Querying the List of Attack Events
Function
This API is used to query the attack event list. Currently, this API does not support query of all protection events. The pagesize parameter cannot be set to -1. The larger the data volume, the larger the memory consumption. A maximum of 10,000 data records can be queried. For example, if the number of data records in a user-defined period exceeds 10,000, the data whose page is 101 (or pagesize is greater than 100) cannot be queried. You need to adjust the time range to a longer period and then query the data.
Calling Method
For details, see Calling APIs.
URI
GET /v1/{project_id}/waf/event
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
project_id |
Yes |
String |
Definition Project ID. To obtain it, log in to the Huawei Cloud console, click the username, choose My Credentials, and find the project ID in the Projects list. Constraints N/A Range Enter 32 characters. Only letters and digits are allowed. Default Value N/A |
Request Parameters
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
X-Auth-Token |
Yes |
String |
Definition User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). Constraints N/A Range N/A Default Value N/A |
Content-Type |
Yes |
String |
Definition Content type. Constraints N/A Range N/A Default Value application/json;charset=utf8 |
X-Language |
No |
String |
Definition Language. The default value is zh-cn. zh-cn: Chinese; en-us: English Constraints N/A Range Default Value |
Response Parameters
Status code: 200
Parameter |
Type |
Description |
---|---|---|
total |
Integer |
Number of attack events. |
items |
Array of ListEventItems objects |
Details about an attack event. |
Parameter |
Type |
Description |
---|---|---|
id |
String |
Definition Incident ID Range N/A |
time |
Long |
Definition Timestamp when the attack occurs, in milliseconds. Range N/A |
policyid |
String |
Definition Policy ID. Range N/A |
sip |
String |
Definition Source IP address, which is the IP address of the web visitor, or potential attacker. Range N/A |
host |
String |
Definition Domain name. Range N/A |
url |
String |
Definition Attacked URL. Range N/A |
attack |
String |
Definition Attack type. Range |
rule |
String |
Definition ID of the matched rule Range N/A |
payload |
String |
Definition Hit payload Range N/A |
payload_location |
String |
Definition Hit payload position Range N/A |
action |
String |
Definition Protective action. Range N/A |
request_line |
String |
Definition Request method and path Range N/A |
headers |
Object |
Definition HTTP request header Range N/A |
cookie |
String |
Definition Request cookie Range N/A |
status |
String |
Definition Response code status Range N/A |
process_time |
Integer |
Definition Handing duration Range N/A |
region |
String |
Definition Geographical location. Range N/A |
host_id |
String |
Definition Domain name ID. Range N/A |
response_time |
Long |
Definition Response Duration Range N/A |
response_size |
Integer |
Definition Response Body Size Range N/A |
response_body |
String |
Definition Response body Range N/A |
request_body |
String |
Definition Request body Range N/A |
Status code: 400
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error message. |
encoded_authorization_message |
String |
You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs. |
details |
Array of IAM5ErrorDetails objects |
The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs. |
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error codes of the downstream service. |
error_msg |
String |
Error messages of the downstream service. |
Status code: 401
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error message. |
encoded_authorization_message |
String |
You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs. |
details |
Array of IAM5ErrorDetails objects |
The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs. |
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error codes of the downstream service. |
error_msg |
String |
Error messages of the downstream service. |
Status code: 500
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code. |
error_msg |
String |
Error message. |
encoded_authorization_message |
String |
You can call the decode-authorization-message interface of the STS service to decode the rejection reason. For details, see the STS5 joint commissioning and self-verification. This parameter is returned only when an IAM 5 authentication error occurs. |
details |
Array of IAM5ErrorDetails objects |
The set of error messages reported when a downstream service is invoked. This parameter is returned only when an IAM 5 authentication error occurs. |
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error codes of the downstream service. |
error_msg |
String |
Error messages of the downstream service. |
Example Requests
The following example shows how to query the event list for the current day in a project. The project ID is specified by project_id.
GET https://{Endpoint}/v1/{project_id}/waf/event?enterprise_project_id=0&page=1&pagesize=10&recent=today
Example Responses
Status code: 200
ok
{ "total" : 1, "items" : [ { "id" : "04-0000-0000-0000-21120220421152601-2f7a5ceb", "time" : 1650525961000, "policyid" : "25f1d179896e4e3d87ceac0598f48d00", "host" : "x.x.x.x:xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", "url" : "/osclass/oc-admin/index.php", "attack" : "lfi", "rule" : "040002", "payload" : " file=../../../../../../../../../../etc/passwd", "payload_location" : "params", "sip" : "x.x.x.x", "action" : "block", "request_line" : "GET /osclass/oc-admin/index.php?page=appearance&action=render&file=../../../../../../../../../../etc/passwd", "headers" : { "accept-language" : "en", "ls-id" : "xxxxx-xxxxx-xxxx-xxxx-9c302cb7c54a", "host" : "x.x.x.x", "lb-id" : "2f5f15ce-08f4-4df0-9899-ec0cc1fcdc52", "accept-encoding" : "gzip", "accept" : "*/*", "user-agent" : "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36" }, "cookie" : "HWWAFSESID=2a1d773f9199d40a53; HWWAFSESTIME=1650525961805", "status" : "418", "host_id" : "6fbe595e7b874dbbb1505da3e8579b54", "response_time" : 0, "response_size" : 3318, "response_body" : "", "process_time" : 2, "request_body" : "{}" } ] }
Status Codes
Status Code |
Description |
---|---|
200 |
ok |
400 |
Request failed. |
401 |
The token does not have required permissions. |
500 |
Internal server error. |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot