Querying the List of Attack Events

Function

This API is used to query the attack event list. Currently, this API does not support query of all protection events. The pagesize parameter cannot be set to -1. The larger the data volume, the larger the memory consumption. A maximum of 10,000 data records can be queried. For example, if the number of data records in a user-defined period exceeds 10,000, the data whose page is 101 (or pagesize is greater than 100) cannot be queried. You need to adjust the time range to a longer period and then query the data.

Calling Method

For details, see Calling APIs.

URI

GET /v1/{project_id}/waf/event

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID. To obtain it, log in to the Huawei Cloud console, click the username, choose My Credentials, and find the project ID in the Projects list. Constraints N/A Range N/A Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Obtain the enterprise project ID by calling the ListEnterpriseProject API of Enterprise Project Management Service (EPS). To obtain the resource details in all enterprise projects of a user, set this parameter to all_granted_eps.
recent	No	String	Definition Time range for querying logs. You need to specify either parameter recent, or parameters from and to. If both parameter recent and parameter from or to are specified, recent takes effect. Constraints N/A Range yesterday: yesterday today: today 3days: last 3 days 1week: last 7 days 1month: last 30 days Default Value N/A
from	No	Long	Definition Start time (timestamp in milliseconds). This parameter must be used together with to. Constraints from <= to Range The maximum range from from to to is 30 days. Default Value N/A
to	No	Long	Definition End time (timestamp in milliseconds). This parameter must be used together with from. Constraints The maximum range from from to to is 30 days. Range The end time cannot be later than the end time of the current day. Default Value N/A
ids	No	Array of strings	Definition List of event IDs. Fuzzy search is supported. Constraints N/A Range N/A Default Value N/A
nids	No	Array of strings	Definition List of event IDs (exclusion search criteria). Fuzzy search is supported. Constraints N/A Range N/A Default Value N/A
attacks	No	Array of strings	Definition Attack type. Constraints N/A Range xss: XSS attacks botm: BOT attack webshell: website Trojans vuln: other vulnerability exploits sqli: SQL injections robot: malicious crawlers rfi: remote file inclusion attacks rce: remote code execution ptr: directory traversal attacks lfi: local file inclusion attacks antileakage: website information leakage iprank: IP reputation database custom_whiteblackip: IP address blacklist and whitelist custom_whiteip: whitelist custom_blackip: blacklist custom_robot: scanner crawler custom_geoip: geographic access control custom_idc_ip: IDC intelligence custom_custom: precise protection cmdi: command injections cc: CC attacks antitamper: web tamper protection anticrawler: anti-crawler third_bot_river: third-party anti-crawler antiscan_high_freq_scan: blocking of high-frequency scanning antiscan_dir_traversal: directory traversal protection illegal: unauthorized requests followed_action: attacks that hit a known attack source rule advanced_bot: BOT management llm_prompt_injection: prompt injections llm_prompt_sensitive: prompt violations llm_response_sensitive: response violations Default Value N/A
nattacks	No	Array of strings	Definition Attack type (exclusion search criteria). Constraints N/A Range xss: XSS attacks botm: BOT attack webshell: website Trojans vuln: other vulnerability exploits sqli: SQL injections robot: malicious crawlers rfi: remote file inclusion attacks rce: remote code execution ptr: directory traversal attacks lfi: local file inclusion attacks antileakage: website information leakage iprank: IP reputation database custom_whiteblackip: IP address blacklist and whitelist custom_whiteip: whitelist custom_blackip: blacklist custom_robot: scanner crawler custom_geoip: geographic access control custom_idc_ip: IDC intelligence custom_custom: precise protection cmdi: command injections cc: CC attacks antitamper: web tamper protection anticrawler: anti-crawler third_bot_river: third-party anti-crawler antiscan_high_freq_scan: blocking of high-frequency scanning antiscan_dir_traversal: directory traversal protection illegal: unauthorized requests followed_action: attacks that hit a known attack source rule advanced_bot: BOT management llm_prompt_injection: prompt injections llm_prompt_sensitive: prompt violations llm_response_sensitive: response violations Default Value N/A
rules	No	Array of strings	Definition Rule ID list Constraints N/A Range N/A Default Value N/A
nrules	No	Array of strings	Definition Rule ID list (exclusion search criteria). Constraints N/A Range N/A Default Value N/A
sips	No	Array of strings	Definition Client IP address list. Constraints N/A Range N/A Default Value N/A
nsips	No	Array of strings	Definition Client IP address list (exclusion search criteria). Constraints N/A Range N/A Default Value N/A
sip	No	String	Definition Client IP address. If the value of query_mode is equal, exact query is performed. Otherwise, fuzzy query is performed. Constraints N/A Range N/A Default Value N/A
urls	No	Array of strings	Definition URL list. Constraints N/A Range N/A Default Value N/A
nurls	No	Array of strings	Definition URL list (exclusion search criteria). Constraints N/A Range N/A Default Value N/A
url	No	String	Definition URL. If the value of query_mode is equal, exact query is performed. Otherwise, fuzzy query is performed. Constraints N/A Range N/A Default Value N/A
actions	No	Array of strings	Definition Protection action list. Constraints N/A Range block: WAF blocks attacks. pass: WAF allows requests. log: WAF only logs detected attacks. captcha: A verification code is required. cache: Does not match mask: Filter js_challenge: JavaScript challenge advanced_captcha: Advanced CAPTCHA verification abort_response: Stop response desensitize: Desensitize Default Value N/A
nactions	No	Array of strings	Definition Protection action list (exclusion search criteria). Constraints N/A Range block: WAF blocks attacks. pass: WAF allows requests. log: WAF only logs detected attacks. captcha: A verification code is required. cache: Does not match mask: Filter js_challenge: JavaScript challenge advanced_captcha: Advanced CAPTCHA verification abort_response: Stop response desensitize: Desensitize Default Value N/A
domain	No	String	Definition Domain name. Fuzzy search is supported. Constraints The domain and ndomain parameters cannot be queried at the same time. If both of them are specified, the domain parameter prevails. Range N/A Default Value N/A
ndomain	No	String	Definition Domain name (exclusion search criteria). Fuzzy search is supported. Constraints The domain and ndomain parameters cannot be queried at the same time. If both of them are specified, the domain parameter prevails. Range N/A Default Value N/A
domains	No	Array of strings	Definition Domain name list. Constraints N/A Range N/A Default Value N/A
ip_countries	No	Array of strings	Definition List of countries where the client IP address belongs. Constraints N/A Range N/A Default Value N/A
nip_countries	No	Array of strings	Definition List of countries where the client IP address belongs (exclusion search criteria). Constraints N/A Range N/A Default Value N/A
ip_regions	No	Array of strings	Definition List of provinces where the client IP address belongs. This parameter is valid only for provinces in China. Constraints N/A Range N/A Default Value N/A
nip_regions	No	Array of strings	Definition List of identities where the client IP address belongs (exclusion search criteria). This parameter is valid only for provinces in China. Constraints N/A Range N/A Default Value N/A
response_codes	No	Array of strings	Definition Response code list. Constraints N/A Range N/A Default Value N/A
payload	No	String	Definition Malicious payloads (attack fragments identified by WAF): Basic web protection (SQL injection, XSS, and command injection): attack fragments identified by WAF CC attack protection rules: Number of requests that match a rule Precise protection, IP address blacklist and whitelist, and geolocation access control: N/A Known attack sources: User ID of a request that has an attack penalty Malicious crawler: User-Agent field that matches a rule Anti-crawler: JavaScript events: js_verified (JavaScript verification success) and js_challenge (sending JavaScript verification content) If a request fails to be validated, this column is left empty. Website information leakage: The filtering types are used for sensitive information filtering, including phone numbers, email addresses, and ID card numbers. The response codes are used for blocking. BOT attack: abnormal request characteristics that match the rule, such as User-Agent; or the scoring details of the AI behavior scan result Constraints N/A Range N/A Default Value N/A
hosts	No	Array of strings	Definition Domain name ID list. You can call the ListHost API to obtain it. Constraints N/A Range N/A Default Value N/A
instances	No	Array of strings	Definition Engine instance ID list. Constraints N/A Range N/A Default Value N/A
page	No	Integer	Definition Page number of the data to be returned in a query. Constraints N/A Range The valid range of page depends on the total data volume and the value of pagesize. The value cannot be greater than the total number of pages. Default Value 1
pagesize	No	Integer	Definition Number of results per page in a query. Constraints N/A Range [0, Total data volume] Default Value 10
sort_key	No	String	Definition Sorting field. The default value is attack_time. If you select another field, the records are sorted by the specified field and attack_time. Constraints N/A Range attack_time: attack time sort_ip: client IP address host: domain name geo_str: geographical location component: application component rule: rule ID attack: event type (attack type) Default Value attack_time
sort_direction	No	String	Definition Sorting direction Constraints N/A Range desc: descending. asc: ascending. Default Value desc
query_mode	No	String	Definition Query mode, which only affects the sip and url parameters. Constraints N/A Range equal: exact query include: fuzzy query Default Value include

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). Constraints N/A Range N/A Default Value N/A
Content-Type	Yes	String	Definition Content type. Constraints N/A Range N/A Default Value application/json;charset=utf8
X-Language	No	String	Definition Language of the geographical location to which the client IP address belongs. The default value is en-us. Constraints N/A Range zh-cn: Chinese en-us: English Default Value en-us

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
total	Integer	Number of attack events.
items	Array of ListEventItems objects	Details about an attack event.

**Table 5** ListEventItems
Parameter	Type	Description
id	String	Event ID.
time	Long	Timestamp when the attack occurred (unit: ms).
policyid	String	Policy ID.
sip	String	Source IP address, which is the IP address of the web visitor, or potential attacker.
host	String	Domain name.
url	String	Attacked URL.
attack	String	Attack types: vuln: other attack types sqli: SQL injections lfi: local file inclusion attacks cmdi: command injections xss: XSS attacks robot: malicious crawlers rfi: remote file inclusion attacks custom_custom: precise protection webshell: website Trojans custom_whiteblackip: attacks blocked based on blacklist and whitelist settings custom_geoip: attacks blocked based on geographic locations antitamper: anti-tamper events anticrawler: anti-crawler events leakage: website data leakage prevention illegal: unauthorized requests antiscan_high_freq_scan: blocking of high-frequency scanning antiscan_dir_traversal: directory traversal protection
rule	String	ID of the hit rule.
payload	String	Malicious payload: Basic web protection (SQL injection, XSS, and command injection): attack fragments identified by WAF CC attack protection rules: Number of requests that match a rule Precise protection, IP address blacklist and whitelist, and geolocation access control: N/A Known attack sources: User ID of a request that has an attack penalty Anti-crawler protection: User-Agent field that matches a rule Anti-crawler: JavaScript events: js_verified (JavaScript verification success) and js_challenge (sending JavaScript verification content) If a request fails to be validated, this column is left empty. Website information leakage: The filtering types are used for sensitive information filtering, including phone numbers, email addresses, and ID card numbers. The response codes are used for blocking. BOT attack: abnormal request characteristics that match the rule, such as User-Agent; or the scoring details of the AI behavior scan result
payload_location	String	Malicious payload location.
action	String	Protective action.
request_line	String	Request method and path.
headers	Object	HTTP request header.
cookie	String	Request cookie.
status	String	Response code status.
process_time	Integer	Processing duration.
region	String	Geographical location.
host_id	String	Domain name ID.
response_time	Long	Response duration.
response_size	Integer	Response body size.
response_body	String	Response body.
request_body	String	Request body.

Status code: 400

**Table 6** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 7** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Status code: 401

**Table 8** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 9** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Status code: 500

**Table 10** Response body parameters
Parameter	Type	Description
error_code	String	Error code.
error_msg	String	Error message.
encoded_authorization_message	String	You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs.
details	Array of IAM5ErrorDetails objects	The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs.

**Table 11** IAM5ErrorDetails
Parameter	Type	Description
error_code	String	Error codes of the downstream service.
error_msg	String	Error messages of the downstream service.

Example Requests

The following example shows how to query the event list for the current day in a project. The project ID is specified by project_id.

GET https://{Endpoint}/v1/{project_id}/waf/event?enterprise_project_id=0&page=1&pagesize=10&recent=today

Example Responses

Status code: 200

{
  "total" : 1,
  "items" : [ {
    "id" : "04-0000-0000-0000-21120220421152601-2f7a5ceb",
    "time" : 1650525961000,
    "policyid" : "25f1d179896e4e3d87ceac0598f48d00",
    "host" : "x.x.x.x:xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "url" : "/osclass/oc-admin/index.php",
    "attack" : "lfi",
    "rule" : "040002",
    "payload" : " file=../../../../../../../../../../etc/passwd",
    "payload_location" : "params",
    "sip" : "x.x.x.x",
    "action" : "block",
    "request_line" : "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd",
    "headers" : {
      "accept-language" : "en",
      "ls-id" : "xxxxx-xxxxx-xxxx-xxxx-9c302cb7c54a",
      "host" : "x.x.x.x",
      "lb-id" : "2f5f15ce-08f4-4df0-9899-ec0cc1fcdc52",
      "accept-encoding" : "gzip",
      "accept" : "*/*",
      "user-agent" : "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36"
    },
    "cookie" : "HWWAFSESID=2a1d773f9199d40a53; HWWAFSESTIME=1650525961805",
    "status" : "418",
    "host_id" : "6fbe595e7b874dbbb1505da3e8579b54",
    "response_time" : 0,
    "response_size" : 3318,
    "response_body" : "",
    "process_time" : 2,
    "request_body" : "{}"
  } ]
}

SDK Sample Code

The SDK sample code is as follows.

     package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.waf.v1.region.WafRegion;
import com.huaweicloud.sdk.waf.v1.*;
import com.huaweicloud.sdk.waf.v1.model.*;


public class ListEventSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        WafClient client = WafClient.newBuilder()
                .withCredential(auth)
                .withRegion(WafRegion.valueOf("<YOUR REGION>"))
                .build();
        ListEventRequest request = new ListEventRequest();
        try {
            ListEventResponse response = client.listEvent(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}
 
 
  

     # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkwaf.v1.region.waf_region import WafRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkwaf.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = WafClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(WafRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = ListEventRequest()
        response = client.list_event(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)
 
 
  

     package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    waf "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/waf/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth, err := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        SafeBuild()

    if err != nil {
        fmt.Println(err)
        return
    }

    hcClient, err := waf.WafClientBuilder().
         WithRegion(region.ValueOf("<YOUR REGION>")).
         WithCredential(auth).
         SafeBuild()


    if err != nil {
        fmt.Println(err)
        return
    }

    client := waf.NewWafClient(hcClient)

    request := &model.ListEventRequest{}
	response, err := client.ListEvent(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}
 
 
  