
Web Application Firewall:API Security Policy Configuration

Last Updated: May 22, 2026

This topic describes the built-in policies and custom policy configuration for API security. Based on the built-in detection mechanisms, API security supports custom detection policies that align with your business characteristics. You can configure risk detection, security events, sensitive data, authentication credentials, business purposes, whitelists, lifecycle management, log subscription, and target objects, so that the identified API data better reflects your actual business scenario. This further improves the accuracy and recall rate of API security detection, helping you take appropriate actions based on your business needs and reducing losses caused by attacks on API business assets.

I. Risk detection configuration

A risk refers to a security risk or vulnerability caused by development defects, or management and configuration deficiencies in an API. The difference between a security risk and a security event is that a security risk does not necessarily indicate that an attack has occurred, while a security event indicates an alert triggered by an attack.

Built-in policy configuration

On the Risk Detection Configurations tab of Policy Configuration, you can view the configured risk policies. Built-in policies are enabled by default. You can modify their enable status and adjust risk levels. You can set the risk level of built-in policies to Low, Medium, or High based on your business needs.

Custom policy configuration

In addition to built-in policies, the risk detection configuration allows you to create up to 20 custom policies. The configuration rules for custom policies are as follows.

  1. On the API Security page, select the Policy Configurations > Risk Detection Configurations tab.

  2. In the left pane, click New in the Custom Policies section to open the configuration drawer. The following table describes the configuration parameters.

    Parameter | Description
    --- | ---
    Risk Status | Set the policy status. The default value is Enabled.
    Risk Name | Set a name for the custom risk. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
    Suggestions | Set the handling suggestions for the custom risk policy based on your business needs.
    Risk Level | You can set the risk level to Low, Medium, or High.
    Check Configurations | Set the detection conditions for your custom risk policy. A maximum of 10 conditions are supported.

    The following table describes the detailed configuration for detection settings, including the logical operators and match content examples.

    Note
    • You can enter up to 50 match content items and press Enter to confirm.

    • The match content for Risk Detection Configurations is case-sensitive.

    Detailed Configuration

    Match Field | Sub-condition (Input/Selection Required) | Logical Operator | Match Content Description
    --- | --- | --- | ---
    Domain Name | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter multiple values, up to 50, and press Enter to confirm.
    API | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter multiple values, up to 50, and press Enter to confirm.
    Request Method | Not supported | Equals One of Multiple Values; Does Not Equal Any Value | Multiple selection. You can select GET, POST, DELETE, PUT, and other request methods.
    User-Agent | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter multiple values, up to 50, and press Enter to confirm.
    Referer | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | You can enter multiple values, up to 50, and press Enter to confirm.
    Protocol | Not supported | Equals | List. You can select HTTP or HTTPS.
    Request Content-Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can enter multiple values, up to 50, and press Enter to confirm.
    Request Length | Not supported | Equals; Less Than; Greater Than | An integer from 0 to 8192.
    Response Content-Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | You can enter multiple values, up to 50, and press Enter to confirm.
    Response Length | Not supported | Equals; Less Than; Greater Than | An integer from 0 to 8192.
    Response Status Code | Not supported | Equals One of Multiple Values; Does Not Equal Any Value | You can enter multiple values, up to 50, and press Enter to confirm.
    Request Header | Custom Header | Exists; Does Not Exist; Length Equals; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | -
    Cookie Parameter | Custom Cookie-Exact | Exists; Does Not Exist; Length Equals; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | -
    GET Parameter | Custom Parameter | Exists; Does Not Exist; Length Equals; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | -
    POST Parameter | Custom Post-Arg | Exists; Does Not Exist; Length Equals; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | -
    Response Header | Response Header | Exists; Does Not Exist; Length Equals; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | -
    Response Parameter | Response Parameter | Exists; Does Not Exist; Length Equals; Length Less Than; Length Greater Than; Contains One of Multiple Values; Does Not Contain Any Value | -
    Business Purpose | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | Business purpose list. Multiple selections are supported. Note: For more information about business purpose types, see How does API security classify API business purposes.
    Service Object | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | Service object list. Multiple selections are supported. Note: For more information about service object types, see How does API security distinguish service objects of APIs.
    Authentication | Not supported | Equals | YES/NO
    Request Sensitive Data Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Number of Types Greater Than | Select sensitive data types from the list. Multiple selections are supported. Under the "Number of Types Greater Than" condition, enter an integer from 0 to 8192.
    Request Sensitive Data Level | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | S1-S4. Multiple selections are supported.
    Response Sensitive Data Type | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Number of Types Greater Than | Select sensitive data types from the list. Multiple selections are supported. Under the "Number of Types Greater Than" condition, enter an integer from 0 to 8192.
    Response Sensitive Data Level | Not supported | Contains One of Multiple Values; Does Not Contain Any Value | S1-S4. Multiple selections are supported.
    Response Sensitive Data | Select response sensitive data from the list. Multiple selections are supported. | Count Greater Than | An integer from 0 to 8192.
    Source Geographic Location | Not supported | Equals | CN / NOT-CN
    IP Address | Not supported | Belongs To; Does Not Belong To | Enter an IP address or IP/mask (for example, 1.1.X.X/24). Regular expressions are not supported. You can enter up to 50 entries, separated by commas (,), or press Enter to confirm.
    Account (Security Events Only) | Not supported | Equals One of Multiple Values; Does Not Equal Any Value | You can enter multiple values, up to 50, and press Enter to confirm.

  3. After completing the custom configuration, click OK to save the configuration.

II. Security event configuration

A security event indicates that an API has experienced abnormal calls or attack behavior, such as a brute-force attack on a login API or abuse of an SMS sending API for SMS bombing. Built-in event detection uses IP addresses and accounts as the detection dimensions.

Built-in policy configuration

When a built-in security event policy triggers an alert, if the attack continues, no new alert will be generated. However, the attack time of the existing alert will be updated, and the alert severity level may change based on factors such as the attack volume.

On the Security Event Configurations tab of Policy Configuration, you can view the configured security event policies. Built-in policies are enabled by default. You can modify their enable status and adjust risk levels.

Custom policy configuration

In addition to built-in policies, the security event configuration allows you to create up to 10 custom policies. The configuration rules for custom policies are as follows.

  1. On the API Security page, select the Policy Configurations > Security Event Configurations tab.

  2. In the left pane, click New in the Custom Policies section to open the configuration drawer. The following table describes the configuration parameters.

    Parameter | Description
    --- | ---
    Event Status | Set the policy status. The default value is Enabled.
    Event Name | Set a name for the custom event. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
    Suggestions | Set the handling suggestions for the custom security event based on your business needs.
    Event Level | You can set the event level to Low, Medium, or High.
    Match Condition | Set the detection conditions for your custom security event policy. A maximum of 10 conditions are supported. Note: If multiple conditions are defined, the rule is triggered only when all conditions are met.
    Rate Limiting | Set Statistical Object to IP or Account; set Statistical Period with a granularity in minutes, up to 15 minutes; set Requests to a positive integer only.
    Data Statistics | Set the statistical conditions for your custom security event policy. A maximum of 10 conditions are supported.

    For detailed configuration of match conditions, including the corresponding logical operators and match content examples, see Detailed Configuration in the Risk Detection section.

    Note
    • You can enter up to 50 match content items and press Enter to confirm.

    • The match content for Security Event Configurations is case-sensitive.

    The following table describes the detailed configuration for data statistics, including the logical operators and match content examples.

    Detailed Configuration

    Match Field | Sub-condition (Input/Selection Required) | Logical Operator | Match Content Description
    --- | --- | --- | ---
    Status Code Statistics | Status code (an integer from 100 to 600) | Greater Than | An integer from 0 to 8192.
    Request Header | Custom Header | Deduplicated Count Less Than; Deduplicated Count Equals; Deduplicated Count Greater Than | An integer from 0 to 8192.
    Cookie Parameter | Custom Cookie-Exact | Deduplicated Count Less Than; Deduplicated Count Equals; Deduplicated Count Greater Than | An integer from 0 to 8192.
    GET Parameter | Custom Parameter | Deduplicated Count Less Than; Deduplicated Count Equals; Deduplicated Count Greater Than | An integer from 0 to 8192.
    POST Parameter | Custom Post-Arg | Deduplicated Count Less Than; Deduplicated Count Equals; Deduplicated Count Greater Than | An integer from 0 to 8192.
    Response Sensitive Data Type | Select response sensitive data types. Multiple selections are supported. | Deduplicated Count Greater Than | An integer from 0 to 8192.
    Response Sensitive Data Level | Select response sensitive data levels. Multiple selections are supported. | Deduplicated Count Greater Than | An integer from 0 to 8192.
    Source IP Count Statistics | Set the source IP count threshold. | Greater Than | An integer from 0 to 8192.

    Note

    By default, API security analyzes response sensitive data by sampling. If you configure response sensitive data types or response sensitive data levels in custom security event policies, enable the Traceability switch for the corresponding protected object in Policy Configurations > Applicable Object Configurations, so that all response sensitive data for that protected object is recorded and analyzed rather than sampled.

  3. After completing the custom configuration, click OK to save the configuration.
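As an added example (not product code), the following Python models how the conditions described in sections I and II combine: a risk policy is evaluated against static API attributes, and a security event policy adds the Rate Limiting and Data Statistics steps on a stream of requests. Field names mirror the Match Field column; the API inventory, the traffic, the thresholds and the 10.0.0.0/8 office range are constructed for illustration.

```python
"""Added example (not product code) of how custom policies are evaluated: a risk
policy tests static API attributes (section I); a security event policy adds rate
limiting and data statistics (section II). Field names mirror the Match Field
column; assets, traffic, thresholds and the 10.0.0.0/8 office range are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network


def matches(value, operator, content):
    """One logical operator from the Detailed Configuration tables (case-sensitive).
    For a list-valued field "Contains" is membership, for a string it is a substring
    test; Python's `in` gives both."""
    if operator == "Equals":
        return value == content
    if operator == "Equals One of Multiple Values":
        return value in content
    if operator == "Does Not Equal Any Value":
        return value not in content
    if operator == "Contains One of Multiple Values":
        return any(v in value for v in content)
    if operator == "Does Not Contain Any Value":
        return not any(v in value for v in content)
    if operator == "Belongs To":
        return any(ip_address(value) in ip_network(c, strict=False) for c in content)
    if operator == "Does Not Belong To":
        return not matches(value, "Belongs To", content)
    raise ValueError(f"unsupported operator: {operator}")


def policy_matches(record, conditions):
    """Conditions are ANDed: the rule fires only when all of them hold."""
    return all(matches(record.get(f, ""), op, c) for f, op, c in conditions)


# Risk policy: an API that accepts unauthenticated calls yet returns S3/S4 data.
RISK_POLICY = [
    ("Authentication", "Equals", "NO"),
    ("Response Sensitive Data Level", "Contains One of Multiple Values", ["S3", "S4"]),
]
API_ASSETS = [  # constructed inventory
    {"API": "/api/v1/getuserbyid", "Authentication": "NO", "Response Sensitive Data Level": ["S3"]},
    {"API": "/api/v1/login", "Authentication": "NO", "Response Sensitive Data Level": ["S1"]},
    {"API": "/api/v1/profile", "Authentication": "YES", "Response Sensitive Data Level": ["S4"]},
]


def risky_apis(assets, policy=RISK_POLICY):
    return [a["API"] for a in assets if policy_matches(a, policy)]


# Security event policy: many distinct usernames tried on the login API from one IP.
EVENT_POLICY = {
    "conditions": [
        ("API", "Equals One of Multiple Values", ["/api/v1/login"]),
        ("Request Method", "Equals One of Multiple Values", ["POST"]),
        ("IP Address", "Does Not Belong To", ["10.0.0.0/8"]),  # office range, excluded
    ],
    # Rate Limiting: Statistical Object, Statistical Period (minutes, at most 15), Requests
    "rate_limit": {"object": "IP Address", "period_minutes": 5, "requests": 20},
    # Data Statistics: distinct values of one POST parameter inside the period
    "statistics": [("POST Parameter", "username", "Deduplicated Count Greater Than", 10)],
}


def security_events(requests, policy=EVENT_POLICY):
    """Return the statistical objects (here source IPs) for which an alert is raised."""
    rl = policy["rate_limit"]
    window = rl["period_minutes"] * 60
    recent = defaultdict(list)  # statistical object -> matching requests in the period
    alerted = set()
    for req in sorted(requests, key=lambda r: r["ts"]):
        if not policy_matches(req, policy["conditions"]):
            continue
        key = req[rl["object"]]
        bucket = [r for r in recent[key] if r["ts"] > req["ts"] - window] + [req]
        recent[key] = bucket
        if len(bucket) < rl["requests"]:
            continue
        if all(len({r[field].get(name) for r in bucket}) > threshold
               for field, name, op, threshold in policy["statistics"]
               if op == "Deduplicated Count Greater Than"):
            alerted.add(key)  # a continuing attack updates this alert rather than adding one
    return sorted(alerted)


def make_requests():
    """Constructed login traffic over four minutes: an external IP cycling through 12
    usernames, one user retrying a single account, and the same burst from the office range."""
    base, reqs = 1716452318, []
    for i in range(25):
        for ip, user in (("203.0.113.10", f"user{i % 12}"), ("198.51.100.7", "alice"),
                         ("10.1.2.3", f"user{i}")):
            reqs.append({"ts": base + 10 * i, "API": "/api/v1/login", "Request Method": "POST",
                         "IP Address": ip, "POST Parameter": {"username": user, "password": "x"}})
    return reqs
```

Only 203.0.113.10 trips the event policy: the retrying user never exceeds the deduplicated-count threshold, and the office range fails the Does Not Belong To condition before any counting happens.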

III. Sensitive Data-related Configurations

On the Sensitive Data-related Configurations tab of Policy Configuration, you can view and configure the following items.

  • Sensitive Data Type: The system has built-in detection logic for common sensitive data types such as ID numbers and mobile phone numbers. You can also customize sensitive data types based on your business needs.

  • API Real-Time Data Masking: The intelligent protection feature based on the AI baseline engine can autonomously learn API structures and identify sensitive data in real time to achieve fine-grained automatic data masking. This feature requires no manual pre-defined fields and can flexibly adapt to complex business scenarios to meet compliance requirements such as cross-border data transfer, achieving fully automatic real-time protection.

Sensitive Data Type

On the Sensitive Data-related Configurations tab, click Sensitive Data Type in the left-side list to view and configure the following items:

Built-in Sensitive Data Types

Built-in system policies are enabled by default. They cannot be edited, modified, or deleted. You can only enable or disable them.

Custom Sensitive Data Types

If your business defines its own sensitive data, you can configure custom sensitive data detection rules. You can configure up to 20 custom policies for sensitive data.

Click Create Policy to configure settings in the drawer page that appears. Currently, you can configure custom policies in two modes: Basic and Expert.

Configuration Item

Description

Name

Set a name for the rule.

Mode

Set the detection mode of the custom policy.

  • Basic: Provides a simplified configuration interface for ease of use.

    After you select Basic, you need to set the Characters and Length.

    • Characters: Supports detection of digits, uppercase letters, and lowercase letters. Multiple selections are allowed.

    • Length: The supported detection length range is 6 to 64, and the start and end values must be integers.

  • Expert: Enter the regular expression for detection. To avoid misidentification, ensure that the matched characters are no fewer than 6 characters.

Sensitivity Level

Set the sensitivity level of detected sensitive data. Options: S1, S2, S3, S4.

Note

For more information about sensitive data types, see What sensitive data can API Security detect.

De-identification Display

On the Sensitive Data Configuration tab, the De-identification Display switch is provided. It is disabled by default, meaning data is not displayed in a masked format.

After data masking is enabled, the following information is masked:

  • In Risk Details and API Details, sensitive data in all fields of request and response samples is replaced with the placeholder {{Phone}} by default.

  • In the Event Details of security events, request and response data samples containing sensitive data are masked and displayed as {}.

  • Request Cookie in sample information is masked as {{Cookie}}, Request Header containing Token is masked as {{XXXToken}}, and Response SetCookie is masked as {{SetCookie}}.

The scope of effect of the data masking feature is as follows:

  • Risk Details and API Details: Applies only to new request and response data sample information.

  • Event Details: Applies to both new and existing request and response data sample information.
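As an added example (not product code) covering both the custom sensitive data types above and the De-identification Display placeholders, the following Python turns a Basic-mode definition (character classes plus a 6 to 64 length range) into a detector and then masks a request/response sample the way the placeholders are described. The Phone regex, the OrderNo type and its {{OrderNo}} placeholder, and the sample itself are constructed.

```python
"""Added example (not product code): a Basic-mode custom sensitive data type becomes a
detector, and De-identification Display placeholders are applied to a sample. The Phone
regex, the OrderNo type, the placeholder {{OrderNo}} and the sample are constructed."""
import re

CLASSES = {"digits": "0-9", "uppercase": "A-Z", "lowercase": "a-z"}


def basic_mode_pattern(characters, min_len, max_len):
    """Basic mode: selected character classes and a length range within 6 to 64."""
    if not characters or not (6 <= min_len <= max_len <= 64):
        raise ValueError("select at least one class; length must lie within 6 to 64")
    cls = "".join(CLASSES[c] for c in characters)
    # lookarounds stop a run from being cut out of a longer run of the same classes
    return re.compile(rf"(?<![{cls}])[{cls}]{{{min_len},{max_len}}}(?![{cls}])")


def expert_mode_pattern(regex):
    """Expert mode: user-supplied regex; matches shorter than 6 chars are dropped at scan time."""
    return re.compile(regex)


DETECTORS = {  # placeholder name -> detector; earlier entries win on overlapping text
    "Phone": expert_mode_pattern(r"(?<!\d)1\d{10}(?!\d)"),  # constructed 11-digit mobile number
    "OrderNo": basic_mode_pattern(["uppercase", "digits"], 10, 12),
}


def mask_text(text, detectors=DETECTORS, min_match=6):
    """Replace each detected value with {{Type}}, as Risk Details and API Details do."""
    for type_name, pattern in detectors.items():
        def replace(m, t=type_name):
            # the Expert-mode rule of thumb: never mask on a match shorter than 6 chars
            return "{{" + t + "}}" if len(m.group()) >= min_match else m.group()
        text = pattern.sub(replace, text)
    return text


def mask_headers(headers):
    """Cookie, Set-Cookie and any header whose name contains Token are masked wholesale."""
    out = {}
    for name, value in headers.items():
        lower = name.lower()
        if lower == "cookie":
            out[name] = "{{Cookie}}"
        elif lower == "set-cookie":
            out[name] = "{{SetCookie}}"
        elif "token" in lower:
            out[name] = "{{XXXToken}}"
        else:
            out[name] = mask_text(value)
    return out


def mask_sample(sample):
    """Mask one request/response sample of the shape shown in Risk Details."""
    return {
        "request_header": mask_headers(sample["request_header"]),
        "response_header": mask_headers(sample["response_header"]),
        "response_body": mask_text(sample["response_body"]),
    }


SAMPLE = {  # constructed sample; no real credentials or numbers
    "request_header": {"Host": "api.example.com", "Cookie": "sid=abc123", "X-Auth-Token": "tok-xyz"},
    "response_header": {"Set-Cookie": "sid=def456; HttpOnly", "Content-Type": "application/json"},
    "response_body": '{"name":"alice","phone":"13800138000","order":"AB1234567890","note":"ok"}',
}
```

Note that the OrderNo class (uppercase plus digits, 10 to 12 characters) would also match an 11-digit phone number, so detector order decides which placeholder wins on overlapping text; keep the more specific type first.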

API Real-Time Data Masking

On the Sensitive Data-related Configurations tab, click API Real-Time Data Masking in the left-side list, and then click Create Template to configure a masking template.

  • Template Name: Set a recognizable template name.

  • Masking Rule Configuration: Click Create Rule to configure specific masking rules. Multiple rules can be configured.

    • Rule Name: Set a recognizable rule name.

    • Sensitive Data Type: Select the data types to be masked. Only built-in sensitive data types are supported.

    • Match Condition: Set HTTP conditions to trigger the rule. 0 to 5 conditions can be configured. If no conditions are configured, the rule is triggered for all HTTP requests.

      Note

      If a rule contains multiple conditions, the request must meet all conditions (logical AND) to trigger the rule. For detailed descriptions of match fields and logical operators, see Match conditions.

    • Data Processing Method: The following two processing methods are supported.

      • Mask: Masks the data. You need to further set a specific masking Action. Options: Clear and Masking.

      • Monitor: Does not mask data, only logs are recorded.

  • Apply To: Specify the API assets to which the rule applies. Only assets with high, medium, or low sensitivity levels are supported. Each target object can have only one masking template configured.

After the template is created, wait 10 to 20 minutes for the masking rules to take effect for newly added target objects. To view API masking logs, go to the Security reports page.

For created templates, the following management operations are supported:

  • Enable or disable the template and rules.

  • Add rules to the template.

  • Edit the template and rule information.

  • Delete templates and rules.

IV. Authentication credentials configuration

If you use unconventional fields as your authentication fields in your business, or use authentication field names with weak characteristics such as pure digits, we recommend that you configure custom authentication credentials. Based on the built-in authentication credential detection, you can specify parameter names to help the built-in model accurately identify whether a request carries authentication credentials, thereby improving API security and the accuracy of unauthenticated risk detection.

  1. On the API Security page, select the Policy Configurations > Authentication Credential Configurations tab.

  2. Click Create Policy, complete the following configurations, and then click OK.

    Configuration Item | Description
    --- | ---
    Name | Set a name for the policy. Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-) are supported.
    Match Condition | Each condition consists of Match Field, Logical Operator, and Match Content. Up to 10 conditions are supported. Add at least one match condition for Request Header, Request Cookie, Request Query, or Request Body. Note: If multiple conditions are defined, the rule is triggered only when all conditions are met simultaneously. For detailed configuration of match conditions, see the following table for the corresponding logical operators and match content examples.

    Note
    • You can enter up to 50 match values and press Enter to confirm.

    • Match content for Authentication Credential Configurations is case-sensitive.

    Detailed Configuration

    Match Field | Sub-condition (Input/Selection Required) | Logical Operator | Match Content Description
    --- | --- | --- | ---
    Domain | Not supported | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.
    API | Not supported | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.
    Request Header | Custom Header | Exists; Length Equals; Length Less Than; Length Greater Than | -
    Request Cookie | Custom Cookie-Exact | Exists; Length Equals; Length Less Than; Length Greater Than | -
    Request Query | Custom Parameter | Exists; Length Equals; Length Less Than; Length Greater Than | -
    Request Body | Custom Post-Arg | Exists; Length Equals; Length Less Than; Length Greater Than | -

V. Business purpose configuration

API Security provides the following two types of business purpose policies:

Built-in policy configuration

Built-in business purpose policies are provided for multiple scenarios, including data update, data sharing, mobile SMS sending, and information sending. Built-in policies are enabled by default and cannot be modified or deleted. You can enable or disable each policy as needed.

Custom policy configuration

If the built-in policies do not meet your business needs, you can customize URL features and parameter name features to further improve the detection accuracy of API Security in specific business scenarios.

  1. On the API Security page, select the Policy Configurations > Business Purpose tab.

  2. Click Custom Policy to enter custom policy management. Click Create Policy, complete the following configurations, and then click OK to save your configuration.

Note
  • You can enter up to 50 match values and press Enter to confirm.

  • Match content for Business Purpose is case-sensitive.

Detailed Configuration

Match Field | Logical Operator | Match Content
--- | --- | ---
Domain | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.
API | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.
Request Header Parameter Name | Equals Any of Multiple Values; Contains Any of Multiple Values | Multiple values can be entered, up to 50. Press Enter to confirm.
Request Cookie Parameter Name | Equals Any of Multiple Values; Contains Any of Multiple Values | Multiple values can be entered, up to 50. Press Enter to confirm.
Request Query Parameter Name | Equals Any of Multiple Values; Contains Any of Multiple Values | Multiple values can be entered, up to 50. Press Enter to confirm.
Request Body Parameter Name | Equals Any of Multiple Values; Contains Any of Multiple Values | Multiple values can be entered, up to 50. Press Enter to confirm.
Request Sensitive Data Type | Equals Any of Multiple Values; Contains Any of Multiple Values | Select from the request sensitive data type list. Multiple selections are allowed.
Response Sensitive Data Type | Equals Any of Multiple Values; Contains Any of Multiple Values | Select from the response sensitive data type list. Multiple selections are allowed.
Response Parameter Name | Equals Any of Multiple Values; Contains Any of Multiple Values | Multiple values can be entered, up to 50. Press Enter to confirm.

VI. Allowlist configuration

The allowlist configuration feature of API security enables you to customize allowlists for security events and risk detection. This helps you filter out unnecessary alert noise based on your actual business scenarios—for example, alerts generated by IP addresses from your office network—and improve operational efficiency.

  1. On the API Security page, select the Policy Configurations > Configure Whitelist tab.

  2. Click Create Policy, enter a name for the policy, and select the feature type for which you want to configure an allowlist. Currently, you can configure allowlists for Risk Detection and Security Events.

  3. Configure the match conditions based on the feature type you selected.

    Note
    • A maximum of 10 match conditions are supported.

    • Match conditions for Configure Whitelist are case-sensitive.

    Risk detection allowlist match conditions

    Match Field | Logical Operator | Match Content
    --- | --- | ---
    Domain | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.
    API | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.

    Security event allowlist match conditions

    Match Field | Logical Operator | Match Content
    --- | --- | ---
    Domain | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.
    API | Contains Any of Multiple Values; Does Not Contain Any Value; Equals Any of Multiple Values; Does Not Equal Any Value | Multiple values can be entered, up to 50. Press Enter to confirm.
    IP | Belongs To; Does Not Belong To | Enter an IP address or IP/mask (for example, 1.1.X.X/24). Regular expressions are not supported. Enter up to 50 entries, separated with commas (,) or by pressing Enter.

  4. Select the risk detection or security event types to exclude, and click OK to save the configuration.

    Note

    Excluded types support both built-in and custom options, and multiple selections are allowed.

VII. Lifecycle management

API security allows you to customize the criteria for identifying inactive APIs by setting daily visit counts and duration thresholds. This makes inactive API detection more aligned with your actual business situation. Lifecycle management helps you identify inactive APIs that meet your custom criteria, so you can take timely actions and prevent attackers from exploiting inactive APIs, avoiding unnecessary business losses.

  1. On the API Security page, select the Policy Configurations > Lifecycle Management tab.

  2. After setting the criteria for identifying inactive APIs, click OK.

    • Click Built-in Model.

      This uses the built-in criteria: an API is considered inactive if it has no visits in the last 8 days or if its traffic has dropped significantly.

    • Click Custom, and set the daily visit count and duration (up to 31 days).

      If an API's daily visit count is below the specified threshold for the custom duration, the API is identified as inactive.

Important

If an asset's Last Active Time exceeds 30 days, the system automatically deletes the asset and its associated risk data and security event records.

VIII. Log subscription

After you enable log subscription for asset information, risk information, or event information, logs are delivered to a specified LogStore that you created in the Log Service console when the delivery conditions are met. This allows you to centrally manage and operate logs using the features of Alibaba Cloud Log Service (SLS).

Note

Currently, only WAF instances in the Chinese mainland can deliver logs to LogStores in the Chinese mainland, and non-Chinese mainland WAF instances can deliver logs to non-Chinese mainland LogStores. Cross-region log delivery between the Chinese mainland and non-Chinese mainland is not supported.

Activate the service-linked role

If you have not activated the Web Application Firewall service-linked role, you must do so before using the API security log subscription service. Follow the prompts to activate the role, which authorizes WAF to access your other cloud resources. For details about service-linked roles, see Service-linked roles. If you have already completed authorization when activating features such as WAF log service, skip this step.

Log subscription configuration

  1. Before configuring API security log subscription tasks, open the Log Service console and create the Project and LogStore where you want to receive log subscriptions. If you have already created the target LogStore and verified that its name complies with the naming rules, proceed to the next step.

    Note

    The log subscription feature currently does not support using a LogStore that was automatically created by Log Service, or a LogStore custom-named "waf-logstore", "wafng-logstore", or "wafnew-logstore", as the log subscription destination.

  2. After creation, return to the log subscription tab to configure subscriptions for asset information, risk information, and attack event information. If you want to query and analyze logs delivered to the specified LogStore in the Log Service console, enable indexing first. For details, see Create indexes.

  3. Select the log type for the subscription task and click the Settings button to go to the configuration page.

  4. Select the region where the LogStore is located, along with the Project name and LogStore name, and click the OK button to save the configuration. After the configuration is complete and logs are generated, you can return to the corresponding LogStore in the Log Service console to query and analyze the logs. If you want to process the logs—for example, to perform data masking—see Data Processing.

  5. If you disable the log subscription task and no longer need the existing logs, delete the corresponding LogStore after disabling the task on the Log Subscription tab to avoid ongoing charges. For details, see How to Disable Log Service or Stop Billing.

The following describes the trigger conditions and detailed field descriptions for log subscription tasks.

Important
  • Creating cloud resources in Log Service and enabling indexing incur additional charges billed by the Log Service product. For billing items and pricing, see Log Service Billing Overview.

  • Charges may still accrue after you create a Project or LogStore but have not enabled the log subscription task. When you are sure that you no longer need the created LogStore, delete it promptly to avoid additional charges. For details, see Why Charges Accrue When Only a Project and LogStore Are Created.

Asset information logs

Log subscription trigger conditions:

  1. Asset information logs are delivered immediately after new API assets are added.

  2. If no new API assets are added, asset information logs are delivered on a scheduled basis every hour by default.

Asset Information Log Fields

Field Name | Description | Field Format | Example
--- | --- | --- | ---
user_id | Customer UID | string | 123456
service_host | Domain | string | api.aliyun.com
api_format | API path | string | /api/v1/getuserbyid/${param}
request_method | Request method | string | GET
api_tag | Business purpose | object [] | ['QueryInfo']
api_type | Service target | object [] | ['PublicAPI']
auth_key | Authentication field | object [] | ['id_token', 'access_token']
api_status | Lifecycle | string | NewbornInterface
api_sensitive_level | API sensitivity level | string | L1
api_sensitive_req | Request sensitive data types | object [] | ['1014', '1017', '1002']
api_sensitive_res | Response sensitive data types | object [] | ['1009', '1013', '1003', '1014', '1002']
farthest_ts | First discovery time | long | 1713237135
lastest_ts | Last active time | long | 1716452318
abnormal_num | Number of risks | integer | 1
event_num | Number of events | integer | 2
struct_baseline | Parameter structure | object | ['{"key":"Trace-Id","location":"request_header","format":"string","required":"true"}', '{"key":"pageNum","location":"request_query","format":"integer","required":"true"}', '{"key":"tlogTraceId","location":"response_header","format":"integer","required":"true"}', '{"key":"Strict-Transport-Security","location":"request_header","format":"string","required":"true"}', '{"key":"X-Forwarded-ClientSrcPort","location":"request_header","format":"integer","required":"true"}', '{"key":"Trace-State","location":"request_header","format":"string","required":"true"}', '{"key":"auth","location":"request_header","format":"string","required":"true"}', '{"key":"Access-Control-Max-Age","location":"response_header","format":"integer","required":"true"}', '{"key":"Enterprise-Hash","location":"request_header","format":"string","required":"true"}', '{"key":"X-Request-ID","location":"request_header","format":"string","required":"true"}', '{"key":"postName","location":"request_query","format":"string","required":"true"}', '{"key":"pageSize","location":"request_query","format":"integer","required":"true"}']
matched_hosts | Protected object | object [] | ['*.aliyun.com-waf']
hosts | Domain | object [] | ['api.aliyun.com']
server_port | Port | object [] | ['443']
server_location | Origin server country | object [] | ['CN']
api_id | Unique API ID | string | af418cb31036015fddea71b48d06aa4b
log_type | Log type | string | asset
request_header | Request header | JSON | {"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"}
querystring | Request URL parameters | string | 

?token=7464f593205896e23b1286ba7532dcff

request_body

Request body

string

xxx=1

response_header

Response header

JSON

{"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"}

response_body

Response body

string

xxxx

example_timestamp

Example timestamp

long

1718546694

example_traceid

Example trace ID

string

784e2ca717213678365778292e58de

Risk information logs

Log subscription trigger condition: When new risk information is detected, the risk information logs are delivered to the specified LogStore.

Risk Information Log Fields

| Field Name | Description | Field Format | Example |
| --- | --- | --- | --- |
| user_id | Customer UID | string | 123456 |
| service_host | Domain | string | api.aliyun.com |
| api_format | API path | string | /api/v1/login |
| request_method | Request method | string | POST |
| api_tag | Business purpose | object [] | ['LoginAPI'] |
| abnormal_tag | Risk name | string | Risk_DefaultPasswd |
| abnormal_type | Risk type (custom/built-in) | string | default |
| abnormal_level | Risk level | string | medium |
| abnormal_discover_ts | Risk discovery time | long | 1716343432 |
| abnormal_info | Risk information | object | {'default_passwd':'aliyun123'} |
| api_id | Unique API ID | string | 2c0f97e10b586208039e60671150bd9b |
| abnormal_id | Unique risk ID | string | 8cfccc0e8c3d41aa1221e94a2fdeffe3 |
| log_type | Log type | string | risk |
| matched_hosts | Protected object | object [] | ['*.aliyun.com-waf'] |
| request_header | Request header | JSON | {"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"} |
| querystring | Request URL parameters | string | ?token=7464f593205896e23b1286ba7532dcff |
| request_body | Request body | string | xxx=1 |
| response_header | Response header | JSON | {"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"} |
| response_body | Response body | string | xxxx |
| example_timestamp | Example timestamp | long | 1718546694 |
| example_traceid | Example trace ID | string | 784e2ca717213678365778****58de |

Attack event information logs

Log subscription trigger conditions:

  1. When a new attack event is detected, the new attack event information logs are delivered to the specified LogStore.

  2. If the attack continues, the attack event information logs are continuously delivered to the specified LogStore at 10-minute intervals.

Attack Event Information Log Fields

| Field Name | Description | Field Format | Example |
| --- | --- | --- | --- |
| user_id | Customer UID | string | 123456 |
| service_host | Domain | string | api.aliyun.com |
| matched_host | Protected object | string | api.aliyun.com-waf |
| host | Domain | string | api.aliyun.com |
| api_format | API path | string | /api/admin/login |
| request_method | Request method | string | POST |
| api_tag | Business purpose | object [] | ['AdminService', 'LoginService'] |
| event_tag | Event name | string | Event_LoginCollision |
| event_origin | Event type (custom/built-in) | string | default |
| event_level | Event level | string | high |
| start_ts | Attack start time | long | 1713886210 |
| end_ts | Attack end time | long | 1713887817 |
| attack_cnt | Total attacks | integer | 147 |
| attack_ip_info | Attack IP information | object [] | [{'ip':'103.44.XX.XXX', 'country_id':'HK', 'region_id':'-', 'cnt':'147'}] |
| api_id | Unique API ID | string | 4dfc73b37d2d645fe2ca7f45c08f7398 |
| event_id | Event ID | string | f09f6802e9b57a58ebb9f1bea212027e |
| log_type | Log type | string | event |
| request_data | Sample request data | JSON | {'1002':['张三','李四','陈六'],'1004':['13200000001','15200000002']} |
| response_data | Sample response data | JSON | {'postarg.userId':['lisi111','zhangsan123'],'postarg.corpId':['wx1111111'],'postarg.externalUserid':['wm7_KpDgOm6Bm-BGA']} |

Log subscription field value descriptions

If you need to understand the meaning of field values in logs or see how they map to names displayed in the console while analyzing or querying logs, refer to the following tables. The Description column shows the corresponding name for each field value as it appears in the Web Application Firewall console.

Lifecycle (api_status)

| Field Value | Description |
| --- | --- |
| NewbornInterface | New |
| OfflineInterface | Inactive |
| normal | Normal |

Service Target (api_type)

| Field Value | Description |
| --- | --- |
| PublicAPI | Public Service |
| ThirdpartAPI | Third-party Collaboration |
| InternalAPI | Internal Office |

Business Purpose (api_tag)

| Field Value | Description |
| --- | --- |
| LoginByUserPasswd | Username and Password Login |
| LoginByPhoneCode | SMS Verification Code Login |
| LoginByMailCode | Email Verification Code Login |
| WeChatLogin | WeChat Login |
| AliPayLogin | Alipay Login |
| OAuthLogin | OAuth Authentication |
| OIDCLogin | OIDC Authentication |
| SAMLLogin | SAML Authentication |
| SSOLogin | SSO Authentication |
| LoginAPI | Login Service |
| LogoutAPI | Logout |
| RegisterByUserPasswd | Username and Password Registration |
| RegisterByPhoneCode | SMS Verification Code Registration |
| RegisterByMailCode | Email Verification Code Registration |
| WeChatRegister | WeChat Registration |
| AliPayRegister | Alipay Registration |
| RegisterAPI | Registration Service |
| SendSMS | SMS Sending |
| SendMail | Email Sending |
| ResetPasswd | Password Reset |
| CheckVerifyCode | Verification Code Check |
| CheckStatus | Status Check |
| QueryOrder | Order Query |
| ExportOrder | Order Export |
| UpdateOrder | Order Update |
| PayOrder | Order Payment |
| QueryLog | Log Query |
| UploadLog | Log Reporting |
| DownloadLog | Log Export |
| LogService | Log Service |
| GraphQL | GraphQL |
| SqlService | SQL Service |
| FileUpload | File Upload |
| FileDownload | File Download |
| FileService | File Service |
| AdminService | Admin Management |
| DashBoard | Dashboard |
| MonitorService | Monitoring Service |
| SendInfo | Data Sending |
| CheckInfo | Data Check |
| QueryInfo | Data Query |
| UploadInfo | Data Upload |
| DownloadInfo | Data Download |
| AddInfo | Add Data |
| EditInfo | Edit Data |
| UpdateInfo | Data Update |
| ShareInfo | Data Sharing |
| DeleteInfo | Data Deletion |
| SyncInfo | Data Sync |
| SubmitInfo | Data Submission |
| CopyInfo | Data Copy |
| AuditInfo | Data Audit |
| SaveInfo | Data Save |
| CancelOp | Cancel |
| StartOp | Start |
| BatchOp | Batch Processing |
| PauseOp | Pause |
| BindOp | Bind |
| DebugOp | Debug |
| SetOp | Settings |
| ShutDown | Shut Down |

Request Sensitive Data Type, Response Sensitive Data Type (api_sensitive_req, api_sensitive_res)

| Field Value | Description |
| --- | --- |
| 1000 | ID Card Number (Chinese Mainland) |
| 1001 | Debit Card |
| 1002 | Name (Simplified Chinese) |
| 1003 | Address (Chinese Mainland) |
| 1004 | Mobile Number (Chinese Mainland) |
| 1005 | Email |
| 1006 | Passport Number (Chinese Mainland) |
| 1007 | Hong Kong and Macao Travel Permit |
| 1008 | License Plate Number (Chinese Mainland) |
| 1009 | Phone Number (Chinese Mainland) |
| 1010 | Military Officer Certificate |
| 1011 | Gender |
| 1012 | Ethnicity |
| 1013 | Province (Chinese Mainland) |
| 1014 | City (Chinese Mainland) |
| 1015 | ID Card Number (Hong Kong) |
| 1016 | Name (Traditional Chinese) |
| 1017 | Name (English) |
| 1018 | ID Card Number (Malaysia) |
| 1019 | ID Card Number (Singapore) |
| 1020 | Credit Card |
| 1022 | SWIFT Code |
| 1023 | SSN |
| 1024 | Telephone Number (United States) |
| 1025 | Religious Belief |
| 2000 | IP Address |
| 2001 | MAC Address |
| 2002 | JDBC Connection String |
| 2003 | PEM Certificate |
| 2004 | Private Key |
| 2005 | AccessKey ID |
| 2006 | AccessKey Secret |
| 2007 | IPv6 Address |
| 2009 | Date |
| 2010 | IMEI |
| 2011 | MEID |
| 2013 | Linux Password File |
| 2014 | Linux Shadow File |
| 2015 | URL |
| 4000 | Business License Number |
| 4001 | Tax Registration Certificate Number |
| 4002 | Organization Code |
| 4003 | Unified Social Credit Code |
| 4004 | Vehicle Identification Number |

Risk Type (risk)

| Field Value | Description |
| --- | --- |
| RiskType_Specification | Security Specification |
| Risk_UnsafeHttpMethod | Unsafe HTTP Method |
| Risk_WeakSignAlgorithm | Weak JWT Signing Algorithm |
| Risk_UrlParam | URL as Parameter |
| RiskType_Account | Account Security |
| Risk_PasswdUnencrypt | Plaintext Password Transmission |
| Risk_WeakPasswd | Weak Password Allowed |
| Risk_InternalWeakPasswd | Weak Password in Internal Application |
| Risk_DefaultPasswd | Default Password Exists |
| Risk_PasswdResponse | Plaintext Password Returned |
| Risk_PasswdCookie | Password Stored in Cookie |
| Risk_LoginRestrict | Login API Lacks Restrictions |
| Risk_LoginPrompt | Unreasonable Login Failure Prompt |
| Risk_PasswdUrl | Username and Password Transmitted via URL |
| RiskType_Control | Access Control |
| Risk_InternalAPI | Internal Application Accessible from Public Network |
| Risk_SourceRestrict | API Does Not Restrict Access Source |
| Risk_ClientRestrict | API Does Not Restrict Access Tool |
| Risk_SpeedRestrict | API Does Not Restrict Access Rate |
| RiskType_Permission | Permission Management |
| Risk_WeakToken | Weak Authentication Credential |
| Risk_UnauthSensitive | Sensitive API Without Authentication |
| Risk_UnauthInternalAPI | Internal API Accessible Without Authorization |
| Risk_TokenUrl | Credential Transmitted via URL |
| Risk_AkLeak | AK Information Leak |
| RiskType_Sensitive | Data Protection |
| Risk_SensitiveTypeExcessive | Excessive Types of Sensitive Data Returned |
| Risk_SensitiveNumExcessive | Excessive Amount of Sensitive Data Returned |
| Risk_InvalidDesensitize | Sensitive Data Not Effectively Desensitized |
| Risk_ServerInfoLeak | Server Sensitive Information Leak |
| Risk_InternalIPLeak | Internal IP Address Leaked |
| Risk_SensitiveURL | Sensitive Data Transmitted via URL |
| RiskType_Design | API Design |
| Risk_ParamTraverse | Traversable Request Parameter |
| Risk_PageSize | Modifiable Response Data Size |
| Risk_SqlAPI | Database Query |
| Risk_RceAPI | Command Execution API |
| Risk_SmsContent | Arbitrary SMS Content Sending |
| Risk_MailContent | Arbitrary Email Content Sending |
| Risk_SmsVerifyCodeLeak | SMS Verification Code Leak |
| Risk_MailVerifyCodeLeak | Email Verification Code Leak |
| Risk_FileDownload | Specified File Download |
| Risk_ExceptionLeak | Application Exception Information Leak |
| Risk_ExceptionSql | Database Exception Information Leak |

Event Type (event)

| Field Value | Description |
| --- | --- |
| Event_AbnormalFrequency | Abnormal High-Frequency Access |
| Event_ExceptionIPInvoke | Internal API Accessed from Abnormal IP |
| Event_ExceptionRegionInvoke | Internal API Accessed from Abnormal Region |
| Event_ExceptionClientInvoke | Accessed via Abnormal Tool |
| Event_ExceptionTimeInvoke | Accessed During Abnormal Time Period |
| Event_AbnormalParamValue | Access with Abnormal Parameter Value |
| Event_InternalLoginWeakPasswd | Internal Application Login with Weak Password |
| Event_LoginAccountBruteForce | Username Brute Force |
| Event_LoginPasswdBruteForce | Login Password Brute Force |
| Event_LoginCollision | Credential Stuffing Attack |
| Event_MobileVerifyBruteForce | SMS Verification Code Brute Force |
| Event_MailVerifyBruteForce | Email Verification Code Brute Force |
| Event_AbnormalRegister | Batch Registration |
| Event_SMSInterfaceAbuse | Malicious SMS Resource Consumption |
| Event_EmailInterfaceAbuse | Malicious Email Resource Consumption |
| Event_AbnormalExport | Batch Download |
| Event_DataTraverse | API Data Traversal and Scraping |
| Event_WebAttackAPI | Malicious Attack on API |
| Event_ObtainSensitiveUnauthorized | Unauthorized Access to Sensitive Data |
| Event_ObtainSensitiveExcessive | Access to Large Amount of Sensitive Data |
| Event_CrossborderIPSensitiveExcessive | Large Amount of Sensitive Data Accessed from Overseas IP |
| Event_ExceptionResponse | Abnormal Error Message in API Response |
| Event_ExceptionSql | Database Error Message in API Response |
| Event_SystemInfoResponse | System Sensitive Information in API Response |
| Event_AbnormalStatus | Abnormal API Response Status |
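As an added example (not part of this topic or of the WAF product), the following Python helper consumes one record of each log type (asset, risk, event) as exported from a subscription LogStore, maps the coded field values to their console names using the tables above, and normalises list-valued fields, which the field examples above render as Python-style literals rather than JSON arrays. The record contents, host name, IP address and the subset of mappings are constructed for illustration.

```python
import ast
import json
# Code-to-console-name maps copied from the field value tables above (a subset only).
API_STATUS = {"NewbornInterface": "New", "OfflineInterface": "Inactive", "normal": "Normal"}
SENSITIVE_TYPES = {"1002": "Name (Simplified Chinese)", "1004": "Mobile Number (Chinese Mainland)",
                   "1009": "Phone Number (Chinese Mainland)", "2006": "AccessKey Secret"}
RISK_NAMES = {"Risk_DefaultPasswd": "Default Password Exists", "Risk_WeakToken": "Weak Authentication Credential"}
EVENT_NAMES = {"Event_LoginCollision": "Credential Stuffing Attack", "Event_DataTraverse": "API Data Traversal and Scraping"}

# Constructed records (not real WAF output), shaped like the asset/risk/event fields above.
SAMPLE_LOG_LINES = [
    '{"log_type":"asset","service_host":"api.example.com","api_format":"/api/v1/getuserbyid/${param}",'
    '"request_method":"GET","api_status":"NewbornInterface","api_sensitive_res":"[\'1009\', \'1002\']"}',
    '{"log_type":"risk","service_host":"api.example.com","api_format":"/api/v1/login","request_method":"POST",'
    '"abnormal_tag":"Risk_DefaultPasswd","abnormal_level":"medium","abnormal_discover_ts":1716343432}',
    '{"log_type":"event","service_host":"api.example.com","api_format":"/api/admin/login","request_method":"POST",'
    '"event_tag":"Event_LoginCollision","event_level":"high","start_ts":1713886210,"end_ts":1713887817,'
    '"attack_cnt":147,"attack_ip_info":[{"ip":"203.0.113.10","country_id":"HK","region_id":"-","cnt":"147"}]}',
]

def as_list(value):
    """List fields may arrive as a JSON array or as a Python-style literal string like "['1009', '1002']"."""
    if isinstance(value, list):
        return value
    if isinstance(value, str) and value.startswith("["):
        return list(ast.literal_eval(value))
    return [] if value in (None, "") else [value]

def triage(record):
    """Summarise one subscription log record, dispatching on log_type."""
    kind = record["log_type"]
    out = {"log_type": kind, "api": f"{record['request_method']} {record['service_host']}{record['api_format']}"}
    if kind == "asset":
        out["lifecycle"] = API_STATUS.get(record.get("api_status"), record.get("api_status"))
        codes = as_list(record.get("api_sensitive_res"))
        out["response_sensitive"] = [SENSITIVE_TYPES.get(c, f"unknown({c})") for c in codes]
    elif kind == "risk":
        out["risk"] = RISK_NAMES.get(record["abnormal_tag"], record["abnormal_tag"])
        out["level"] = record["abnormal_level"]
    elif kind == "event":
        # Events are re-delivered every 10 minutes while the attack continues, so compare rates, not raw counts.
        duration = max(record["end_ts"] - record["start_ts"], 1)
        out["event"] = EVENT_NAMES.get(record["event_tag"], record["event_tag"])
        out["requests_per_minute"] = round(record["attack_cnt"] * 60 / duration, 1)
        out["source_countries"] = sorted({ip["country_id"] for ip in as_list(record["attack_ip_info"])})
    return out

def triage_lines(lines):
    """Parse JSON log lines (one record per line) and triage each."""
    return [triage(json.loads(line)) for line in lines]
```

Unknown codes are kept as `unknown(<code>)` rather than dropped, so a mapping table that lags behind newly added sensitive data types is visible in the output instead of silently hiding data.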

IX. Target object configuration

Subscription-based WAF

API Security provides three switches at the protection object or protection object group level that control whether its features take effect:

  • Basic Detection switch: Enabled by default. Controls whether all built-in detection mechanisms and custom detection policies take effect.

  • Compliance Check switch: Disabled by default. Can be enabled only after the Basic Detection switch is enabled. Controls whether the Compliance Check feature takes effect.

  • Traceability switch: Disabled by default. Can be enabled only after the Basic Detection switch is enabled. Controls whether the Traceability feature takes effect.

Pay-as-you-go WAF

API Security provides one switch at the protection object or protection object group level that controls whether the feature takes effect:

  • Basic Detection switch: Controls whether all built-in detection mechanisms and custom detection policies take effect. To disable the API Security feature, disable the Basic Detection switch for all protection objects and protection object groups.