Updated on 2022-12-29 GMT+08:00

Querying the List of Attack Events

Function

This API is used to query the attack event list. It cannot return all events in one call: the pagesize parameter cannot be set to -1, and because a large result set consumes a lot of memory, at most 10,000 data records are returned for a given time period. With pagesize set to 100 that is page 100; if more than 10,000 events fall in the specified time period, the records on page 101 and later cannot be returned. In this case, narrow the time period (from and to) and query again.

URI

GET /v1/{project_id}/waf/event

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| project_id | Yes | String | Project ID |

Table 2 Query Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| enterprise_project_id | No | String | ID of the enterprise project. It can be obtained by calling the ListEnterpriseProject API of EPS. |
| recent | No | String | Relative time range for querying logs. Cannot be used together with from and to. Enumeration values: yesterday, today, 3days, 1week, 1month |
| attacks | No | Array | Attack types to filter on. See the list of values below the table. |
| from | No | Long | Start time as a 13-digit (millisecond) timestamp. Must be used together with to; cannot be used together with recent. |
| to | No | Long | End time as a 13-digit (millisecond) timestamp. Must be used together with from; cannot be used together with recent. |
| hosts | No | Array | Domain name IDs. A domain name ID can be obtained by calling the ListHost API. |
| page | No | Integer | Page number of the data to be returned. Value range: 0 to 100000. Default: 1, indicating that the first page is returned. |
| pagesize | No | Integer | Number of results on each page. Value range: 1 to 100. Default: 10, indicating that each page contains 10 results. |

Values of attacks:

  • vuln: other attack types

  • sqli: SQL injections

  • lfi: local file inclusion attacks

  • cmdi: command injections

  • xss: XSS attacks

  • robot: malicious crawlers

  • rfi: remote file inclusion attacks

  • custom_custom: precise protection

  • cc: CC attacks

  • webshell: website Trojans

  • custom_whiteblackip: attacks blocked based on blacklist and whitelist settings

  • custom_geoip: attacks blocked based on geolocations

  • antitamper: anti-tamper events

  • anticrawler: anti-crawler events

  • leakage: website data leakage prevention

  • illegal: unauthorized requests

Request Parameters

Table 3 Request header parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| X-Auth-Token | Yes | String | User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). |
| Content-Type | Yes | String | Content type. Default: application/json;charset=utf8 |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| total | Integer | Number of attack events |
| items | Array of ListEventItems objects | Attack event details |

Table 5 ListEventItems

| Parameter | Type | Description |
| --- | --- | --- |
| id | String | Event ID |
| time | Long | Time at which the event occurred, as a 13-digit (millisecond) timestamp |
| policyid | String | Policy ID |
| sip | String | Source IP address |
| host | String | Domain name |
| url | String | Attacked URL |
| attack | String | Attack type. See the list of values below the table. |
| rule | String | ID of the matched rule |
| payload | String | Hit payload |
| action | String | Action WAF took on the request (block in the sample response) |
| request_line | String | Request method and path |
| headers | Object | HTTP request headers |
| cookie | String | Request cookie |
| status | String | HTTP status code of the response |
| process_time | Integer | WAF processing time |
| region | String | Geographical location |
| host_id | String | Domain name ID |
| response_time | Long | Time to response |
| response_size | Integer | Response body size |
| response_body | String | Response body |
| request_body | String | Request body |

The sample response below also carries a payload_location field (params in the sample), which this table does not list. Note that headers, cookie, request_body and response_body contain the raw client request and server response (the sample includes the HWWAFSESID session cookie), so treat exported event data as sensitive.

Values of attack:

  • vuln: other attack types

  • sqli: SQL injections

  • lfi: local file inclusion attacks

  • cmdi: command injections

  • xss: XSS attacks

  • robot: malicious crawlers

  • rfi: remote file inclusion attacks

  • custom_custom: precise protection

  • webshell: website Trojans

  • custom_whiteblackip: attacks blocked based on blacklist and whitelist settings

  • custom_geoip: attacks blocked based on geolocations

  • antitamper: anti-tamper events

  • anticrawler: anti-crawler events

  • leakage: website data leakage prevention

  • illegal: unauthorized requests

Status code: 400

Table 6 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code |
| error_msg | String | Error message |

Status code: 401

Table 7 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code |
| error_msg | String | Error message |

Status code: 500

Table 8 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| error_code | String | Error code |
| error_msg | String | Error message |

Example Requests

GET https://{Endpoint}/v1/{project_id}/waf/event?enterprise_project_id=0&page=1&pagesize=10&recent=today

Example Responses

Status code: 200

ok

{
  "total" : 1,
  "items" : [ {
    "id" : "04-0000-0000-0000-21120220421152601-2f7a5ceb",
    "time" : 1650525961000,
    "policyid" : "25f1d179896e4e3d87ceac0598f48d00",
    "host" : "x.x.x.x:xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "url" : "/osclass/oc-admin/index.php",
    "attack" : "lfi",
    "rule" : "040002",
    "payload" : " file=../../../../../../../../../../etc/passwd",
    "payload_location" : "params",
    "sip" : "x.x.x.x",
    "action" : "block",
    "request_line" : "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd",
    "headers" : {
      "accept-language" : "en",
      "ls-id" : "xxxxx-xxxxx-xxxx-xxxx-9c302cb7c54a",
      "host" : "x.x.x.x",
      "lb-id" : "2f5f15ce-08f4-4df0-9899-ec0cc1fcdc52",
      "accept-encoding" : "gzip",
      "accept" : "*/*",
      "user-agent" : "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"
    },
    "cookie" : "HWWAFSESID=2a1d773f9199d40a53; HWWAFSESTIME=1650525961805",
    "status" : "418",
    "host_id" : "6fbe595e7b874dbbb1505da3e8579b54",
    "response_time" : 0,
    "response_size" : 3318,
    "response_body" : "",
    "process_time" : 2,
    "request_body" : "{}"
  } ]
}
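The following is an added example, not code from this page or from Huawei Cloud: a small Python client that builds the query under the Table 2 constraints (recent is exclusive with from/to, pagesize 1 to 100, page 0 to 100000), sends it with the X-Auth-Token header from Table 3, and pages through total/items, splitting a from/to window by time whenever total exceeds the 10,000-record cap described under Function. The endpoint, project ID and token are placeholders; FakeWafApi and constructed_events are a constructed offline stand-in that emulates only the documented limits and assumes total reports the true count even above the cap; how array parameters (attacks, hosts) are encoded in the query string is an assumption, since the page does not state it.

```python
"""Added example (not Huawei Cloud SDK code): calling GET /v1/{project_id}/waf/event
within the documented limits. build_query() enforces the Table 2 rules; fetch_all()
applies the Function note's remedy for the 10,000-record cap (narrow the from/to
window and query again). FakeWafApi is a constructed offline stand-in that emulates
only those limits; endpoint, project ID and token in http_get() are placeholders."""
import bisect
import json
import urllib.parse
import urllib.request

PAGESIZE_MAX = 100      # documented range of pagesize: 1..100 (-1 is not accepted)
PAGE_MAX = 100000       # documented range of page: 0..100000
RECORD_CAP = 10000      # documented: at most 10,000 records per time period
RECENT_VALUES = ("yesterday", "today", "3days", "1week", "1month")


def build_query(recent=None, from_ms=None, to_ms=None, attacks=None,
                enterprise_project_id=None, page=1, pagesize=PAGESIZE_MAX):
    """Validate the Table 2 constraints and return the query parameters as a dict."""
    if recent is not None and (from_ms is not None or to_ms is not None):
        raise ValueError("recent cannot be combined with from/to")
    if (from_ms is None) != (to_ms is None):
        raise ValueError("from and to must be supplied together")
    if recent is not None and recent not in RECENT_VALUES:
        raise ValueError(f"recent must be one of {RECENT_VALUES}")
    if not (1 <= pagesize <= PAGESIZE_MAX and 0 <= page <= PAGE_MAX):
        raise ValueError("pagesize must be 1..100 and page 0..100000")
    query = {"page": page, "pagesize": pagesize}
    if enterprise_project_id is not None:
        query["enterprise_project_id"] = enterprise_project_id
    if recent is not None:
        query["recent"] = recent
    if from_ms is not None:
        query["from"], query["to"] = int(from_ms), int(to_ms)
    if attacks:
        query["attacks"] = list(attacks)
    return query


def http_get(endpoint, project_id, token, query):
    """Real transport: the token travels in X-Auth-Token (Table 3). Assumption: array
    parameters are sent as repeated keys; the page does not state their encoding."""
    url = f"https://{endpoint}/v1/{project_id}/waf/event?" + urllib.parse.urlencode(query, doseq=True)
    req = urllib.request.Request(url, headers={
        "X-Auth-Token": token, "Content-Type": "application/json;charset=utf8"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class FakeWafApi:
    """Constructed stand-in for from/to queries: pagesize-wide pages, nothing past the
    10,000th record. Assumption: total is the true count even above the cap."""
    def __init__(self, events):
        self.events = sorted(events, key=lambda e: e["time"])
        self.times = [e["time"] for e in self.events]
        self.calls = 0

    def __call__(self, query):
        self.calls += 1
        lo = bisect.bisect_left(self.times, query["from"])
        hi = bisect.bisect_right(self.times, query["to"])
        hits = self.events[lo:hi]
        if "attacks" in query:
            hits = [e for e in hits if e["attack"] in query["attacks"]]
        start = (query["page"] - 1) * query["pagesize"]
        end = min(start + query["pagesize"], RECORD_CAP)
        return {"total": len(hits), "items": hits[start:end] if start < RECORD_CAP else []}


def fetch_all(get, query):
    """Return every event matching query. If a from/to window holds more than 10,000
    events, bisect it by time until each part fits, then page through each part."""
    first = get(dict(query, page=1, pagesize=PAGESIZE_MAX))
    total = first["total"]
    if total > RECORD_CAP:
        if "from" not in query:
            raise RuntimeError(f"{total} events: use from/to so the window can be narrowed")
        lo, hi = query["from"], query["to"]
        if hi <= lo:
            raise RuntimeError(f"{total} events in a 1 ms window; cannot split further")
        mid = (lo + hi) // 2
        left, right = dict(query, to=mid), {**query, "from": mid + 1}
        return fetch_all(get, left) + fetch_all(get, right)
    items = list(first["items"])
    page = 2
    while len(items) < total:
        more = get(dict(query, page=page, pagesize=PAGESIZE_MAX))["items"]
        if not more:
            break  # service returned nothing further; do not spin on a short total
        items.extend(more)
        page += 1
    return items


def constructed_events(n, start_ms=1650500000000, step_ms=10):
    """Constructed sample data: n events step_ms apart, cycling four attack types."""
    kinds = ("sqli", "lfi", "xss", "cmdi")
    return [{"id": f"evt-{i}", "time": start_ms + i * step_ms, "attack": kinds[i % 4],
             "sip": f"198.51.100.{i % 200}", "action": "block"} for i in range(n)]
```

To run against the real service, pass functools.partial(http_get, endpoint, project_id, token) as the get argument of fetch_all. Against the fake, a window holding 12,000 constructed events is split once into two halves of 6,000 and drained in 121 requests; a recent-based query that exceeds the cap is rejected outright, because a relative range cannot be narrowed and the page offers no other remedy.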

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | ok |
| 400 | Request failed. |
| 401 | The token does not have required permissions. |
| 500 | Internal server error. |

Error Codes

See Error Codes.