DescribeSecurityEventTimeSeriesMetric - Web Application Firewall

Queries the time series data of attack traffic. Attack requests are requests that hit a rule and are identified as a threat.

Operation description

Attack traffic refers to requests that hit a rule and are identified as a threat. The following data is excluded:

Requests that hit a whitelist rule.
Requests that hit a bot rule where the rule action is "Mark for origin fetch".
Requests that hit a rule with the action "Dynamic Token", "Slider", "Strict Slider", or "JS Challenge", but are allowed because the user passed the verification.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:DescribeSecurityEventTimeSeriesMetric

get

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the Web Application Firewall (WAF) instance. Note Call DescribeInstance to query the ID of the WAF instance.	waf-cn-tl32ast****
Filter	object	Yes	The filter conditions for the query. Multiple filter conditions have a logical AND relationship.
DateRange	object	Yes	The time range to query.
StartDate	integer	Yes	You can query data from the last 30 days. The start time of the query. This is a UNIX timestamp. Unit: seconds. Note The start time must be within the last 30 days.	1713888000
EndDate	integer	Yes	The end time of the query. This is a UNIX timestamp. Unit: seconds.	1713888600
Conditions	array	No	A list of filter conditions. Each node describes one filter condition.
	object	No	A single query condition, which consists of a field name, an operator, and a filter value. For information about the supported field names and operators, see Additional information about request parameters.
Key	string	No	The name of the field to filter. This operation supports all fields.	matched_host
OpValue	string	No	The operator.	eq
Values	any	No	The filter value.	test.waf-top
Metric	string	Yes	Specifies the content of the returned data. Different metrics correspond to different data content. This operation supports the following metrics: mitigated_requests: Returns the time series statistics of blocked requests. monitored_requests: Returns the time series statistics of requests that hit only observation-type rules. mitigated_requests_group_by_defense_scene: Returns data grouped by module. It records a time series graph of the hit count for each module. A single request may hit multiple modules. Therefore, the hit count returned by this metric may not be consistent with the number of requests. mitigated_requests_group_by_block_defense_scene: Returns data grouped by module. It records a time series graph of the number of blocked requests for each module. A single request is blocked by only one module. Therefore, the count returned by this metric is consistent with the number of requests.	mitigated_requests
RegionId	string	No	The region where the WAF instance resides. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
ResourceManagerResourceGroupId	string	No	The ID of the Alibaba Cloud resource group.	rg-acfm***q

Operator descriptions

Operator	Meaning	Description
all-not-match	Not equal to any value	The field value is not equal to any value in the dataset. For example, to filter requests where real_client_ip is not equal to any value in the collection: `{"Key":"real_client_ip","OpValue":"all-not-match","Values":["1.1.1.1","2.2.2.2","3.3.3.3"]}`
contain	Contains	The field value contains a specific string. For example, to filter data where the URL contains "test": `{"Key":"request_path","OpValue":"contain","Values":"test"}`
eq	Equals	The field value equals a specific string. For example, to filter data where the URL equals "/testcase": `{"Key":"request_path","OpValue":"eq","Values":"/testcase"}`
match-one	Equals one of multiple values	The field value is equal to any value in the dataset. For example, to filter requests where real_client_ip is equal to any value in the collection: `{"Key":"real_client_ip","OpValue":"match-one","Values":["1.1.1.1","2.2.2.2","3.3.3.3"]}`
ne	Not equal to	The field value does not equal a specific string. For example, to filter statistics where the URL does not equal "/testcase": `{"Key":"request_path","OpValue":"ne","Values":"/testcase"}`
not-contain	Does not contain	The field value does not contain a specific string. For example, to filter data where the URL does not contain "test": `{"Key":"request_path","OpValue":"not-contain","Values":"test"}`
prefix-match	Prefix match	The field value starts with a specific string. For example, to filter data where the URL prefix is "/testcase": `{"Key":"request_path","OpValue":"prefix-match","Values":"/testcase"}`
suffix-match	Suffix match	The field value ends with a specific string. For example, to filter data where the URL suffix is "/testcase": `{"Key":"request_path","OpValue":"suffix-match","Values":"/testcase"}`

Supported keys for filter conditions

Field name	Description	Supported operators
action	The protection action. This is the final action taken on the request.	ne, eq
cluster	The protection cluster.	ne, eq, match-one, all-not-match
defense_scene	The protection module. A request may hit multiple protection modules. Requests filtered by this field may also hit other modules.	ne, eq
host	The host from the HTTP header.	contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match
http_cookie	The cookie from the HTTP header.	contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match
http_user_agent	The User-Agent from the HTTP header.	contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match
matched_host	The protected object.	ne, eq, match-one, all-not-match
real_client_ip	The source IP address of the request. The parameter that follows the operator must be an IP address string or a list of IP address strings. Queries by CIDR block are not supported.	ne, eq, match-one, all-not-match
remote_country_id	The country to which the source IP address of the HTTP request belongs.	ne, eq, match-one, all-not-match
remote_region_id	The province or city to which the source IP address of the HTTP request belongs.	ne, eq, match-one, all-not-match
request_method	The HTTP request method.	ne, eq, match-one, all-not-match
request_path	The HTTP request URL, excluding the query string.	contain, not-contain, ne, eq, match-one, all-not-match, prefix-match, suffix-match
request_traceid	The unique ID that identifies the request.	ne, eq, match-one, all-not-match
rule_id	The rule ID. A request may hit multiple rules. Requests filtered by this field may also hit other rules.	ne, eq

Response elements

Element	Type	Description	Example
	object	The returned data. For a sample format, see the Examples section.
RequestId	string	The request ID.	D827FCFE-90A7-4330-9326-*****4C7726
SecurityEventTimeSeries	array<object>	The returned time series data. The operation can return time series data for multiple values.
	object	A single set of time series data. The time series data consists of two arrays: `Timestamps` and `Values`. The `Timestamps` array contains a time series with fixed intervals. The `Values` array contains the statistical count for each interval. The two arrays have the same number of nodes, and their data points have a one-to-one correspondence.
Metric	string	The content of the returned data. This is consistent with the `Metric` request parameter.	monitored_requests
Timestamps	array	The time series. Each point represents the start time of a time range.
	string	The start time for each data point. This is a UNIX timestamp string.	[]
Values	array	The data series. Each point represents the statistical count within a specific time range.
	integer	The statistical count for the current time range.	[]
TimeSeriesMetaData	object	The metadata of the returned data.
DateRange	object	The time range used for the query.
StartDate	integer	The start time of the query. This is a UNIX timestamp. Unit: seconds. This value is the same as the `StartDate` request parameter.	1713888000
EndDate	integer	The end time of the query. This is a UNIX timestamp. Unit: seconds. This value is the same as the `EndDate` request parameter.	1713888600
AggregateInterval	string	The time granularity of each data point in the returned time series data. For example, "15m" indicates that each returned data point represents statistics for a 15-minute interval. For more information about the time granularity of the returned data, see the Time granularity of time series data points section.	1m
Units	string	The unit of the returned statistical data.	requests

Time granularity of time series data points

The statistical time granularity of the returned data varies based on the selected time range.

If the time range is less than 3 hours, the time granularity of the data points is 1m (1 minute).
If the time range is 3 hours or more but less than 6 hours, the time granularity of the data points is 5m (5 minutes).
If the time range is 6 hours or more but less than 24 hours, the time granularity of the data points is 15m (15 minutes).
If the time range is 24 hours or more but less than 7 days, the time granularity of the data points is 1h (1 hour).
If the time range is 7 days or more but less than 30 days, the time granularity of the data points is 1d (1 day).

Examples

Success response

JSON format

{
  "RequestId": "D827FCFE-90A7-4330-9326-*****4C7726\n",
  "SecurityEventTimeSeries": [
    {
      "Metric": "monitored_requests",
      "Timestamps": [
        "[]"
      ],
      "Values": [
        0
      ]
    }
  ],
  "TimeSeriesMetaData": {
    "DateRange": {
      "StartDate": 1713888000,
      "EndDate": 1713888600
    },
    "AggregateInterval": "1m",
    "Units": "requests\n"
  }
}

Error codes

HTTP status code	Error code	Error message	Description
400	Waf.Report.%s	Invalid parameter:%s.	Invalid parameter:%s
400	Waf.Report.InternalError	Server error occurred in report service.	Report Service Internal Error

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.