Updated on 2024-07-25 GMT+08:00

Querying the List of Attack Events

Function

This API is used to query the attack event list. Currently, this API cannot be used to query all the events. The pagesize parameter cannot be set to -1. A large query data volume will result in large memory consumption. To avoid affecting performance, a maximum of 10,000 data records can be returned. For example, if the number of data records in the specified time period exceeds 10,000, the data records on page 101 and later cannot be returned. In this case, you need to modify the time period and query again.

URI

GET /v1/{project_id}/waf/event

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

project_id

Yes

String

Project ID

Table 2 Query Parameters

Parameter

Mandatory

Type

Description

enterprise_project_id

No

String

ID of the enterprise project. It can be obtained by calling the ListEnterpriseProject API of EPS.

recent

No

String

Time range for querying logs. This parameter cannot be used together with from and to.

Enumeration values:

  • yesterday

  • today

  • 3days

  • 1week

  • 1month

attacks

No

Array

Attack type.

  • vuln: other attack types

  • sqli: SQL injections

  • lfi: local file inclusion attacks

  • cmdi: command injections

  • xss: XSS attacks

  • robot: malicious crawlers

  • rfi: remote file inclusion attacks

  • custom_custom: precise protection

  • cc: CC attacks

  • webshell: website Trojans

  • custom_whiteblackip: attacks blocked based on blacklist and whitelist settings

  • custom_geoip: attacks blocked based on geolocations

  • antitamper: anti-tamper events

  • anticrawler: anti-crawler events

  • leakage: website data leakage prevention

  • illegal: unauthorized requests

from

No

Long

Start time (13-digit timestamp). This parameter must be used together with to, but cannot be used together with recent.

to

No

Long

End time (13-digit timestamp). This parameter must be used together with from but cannot be used together with recent.

hosts

No

Array

Domain name ID. It can be obtained by calling the ListHost API.

page

No

Integer

Page number of the data to be returned in a query. The value range is 0 to 100000. The default value is 1, indicating that data on the first page is returned.

pagesize

No

Integer

Number of results on each page in query pagination. The value range is 1 to 100. The default value is 10, indicating that each page contains 10 results.

Request Parameters

Table 3 Request header parameters

Parameter

Mandatory

Type

Description

X-Auth-Token

Yes

String

User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header).

Content-Type

Yes

String

Content type

Default: application/json;charset=utf8

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

total

Integer

Number of attack events

items

Array of ListEventItems objects

Attack event details

Table 5 ListEventItems

Parameter

Type

Description

id

String

Event ID

time

Long

Count

policyid

String

Policy ID

sip

String

Source IP address

host

String

Domain name

url

String

Attacked URL

attack

String

Attack type:

  • vuln: other attack types

  • sqli: SQL injections

  • lfi: local file inclusion attacks

  • cmdi: command injections

  • xss: XSS attacks

  • robot: malicious crawlers

  • rfi: remote file inclusion attacks

  • custom_custom: precise protection

  • webshell: website Trojans

  • custom_whiteblackip: attacks blocked based on blacklist and whitelist settings

  • custom_geoip: attacks blocked based on geolocations

  • antitamper: anti-tamper events

  • anticrawler: anti-crawler events

  • leakage: website data leakage prevention

  • illegal: unauthorized requests

rule

String

ID of the matched rule

payload

String

Hit payload

action

String

Action

request_line

String

Request method and path

headers

Object

HTTP request header

cookie

String

Request cookie

status

String

Response code status

process_time

Integer

Processing time

region

String

Geographical location

host_id

String

Domain name ID

response_time

Long

Time to response

response_size

Integer

Response body size

response_body

String

Response body

request_body

String

Request body

Status code: 400

Table 6 Response body parameters

Parameter

Type

Description

error_code

String

Error Code

error_msg

String

Error Messages

Status code: 401

Table 7 Response body parameters

Parameter

Type

Description

error_code

String

Error Code

error_msg

String

Error Messages

Status code: 500

Table 8 Response body parameters

Parameter

Type

Description

error_code

String

Error Code

error_msg

String

Error Messages

Example Requests

GET https://{Endpoint}/v1/{project_id}/waf/event?enterprise_project_id=0&page=1&pagesize=10&recent=today

Example Responses

Status code: 200

ok

{
  "total" : 1,
  "items" : [ {
    "id" : "04-0000-0000-0000-21120220421152601-2f7a5ceb",
    "time" : 1650525961000,
    "policyid" : "25f1d179896e4e3d87ceac0598f48d00",
    "host" : "x.x.x.x:xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "url" : "/osclass/oc-admin/index.php",
    "attack" : "lfi",
    "rule" : "040002",
    "payload" : " file=../../../../../../../../../../etc/passwd",
    "payload_location" : "params",
    "sip" : "x.x.x.x",
    "action" : "block",
    "request_line" : "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd",
    "headers" : {
      "accept-language" : "en",
      "ls-id" : "xxxxx-xxxxx-xxxx-xxxx-9c302cb7c54a",
      "host" : "x.x.x.x",
      "lb-id" : "2f5f15ce-08f4-4df0-9899-ec0cc1fcdc52",
      "accept-encoding" : "gzip",
      "accept" : "*/*",
      "user-agent" : "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"
    },
    "cookie" : "HWWAFSESID=2a1d773f9199d40a53; HWWAFSESTIME=1650525961805",
    "status" : "418",
    "host_id" : "6fbe595e7b874dbbb1505da3e8579b54",
    "response_time" : 0,
    "response_size" : 3318,
    "response_body" : "",
    "process_time" : 2,
    "request_body" : "{}"
  } ]
}

Status Codes

Status Code

Description

200

ok

400

Request failed.

401

The token does not have required permissions.

500

Internal server error.

Error Codes

See Error Codes.