. Constraints: N/A. Range: Milliseconds-level timestamp. Default Value: N/A. |
| end_time | No | Long | Definition: End time. Constraints: N/A. Range: Milliseconds-level timestamp. Default Value: N/A. |
| vgw_id | No | Array of strings | Definition: VGW ID. Constraints: N/A. Range: 32-bit UUID. Default Value: N/A. |
| action | Yes | Integer | Definition: Action. Constraints: N/A. Range: 0: all; 1: block. Default Value: N/A. |
| item | Yes | String | Definition: Aggregation type. Constraints: N/A. Range: src_region_id: top external attack source regions; attack_type: attack type; in_src_ip: top internal attack source IP addresses; out_src_ip: top external attack source IP addresses; dst_port: top attacked ports; dst_ip: top attacked IP addresses; attack_rule: top attack rules; src_ip: top attack source IP addresses. Default Value: N/A. |
| value | Yes | String | Definition: Statistical object. Constraints: N/A. Range: N/A. Default Value: N/A. |

Request Parameters

None

Response Parameters

Status code: 200

Table 3 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| data | AttackDetailVO object | |

Table 4 AttackDetailVO

| Parameter | Type | Description |
|---|---|---|
| app_count | Long | Definition: Number of applications. Range: N/A. |
| attack_rule_count | Long | Definition: Number of attack rules. Range: N/A. |
| attack_type_count | Long | Definition: Number of attack types. Range: N/A. |
| count | Long | Definition: Number of attacks. Range: N/A. |
| dst_ip_count | Long | Definition: Number of destination IP addresses. Range: N/A. |
| dst_port_count | Long | Definition: Number of attacked ports. Range: N/A. |
| end_time | Long | Definition: End time. Range: N/A. |
| records | Array of AttackLog objects | Definition: Attack event details. Range: N/A. |
| src_ip_count | Long | Definition: Number of source IP addresses. Range: N/A. |
| start_time | Long | Definition: Start time. Range: N/A. |
| total | Long | Definition: Total number. Range: N/A. |

Table 5 AttackLog

| Parameter | Type | Description |
|---|---|---|
| action | String | Definition: Action. Range: N/A. |
| app | String | Definition: Application. Range: N/A. |
| attack_rule | String | Definition: Attack rule. Range: N/A. |
| attack_rule_id | String | Definition: Attack rule ID. Range: N/A. |
| attack_type | String | Definition: Attack type. Range: N/A. |
| direction | String | Definition: Attack direction. Range: N/A. |
| dst_ip | String | Definition: Destination IP address. Range: N/A. |
| dst_port | Integer | Definition: Destination port. Range: N/A. |
| dst_region_id | String | Definition: Destination region ID. Range: N/A. |
| dst_region_name | String | Definition: Destination region name. Range: N/A. |
| dst_province_id | String | Definition: Destination province ID. Range: N/A. |
| dst_province_name | String | Definition: Destination province name. Range: N/A. |
| dst_city_id | String | Definition: Destination city ID. Range: N/A. |
| dst_city_name | String | Definition: Destination city name. Range: N/A. |
| event_time | Long | Definition: Occurrence time. Range: N/A. |
| level | String | Definition: Risk severity. Range: N/A. |
| protocol | String | Definition: Protocol. Range: N/A. |
| source | String | Definition: Source. Range: N/A. |
| src_ip | String | Definition: Source IP address. Range: N/A. |
| real_ip | String | Definition: Real IP address. Range: N/A. |
| tag | Integer | Definition: Tag. Range: N/A. |
| src_port | Integer | Definition: Source port. Range: N/A. |
| src_region_id | String | Definition: Source region ID. Range: N/A. |
| src_region_name | String | Definition: Source region name. Range: N/A. |
| src_province_id | String | Definition: Source province ID. Range: N/A. |
| src_province_name | String | Definition: Source province name. Range: N/A. |
| src_city_id | String | Definition: Source city ID. Range: N/A. |
| src_city_name | String | Definition: Source city name. Range: N/A. |
| vgw_id | String | Definition: VGW ID. Range: N/A. |

Status code: 400

Table 6 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| error_code | String | Definition: Error code. Range: N/A. |
| error_msg | String | Definition: Error message. Range: N/A. |

Example Requests

https://{Endpoint}/v1/7db2c6e2934046dd8c5a996ed4780c5b/cfw/logs/attack-detail?fw_instance_id=a7df0f6c-da03-4511-ad0b-b17b589ff0ec&log_type=internet&range=2&item=src_region_id&action=0&value=US

Query detailed attack log statistics. The project ID is 7db2c6e2934046dd8c5a996ed4780c5b, the firewall ID is a7df0f6c-da03-4511-ad0b-b17b589ff0ec, the time range is 7 days, and the external attack source region is US.

Example Responses

Status code: 200

OK

{
  "data" : {
    "app_count" : 1,
    "attack_rule_count" : 1,
    "attack_type_count" : 1,
    "count" : 1,
    "dst_ip_count" : 1,
    "dst_port_count" : 1,
    "end_time" : 1751014701000,
    "records" : [ {
      "action" : "permit",
      "app" : "UDP-ANY",
      "attack_rule" : "Realtek Jungle SDK Command Injection Vulnerability (CVE-2021-35394)",
      "attack_rule_id" : "806310",
      "attack_type" : "Vulnerability Exploit Attack",
      "dst_ip" : "121.37.223.24",
      "dst_port" : 9034,
      "dst_region_id" : "CN",
      "dst_region_name" : "China",
      "dst_province_id" : "GD",
      "dst_province_name" : "Guangdong",
      "dst_city_id" : "Guangzhou",
      "dst_city_name" : "Guangzhou",
      "event_time" : 1751014701000,
      "level" : "CRITICAL",
      "protocol" : "UDP",
      "source" : "predefined",
      "src_ip" : "92.112.125.103",
      "tag" : -1,
      "src_port" : 43533,
      "src_region_id" : "US",
      "src_region_name" : "United States"
    } ],
    "src_ip_count" : 1,
    "start_time" : 1751014701000,
    "total" : 1
  }
}

Status code: 400

Bad Request

{
  "error_code" : "CFW.00200007",
  "error_msg" : "Incorrect time range."
}
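The following Python sketch is an added example, not part of the original reference or any official SDK. It validates the query parameters against the ranges in Table 2 before building the request URL, then pulls out the records a responder would triage first: events whose `action` is `permit` at `CRITICAL` level, as in the sample response above. The endpoint hostname is a placeholder, the function names are hypothetical, and authentication (covered under Calling APIs) and the optional `vgw_id` filter are left out.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlencode

# Allowed values copied from Table 2 (Query Parameters) on this page.
LOG_TYPES = {"internet", "nat", "vpc", "vgw"}
ITEMS = {"src_region_id", "attack_type", "in_src_ip", "out_src_ip",
         "dst_port", "dst_ip", "attack_rule", "src_ip"}

def build_url(endpoint, project_id, fw_instance_id, log_type, item, value,
              action=0, time_range=None, start_time=None, end_time=None):
    """Check arguments against the documented ranges, then build the GET URL."""
    if log_type not in LOG_TYPES:
        raise ValueError(f"log_type must be one of {sorted(LOG_TYPES)}")
    if item not in ITEMS:
        raise ValueError(f"item must be one of {sorted(ITEMS)}")
    if action not in (0, 1):                      # 0: all, 1: block
        raise ValueError("action must be 0 or 1")
    if time_range not in (None, 0, 1, 2):         # hour, day, seven days
        raise ValueError("range must be 0, 1 or 2")
    params = {"fw_instance_id": fw_instance_id, "log_type": log_type,
              "range": time_range, "start_time": start_time,
              "end_time": end_time, "item": item, "action": action,
              "value": value}
    query = urlencode({k: v for k, v in params.items() if v is not None})
    return f"https://{endpoint}/v1/{project_id}/cfw/logs/attack-detail?{query}"

def permitted_critical(body):
    """Return triage rows for records that were permitted at CRITICAL level."""
    rows = []
    for rec in body.get("data", {}).get("records", []):
        if rec.get("action") == "permit" and rec.get("level") == "CRITICAL":
            when = datetime.fromtimestamp(rec["event_time"] / 1000, tz=timezone.utc)
            rows.append({"time_utc": when.isoformat(),
                         "src": f'{rec["src_ip"]}:{rec["src_port"]}',
                         "dst": f'{rec["dst_ip"]}:{rec["dst_port"]}',
                         "rule": rec["attack_rule"]})
    return rows

# Constructed sample: a trimmed copy of the 200 response shown on this page.
SAMPLE = json.loads("""{"data": {"records": [{"action": "permit",
  "attack_rule": "Realtek Jungle SDK Command Injection Vulnerability (CVE-2021-35394)",
  "dst_ip": "121.37.223.24", "dst_port": 9034, "event_time": 1751014701000,
  "level": "CRITICAL", "src_ip": "92.112.125.103", "src_port": 43533}], "total": 1}}""")

if __name__ == "__main__":
    print(build_url("cfw.example.invalid", "7db2c6e2934046dd8c5a996ed4780c5b",
                    "a7df0f6c-da03-4511-ad0b-b17b589ff0ec", "internet",
                    "src_region_id", "US", time_range=2))
    print(permitted_critical(SAMPLE))
```

A permitted CRITICAL hit means the firewall observed the exploit signature without blocking it, so the destination host and the protection mode in force for that rule are the first things to check.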

Status Codes

| Status Code | Description |
|---|---|
| 200 | OK |
| 400 | Bad Request |

Error Codes

See Error Codes.