Querying the List of Attack Events

Function

This API is used to query the attack event list. Currently, this API does not support query of all protection events. The pagesize parameter cannot be set to -1. The larger the data volume, the larger the memory consumption. A maximum of 10,000 data records can be queried. For example, if the number of data records in a user-defined period exceeds 10,000, the data whose page is 101 (or pagesize is greater than 100) cannot be queried. You need to adjust the time range to a longer period and then query the data.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/waf/event

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID. To obtain it, log in to the Huawei Cloud console, click the username, choose My Credentials, and find the project ID in the Projects list. Constraints N/A Range Enter 32 characters. Only letters and digits are allowed. Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Definition Obtain the enterprise project ID by calling the ListEnterpriseProject API of Enterprise Project Management Service (EPS). To obtain the resource details in all enterprise projects of a user, set this parameter to all_granted_eps. Constraints N/A Range 0: the default enterprise project. all_granted_eps: all enterprise projects. A specific enterprise project ID: Enter a maximum of 36 characters. Default Value 0
recent	No	String	Definition Time range of logs to be queried. Constraints You need to specify either parameter recent or parameters from and to. If bot parameter recent and parameter from or to are specified, recent takes effect. Range yesterday today 3days 1week 1month Default Value N/A
from	No	Long	Definition Start time. Constraints Parameter from must be used together with parameter to. You need to specify either parameter recent or parameters from and to. If bot parameter recent and parameter from or to are specified, recent takes effect. Range 13-bit millisecond timestamp. Default Value N/A
to	No	Long	Definition End time. Constraints Parameter to must be used together with parameter from. You need to specify either parameter recent or parameters from and to. If bot parameter recent and parameter from or to are specified, recent takes effect. Range 13-bit millisecond timestamp. Default Value N/A
attacks	No	Array of strings	Definition Attack type. Constraints N/A Range vuln: other attack types sqli: SQL injections lfi: local file inclusion attacks cmdi: command injections xss: XSS attacks robot: malicious crawlers rfi: remote file inclusion attacks custom_custom: precise protection cc: CC attacks webshell: website Trojans custom_whiteblackip: attacks blocked based on blacklist and whitelist settings custom_geoip: attacks blocked based on geolocations antitamper: anti-tamper events anticrawler: anti-crawler events leakage: website data leakage prevention illegal: unauthorized requests antiscan_high_freq_scan: blocking of high-frequency scanning antiscan_dir_traversal: directory traversal protection Default Value N/A
hosts	No	Array of strings	Definition Domain name ID. You can call the ListHost API to obtain it. Constraints N/A Range N/A Default Value N/A
sips	No	Array of strings	Definition Source IP address, which is the IP address of the web visitor, or potential attacker. Constraints N/A Range N/A Default Value N/A
page	No	Integer	Definition Page number of the data to be returned in a query. The default value is 1, indicating that data on the first page is returned. Constraints N/A Range N/A Default Value 1
pagesize	No	Integer	Definition Number of results on each page in a pagination query. The default value is 10, indicating that each page contains 10 results. Constraints N/A Range N/A Default Value 10

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). Constraints N/A Range N/A Default Value N/A
Content-Type	Yes	String	Definition Content type. Constraints N/A Range N/A Default Value application/json;charset=utf8
X-Language	No	String	Definition Language. The default value is zh-cn. zh-cn: Chinese; en-us: English Constraints N/A Range zh-cn: Chinese en-us: English zh-cn Default Value

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total	Integer	Number of attack events.
items	Array of ListEventItems objects	Details about an attack event.

**Table 5** ListEventItems
Parameter	Type	Description
id	String	Definition Incident ID Range N/A
time	Long	Definition Timestamp when the attack occurs, in milliseconds. Range N/A
policyid	String	Definition Policy ID. Range N/A
sip	String	Definition Source IP address, which is the IP address of the web visitor, or potential attacker. Range N/A
host	String	Definition Domain name. Range N/A
url	String	Definition Attacked URL. Range N/A
attack	String	Definition Attack type. Range vuln: other attack types sqli: SQL injections lfi: local file inclusion attacks cmdi: command injections xss: XSS attacks robot: malicious crawlers rfi: remote file inclusion attacks custom_custom: precise protection webshell: website Trojans custom_whiteblackip: attacks blocked based on blacklist and whitelist settings custom_geoip: attacks blocked based on geolocations antitamper: anti-tamper events anticrawler: anti-crawler events leakage: website data leakage prevention illegal: The request is invalid. antiscan_high_freq_scan: blocking of high-frequency scanning antiscan_dir_traversal: directory traversal protection
rule	String	Definition ID of the matched rule Range N/A
payload	String	Definition Hit payload Range N/A
payload_location	String	Definition Hit payload position Range N/A
action	String	Definition Protective action. Range N/A
request_line	String	Definition Request method and path Range N/A
headers	Object	Definition HTTP request header Range N/A
cookie	String	Definition Request cookie Range N/A
status	String	Definition Response code status Range N/A
process_time	Integer	Definition Handing duration Range N/A
region	String	Definition Geographical location. Range N/A
host_id	String	Definition Domain name ID. Range N/A
response_time	Long	Definition Response Duration Range N/A
response_size	Integer	Definition Response Body Size Range N/A
response_body	String	Definition Response body Range N/A
request_body	String	Definition Request body Range N/A

Status code: 400

**Table 6** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 7** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Status code: 401

**Table 8** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 9** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Status code: 500

**Table 10** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 11** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Example Requests

The following example shows how to query the event list for the current day in a project. The project ID is specified by project_id.

GET https://{Endpoint}/v1/{project_id}/waf/event?enterprise_project_id=0&page=1&pagesize=10&recent=today

Example Responses

Status code: 200

{
  "total" : 1,
  "items" : [ {
    "id" : "04-0000-0000-0000-21120220421152601-2f7a5ceb",
    "time" : 1650525961000,
    "policyid" : "25f1d179896e4e3d87ceac0598f48d00",
    "host" : "x.x.x.x:xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "url" : "/osclass/oc-admin/index.php",
    "attack" : "lfi",
    "rule" : "040002",
    "payload" : " file=../../../../../../../../../../etc/passwd",
    "payload_location" : "params",
    "sip" : "x.x.x.x",
    "action" : "block",
    "request_line" : "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd",
    "headers" : {
      "accept-language" : "en",
      "ls-id" : "xxxxx-xxxxx-xxxx-xxxx-9c302cb7c54a",
      "host" : "x.x.x.x",
      "lb-id" : "2f5f15ce-08f4-4df0-9899-ec0cc1fcdc52",
      "accept-encoding" : "gzip",
      "accept" : "*/*",
      "user-agent" : "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"
    },
    "cookie" : "HWWAFSESID=2a1d773f9199d40a53; HWWAFSESTIME=1650525961805",
    "status" : "418",
    "host_id" : "6fbe595e7b874dbbb1505da3e8579b54",
    "response_time" : 0,
    "response_size" : 3318,
    "response_body" : "",
    "process_time" : 2,
    "request_body" : "{}"
  } ]
}

SDK Sample Code

The SDK sample code is as follows.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.waf.v1.region.WafRegion;
import com.huaweicloud.sdk.waf.v1.*;
import com.huaweicloud.sdk.waf.v1.model.*;


public class ListEventSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        WafClient client = WafClient.newBuilder()
                .withCredential(auth)
                .withRegion(WafRegion.valueOf("<YOUR REGION>"))
                .build();
        ListEventRequest request = new ListEventRequest();
        try {
            ListEventResponse response = client.listEvent(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

      
       
         
         
           # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkwaf.v1.region.waf_region import WafRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkwaf.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = WafClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(WafRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListEventRequest()
        response = client.list_event(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    waf "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := waf.NewWafClient(
        waf.WafClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.ListEventRequest{}
	response, err := client.ListEvent(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     