Updated on 2023-09-08 GMT+08:00

Querying the List of Attack Events

Function

This API is used to query the attack event list. Currently, it does not support querying all protection events. The pagesize parameter cannot be set to -1, because the larger the data volume, the larger the memory consumption. A maximum of 10,000 records can be queried for one time range: if the number of records in a user-defined period exceeds 10,000, the records from page 101 onward at pagesize 100 (pagesize cannot exceed 100) are beyond the 10,000th record and cannot be retrieved. Adjust the query time range so that each period contains no more than 10,000 records, then query again.

URI

GET /v1/{project_id}/waf/event

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| project_id | Yes | String | Project ID. To obtain it, go to the Cloud management console and hover the cursor over your username. On the displayed window, choose My Credentials. Then, in the Projects area, view the Project ID of the corresponding project. |

Table 2 Query Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| enterprise_project_id | No | String | Enterprise project ID. You can obtain the ID by calling the ListEnterpriseProject API of EPS. |
| recent | No | String | Time range for querying logs. This parameter cannot be used together with from or to; either recent or the from/to pair must be specified. Enumeration values: yesterday, today, 3days, 1week, 1month |
| from | No | Long | Start time (13-digit timestamp). This parameter must be used together with to, but cannot be used together with recent. |
| to | No | Long | End time (13-digit timestamp). This parameter must be used together with from, but cannot be used together with recent. |
| attacks | No | Array | Attack type. One or more of the values listed below this table. |
| hosts | No | Array | Domain name ID. It can be obtained by calling the ListHost API. |
| page | No | Integer | Page number of the data to be returned during pagination query. The default value is 1, indicating that the data on the first page is returned. |
| pagesize | No | Integer | Number of results on each page during pagination query. Value range: 1 to 100. The default value is 10, indicating that each page contains 10 results. |

Values of the attacks parameter:

  • vuln: other attack types
  • sqli: SQL injection attacks
  • lfi: local file inclusion
  • cmdi: command injection attacks
  • xss: XSS attacks
  • robot: malicious crawler
  • rfi: remote file inclusion
  • custom_custom: attacks that hit the precision protection rule
  • cc: CC attacks
  • webshell: website Trojan
  • custom_whiteblackip: attacks that hit the blocklist and trustlist rule
  • custom_geoip: attacks that hit the geolocation access control rule
  • antitamper: attacks that hit the web tamper prevention rule
  • anticrawler: attacks that hit the anti-crawler rules
  • leakage: attacks that hit the information leakage prevention rule
  • illegal: illegal requests

Request Parameters

Table 3 Request header parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). |
| Content-Type | Yes | String | Content type. Default: application/json;charset=utf8 |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| total | Integer | Number of attack events |
| items | Array of ListEventItems objects | Details about each attack event |

Table 5 ListEventItems

| Parameter | Type | Description |
| --- | --- | --- |
| id | String | Event ID |
| time | Long | Time at which the event occurred (13-digit timestamp) |
| policyid | String | Policy ID |
| sip | String | Source IP address, which is the IP address of the web visitor (attacker's IP address). |
| host | String | Attacked domain name |
| url | String | Attacked URL |
| attack | String | Attack type. One of the values listed below this table. |
| rule | String | ID of the matched rule |
| payload | String | Hit payload |
| payload_location | String | Location of the hit payload (for example, params) |
| action | String | Protective action |
| request_line | String | Request method and path |
| headers | Object | HTTP request headers |
| cookie | String | Request cookie |
| status | String | HTTP status code of the response |
| process_time | Integer | Processing time |
| region | String | Geographical location |
| host_id | String | Domain name ID |
| response_time | Long | Response time |
| response_size | Integer | Response body size |
| response_body | String | Response body |
| request_body | String | Request body |

Values of the attack field:

  • vuln: other attack types
  • sqli: SQL injection attack
  • lfi: local file inclusion
  • cmdi: command injection attacks
  • xss: XSS attacks
  • robot: malicious crawler
  • rfi: remote file inclusion
  • custom_custom: attacks that hit a precise protection rule
  • webshell: Trojan
  • custom_whiteblackip: attacks that hit a blacklist or whitelist rule
  • custom_geoip: attacks that hit a geolocation access control rule
  • antitamper: attacks that hit a web tamper prevention rule
  • anticrawler: attacks that hit an anti-crawler rule
  • leakage: attacks that hit an information leakage prevention rule
  • illegal: invalid requests

Status code: 400

Table 6 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code |
| error_msg | String | Error message |

Status code: 401

Table 7 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code |
| error_msg | String | Error message |

Status code: 500

Table 8 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code |
| error_msg | String | Error message |

Example Requests

GET https://{Endpoint}/v1/{project_id}/waf/event?enterprise_project_id=0&page=1&pagesize=10&recent=today

Example Responses

Status code: 200

ok

{
  "total" : 1,
  "items" : [ {
    "id" : "04-0000-0000-0000-21120220421152601-2f7a5ceb",
    "time" : 1650525961000,
    "policyid" : "25f1d179896e4e3d87ceac0598f48d00",
    "host" : "x.x.x.x:xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "url" : "/osclass/oc-admin/index.php",
    "attack" : "lfi",
    "rule" : "040002",
    "payload" : " file=../../../../../../../../../../etc/passwd",
    "payload_location" : "params",
    "sip" : "x.x.x.x",
    "action" : "block",
    "request_line" : "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd",
    "headers" : {
      "accept-language" : "en",
      "ls-id" : "xxxxx-xxxxx-xxxx-xxxx-9c302cb7c54a",
      "host" : "x.x.x.x",
      "lb-id" : "2f5f15ce-08f4-4df0-9899-ec0cc1fcdc52",
      "accept-encoding" : "gzip",
      "accept" : "*/*",
      "user-agent" : "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"
    },
    "cookie" : "HWWAFSESID=2a1d773f9199d40a53; HWWAFSESTIME=1650525961805",
    "status" : "418",
    "host_id" : "6fbe595e7b874dbbb1505da3e8579b54",
    "response_time" : 0,
    "response_size" : 3318,
    "response_body" : "",
    "process_time" : 2,
    "request_body" : "{}"
  } ]
}
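As an added example that is not part of this page or of Huawei Cloud's own SDK, the following Python script builds a query that satisfies the constraints documented above (recent versus from/to, 13-digit timestamps, pagesize 1 to 100, the 10,000-record cap), pages through the results, and summarises the returned ListEventItems by attack type, protective action and source IP. The endpoint, project ID and token are placeholders; the sample response embedded in the script is the example body shown above, trimmed to the fields used; sending the array parameters attacks and hosts as repeated query keys is an assumption, since the page does not state how arrays are encoded.

```python
"""Added example, not Huawei Cloud's own code: query and summarise WAF attack
events from GET /v1/{project_id}/waf/event.  Endpoint, project ID and token
are placeholders; SAMPLE_RESPONSE is the page's example body, trimmed, so the
validation and summary parts run offline."""
import json
from collections import Counter
from typing import Any, Callable, Dict, Iterable, Iterator, List, Optional

MAX_PAGESIZE = 100      # documented range of pagesize is 1 to 100
MAX_RECORDS = 10_000    # documented cap on records reachable in one time range
RECENT_VALUES = {"yesterday", "today", "3days", "1week", "1month"}

# Constructed sample: the 200 response shown on this page, reduced to the
# fields used below (x.x.x.x is the page's own placeholder).
SAMPLE_RESPONSE = json.loads("""{
  "total": 1,
  "items": [{
    "id": "04-0000-0000-0000-21120220421152601-2f7a5ceb",
    "time": 1650525961000, "attack": "lfi", "rule": "040002",
    "payload": " file=../../../../../../../../../../etc/passwd",
    "payload_location": "params", "sip": "x.x.x.x",
    "action": "block", "status": "418"
  }]
}""")


def build_query(recent: Optional[str] = None, from_ts: Optional[int] = None,
                to_ts: Optional[int] = None, attacks: Optional[List[str]] = None,
                hosts: Optional[List[str]] = None, page: int = 1, pagesize: int = 10,
                enterprise_project_id: Optional[str] = None) -> Dict[str, Any]:
    """Return query parameters that respect the documented constraints."""
    if recent is not None and (from_ts is not None or to_ts is not None):
        raise ValueError("recent cannot be combined with from/to")
    if (from_ts is None) != (to_ts is None):
        raise ValueError("from and to must be used together")
    if recent is None and from_ts is None:
        raise ValueError("either recent or the from/to pair is required")
    if recent is not None and recent not in RECENT_VALUES:
        raise ValueError(f"unsupported recent value: {recent!r}")
    if from_ts is not None and any(len(str(t)) != 13 for t in (from_ts, to_ts)):
        raise ValueError("from and to must be 13-digit millisecond timestamps")
    if not 1 <= pagesize <= MAX_PAGESIZE:
        raise ValueError("pagesize must be 1 to 100; -1 is not supported")
    if page < 1 or (page - 1) * pagesize >= MAX_RECORDS:
        raise ValueError("page exceeds the 10,000-record limit; narrow the time range")
    params: Dict[str, Any] = {"page": page, "pagesize": pagesize}
    if enterprise_project_id is not None:
        params["enterprise_project_id"] = enterprise_project_id
    if recent is not None:
        params["recent"] = recent
    else:
        params["from"], params["to"] = from_ts, to_ts
    # Assumption: array parameters are sent as repeated keys (urlencode doseq=True).
    if attacks:
        params["attacks"] = list(attacks)
    if hosts:
        params["hosts"] = list(hosts)
    return params


def rejects(**kwargs: Any) -> bool:
    """True if build_query refuses this combination of parameters."""
    try:
        build_query(**kwargs)
    except ValueError:
        return True
    return False


def iter_events(fetch: Callable[[Dict[str, Any]], Dict[str, Any]],
                pagesize: int = MAX_PAGESIZE, **window: Any) -> Iterator[Dict[str, Any]]:
    """Yield every event in the window, paging until `total` is exhausted or the
    10,000-record cap is reached.  `fetch` performs one GET and returns the JSON body."""
    page, seen = 1, 0
    while True:
        body = fetch(build_query(page=page, pagesize=pagesize, **window))
        items = body.get("items", [])
        yield from items
        seen += len(items)
        if not items or seen >= body.get("total", 0) or seen >= MAX_RECORDS:
            return
        page += 1


def summarise_events(events: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Count events by attack type and protective action; collect source IPs."""
    by_attack, by_action, sources = Counter(), Counter(), set()
    for e in events:
        by_attack[e.get("attack", "unknown")] += 1
        by_action[e.get("action", "unknown")] += 1
        if e.get("sip"):
            sources.add(e["sip"])
    return {"count": sum(by_attack.values()), "by_attack": dict(by_attack),
            "by_action": dict(by_action), "sources": sorted(sources)}


def make_fetcher(endpoint: str, project_id: str, token: str) -> Callable[[Dict[str, Any]], Dict[str, Any]]:
    """Build a live fetch callable for iter_events (standard library only)."""
    from urllib.parse import urlencode
    from urllib.request import Request, urlopen

    def fetch(params: Dict[str, Any]) -> Dict[str, Any]:
        url = f"https://{endpoint}/v1/{project_id}/waf/event?{urlencode(params, doseq=True)}"
        req = Request(url, headers={"X-Auth-Token": token,
                                    "Content-Type": "application/json;charset=utf8"})
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch
```

Running `summarise_events(iter_events(lambda p: SAMPLE_RESPONSE, recent="today"))` works offline against the embedded sample; for a real project pass `make_fetcher("<endpoint>", "<project_id>", "<X-Auth-Token>")` instead of the lambda. The paging loop stops either when `total` is exhausted or at the 10,000th record, which is the point at which the API itself stops returning data, so a caller that needs more than that must split the period into smaller windows rather than request a higher page number.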

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | ok |
| 400 | Request failed. |
| 401 | The token does not have required permissions. |
| 500 | Internal server error. |

Error Codes

See Error Codes.