Updated on 2026-04-03 GMT+08:00

Querying the Application Protection Event List

Function

This API is used to query the application protection event list. It retrieves the protection event information, including the alarm severity, server name, alarm name, alarm time, attack source IP address, and attack source URL.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, no identity policy-based permission is required for calling this API.

URI

GET /v5/{project_id}/rasp/events

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Definition

Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID.

Constraints

N/A

Range

The value can contain 1 to 256 characters.

Default Value

N/A

Table 2 Query Parameters

Parameter

Mandatory

Type

Description

enterprise_project_id

No

String

Definition

Enterprise project ID, which is used to filter assets in different enterprise projects. For details, see Obtaining an Enterprise Project ID.

To query assets in all enterprise projects, set this parameter to all_granted_eps.

Constraints

You need to set this parameter only after the enterprise project function is enabled.

Range

The value can contain 1 to 256 characters.

Default Value

0: default enterprise project.

host_id

No

String

Definition

Unique ID of a server.

Constraints

N/A

Range

The value can contain 1 to 64 characters.

Default Value

N/A

offset

No

Integer

Definition

Offset, which specifies the start position of the record to be returned.

Constraints

N/A

Range

The value range is 0 to 2,000,000.

Default Value

The default value is 0.

limit

No

Integer

Definition

Number of records displayed on each page.

Constraints

N/A

Range

Value range: 10-200

Default Value

10

start_time

Yes

Long

Definition

Start time (Unix timestamp) for querying application protection events. This parameter is used together with end_time to filter events in a specified period.

Time Format

Unix timestamp, accurate to the millisecond. For example, 1736414463000 indicates 2024-12-10 10:41:03.

Constraints

It must be earlier than end_time. Otherwise, no result will be returned. The timestamp must be a valid time (from 1970-01-01 00:00:00 to now).

Range

The value range is 0 to 9,223,372,036,854,775,807.

Default Value

None

end_time

Yes

Long

Definition

End time of the query period, in milliseconds.

Constraints

N/A

Range

The value range is 0 to 9,223,372,036,854,775,807.

Default Value

None

app_type

No

String

Definition

Application type of the application protection, which is used to filter the protection events of a specified application type.

Constraints

Currently, only the Java type is supported. If any other value is passed, a null result will be returned. The value is case-sensitive.

Range

  • java: Java application protection events

Default Value

None. (Query the events of all supported application types.)

severity

No

String

Definition

Alarm severity of an application protection event. It is used to filter events of a specified severity.

Constraints

The value must be within the specified range. Otherwise, an empty result will be returned.

Range

  • Security: information

  • Low

  • Medium

  • High

  • Critical

Default Value

None

attack_tag

No

String

Definition

Attack type ID of an application protection event, which is used to filter events of a specified attack type.

Constraints

The value is case sensitive and must be in the specified format. Otherwise, an empty result will be returned.

Range

  • Attack Success: successful attack

  • Attack Attempt: attack attempt

  • Attack Blocked: attack blocked

  • Abnormal Behavior: abnormal behavior

  • Collapsible Host: server compromised

  • System Vulnerability: system vulnerability

Default Value

None

protect_status

No

String

Definition

Whether application protection is enabled. It is used to filter events in a specified protection status.

Constraints

The value is case-sensitive and must be within the specified range. Otherwise, a null result will be returned.

Range

  • closed: Protection is disabled.

  • opened: Protection is enabled.

Default Value

None. (Query events in all protection statuses.)

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

Definition

User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token.

Constraints

N/A

Range

The value can contain 1 to 32,768 characters.

Default Value

N/A
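Several constraints in Table 2 fail silently: a start_time that is not earlier than end_time, or a filter value with the wrong case, returns an empty result rather than an error, which looks the same as "no events". The following added example (not part of the original reference or of any Huawei Cloud SDK) validates the parameters client-side before building the request. The host in ENDPOINT is a placeholder, and the function names and the token value used with them are assumptions.

```python
from urllib.parse import quote, urlencode

# Placeholder host (assumption): the page documents only the path.
ENDPOINT = "https://hss.example.com"

# Listed values from Table 2; every one of them is case-sensitive.
ALLOWED = {
    "app_type": {"java"},
    "severity": {"Security", "Low", "Medium", "High", "Critical"},
    "protect_status": {"closed", "opened"},
}
# Accepted as-is: free-form IDs, plus attack_tag, whose listed values and
# example response use different spellings on the page.
PASS_THROUGH = {"enterprise_project_id", "host_id", "attack_tag"}


def build_events_request(project_id, token, start_ms, end_ms,
                         offset=0, limit=10, **filters):
    """Return (url, headers) for GET /v5/{project_id}/rasp/events.

    Raises ValueError for out-of-range input, including the filter mistakes
    that Table 2 says yield an empty result rather than an error.
    """
    if not 1 <= len(project_id) <= 256:
        raise ValueError("project_id must be 1 to 256 characters")
    if not 0 <= start_ms < end_ms:
        raise ValueError("start_time must be earlier than end_time")
    if not 0 <= offset <= 2_000_000:
        raise ValueError("offset must be 0 to 2,000,000")
    if not 10 <= limit <= 200:
        raise ValueError("limit must be 10 to 200")
    for name, value in filters.items():
        if name in ALLOWED:
            if value not in ALLOWED[name]:
                raise ValueError(f"{name}={value!r} is not a listed value")
        elif name not in PASS_THROUGH:
            raise ValueError(f"unknown query parameter {name!r}")
    query = {"start_time": start_ms, "end_time": end_ms,
             "offset": offset, "limit": limit, **filters}
    path = f"/v5/{quote(project_id, safe='')}/rasp/events"
    return f"{ENDPOINT}{path}?{urlencode(query)}", {"X-Auth-Token": token}


def page_offsets(total_num, limit):
    """Offsets that cover total_num events, capped at the offset maximum."""
    return list(range(0, min(total_num, 2_000_001), limit))
```

Call build_events_request once with offset 0, read total_num from the response, then request the remaining pages at the offsets page_offsets returns.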

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

total_num

Long

Definition

Total number of application protection events that meet all filter criteria, which is used to calculate the total number of pages.

Range

The value range is 0 to 9,223,372,036,854,775,807.

data_list

Array of RaspProtectHistoryResponseInfo objects

Definition

It contains details about the queried application protection events. Each element corresponds to the complete data of a protection event.

Range

The array length ranges from 0 to the number of elements displayed on each page. The element structure complies with the RaspProtectHistoryResponseInfo definition. If the array is empty, it indicates there are no matching results.

Table 5 RaspProtectHistoryResponseInfo

Parameter

Type

Description

host_name

String

Definition

Name of the cloud server to which an application protection event belongs. It is used to identify the event source server.

Range

The value contains 1 to 64 characters. It can contain letters, numbers, hyphens (-), and underscores (_), and must comply with the Huawei Cloud ECS naming rules.

private_ip

String

Definition

Private IP address of the cloud server where an application protection event occurred. It is used to determine the network location of the event source server.

Range

A string in IPv4 format (for example, 192.168.0.97). Multiple private IP addresses can be separated by commas (,).

alarm_time

Long

Definition

Time when the application protection event occurred, as a Unix timestamp (in milliseconds).

Time Format

It can be converted to the YYYY-MM-DD HH:MM:SS format (for example, 1736414463000 can be converted to 2024-12-10 10:41:03).

Range

Unix timestamp (in milliseconds). The value ranges from 0 to the current system timestamp.

event_name

String

Definition

Name of an application protection event, which identifies the attack type of the event (for example, ExpressionInject indicates expression injection attacks).

Range

The value contains 1 to 128 characters, including letters, numbers, and underscores (_). It is a predefined attack type ID.

severity

String

Definition

Alarm severity of an application protection event. It is used to filter events of a specified severity.

Constraints

The value must be within the specified range. Otherwise, an empty result will be returned.

Range

  • Security: information

  • Low

  • Medium

  • High

  • Critical

Default Value

None

req_src_ip

String

Definition

Source IP address of the attack, which can be a public or private IP address, used to locate the attack source.

Range

A string in IPv4 or IPv6 format. It can be a single IP address or an IP address segment (for example, 127.0.0.1 or 2001:db8::1).

app_stack

String

Definition

Call stack information of an application when an application protection event occurs, which is used to locate the vulnerability triggering point.

Range

The value can contain 0 to 4,096 characters, including letters, numbers, and common stack information characters. If the value is empty, no stack data is available.

attack_input_name

String

Definition

Name of an additional field (such as a request header field or form field) in an attack request, which is used to identify the incoming field of the attack payload.

Range

The value can contain 0 to 256 characters, including letters, numbers, and common characters in HTTP request fields. If this parameter is left blank, it indicates there are no related fields.

attack_input_value

String

Definition

Malicious payload data (such as injection scripts and malicious commands) contained in an attack request, which is used to analyze attack methods.

Range

The value can contain 0 to 2,048 characters, including letters, numbers, and special characters. If the value is empty, no malicious payload is available.

query_string

String

Definition

Query string of an attack request URL (parameters after the question mark [?]), which is used to analyze the parameter transfer mode of the attack request.

Range

The value can contain 0 to 1024 characters. It can contain characters after URL encoding. If the value is empty, no query string is available.

req_headers

String

Definition

HTTP request header information of an attack request. It is stored in JSON format and contains fields such as User-Agent and Host.

Range

The value can contain 0 to 4096 characters. It is a JSON string. The field name and value support common HTTP header characters. If the value is empty, no request header information is available.

req_method

String

Definition

HTTP method (such as GET and POST) used by an attack request, which is used to analyze the request type of the attack.

Range

The value is a string of 3 to 10 characters. Standard HTTP methods (GET, POST, PUT, and DELETE) are supported. The value is case sensitive.

req_params

String

Definition

Request body parameter of an attack request (for example, form data of a POST request), which is used to analyze the transferred parameters of the attack.

Range

The value can contain 0 to 2,048 characters, including form or JSON code characters. If the value is empty, no request body parameter is available.

req_path

String

Definition

URL path (excluding the query string) of an attack request, which is used to locate the target interface of the attack.

Range

The value can contain 0 to 512 characters, including URL path characters, such as slashes (/), letters, numbers, hyphens (-), and underscores (_). If this parameter is left blank, the root path is used.

req_protocol

String

Definition

HTTP protocol version (such as HTTP/1.1) used by an attack request, which is used to analyze the protocol environment of the attack.

Range

The value is a string of 5 to 10 characters. Standard protocol versions such as HTTP/1.0, HTTP/1.1, and HTTP/2 are supported.

req_url

String

Definition

Complete URL of an attack request (including the protocol, server, path, and query string), which is used to reconstruct the attack request.

Range

The value is a string of 0 to 1024 characters and must comply with the URL format specifications. If the value is empty, no complete URL information is available.

attack_tag

String

Definition

Attack type ID of an application protection event, which corresponds to the attack ID of the request parameter (using lowercase letters and underscores).

Range

  • Attack Success: successful attack

  • Attack Attempt: attack attempt

  • Attack Blocked: attack blocked

  • Abnormal Behavior: abnormal behavior

  • Collapsible Host: server compromised

  • System Vulnerability: system vulnerability

chk_probe

String

Definition

ID of the RASP probe that detects an attack event. It is used to locate the probe type and detection module.

Range

The value contains 1 to 128 characters, including letters, numbers, periods (.), hyphens (-), and underscores (_). It is a predefined probe ID.

chk_rule

String

Definition

Unique ID of a detection rule that triggers a protection event. It is used to associate the specific protection rule configuration.

Range

The value can contain 1 to 64 characters, including letters, numbers, and underscores (_). It is a predefined rule ID (for example, ExpressionInject).

chk_rule_desc

String

Definition

Detailed description of a detection rule that triggers a protection event, which describes the detection logic and purpose of the rule.

Range

The value can contain 0 to 512 characters, including letters, numbers, and common punctuation marks. If the value is empty, no rule description is available.

exist_bug

String

Definition

Whether the attack is caused by application vulnerabilities. (Its value can be yes or no.)

Range

  • yes: There is such a vulnerability.

  • no: There are no such vulnerabilities.

  • unknown

Example Requests

None

Example Responses

Status code: 200

Request succeeded.

{
  "total_num" : 21,
  "data_list" : [ {
    "severity" : "High",
    "host_name" : "test-lmh-003",
    "private_ip" : "192.168.0.97",
    "alarm_time" : 1736414463000,
    "event_name" : "ExpressionInject",
    "req_src_ip" : "127.0.0.1",
    "app_stack" : "com.huawei.hisec.secshield.vulnsblock.**********shieldAndEscapeReturn(*******:225)",
    "query_string" : "",
    "req_headers" : "{\"accept\":[\"*/*\"],\"host\":[\"127.0.0.1:8080\"],\"user-agent\":[\"curl/7.81.0\"]}",
    "req_method" : "GET",
    "req_params" : "",
    "req_path" : "",
    "req_protocol" : "HTTP/1.1",
    "req_url" : "/fileless",
    "attack_tag" : "abnormal_behavior",
    "chk_probe" : "EI-TemplateAwareExpressionParser.parseExpression",
    "chk_rule" : "ExpressionInject",
    "chk_rule_desc" : "the length of the expression over max length, length: 2908",
    "exist_bug" : "yes"
  } ]
}
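In the response above, req_headers is a JSON document stored as a string inside the JSON body, and it, like attack_input_value and query_string, carries content supplied by the requester. The following added example (not part of the original reference) decodes one page of results into triage rows. The function names, the row layout and the severity ordering are assumptions; SAMPLE is the page's example response trimmed to the fields used.

```python
import json
from datetime import datetime, timezone

# The page's example response, trimmed to the fields used here.
SAMPLE = json.loads(r'''
{"total_num": 21, "data_list": [{
  "severity": "High", "host_name": "test-lmh-003",
  "alarm_time": 1736414463000, "event_name": "ExpressionInject",
  "req_src_ip": "127.0.0.1", "req_url": "/fileless",
  "req_headers": "{\"accept\":[\"*/*\"],\"host\":[\"127.0.0.1:8080\"],\"user-agent\":[\"curl/7.81.0\"]}",
  "attack_tag": "abnormal_behavior", "exist_bug": "yes"}]}
''')

# Assumed ordering, most urgent first, of the severity values in Table 5.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Security": 4}


def decode_headers(raw):
    """Decode the nested req_headers JSON string.

    The content comes from the request that raised the event, so malformed
    or non-object input is kept as inert text instead of raising.
    """
    if not raw:
        return {}
    try:
        parsed = json.loads(raw)
    except ValueError:
        return {"_raw": raw}
    return parsed if isinstance(parsed, dict) else {"_raw": raw}


def first_value(headers, name):
    """Header values arrive as lists in the sample; tolerate plain strings."""
    value = headers.get(name)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def triage(body):
    """Return one row per event, most severe first, newest first within that."""
    rows = []
    for ev in body.get("data_list", []):
        headers = decode_headers(ev.get("req_headers", ""))
        when = datetime.fromtimestamp(ev["alarm_time"] / 1000, tz=timezone.utc)
        rows.append({
            "rank": SEVERITY_RANK.get(ev.get("severity"), len(SEVERITY_RANK)),
            "alarm_ms": ev["alarm_time"], "time_utc": when.isoformat(),
            "host": ev.get("host_name"), "rule": ev.get("event_name"),
            "source": ev.get("req_src_ip"),
            "user_agent": first_value(headers, "user-agent"),
            "needs_fix": ev.get("exist_bug") == "yes",
        })
    return sorted(rows, key=lambda r: (r["rank"], -r["alarm_ms"]))
```

Escape the decoded strings before they reach a dashboard, ticket or log line, since the header and payload fields hold whatever the request contained.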

Status Codes

Status Code    Description
200            Request succeeded.

Error Codes

See Error Codes.