Web Application Firewall: DescribeSecurityEventLogs

Last Updated: Mar 17, 2026

Queries the detailed logs of attack traffic. Each log entry contains the details of a request that matched a protection rule.

Operation description

Attack traffic refers to requests that hit a rule and are identified as threats. The following three types of requests are not included:

  • Requests that hit a whitelist rule.

  • Requests that hit a bot rule whose action is set to Mark for Origin Fetch.

  • Requests that hit a rule whose action is set to Dynamic Token, Slider, Strict Slider, or JS Challenge, but are allowed because the user passed the verification.

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
|---|---|---|---|---|
| yundun-waf:DescribeSecurityEventLogs | get | *All Resource * | acs:ResourceGroupId | None |

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| InstanceId | string | Yes | The ID of the Web Application Firewall (WAF) instance. Note: Call DescribeInstance to query the ID of the WAF instance. | waf_cdnsdf3**** |
| Filter | object | Yes | The filter conditions. A logical AND relationship exists between multiple filter conditions. | |
| DateRange | object | Yes | The time range to query. | |
| StartDate | integer | Yes | The start of the time range to query. The time range cannot exceed the last 30 days. The value is a UNIX timestamp. Unit: seconds. Note: The start time must be within the last 30 days from the current time. | 1713888000 |
| EndDate | integer | Yes | The end of the time range to query. The value is a UNIX timestamp. Unit: seconds. | 1713888600 |
| Conditions | array<object> | No | A list of filter conditions. Each node describes a filter condition. | |
| | object | No | The configuration of a single query condition. A query condition consists of a field name, an operator, and a filter value. For more information about the supported field names and operators, see the Additional information about request parameters section. | |
| Key | string | No | The name of the field to filter. This operation supports all fields. | matched_host |
| OpValue | string | No | The operator. | eq |
| Values | any | No | The filter value. | test.waf-top |
| PageSize | integer | Yes | The number of entries to return on each page for a paged query. The maximum value is 100. | 10 |
| PageNumber | integer | Yes | The page number to return for a paged query. The default value is 1, which indicates the first page. | 1 |
| RegionId | string | No | The region of the WAF instance. Valid values: cn-hangzhou (the Chinese mainland), ap-southeast-1 (outside the Chinese mainland). | cn-hangzhou |
| ResourceManagerResourceGroupId | string | No | The ID of the Alibaba Cloud resource group. | rg-acfm***q |

Operator descriptions

| Operator | Meaning | Description |
|---|---|---|
| all-not-match | Not equal to any value | The field value is not equal to any value in the dataset. Filter data where real_client_ip is not equal to any value in the collection: {"Key":"real_client_ip","OpValue":"all-not-match","Values":["1.1.1.1","2.2.2.2","3.3.3.3"]} |
| contain | Contains | The field value contains a specific string. Filter data where the URL contains "test": {"Key":"request_path","OpValue":"contain","Values":"test"} |
| eq | Equals | The field value equals a specific string. Filter data where the URL is "/testcase": {"Key":"request_path","OpValue":"eq","Values":"/testcase"} |
| match-one | Equals one of multiple values | The field value is equal to any value in the dataset. Filter data where real_client_ip is equal to any value in the collection: {"Key":"real_client_ip","OpValue":"match-one","Values":["1.1.1.1","2.2.2.2","3.3.3.3"]} |
| ne | Not equal to | The field value does not equal a specific string. Filter data where the URL is not "/testcase": {"Key":"request_path","OpValue":"ne","Values":"/testcase"} |
| not-contain | Does not contain | The field value does not contain a specific string. Filter data where the URL does not contain "test": {"Key":"request_path","OpValue":"not-contain","Values":"test"} |
| prefix-match | Prefix match | The field value starts with a specific string. Filter data where the URL prefix is "/testcase": {"Key":"request_path","OpValue":"prefix-match","Values":"/testcase"} |
| suffix-match | Suffix match | The field value ends with a specific string. Filter data where the URL suffix is "/testcase": {"Key":"request_path","OpValue":"suffix-match","Values":"/testcase"} |

Supported keys for filter conditions

| Field name | Description | Supported operators |
|---|---|---|
| action | The protection action. This is the final action taken on the request. | ne, eq |
| cluster | The protection cluster. | ne, eq, match-one, all-not-match |
| defense_scene | The protection module. A request may hit multiple protection modules. Requests filtered by this field may also hit other modules. | ne, eq |
| host | The host field in the HTTP header. | contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match |
| http_cookie | The cookie field in the HTTP header. | contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match |
| http_user_agent | The User-Agent field in the HTTP header. | contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match |
| matched_host | The protected object. | ne, eq, match-one, all-not-match |
| real_client_ip | The source IP address of the request. Only IP address strings are supported as filter values. CIDR blocks are not supported. | ne, eq, match-one, all-not-match |
| remote_country_id | The country to which the source IP address of the HTTP request belongs. | ne, eq, match-one, all-not-match |
| remote_region_id | The province or city to which the source IP address of the HTTP request belongs. | ne, eq, match-one, all-not-match |
| request_method | The HTTP request method. | ne, eq, match-one, all-not-match |
| request_path | The HTTP request URL, excluding the query string. | contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match |
| request_traceid | The unique ID that identifies the request. | ne, eq, match-one, all-not-match |
| rule_id | The rule ID. A request may hit multiple rules. Requests filtered by this field may also hit other rules. | ne, eq |
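
A pre-flight check for the Filter object, added here as an example (it is not Alibaba Cloud SDK code). It encodes the key/operator table above and the documented StartDate and PageSize limits. Assumptions: the table is treated as the complete list of keys, match-one and all-not-match take a list while the other operators take a single value (as in the operator examples), DateRange and Conditions nest under Filter, and the names condition and build_request are hypothetical.

```python
import ipaddress
import time

# Operator sets transcribed from the "Supported keys for filter conditions" table.
BASIC = {"ne", "eq"}
SET_OPS = BASIC | {"match-one", "all-not-match"}
TEXT_OPS = SET_OPS | {"contain", "not-contain", "prefix-match", "suffix-match"}
SUPPORTED = {
    "action": BASIC, "defense_scene": BASIC, "rule_id": BASIC,
    "cluster": SET_OPS, "matched_host": SET_OPS, "real_client_ip": SET_OPS,
    "remote_country_id": SET_OPS, "remote_region_id": SET_OPS,
    "request_method": SET_OPS, "request_traceid": SET_OPS,
    "host": TEXT_OPS, "http_cookie": TEXT_OPS,
    "http_user_agent": TEXT_OPS, "request_path": TEXT_OPS,
}
LIST_OPS = {"match-one", "all-not-match"}  # assumption: these take a list in Values


def condition(key, op, values):
    """Return one Conditions entry, or raise ValueError if the tables rule it out."""
    if op not in SUPPORTED.get(key, ()):
        raise ValueError(f"{op!r} is not a supported operator for key {key!r}")
    if (op in LIST_OPS) != isinstance(values, list):
        raise ValueError(f"{op!r} takes {'a list' if op in LIST_OPS else 'one value'}")
    if key == "real_client_ip":
        for value in values if isinstance(values, list) else [values]:
            ipaddress.ip_address(value)  # ValueError on CIDR blocks such as 10.0.0.0/8
    return {"Key": key, "OpValue": op, "Values": values}


def build_request(instance_id, start, end, conditions, page_size=100, page=1, now=None):
    """Assemble the request parameters and enforce the limits stated on this page."""
    now = int(time.time()) if now is None else now
    if start < now - 30 * 86400:
        raise ValueError("StartDate must be within the last 30 days")
    if end <= start:  # sanity check added here, not a rule stated on the page
        raise ValueError("EndDate must be later than StartDate")
    if not 1 <= page_size <= 100:
        raise ValueError("PageSize maximum is 100")
    return {
        "InstanceId": instance_id,
        "Filter": {"DateRange": {"StartDate": start, "EndDate": end},
                   "Conditions": conditions},
        "PageSize": page_size,
        "PageNumber": page,
    }
```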

Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | The returned data. For an example of the format, see Examples. | |
| RequestId | string | The request ID. | D827FCFE-90A7-4330-9326-******4C7726 |
| SecurityEventLogs | array | A list of detailed attack logs. | |
| | any | Each node is an attack log that corresponds to a request. For more information, see the Log field descriptions and Response example sections. | { "remote_region_id": "11***0", "plugin_matched_detail_waf_group": "****", "plugin_matched_block_rule_detail": "****", "querystring": "-", "matched_host": "i-8vbaazr2tboqsq******-443-ecs", "remote_country_id": "CN", "remote_isp_id": "100**8", "request_method": "GET", "plugin_matched_test_rule_detail": "[]", "request_traceid": "0b6261221742197109309484******", "dst_port": "0", "host": "39.99.***.109", "real_client_ip": "47.92.***.14", "request_path": "/.git/HEAD", "server_protocol": "HTTP/1.1", "timestamp": "1742197109" } |
| SecurityEventMetaData | object | The metadata of the returned data. | |
| DateRange | object | The time range used for the query. | |
| StartDate | integer | The start of the time range used for the query. The value is a UNIX timestamp. Unit: seconds. This value is the same as the `StartDate` request parameter. | 1713888000 |
| EndDate | integer | The end of the time range used for the query. The value is a UNIX timestamp. Unit: seconds. This value is the same as the `EndDate` request parameter. | 1713888600 |
| Units | string | The unit of the returned statistical data. | requests |
| SecurityEventLogsTotalCount | integer | The total number of attack logs found. | 1000 |

Log field descriptions

| Field name | Description | Example value |
|---|---|---|
| dst_port | The requested destination port. | 443 |
| host | The Host field in the client request header. This value indicates the accessed domain name or IP address. | api.example.com |
| matched_host | The WAF protected object (cloud product instance or domain name) that the client request matched. | .aliyun**.com |
| plugin_matched_detail_waf_group | The details of the basic protection rule that the request matched, including the matched URI pattern and the raw request URI. | |
| plugin_matched_block_rule_detail | The details of the protection rule in block mode that the request matched, including the rule ID, action, and protection module. | |
| plugin_matched_test_rule_detail | The details of the protection rule in monitor mode that the request matched, including the rule ID, action, and protection module. | |
| querystring | The query string of the client request, which is the part of the URL after the question mark (?). | title=tm_content%3Darticle&pid=123 |
| remote_region_id | The ID of the province to which the IP address belongs. | 410000 |
| remote_country_id | The ID of the country to which the source IP address belongs. | CN |
| remote_isp_id | The ID of the Internet service provider (ISP) to which the source IP address belongs. | 100098 |
| request_method | The client request method. | GET |
| request_traceid | The unique ID that WAF generates for the client request. | 7837b11715410386943437009***** |
| real_client_ip | The actual IP address of the client, as determined by WAF from the request headers. | 192.0.XX.XX |
| request_path | The request path, which is the part of the URL after the domain name and before the question mark (?). This value does not include the query string. | /news/search.php |
| server_protocol | The protocol between the client and WAF. | HTTP/1.1 |
| timestamp | The time when the request was processed by the DPI engine. The value is a UNIX timestamp. Unit: seconds. | 1742197109 |

Response example

{
    "SecurityEventLogsTotalCount": 1,
    "SecurityEventLogs": [
        {
            "remote_region_id": "110000",
            "plugin_matched_detail_waf_group": "{\"uri\":{\"hit\":[\"/.git/\"],\"raw\":\"/.git/\"}}",
            "plugin_matched_block_rule_detail": "[{\"RuleId\":\"12***5\",\"Action\":\"block\",\"DefenseScene\":\"waf_base\",\"RuleType\":\"other\"}]",
            "querystring": "-",
            "matched_host": "i-8vbaazr2tboqsq******-443-ecs",
            "remote_country_id": "CN",
            "remote_isp_id": "100098",
            "request_method": "GET",
            "plugin_matched_test_rule_detail": "[]",
            "request_traceid": "0b6261221742197109309484******",
            "dst_port": "0",
            "host": "39.99.***.109",
            "real_client_ip": "47.92.***.14",
            "request_path": "/.git/HEAD",
            "server_protocol": "HTTP/1.1",
            "timestamp": "1742197109"
        }
    ],
    "SecurityEventMetaData": {
        "DateRange": {
            "StartDate": 1742196600,
            "EndDate": 1742197500
        }
    }
}

Examples

Success response

JSON format

{
  "RequestId": "D827FCFE-90A7-4330-9326-******4C7726\n",
  "SecurityEventLogs": [
    "{\n\t\"remote_region_id\": \"11***0\",\n\t\"plugin_matched_detail_waf_group\": \"****\",\n\t\"plugin_matched_block_rule_detail\": \"****\",\n\t\"querystring\": \"-\",\n\t\"matched_host\": \"i-8vbaazr2tboqsq******-443-ecs\",\n\t\"remote_country_id\": \"CN\",\n\t\"remote_isp_id\": \"100**8\",\n\t\"request_method\": \"GET\",\n\t\"plugin_matched_test_rule_detail\": \"[]\",\n\t\"request_traceid\": \"0b6261221742197109309484******\",\n\t\"dst_port\": \"0\",\n\t\"host\": \"39.99.***.109\",\n\t\"real_client_ip\": \"47.92.***.14\",\n\t\"request_path\": \"/.git/HEAD\",\n\t\"server_protocol\": \"HTTP/1.1\",\n\t\"timestamp\": \"1742197109\"\n}"
  ],
  "SecurityEventMetaData": {
    "DateRange": {
      "StartDate": 1713888000,
      "EndDate": 1713888600
    },
    "Units": "requests"
  },
  "SecurityEventLogsTotalCount": 1000
}
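
Both response samples above carry the rule details as JSON encoded inside string fields, and the "Success response" sample returns each log entry itself as a JSON string. The following added example (written for this page, not Alibaba Cloud SDK code) decodes both shapes and tallies block-mode rule hits; decode_entry, blocked_rule_hits, pages_needed and SAMPLE are hypothetical names, and SAMPLE is constructed from values shown on this page.

```python
import json
from collections import Counter

NESTED = ("plugin_matched_detail_waf_group", "plugin_matched_block_rule_detail",
          "plugin_matched_test_rule_detail")


def decode_entry(entry):
    """Return one attack log as a dict; entries may be objects or JSON strings."""
    log = json.loads(entry) if isinstance(entry, str) else dict(entry)
    for field in NESTED:
        try:
            log[field] = json.loads(log[field])
        except (KeyError, TypeError, ValueError):
            log[field] = None  # absent, masked ("****") or otherwise undecodable
    return log


def blocked_rule_hits(response):
    """Count (RuleId, DefenseScene) pairs over every block-mode rule match."""
    hits = Counter()
    for entry in response.get("SecurityEventLogs", []):
        rules = decode_entry(entry)["plugin_matched_block_rule_detail"]
        for rule in rules if isinstance(rules, list) else []:
            hits[(rule.get("RuleId"), rule.get("DefenseScene"))] += 1
    return hits


def pages_needed(response, page_size):
    """PageNumber values required to read SecurityEventLogsTotalCount entries."""
    return -(-response["SecurityEventLogsTotalCount"] // page_size)


# Constructed sample combining the two response shapes shown on this page.
SAMPLE = {
    "SecurityEventLogsTotalCount": 1000,
    "SecurityEventLogs": [
        {"request_path": "/.git/HEAD", "timestamp": "1742197109",
         "plugin_matched_detail_waf_group": '{"uri":{"hit":["/.git/"],"raw":"/.git/"}}',
         "plugin_matched_block_rule_detail": '[{"RuleId":"12***5","Action":"block",'
                                             '"DefenseScene":"waf_base","RuleType":"other"}]',
         "plugin_matched_test_rule_detail": "[]"},
        json.dumps({"request_path": "/.git/HEAD", "timestamp": "1742197109",
                    "plugin_matched_block_rule_detail": "****",
                    "plugin_matched_test_rule_detail": "[]"}),
    ],
}
```

With the maximum PageSize of 100, the sample's total of 1000 entries takes 10 requests to read in full.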

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | Waf.Report.%s | Invalid parameter:%s. | Invalid parameter:%s |
| 400 | Waf.Report.InternalError | Server error occurred in report service. | Report Service Internal Error |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.