Function Description

This API is used to query attack event logs.

URI

URI format
GET /v1/{project_id}/waf/event?from={from}&to={to}&hosts={hostname}&attacks={attack}&sips={sip}&offset={offset}&limit={limit}

An example of a URI is as follows:

GET /v1/3ac26c59e15a4a11bb680a103a29ddb6/waf/event/attack/type?from=1543976973635&to=1563976973635&hosts=3211757cafa3437aae24d760022e79ba&hosts=93029844064b43739b51ca63036fbc4b&hosts=34fe5f5c60ef4e43a9975296765d1217

Parameter description

**Table 1** Path parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Specifies the project ID.
from	Yes	Long	Specifies the start time (UTC) in milliseconds. For example, 1548172800000.
to	Yes	Long	Specifies the end time (UTC) in milliseconds. For example, 1548431999000.
hosts	No	Array	Specifies the domain IDs.
attacks	No	Array	Specifies the list of attack types. For example, sqli and xss.
sips	No	Array	Specifies the attack source IP addresses. For example, X.X.12.23 and X.X.20.85.
nsips	No	Array	Specifies the excluded attack source IP addresses. For example, X.X.12.1 and X.X.20.2.
offset	No	Long	Specifies the number of returned pages. Its value ranges from 0 to 65535. The default value is 0.
limit	No	Long	Specifies the maximum number of records displayed on each page. Its value ranges from 0 to 50. The default value is 10.
marker	No	String	Specifies the ID of the last event record on the previous page.

Request

Request parameters

None

Response

Response parameters

**Table 2** Parameter description
Parameter	Type	Description
total	Integer	Specifies the total number of event logs.
items	Table 3	Specifies the event log objects.

**Table 3** **items**
Parameter	Type	Description
id	String	Specifies the event ID.
time	Integer	Specifies the attack time since Unix Epoch in milliseconds.
policy_id	String	Specifies the policy ID.
sip	String	Specifies an attack source IP address.
host	String	Specifies an attacked domain name.
host_id	String	Specifies a domain name ID.
url	String	Specifies the attacked URL, excluding a domain name.
attack	String	Specifies the attack type. cc refers to CC attack. cmdi refers to command injection. custom refers to Precise Protection events. illegal refers to invalid requests. sqli refers to SQL injection. lfi refers to local file inclusion. robot refers to malicious crawlers. antitamper refers to Web Tamper Protection events. rfi refers to remote file inclusion. vuln refers to other types of attacks. xss refers to XSS attack. whiteblackip refers to Blacklist and Whitelist events. webshell refers to webshells.
rule	String	Specifies the matched rule ID that consists of six digits.
payload	String	Specifies the hit load.
action	String	Specifies the protective action. Block: WAF blocks and logs detected attacks. Log only: WAF logs detected attacks only. Allow: WAF allows the requests that meet the specified conditions. Verification code: A verification code is displayed when the number of requests reaches the maximum limit in a CC attack protection rule. Upon completing the verification, you are no longer restricted by the maximum number of requests allowed. Filter: WAF implements data masking. Mismatch: The cached web page in the WAF engine does not match the original web page.
payload_location	String	Specifies the location in the request packet where the attack occurs. The options are as follows: body, url, params, and header.
request_line	String	Specifies the attack request method.
headers	Object	Specifies the attack request header.
cookie	String	Specifies the cookie.
body	String	Specifies the body of an attack request.

Example

total with a value of 2 is used as an example.

Response example

{
  "total": 2,
  "items": [
    {
      "id": "0000-0000-0000-13-56ef71f5745764348192f844658dd144",
      "time": 1499817600,
      "policy_id": "xxx",
      "sip": "X.X.1.1",
      "host": "a.com",
      "host_id": "123",
      "url": "/login",
      "attack": "sqli",
      "rule": "20001",
      "payload": "1 or 1=1",
      "action": "block",
      "payload_location": "params",
      "request_line": "GET / ",
      "headers": {
        "Connection": "keep-alive",
        "User-Agent": "curl"
      },
      "cookie": "sid=123; uid=456",
      "body": "user=admin&pass=abc123"
    },
   {
      "id": "0000-0000-0000-13-56ef71f5745764348192f844658dd144",
      "time": 1499817600,
      "host": "a.com",
      "host_id": "a",
      "policy_id": "xxx",
      "sip": "X.X.1.2",
      "url": "/login",
      "attack": "sqli",
      "rule": "20001",
      "payload": "1 or 1=1",
      "action": "log",
      "payload_location": "params",
      "request_line": "GET / ",
      "headers": {
        "Connection": "keep-alive",
        "User-Agent": "curl"
      },
      "cookie": "sid=123; uid=456",
      "body": "user=admin&pass=abc123"
    }
  ]
}

Status Code

Table 4 describes the normal status code returned by the API.

**Table 4** Status code
Status Code	Description	Meaning
200	OK	The request has succeeded.

For details about error status codes, see Status Codes.

Querying Attack Event Logs

Function Description

URI

Request

Response

Example

Status Code