Querying the List of Attack Events
Function
This API is used to query the attack event list. Currently, this API does not support query of all protection events. The pagesize parameter cannot be set to -1. The larger the data volume, the larger the memory consumption. A maximum of 10,000 data records can be queried. For example, if the number of data records in a user-defined period exceeds 10,000, the data whose page is 101 (or pagesize is greater than 100) cannot be queried. You need to adjust the time range to a longer period and then query the data.
Calling Method
For details, see Calling APIs.
URI
GET /v1/{project_id}/waf/event
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
project_id |
Yes |
String |
Definition Project ID. To obtain it, log in to the Huawei Cloud console, click the username, choose My Credentials, and find the project ID in the Projects list. Constraints N/A Range Enter 32 characters. Only letters and digits are allowed. Default Value N/A |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
enterprise_project_id |
No |
String |
Definition Obtain the enterprise project ID by calling the ListEnterpriseProject API of Enterprise Project Management Service (EPS). To obtain the resource details in all enterprise projects of a user, set this parameter to all_granted_eps. Constraints N/A Range
Default Value 0 |
recent |
No |
String |
Definition Time range of logs to be queried. Constraints You need to specify either parameter recent or parameters from and to. If bot parameter recent and parameter from or to are specified, recent takes effect. Range
Default Value N/A |
from |
No |
Long |
Definition Start time. Constraints Parameter from must be used together with parameter to. You need to specify either parameter recent or parameters from and to. If bot parameter recent and parameter from or to are specified, recent takes effect. Range 13-bit millisecond timestamp. Default Value N/A |
to |
No |
Long |
Definition End time. Constraints Parameter to must be used together with parameter from. You need to specify either parameter recent or parameters from and to. If bot parameter recent and parameter from or to are specified, recent takes effect. Range 13-bit millisecond timestamp. Default Value N/A |
attacks |
No |
Array of strings |
Definition Attack type. Constraints N/A Range
Default Value N/A |
hosts |
No |
Array of strings |
Definition Domain name ID. You can call the ListHost API to obtain it. Constraints N/A Range N/A Default Value N/A |
sips |
No |
Array of strings |
Definition Source IP address, which is the IP address of the web visitor, or potential attacker. Constraints N/A Range N/A Default Value N/A |
page |
No |
Integer |
Definition Page number of the data to be returned in a query. The default value is 1, indicating that data on the first page is returned. Constraints N/A Range N/A Default Value 1 |
pagesize |
No |
Integer |
Definition Number of results on each page in a pagination query. The default value is 10, indicating that each page contains 10 results. Constraints N/A Range N/A Default Value 10 |
Request Parameters
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
X-Auth-Token |
Yes |
String |
Definition User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). Constraints N/A Range N/A Default Value N/A |
Content-Type |
Yes |
String |
Definition Content type. Constraints N/A Range N/A Default Value application/json;charset=utf8 |
X-Language |
No |
String |
Definition Language. The default value is zh-cn. zh-cn: Chinese; en-us: English Constraints N/A Range
Default Value |
Response Parameters
Status code: 200
Parameter |
Type |
Description |
---|---|---|
total |
Integer |
Number of attack events. |
items |
Array of ListEventItems objects |
Details about an attack event. |
Parameter |
Type |
Description |
---|---|---|
id |
String |
Definition Incident ID Range N/A |
time |
Long |
Definition Timestamp when the attack occurs, in milliseconds. Range N/A |
policyid |
String |
Definition Policy ID. Range N/A |
sip |
String |
Definition Source IP address, which is the IP address of the web visitor, or potential attacker. Range N/A |
host |
String |
Definition Domain name. Range N/A |
url |
String |
Definition Attacked URL. Range N/A |
attack |
String |
Definition Attack type. Range
|
rule |
String |
Definition ID of the matched rule Range N/A |
payload |
String |
Definition Hit payload Range N/A |
payload_location |
String |
Definition Hit payload position Range N/A |
action |
String |
Definition Protective action. Range N/A |
request_line |
String |
Definition Request method and path Range N/A |
headers |
Object |
Definition HTTP request header Range N/A |
cookie |
String |
Definition Request cookie Range N/A |
status |
String |
Definition Response code status Range N/A |
process_time |
Integer |
Definition Handing duration Range N/A |
region |
String |
Definition Geographical location. Range N/A |
host_id |
String |
Definition Domain name ID. Range N/A |
response_time |
Long |
Definition Response Duration Range N/A |
response_size |
Integer |
Definition Response Body Size Range N/A |
response_body |
String |
Definition Response body Range N/A |
request_body |
String |
Definition Request body Range N/A |
Status code: 400
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error message. |
encoded_authorization_message |
String |
You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs. |
details |
Array of IAM5ErrorDetails objects |
The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs. |
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error codes of the downstream service. |
error_msg |
String |
Error messages of the downstream service. |
Status code: 401
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error message. |
encoded_authorization_message |
String |
You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs. |
details |
Array of IAM5ErrorDetails objects |
The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs. |
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error codes of the downstream service. |
error_msg |
String |
Error messages of the downstream service. |
Status code: 500
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error message. |
encoded_authorization_message |
String |
You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs. |
details |
Array of IAM5ErrorDetails objects |
The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs. |
Example Requests
The following example shows how to query the event list for the current day in a project. The project ID is specified by project_id.
GET https://{Endpoint}/v1/{project_id}/waf/event?enterprise_project_id=0&page=1&pagesize=10&recent=today
Example Responses
Status code: 200
ok
{ "total" : 1, "items" : [ { "id" : "04-0000-0000-0000-21120220421152601-2f7a5ceb", "time" : 1650525961000, "policyid" : "25f1d179896e4e3d87ceac0598f48d00", "host" : "x.x.x.x:xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "url" : "/osclass/oc-admin/index.php", "attack" : "lfi", "rule" : "040002", "payload" : " file=../../../../../../../../../../etc/passwd", "payload_location" : "params", "sip" : "x.x.x.x", "action" : "block", "request_line" : "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd", "headers" : { "accept-language" : "en", "ls-id" : "xxxxx-xxxxx-xxxx-xxxx-9c302cb7c54a", "host" : "x.x.x.x", "lb-id" : "2f5f15ce-08f4-4df0-9899-ec0cc1fcdc52", "accept-encoding" : "gzip", "accept" : "*/*", "user-agent" : "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36" }, "cookie" : "HWWAFSESID=2a1d773f9199d40a53; HWWAFSESTIME=1650525961805", "status" : "418", "host_id" : "6fbe595e7b874dbbb1505da3e8579b54", "response_time" : 0, "response_size" : 3318, "response_body" : "", "process_time" : 2, "request_body" : "{}" } ] }
SDK Sample Code
The SDK sample code is as follows.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
package com.huaweicloud.sdk.test; import com.huaweicloud.sdk.core.auth.ICredential; import com.huaweicloud.sdk.core.auth.BasicCredentials; import com.huaweicloud.sdk.core.exception.ConnectionException; import com.huaweicloud.sdk.core.exception.RequestTimeoutException; import com.huaweicloud.sdk.core.exception.ServiceResponseException; import com.huaweicloud.sdk.waf.v1.region.WafRegion; import com.huaweicloud.sdk.waf.v1.*; import com.huaweicloud.sdk.waf.v1.model.*; public class ListEventSolution { public static void main(String[] args) { // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment String ak = System.getenv("CLOUD_SDK_AK"); String sk = System.getenv("CLOUD_SDK_SK"); String projectId = "{project_id}"; ICredential auth = new BasicCredentials() .withProjectId(projectId) .withAk(ak) .withSk(sk); WafClient client = WafClient.newBuilder() .withCredential(auth) .withRegion(WafRegion.valueOf("<YOUR REGION>")) .build(); ListEventRequest request = new ListEventRequest(); try { ListEventResponse response = client.listEvent(request); System.out.println(response.toString()); } catch (ConnectionException e) { e.printStackTrace(); } catch (RequestTimeoutException e) { e.printStackTrace(); } catch (ServiceResponseException e) { e.printStackTrace(); System.out.println(e.getHttpStatusCode()); System.out.println(e.getRequestId()); System.out.println(e.getErrorCode()); System.out.println(e.getErrorMsg()); } } } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
# coding: utf-8 import os from huaweicloudsdkcore.auth.credentials import BasicCredentials from huaweicloudsdkwaf.v1.region.waf_region import WafRegion from huaweicloudsdkcore.exceptions import exceptions from huaweicloudsdkwaf.v1 import * if __name__ == "__main__": # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment ak = os.environ["CLOUD_SDK_AK"] sk = os.environ["CLOUD_SDK_SK"] projectId = "{project_id}" credentials = BasicCredentials(ak, sk, projectId) client = WafClient.new_builder() \ .with_credentials(credentials) \ .with_region(WafRegion.value_of("<YOUR REGION>")) \ .build() try: request = ListEventRequest() response = client.list_event(request) print(response) except exceptions.ClientRequestException as e: print(e.status_code) print(e.request_id) print(e.error_code) print(e.error_msg) |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
package main import ( "fmt" "github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic" waf "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1" "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/model" region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/region" ) func main() { // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment ak := os.Getenv("CLOUD_SDK_AK") sk := os.Getenv("CLOUD_SDK_SK") projectId := "{project_id}" auth := basic.NewCredentialsBuilder(). WithAk(ak). WithSk(sk). WithProjectId(projectId). Build() client := waf.NewWafClient( waf.WafClientBuilder(). WithRegion(region.ValueOf("<YOUR REGION>")). WithCredential(auth). Build()) request := &model.ListEventRequest{} response, err := client.ListEvent(request) if err == nil { fmt.Printf("%+v\n", response) } else { fmt.Println(err) } } |
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
Status Codes
Status Code |
Description |
---|---|
200 |
ok |
400 |
Request failed. |
401 |
The token does not have required permissions. |
500 |
Internal server error. |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot