DescribeApisecEvents - Web Application Firewall - Alibaba Cloud Documentation Center

Queries a list of API security events.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:DescribeApisecEvents

get

*All Resource

*

acs:ResourceGroupId

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the Web Application Firewall (WAF) instance. Note Call the DescribeInstance operation to query the ID of the WAF instance.	waf_v2_public_cn-5y***d31
EventId	string	No	The ID of the API security event.	18ba94fea9***e66ba0557b7b91
ApiFormat	string	No	The path of the API that is associated with the security event.	/apisec/v1/***.php
MatchedHost	string	No	The domain name or IP address that is protected by WAF.	a.***.com
EventTag	string	No	The event type. Note Call the DescribeApisecRules operation to query the supported event types.	ObtainSensitiveUnauthorized
StartTs	integer	No	The beginning of the time range to query. This value is a UNIX timestamp. Unit: seconds.	1683648000
EndTs	integer	No	The end of the time range to query. This value is a UNIX timestamp. Unit: seconds.	1683703260
OrderKey	string	No	The field that is used to sort the query results. Valid values: allCnt: the number of attacks. startTs: the start time of the event. endTs: the end time of the event.	startTs
OrderWay	string	No	The order in which the query results are sorted. Valid values: desc: descending order. This is the default value. asc: ascending order.	desc
PageNumber	integer	No	The page number of the page to return. Default value: 1.	1
PageSize	integer	No	The number of entries to return on each page. Default value: 10.	10
ApiTag	string	No	The business purpose of the API. Note Call the DescribeApisecRules operation to query the supported business purposes.	SendMail
Origin	string	No	The source of the event type. Valid values: custom: a user-defined event type. default: a built-in event type.	default
EventLevel	string	No	The severity level of the event. Valid values: high: high severity. medium: medium severity. low: low severity.	low
UserStatus	string	No	The handling status of the event. Valid values: toBeConfirmed: pending confirmation. confirmed: confirmed but not yet handled. actioned: handled. ignored: ignored.	ignored
AttackIp	string	No	The IP address of the attacker that you want to use to filter events.	42.224..
ApiId	string	No	The ID of the API.	820b860***6205da93b935b28
ClusterId	string	No	The ID of the hybrid cloud WAF cluster. Note This parameter is required only in hybrid cloud scenarios. Call the DescribeHybridCloudClusters operation to query the IDs of hybrid cloud WAF clusters.	428
RegionId	string	No	The region where the WAF instance resides. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
ResourceManagerResourceGroupId	string	No	The ID of the resource group.	rg-acfm***q
EventScope	string	No	The dimension by which security events are categorized. Valid values: ip: IP security event. This is the default value. account: account security event.	ip
Account	string	No	The account that you want to use to filter events.	1818743389962696

Response elements

Element	Type	Description	Example
	object	The response parameters.
TotalCount	integer	The total number of entries returned.	3
RequestId	string	The request ID.	12F4CC8F-7E9F-5E4D-BF7C-BD1EDDE0C282
Data	array<object>	The list of security events.
	object	The details of the security event.
Origin	string	The source of the event type. Valid values: custom: a user-defined event type. default: a built-in event type.	custom
EventLevel	string	The severity level of the event. Valid values: high: high severity. medium: medium severity. low: low severity.	medium
StartTs	integer	The start time of the event. This value is a UNIX timestamp. Unit: seconds.	1683648000
EventInfo `deprecated`	string	The details of the security event. The value is a JSON string that contains the following fields: ip_info: the information about the attacker IP address. For more information, see the AttackIpInfo response parameter. rule_id: the ID of the rule that corresponds to the event. rule_tag: the information about the rule that corresponds to the event.	{ "ip_info": [ { "ip": "112.224.143.", "country_id": "CN", "region_id": "-", "cnt": "4" } ], "rule_id": "837", "rule_tag": "interface returns a large amount of sensitive information" }
ApiFormat	string	The path of the API that is associated with the security event.	/apisec/v1/register.php
ApiTag	string	The business purpose of the API. Note Call the DescribeApisecRules operation to query the supported business purposes.	SendMail
UserStatus	string	The handling status of the event. Valid values: toBeConfirmed: pending confirmation. confirmed: confirmed but not yet handled. actioned: handled. ignored: ignored.	toBeConfirmed
Follow	integer	Indicates whether the event is followed. Valid values: 1: The event is followed. 0: The event is not followed.	0
RequestData `deprecated`	string	A sample of the API request data. The value is a JSON string.	{}
EventId	string	The ID of the security event.	c82cb276847e9c96f9597d9f4b0cdcff
AttackIp `deprecated`	string	The IP address of the attacker. Important This parameter is deprecated. Use the AttackIps parameter instead.	104.234.140.**
AttackIpInfo `deprecated`	string	The information about the attacker IP address. The value is a JSON string that contains the following fields: ip: the IP address. country_id: the country. region_id: the region. cnt: the number of attacks.	[ { "ip": "72...119", "country_id": "US", "region_id": "", "cnt": "2100" } ]
EndTs	integer	The end time of the event. This value is a UNIX timestamp. Unit: seconds.	1683703260
AttackCntInfo `deprecated`	string	The attack count over time. The value is a JSON string in which each key is a UNIX timestamp in seconds and each value is the number of attacks at that time.	{ "1717498320": 500, "1717498380": 529, "1717498440": 20 }
AllCnt	integer	The total number of attacks in the security event.	10
RemoteRegion	string	The region where the attacker IP address is located.	110000
ResponseData `deprecated`	string	A sample of the API response data. The value is a JSON string.	{}
AttackClient	string	The type of client that initiated the attack, such as a browser or automation tool.	Chrome
EventTag	string	The event type. Note Call the DescribeApisecRules operation to query the supported event types.	ObtainSensitiveUnauthorized
MatchedHost	string	The domain name or IP address that is protected by WAF.	a.***.com
Note	string	The remarks that are added to the security event.	Notify
ApiId	string	The ID of the API that is associated with the security event.	2ecc1cf67b91853bc55545052ccf06a8
RemoteCountry	string	The country where the attacker IP address is located.	US
AttackIps `deprecated`	array	The list of attacker IP addresses.
	string	The IP address of the attacker.	104.234.140.**
AttackerList	array	The list of attackers that are associated with the security event.
	string	The attacker that is associated with the security event. Note If the value of EventScope is ip, this parameter indicates the attacker IP address. If the value of EventScope is account, this parameter indicates the attacker account.	1.1.1.1

Examples

Success response

JSON format

{
  "TotalCount": 3,
  "RequestId": "12F4CC8F-7E9F-5E4D-BF7C-BD1EDDE0C282",
  "Data": [
    {
      "Origin": "custom",
      "EventLevel": "medium",
      "StartTs": 1683648000,
      "EventInfo": "{\n    \"ip_info\": [\n        {\n            \"ip\": \"112.224.143.**\",\n            \"country_id\": \"CN\",\n            \"region_id\": \"-\",\n            \"cnt\": \"4\"\n        }\n    ],\n    \"rule_id\": \"837**\",\n    \"rule_tag\": \"interface returns a large amount of sensitive information\"\n}\n",
      "ApiFormat": "/apisec/v1/register.php",
      "ApiTag": "SendMail",
      "UserStatus": "toBeConfirmed",
      "Follow": 0,
      "RequestData": "{}",
      "EventId": "c82cb276847e9c96f9597d9f4b0cdcff",
      "AttackIp": "104.234.140.**",
      "AttackIpInfo": "[\n    {\n        \"ip\": \"72.*.*.119\",\n        \"country_id\": \"US\",\n        \"region_id\": \"\",\n        \"cnt\": \"2100\"\n    }\n]",
      "EndTs": 1683703260,
      "AttackCntInfo": "{\n    \"1717498320\": 500,\n    \"1717498380\": 529,\n    \"1717498440\": 20\n}",
      "AllCnt": 10,
      "RemoteRegion": "110000",
      "ResponseData": "{}",
      "AttackClient": "Chrome",
      "EventTag": "ObtainSensitiveUnauthorized",
      "MatchedHost": "a.***.com",
      "Note": "Notify",
      "ApiId": "2ecc1cf67b91853bc55545052ccf06a8",
      "RemoteCountry": "US",
      "AttackIps": [
        "104.234.140.**\n"
      ],
      "AttackerList": [
        "1.1.1.1"
      ]
    }
  ]
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.