Web Application Firewall:API security policy configuration

Last Updated: Nov 28, 2025

This topic describes how to configure built-in and custom policies for API Security. In addition to its built-in detection mechanisms, API Security lets you define custom detection policies that are specific to your business requirements. You can configure policies for risk detection, security events, sensitive data, authentication credentials, business purposes, whitelists, lifecycle management, log subscriptions, and effective objects. These configurations tailor API data identification to your business needs. This improves the accuracy and recall rate of API security detection and helps you respond to threats and reduce losses from attacks on your API assets.

1. Risk detection configuration

A security risk is a weakness in an API introduced by defects in development, management, or configuration (for example, a missing authentication check or a default password). A risk does not by itself mean that an attack has occurred. A security event, by contrast, is an alert generated by an actual attack on an API.

Built-in policy configuration

On the Risk Detection Configuration tab of the Policy Configuration page, you can view configured risk policies. For built-in policies, you can enable or disable them and adjust their risk levels. You can set the risk level of a built-in policy to Low, Medium, or High, as needed.

Custom policy configuration

In addition to built-in policies, you can create up to 20 custom risk detection policies. To create a custom policy, follow these steps.

  1. On the API Security page, go to the Policy Configurations > Risk Detection Configurations tab.

  2. In the Custom Policy section on the left, click New. In the panel that appears, configure the parameters that are described in the following table.

    Parameter

    Description

    Risk Status

    Set the policy status. The default value is On.

    Risk Name

    Set the name for the custom risk. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).

    Suggestions

    Set the recommended action for the custom risk policy based on your business needs.

    Risk Level

    Set the risk level. Valid values are Low, Medium, and High.

    Check Configurations

    Set the detection conditions for your custom risk policy. You can add up to 10 conditions.

    The following table describes the detailed configurations for detection settings, including logical operators and examples of match content.

    Note
    • You can enter up to 50 values for Match Content. Press the Enter key after you enter each value.

    • The match content for Risk Detection Configurations is case-sensitive.

    Detailed configuration

    Match Field | Sub-condition (Enter/Select) | Logical Operator | Match Content
    Domain Name | Not supported | Contains one of multiple values; Does not contain any value; Equals one of multiple values; Does not equal any value | Enter up to 50 values. Press the Enter key after each value.
    API | Not supported | Contains one of multiple values; Does not contain any value; Equals one of multiple values; Does not equal any value | Enter up to 50 values. Press the Enter key after each value.
    Request Method | Not supported | Equals one of multiple values; Does not equal any value | Select one or more request methods, such as GET, POST, PUT, and DELETE.
    User-Agent | Not supported | Contains one of multiple values; Does not contain any value; Equals one of multiple values; Does not equal any value | Enter up to 50 values. Press the Enter key after each value.
    Referer | Not supported | Contains one of multiple values; Does not contain any value; Equals one of multiple values; Does not equal any value | Enter up to 50 values. Press the Enter key after each value.
    Communication Protocol | Not supported | Equals | Select HTTP or HTTPS from the list.
    Request Content-Type | Not supported | Contains one of multiple values; Does not contain any value | Enter up to 50 values. Press the Enter key after each value.
    Request Length | Not supported | Equals; Is less than; Is greater than | Enter an integer from 0 to 8192.
    Response Content-Type | Not supported | Contains one of multiple values; Does not contain any value | Enter up to 50 values. Press the Enter key after each value.
    Response Length | Not supported | Equals; Is less than; Is greater than | Enter an integer from 0 to 8192.
    HTTP Status Code | Not supported | Equals one of multiple values; Does not equal any value | Enter up to 50 values. Press the Enter key after each value.
    Request Header | Custom Header (enter the header name) | Exists; Does not exist; Length equals; Length less than; Length greater than; Contains one of multiple values; Does not contain any value | -
    Cookie Parameter | Custom Cookie-Exact (enter the cookie name) | Exists; Does not exist; Length equals; Length less than; Length greater than; Contains one of multiple values; Does not contain any value | -
    GET Parameter | Custom Parameter (enter the parameter name) | Exists; Does not exist; Length equals; Length less than; Length greater than; Contains one of multiple values; Does not contain any value | -
    POST Parameter | Custom Post-Arg (enter the parameter name) | Exists; Does not exist; Length equals; Length less than; Length greater than; Contains one of multiple values; Does not contain any value | -
    Response Header | Response Header (enter the header name) | Exists; Does not exist; Length equals; Length less than; Length greater than; Contains one of multiple values; Does not contain any value | -
    Response Parameter | Response Parameter (enter the parameter name) | Exists; Does not exist; Length equals; Length less than; Length greater than; Contains one of multiple values; Does not contain any value | -
    Purpose | Not supported | Contains any of; Contains none of | Select one or more business purposes from the list. For more information about business purpose types, see How API Security classifies API business purposes.
    Service Object | Not supported | Contains any of; Contains none of | Select one or more service objects from the list. For more information about service object types, see How API Security classifies API service objects.
    Authentication | Not supported | Is | YES or NO
    Request Sensitive Data Type | Not supported | Contains any of; Contains none of; Number of types is greater than | Select one or more sensitive data types from the list. For "Number of types is greater than", enter an integer from 0 to 8192.
    Sensitivity Level of Request Sensitive Data | Not supported | Contains any of; Contains none of | Select one or more levels from S1 to S4.
    Response Sensitive Data Type | Not supported | Contains any of; Contains none of; Number of types is greater than | Select one or more sensitive data types from the list. For "Number of types is greater than", enter an integer from 0 to 8192.
    Sensitivity Level of Response Sensitive Data | Not supported | Contains any of; Contains none of | Select one or more levels from S1 to S4.
    Response Sensitive Data | Select one or more response sensitive data types from the list | Count is greater than | Enter an integer from 0 to 8192.
    Source Location | Not supported | Equals | CN or NOT-CN
    IP | Not supported | Belongs to; Does not belong to | Enter an IP address or an IP address range in CIDR block format (for example, 1.1.X.X/24). Regular expressions are not supported. You can enter up to 50 values, separated by commas (,) or by pressing the Enter key.
    Account (Security Events Only) | Not supported | Equals one of multiple values; Does not equal any value | Enter up to 50 values. Press the Enter key after each value.

    The "Contains" operators match a substring anywhere in the field; the "Equals" operators require the whole field to match one of the listed values. Both are case-sensitive, so a header value of Bearer does not match bearer.

  3. After you complete the custom configuration, click OK.
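A custom risk policy is just a list of conditions that must all hold for one API call, so it is worth dry-running a draft policy against recorded traffic before you save it in the console. The following Python is an added example written for this page, not Alibaba Cloud's detection engine: it implements the operator semantics documented above (case-sensitive string matching, 1 to 10 conditions joined with AND, at most 50 values per condition, CIDR membership with no regular expressions for the IP field, and "number of types is greater than" for sensitive-data fields). The field names, operator labels, the policy and the sample record are constructed for the example.

```python
"""Dry-run evaluator for API Security custom risk-detection conditions.

Added example, not Alibaba Cloud code. It applies the operator semantics
documented above (case-sensitive matching, 1 to 10 conditions that must all
hold, at most 50 values per condition, CIDR membership for the IP field with
no regular expressions, "number of types is greater than" for sensitive-data
fields) so a policy can be tested against recorded traffic before it is
created. Field names, operator labels and the sample record are constructed.
"""
import ipaddress

MAX_CONDITIONS, MAX_VALUES = 10, 50

# Fields whose value is a set of labels rather than one string.
LIST_FIELDS = {"Purpose", "Service Object", "Request Sensitive Data Type",
               "Response Sensitive Data Type", "Sensitivity Level of Request Sensitive Data",
               "Sensitivity Level of Response Sensitive Data"}


def evaluate_condition(cond, record):
    """Evaluate one condition {"field", "sub", "op", "values"} against a record.

    "sub" names one header/cookie/parameter inside a dict-valued field such as
    "Request Header". All string comparisons are case-sensitive.
    """
    values = cond.get("values", [])
    if len(values) > MAX_VALUES:
        raise ValueError("at most 50 match values per condition")
    value = record.get(cond["field"])
    if cond.get("sub") is not None:
        value = (value or {}).get(cond["sub"])
    op, field = cond["op"], cond["field"]

    if op == "exists":
        return value is not None
    if op == "does not exist":
        return value is None
    if value is None:
        return False  # an absent field never satisfies a value test

    if field in LIST_FIELDS:
        overlap = set(value) & set(values)
        if op == "contains any of":
            return bool(overlap)
        if op == "contains none of":
            return not overlap
        if op == "number of types is greater than":
            return len(set(value)) > int(values[0])
    elif field == "IP":
        ip = ipaddress.ip_address(value)
        hit = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
        if op in ("belongs to", "does not belong to"):
            return hit if op == "belongs to" else not hit
    else:
        if op == "equals one of":
            return value in values
        if op == "does not equal any":
            return value not in values
        if op == "contains one of":
            return any(v in value for v in values)
        if op == "does not contain any":
            return not any(v in value for v in values)
        if op in ("length equals", "length less than", "length greater than"):
            n, limit = len(value), int(values[0])
            return {"length equals": n == limit, "length less than": n < limit,
                    "length greater than": n > limit}[op]
        if op in ("equals", "is less than", "is greater than"):  # Request/Response Length
            n, limit = int(value), int(values[0])
            return {"equals": n == limit, "is less than": n < limit,
                    "is greater than": n > limit}[op]
    raise ValueError(f"operator {op!r} is not valid for field {field!r}")


def policy_hits(policy, record):
    """A policy is hit only when every one of its conditions is met."""
    conds = policy["conditions"]
    if not 1 <= len(conds) <= MAX_CONDITIONS:
        raise ValueError("a policy needs 1 to 10 conditions")
    return all(evaluate_condition(c, record) for c in conds)


# Constructed policy: an unauthenticated GET from outside the office ranges
# whose response carries S3/S4 sensitive data.
SAMPLE_POLICY = {
    "name": "Custom_UnauthSensitiveRead", "level": "High",
    "conditions": [
        {"field": "Request Method", "op": "equals one of", "values": ["GET"]},
        {"field": "Authentication", "op": "equals one of", "values": ["NO"]},
        {"field": "Sensitivity Level of Response Sensitive Data", "op": "contains any of",
         "values": ["S3", "S4"]},
        {"field": "IP", "op": "does not belong to", "values": ["10.0.0.0/8", "198.51.100.0/24"]},
        {"field": "Request Header", "sub": "Authorization", "op": "does not exist"},
    ],
}

# Constructed record for one observed API call.
SAMPLE_RECORD = {
    "Domain Name": "api.example.com", "API": "/api/v1/getuserbyid/${param}",
    "Request Method": "GET", "Authentication": "NO", "IP": "203.0.113.7",
    "Request Header": {"Host": "api.example.com", "User-Agent": "python-requests/2.31"},
    "Response Sensitive Data Type": ["Phone", "IDCard"],
    "Sensitivity Level of Response Sensitive Data": ["S3"],
}

if __name__ == "__main__":
    print(SAMPLE_POLICY["name"], "hit:", policy_hits(SAMPLE_POLICY, SAMPLE_RECORD))
```

Run it over a day of sampled traffic and count hits per API before enabling the policy; a condition that fires on every call (for example, a "contains one of" on a common User-Agent token) is usually better expressed with an "equals" operator or an extra IP exclusion.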

2. Security event configuration

A security event is an abnormal call or an attack on an API. Examples include brute-force attacks on logon APIs and message flooding attacks that abuse SMS APIs. Built-in event detection performs detection based on the IP address and account dimensions.

Built-in policy configuration

After a built-in security event policy triggers an alert, it does not generate a new alert if the same attack continues. Instead, the attack time of the original alert is updated. The alert level may also change based on factors such as the attack volume.

On the Security Event Configurations tab of the Policy Configurations page, you can view configured security event policies. You cannot edit or delete built-in policies.

Custom policy configuration

In addition to built-in policies, you can create up to 10 custom security event policies. To create a custom policy, follow these steps.

  1. On the API Security page, go to the Policy Configurations > Security Event Configurations tab.

  2. In the Custom Policy section on the left, click New. In the panel that appears, configure the parameters that are described in the following table.

    Parameter

    Description

    Event Status

    Set the policy status. The default value is On.

    Event Name

    Set the name for the custom event. The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).

    Suggestions

    Set the recommended action for the custom security event based on your business needs.

    Event Level

    Set the risk level. Valid values are Low, Medium, and High.

    Match Condition

    Set the detection conditions for your custom security event policy. You can add up to 10 conditions.

    Note

    If you define multiple conditions, a rule is hit only when all conditions are met.

    Rate Limiting

    Set Statistical Object to IP or Account. Set Statistical Period in minutes, with a maximum of 15 minutes. Set Requests to a positive integer.

    Data Statistics

    Set the statistical conditions for your custom security event policy. You can add up to 10 conditions.

    For detailed information about match conditions, logical operators, and examples of match content, see the Detailed configuration table in the Risk detection configuration section.

    Note
    • You can enter up to 50 values for Match Content. Press the Enter key after you enter each value.

    • The match content for Security Event Configurations is case-sensitive.

    The following table describes the detailed configurations for data statistics, including logical operators and examples of match content.

    Detailed configuration

    Match Field | Sub-condition (Enter/Select) | Logical Operator | Match Content
    Status Code Statistics | Status code (integer from 100 to 600) | Value greater than | Enter an integer from 0 to 8192.
    Request Header | Custom Header (enter the header name) | Distinct less than; Distinct equals; Distinct greater than | Enter an integer from 0 to 8192.
    Cookie Parameter | Custom Cookie-Exact (enter the cookie name) | Distinct less than; Distinct equals; Distinct greater than | Enter an integer from 0 to 8192.
    GET Parameter | Custom Parameter (enter the parameter name) | Distinct less than; Distinct equals; Distinct greater than | Enter an integer from 0 to 8192.
    POST Parameter | Custom Post-Arg (enter the parameter name) | Distinct less than; Distinct equals; Distinct greater than | Enter an integer from 0 to 8192.
    Response Sensitive Data Type | Select one or more response sensitive data types | Distinct less than; Distinct equals; Distinct greater than | Enter an integer from 0 to 8192.
    Sensitivity Level of Response Sensitive Data | Select one or more response sensitive data levels | Distinct greater than | Enter an integer from 0 to 8192.
    Source IP Count | Set the value for source IP count statistics | Value greater than | Enter an integer from 0 to 8192.

    The Distinct operators count how many different values the named header, cookie, or parameter takes within the statistical period for one statistical object (for example, the number of different usernames tried from one IP address), whereas Value greater than compares a plain count.

  3. After you complete the custom configuration, click OK.
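The three parts of a custom security event policy (match condition, rate limit on a statistical object, and data statistics over the same window) are easiest to understand as a sliding-window computation. The Python below is an added example written for this page, not Alibaba Cloud's detector: it evaluates a constructed login brute-force policy over constructed traffic, and models the documented alert behaviour in which a continuing attack updates the existing alert's time and count instead of opening a new one. The field names, thresholds and sample requests are all assumptions made for the example.

```python
"""Sliding-window detector for an API Security custom security event.

Added example, not Alibaba Cloud code. It models the policy shape described
above: a Match Condition (all parts must hold), Rate Limiting on a
Statistical Object (ip or account) over a Statistical Period of at most 15
minutes, and Data Statistics evaluated over the same window (a status-code
count and the number of distinct values of a POST parameter). When the same
attack continues, the existing alert's end time and count are updated instead
of a new alert being opened. Field names, thresholds and the sample traffic
are constructed for this example.
"""
from collections import defaultdict, deque

POLICY = {
    "name": "Custom_LoginBruteForce",
    "level": "High",
    "match": {"API": "/api/admin/login", "Request Method": "POST"},
    "rate_limit": {"object": "ip", "period_min": 5, "requests": 20},
    "data_stats": [
        {"kind": "status_code", "code": 401, "op": "value_gt", "n": 15},
        {"kind": "post_param", "name": "username", "op": "distinct_gt", "n": 10},
    ],
}


class EventDetector:
    def __init__(self, policy):
        period = policy["rate_limit"]["period_min"]
        if not 1 <= period <= 15:
            raise ValueError("Statistical Period is 1 to 15 minutes")
        self.policy = policy
        self.window = period * 60
        self.buckets = defaultdict(deque)  # statistical object -> matching requests in window
        self.alerts = {}                   # statistical object -> open alert

    def _matches(self, req):
        return all(req.get(k) == v for k, v in self.policy["match"].items())

    def _stats_hit(self, reqs):
        for stat in self.policy["data_stats"]:
            if stat["kind"] == "status_code":
                value = sum(1 for r in reqs if r["status"] == stat["code"])
            else:  # distinct values of one POST parameter within the window
                value = len({r["post_args"].get(stat["name"]) for r in reqs} - {None})
            if value <= stat["n"]:
                return False
        return True

    def feed(self, req):
        """Process one request in time order; return the alert when the policy is hit."""
        if not self._matches(req):
            return None
        key = req[self.policy["rate_limit"]["object"]]
        window = self.buckets[key]
        window.append(req)
        while req["ts"] - window[0]["ts"] > self.window:
            window.popleft()
        if len(window) < self.policy["rate_limit"]["requests"] or not self._stats_hit(window):
            return None
        alert = self.alerts.get(key)
        if alert is None:
            alert = {"event_tag": self.policy["name"], "event_level": self.policy["level"],
                     "object": key, "start_ts": window[0]["ts"], "end_ts": req["ts"],
                     "attack_cnt": len(window)}
            self.alerts[key] = alert
        else:  # continuing attack: update the open alert, do not re-alert
            alert["end_ts"] = req["ts"]
            alert["attack_cnt"] += 1
        return alert


def run_sample():
    """Replay constructed traffic: one legitimate login, then 30 password-spray
    attempts from a single IP, each with a different username, 5 s apart."""
    base = 1_700_000_000
    traffic = [{"ts": base - 30, "ip": "203.0.113.5", "account": "alice", "API": "/api/admin/login",
                "Request Method": "POST", "status": 200, "post_args": {"username": "alice"}}]
    traffic += [{"ts": base + 5 * i, "ip": "198.51.100.9", "account": "-", "API": "/api/admin/login",
                 "Request Method": "POST", "status": 401, "post_args": {"username": f"user{i:02d}"}}
                for i in range(30)]
    detector = EventDetector(POLICY)
    first_hit_ts, alert = None, None
    for req in traffic:
        hit = detector.feed(req)
        if hit and first_hit_ts is None:
            first_hit_ts = req["ts"]
        alert = hit or alert
    return {"first_hit_ts": first_hit_ts, "alerts_opened": len(detector.alerts), "alert": alert}


if __name__ == "__main__":
    print(run_sample())
```

Switching the statistical object from ip to account changes what the window is keyed on: the same 30 attempts would then be split across 30 single-request windows and never reach the threshold, which is why password spraying is caught per IP while credential stuffing against one account is caught per account.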

3. Sensitive data configuration

On the Sensitive Data-related Configurations tab of the Policy Configurations page, you can search, filter, and view configured sensitive data policies.

Data masking display

The Sensitive Data-related Configurations tab has a De-identification Display switch. This switch is disabled by default, which means data is not masked.

When data masking is enabled, the following information is masked:

  • In Risk Details and API Details, sensitive data in all fields of request and response samples is replaced with a placeholder, such as {{Phone}}.

  • In the Event Details of a security event, request and response data samples that contain sensitive data are masked as {}.

  • In sample information, Request Cookie is masked as {{Cookie}}, a Request Header that contains a token is masked as {{XXXToken}}, and Response Set-Cookie is masked as {{SetCookie}}.

The data masking feature applies to the following items:

  • Risk Details and API Details: The feature applies only to new request and response data samples.

  • Event Details: The feature applies to both new and existing request and response data samples.

Built-in policy configuration

You cannot edit, modify, or delete built-in policies. You can only enable or disable them.

Custom policy configuration

If your business uses custom sensitive data, you can configure custom sensitive data detection rules. You can create up to 20 custom policies. To create a custom policy, follow these steps.

  1. On the API Security page, go to the Policy Configuration > Sensitive Data-related Configurations tab.

  2. Click Create Policy. In the panel that appears, configure the parameters. You can create a custom policy in Basic Mode or Expert Mode.

    Parameter

    Description

    Name

    Set a name for the rule.

    The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).

    Mode

    Set the detection mode for the custom policy.

    • Basic: Provides a simple configuration interface for ease of use.

      If you select Basic mode, you must set the Characters and Length for detection.

      • Characters: You can select one or more character types to detect, including digits, uppercase letters, and lowercase letters.

      • Length: The supported length range is 6 to 64. The start and end values must be integers.

    • Expert: Supports regular expressions.

      If you select Expert mode, you must enter a regular expression for detection. To avoid false positives, make sure the regular expression matches at least 6 characters.

    Sensitivity Level

    Set the level of the sensitive data to be detected. Valid values: S1, S2, S3, and S4.

    Note

    For more information about sensitive data types, see What sensitive data can API Security detect.

  3. After you complete the custom configuration, click OK.
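The Basic and Expert modes above, and the placeholder masking described under Data masking display, are straightforward to model so you can check what a custom rule will and will not catch before enabling it. The Python below is an added example written for this page, not Alibaba Cloud's implementation: Basic mode is modelled as the documented character types plus a 6 to 64 length range compiled to a regular expression, Expert mode takes a regular expression and applies a quick probe for patterns that match fewer than 6 characters (a heuristic stand-in for the documented false-positive guard, not the console's own check), and detected values are replaced with {{RuleName}} placeholders the way Risk Details samples are masked. The rule names and the sample response body are constructed.

```python
"""Custom sensitive-data rules and De-identification Display placeholders.

Added example, not Alibaba Cloud code. Basic mode is modelled as character
types plus a 6-64 length range compiled to a regex; Expert mode takes a regex
and is rejected when a probe shows it matching fewer than 6 characters (a
heuristic, not the console's own check). Matches are then replaced with
{{RuleName}} placeholders. Rule names and the sample body are constructed.
"""
import re

CHAR_CLASSES = {"digits": "0-9", "uppercase": "A-Z", "lowercase": "a-z"}
MIN_MATCH = 6


def basic_rule(name, chars, min_len, max_len):
    """Compile a Basic-mode rule. The lookarounds stop a run from matching inside
    a longer run of the same characters (an 11-digit phone is not a 10-digit ID)."""
    if not chars or not 6 <= min_len <= max_len <= 64:
        raise ValueError("Basic mode needs at least one character type and a 6-64 length range")
    cls = "".join(CHAR_CLASSES[c] for c in chars)
    pattern = rf"(?<![{cls}])[{cls}]{{{min_len},{max_len}}}(?![{cls}])"
    return name, re.compile(pattern)


def expert_rule(name, pattern):
    """Compile an Expert-mode rule, refusing patterns that match short strings."""
    rx = re.compile(pattern)
    probes = ["", "a", "Z", "7", "abc12", "ABCDE", "12345", "-a1B2"]
    for probe in probes:
        m = rx.search(probe)
        if m and len(m.group(0)) < MIN_MATCH:
            raise ValueError(f"rule {name!r} matches {len(m.group(0))} chars; need at least {MIN_MATCH}")
    return name, rx


def mask(text, rules):
    """Replace every match of each rule with a {{RuleName}} placeholder."""
    for name, rx in rules:
        text = rx.sub("{{%s}}" % name, text)
    return text


RULES = [
    expert_rule("SessionTicket", r"TK-[A-Z0-9]{12}"),
    basic_rule("EmployeeNo", ["digits"], 10, 10),
]

# Constructed response body sample, as it would appear in Risk Details.
SAMPLE_BODY = ('{"userId":"u-1029384756","phone":"13200000001",'
               '"ticket":"TK-7F3A9B2C1D0E","note":"ok"}')


def demo():
    return mask(SAMPLE_BODY, RULES)


if __name__ == "__main__":
    print(demo())
```

The 11-digit phone number in the sample is left alone by the 10-digit EmployeeNo rule because of the lookarounds; without them a length-bounded Basic rule would mask a substring of every longer number it met, which is the kind of false positive the minimum length and the built-in phone type are meant to avoid.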

4. Authentication credential configuration

If your business uses non-standard fields or fields with weak features (such as all-numeric names) for authentication, you can configure custom authentication credentials. In addition to the built-in credential detection, you can specify parameter names. This helps the built-in model accurately determine whether a request contains authentication credentials. This improves API security and the accuracy of unauthenticated risk detection.

  1. On the API Security page, go to the Policy Configuration > Authentication Credential Configurations tab.

  2. Click Create Policy, configure the parameters, and then click OK.

    Parameter

    Description

    Name

    Set a name for the policy.

    The name can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).

    Match Condition

    Each condition consists of a Match Field, a Logical Operator, and Match Content. You can add up to 10 conditions. When configuring, add at least one match condition for Request Header, Request Cookie, Request Query, or Request Body.

    Note

    If you define multiple conditions, a rule is hit only when all conditions are met.

    The following table describes the detailed configurations for match conditions, including logical operators and examples of match content.

    Note
    • You can enter up to 50 values for Match Content. Press the Enter key after you enter each value.

    • The match content for Authentication Credential Configurations is case-sensitive.

    Detailed configuration

    Match Field | Sub-condition (Enter/Select) | Logical Operator | Match Content Description
    Domain Name | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.
    API | Not supported | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.
    Request Header | Custom Header (enter the header name) | Exists; Length Equal To; Length Less Than; Length Greater Than | -
    Request Cookie | Custom Cookie-Exact (enter the cookie name) | Exists; Length Equal To; Length Less Than; Length Greater Than | -
    Request Query | Custom Parameter (enter the parameter name) | Exists; Length Equal To; Length Less Than; Length Greater Than | -
    Request Body | Custom Post-Arg (enter the parameter name) | Exists; Length Equal To; Length Less Than; Length Greater Than | -

5. Business purpose configuration

API Security provides two types of business purpose policy configurations:

Built-in policy configuration

Business purpose policies are supported for multiple scenarios, such as data updates, data sharing, text message sending, and information sending. You cannot modify or delete built-in policies, but you can enable or disable them as needed.

Custom policy configuration

If the built-in policies do not meet your business needs, you can define custom URL and parameter name features. This improves the detection accuracy of API Security in specific business scenarios.

  1. On the API Security page, go to the Policy Configuration > Business Purpose tab.

  2. Click the Custom Policy tab to manage custom policies. Click Create Policy, configure the parameters, and then click OK.

    Note
    • You can enter up to 50 values for Match Content. Press the Enter key after you enter each value.

    • The match content for Business Purpose is case-sensitive.

    Detailed configuration

    Match Field | Logical Operator | Match Content
    Domain Name | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.
    API | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.
    Request Header Parameter Name | Contains One of Multiple Values; Equals One of Multiple Values | Enter up to 50 values. Press the Enter key after each value.
    Request Cookie Parameter Name | Contains One of Multiple Values; Equals One of Multiple Values | Enter up to 50 values. Press the Enter key after each value.
    Request Query Parameter Name | Contains One of Multiple Values; Equals One of Multiple Values | Enter up to 50 values. Press the Enter key after each value.
    Request Body Parameter Name | Contains One of Multiple Values; Equals One of Multiple Values | Enter up to 50 values. Press the Enter key after each value.
    Request Sensitive Data Type | Equals One of Multiple Values; Does Not Equal Any Value | Select one or more request sensitive data types from the list.
    Response Sensitive Data Type | Equals One of Multiple Values; Does Not Equal Any Value | Select one or more response sensitive data types from the list.
    Response Parameter Name | Contains One of Multiple Values; Equals One of Multiple Values | Enter up to 50 values. Press the Enter key after each value.

6. Whitelist configuration

The whitelist feature of API Security lets you create custom whitelists for security events and risk detection. This helps you filter out alert noise based on your business needs, such as alerts from your office network's egress IP address. This improves operational efficiency.

  1. On the API Security page, go to the Policy Configuration > Configure Whitelist tab.

  2. Click Create Policy, enter a name for your new policy, and select the feature type for which you want to configure a whitelist. You can configure whitelists for Risk Detection and Security Events.

  3. Set the match conditions based on the feature type that you selected.

    Note
    • You can add up to 10 match conditions.

    • The match conditions for Configure Whitelist are case-sensitive.

    Risk detection whitelist policy match conditions

    Match Field | Logical Operator | Match Content
    Domain Name | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.
    API | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.

    Security event whitelist policy match conditions

    Match Field | Logical Operator | Match Content
    Domain Name | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.
    API | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.
    IP | Belongs To; Does Not Belong To | Enter an IP address or an IP address range in CIDR block format (for example, 1.1.X.X/24). Regular expressions are not supported. You can enter up to 50 values, separated by commas (,) or by pressing the Enter key.
    Account | Contains One of Multiple Values; Does Not Contain Any Value; Equals One of Multiple Values; Does Not Equal Any Value | Enter up to 50 values. Press the Enter key after each value.

  4. Select the risk detection or security event types to ignore, and then click OK.

    Note

    You can select multiple built-in and custom types to ignore.

7. Lifecycle management

API Security lets you define criteria for inactive APIs by setting the daily access volume and duration. This makes inactive API detection more relevant to your business. API lifecycle management helps you identify inactive APIs based on your custom standards and take prompt action. This helps prevent attackers from exploiting inactive APIs and causing business losses.

  1. On the API Security page, go to the Policy Configuration > Lifecycle Management tab.

  2. Set the criteria for inactive APIs, and then click OK.

    • Click Built-in Model.

      An API is considered inactive under the built-in criteria if it has not been accessed or its access volume has dropped significantly over the past 8 days.

    • Click Custom and set the daily access volume and the duration (up to 31 days). An API is considered inactive if its daily access volume stays below the specified value on every day of the custom duration.

Important

If an asset's Last Active Time exceeds 30 days, the system automatically deletes the asset and its associated risk data and security event records.

8. Log subscription

After you enable log subscription for asset, risk, or event information, the corresponding logs are delivered to a specified Logstore in the Simple Log Service console when the delivery conditions are met. This lets you centrally manage and analyze logs using the features of Alibaba Cloud Simple Log Service (SLS).

Note

Currently, Web Application Firewall (WAF) instances in the Chinese mainland can deliver logs only to SLS Logstores in the Chinese mainland. WAF instances outside the Chinese mainland can deliver logs only to SLS Logstores outside the Chinese mainland. Cross-region log delivery between the Chinese mainland and other regions is not supported.

Enable the service-linked role

If you have not enabled the service-linked role for WAF, you must do so before you use the API Security log subscription service. Follow the prompts to enable the role, which grants WAF permission to access your other cloud resources. For more information about service-linked roles, see Service-linked Role. If you have already granted this authorization when you enabled features such as Simple Log Service for WAF, you can skip this step.

Log subscription configuration

  1. Before you configure a log subscription task for API Security, go to the Simple Log Service console to create a Project and a Logstore to receive the logs. If you have already created a target Logstore and confirmed that it follows the naming conventions, you can proceed to the next step.

    Note

    The log subscription feature does not support using Logstores that are automatically created by SLS or that you have named "waf-logstore", "wafng-logstore", or "wafnew-logstore" as subscription targets.

  2. After you create the Logstore, return to the log subscription tab to configure subscriptions for your asset information, risk information, and attack event information. If you want to analyze and query the logs that are delivered to the specified Logstore from the SLS console, you must first enable indexing as prompted. For more information, see Create indexes.

  3. Select the log type for the subscription task, and click the Configure button to go to the configuration page.

  4. Select the Region, Project name, and Logstore name for your log subscription task, and click the OK button to save the configuration. After the configuration is complete and logs are generated, you can go to the corresponding Logstore in the Simple Log Service console to query and analyze the logs. If you want to perform data transformation, such as data masking, see Data transformation.

  5. If you disable the log subscription task, no longer need the existing logs, and want to avoid further charges for the Logstore, you can disable the task on the Log Subscription tab and then delete the corresponding Logstore. For more information, see How do I disable Simple Log Service or stop billing?.

The following sections describe the trigger conditions and detailed fields for log subscription tasks.

Important
  • You may incur additional fees for creating cloud resources and performing operations such as enabling indexing in Simple Log Service. These fees are billed by Simple Log Service. For more information about billing items and pricing, see Billing overview of Simple Log Service.

  • Charges may still be incurred after you create a Project or Logstore, even if no log subscription task is enabled. If you are sure that you no longer need the created Logstore, delete it promptly to avoid extra charges. For more information, see Why am I charged for creating only a Project and a Logstore?.

Asset information logs

Trigger conditions:

  1. Asset information logs are delivered immediately after a new API asset is added.

  2. If no new API assets are added, asset information logs are delivered by default every hour.

Asset information log fields

Field Name | Description | Format | Example
user_id | Customer UID | string | 123456
service_host | Domain name | string | api.aliyun.com
api_format | API path | string | /api/v1/getuserbyid/${param}
request_method | Request method | string | GET
api_tag | Business purpose | object [] | ['QueryInfo']
api_type | Service object | object [] | ['PublicAPI']
auth_key | Authentication fields | object [] | ['id_token', 'access_token']
api_status | Lifecycle status | string | NewbornInterface
api_sensitive_level | API sensitivity level | string | L1
api_sensitive_req | Request sensitive data types (type codes) | object [] | ['1014', '1017', '1002']
api_sensitive_res | Response sensitive data types (type codes) | object [] | ['1009', '1013', '1003', '1014', '1002']
farthest_ts | First discovered time (Unix timestamp, seconds) | long | 1713237135
lastest_ts | Last active time (Unix timestamp, seconds) | long | 1716452318
abnormal_num | Number of risks | integer | 1
event_num | Number of events | integer | 2
struct_baseline | Parameter structure: one JSON string per observed parameter with its key, location, format, and whether it is required | object | ['{"key":"Trace-Id","location":"request_header","format":"string","required":"true"}', '{"key":"pageNum","location":"request_query","format":"integer","required":"true"}', '{"key":"tlogTraceId","location":"response_header","format":"integer","required":"true"}', '{"key":"Strict-Transport-Security","location":"request_header","format":"string","required":"true"}', '{"key":"X-Forwarded-ClientSrcPort","location":"request_header","format":"integer","required":"true"}', '{"key":"Trace-State","location":"request_header","format":"string","required":"true"}', '{"key":"auth","location":"request_header","format":"string","required":"true"}', '{"key":"Access-Control-Max-Age","location":"response_header","format":"integer","required":"true"}', '{"key":"Enterprise-Hash","location":"request_header","format":"string","required":"true"}', '{"key":"X-Request-ID","location":"request_header","format":"string","required":"true"}', '{"key":"postName","location":"request_query","format":"string","required":"true"}', '{"key":"pageSize","location":"request_query","format":"integer","required":"true"}']
matched_hosts | Protected object | object [] | ['*.aliyun.com-waf']
hosts | Domain names | object [] | ['api.aliyun.com']
server_port | Port | object [] | ['443']
server_location | Country of the origin server | object [] | ['CN']
api_id | Unique API ID | string | af418cb31036015fddea71b48d06aa4b
log_type | Log type | string | asset
request_header | Request header sample | JSON | {"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"}
querystring | Request URL parameter sample | string | ?token=7464f593205896e23b1286ba7532dcff
request_body | Request body sample | string | xxx=1
response_header | Response header sample | JSON | {"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"}
response_body | Response body sample | string | xxxx
example_timestamp | Sample timestamp (Unix timestamp, seconds) | long | 1718546694
example_traceid | Sample trace ID | string | 784e2ca717213678365778292e58de

Risk information logs

Trigger condition: When new risk information is detected, the risk information logs are delivered to your specified Logstore.

Risk information log fields

Field Name | Description | Format | Example
user_id | Customer UID | string | 123456
service_host | Domain name | string | api.aliyun.com
api_format | API path | string | /api/v1/login
request_method | Request method | string | POST
api_tag | Business purpose | object [] | ['LoginAPI']
abnormal_tag | Risk name | string | Risk_DefaultPasswd
abnormal_type | Risk origin: built-in (default) or custom | string | default
abnormal_level | Risk level | string | medium
abnormal_discover_ts | Risk discovery time (Unix timestamp, seconds) | long | 1716343432
abnormal_info | Risk details specific to the risk type | object | {'default_passwd':'aliyun123'}
api_id | Unique API ID | string | 2c0f97e10b586208039e60671150bd9b
abnormal_id | Unique risk ID | string | 8cfccc0e8c3d41aa1221e94a2fdeffe3
log_type | Log type | string | risk
matched_hosts | Protected object | object [] | ['*.aliyun.com-waf']
request_header | Request header sample | JSON | {"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"}
querystring | Request URL parameter sample | string | ?token=7464f593205896e23b1286ba7532dcff
request_body | Request body sample | string | xxx=1
response_header | Response header sample | JSON | {"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"}
response_body | Response body sample | string | xxxx
example_timestamp | Sample timestamp (Unix timestamp, seconds) | long | 1718546694
example_traceid | Sample trace ID | string | 784e2ca717213678365778****58de

Attack event information logs

Trigger conditions:

  1. When a new attack event is detected, the new attack event information logs are delivered to your specified Logstore.

  2. If the attack continues, the attack event information logs are delivered to your specified Logstore at 10-minute intervals.

Attack event information log fields

| Field Name | Description | Format | Example |
| --- | --- | --- | --- |
| user_id | Customer UID | string | 123456 |
| service_host | Domain Name | string | api.aliyun.com |
| matched_host | Protected object | string | api.aliyun.com-waf |
| host | Domain Name | string | api.aliyun.com |
| api_format | API path | string | /api/admin/login |
| request_method | Request method | string | POST |
| api_tag | Business Purpose | object [] | ['AdminService', 'LoginService'] |
| event_tag | Event Name | string | Event_LoginCollision |
| event_origin | Event type (Custom/Built-in) | string | default |
| event_level | Event level | string | high |
| start_ts | Attack start time | long | 1713886210 |
| end_ts | Attack end time | long | 1713887817 |
| attack_cnt | Total attacks | integer | 147 |
| attack_ip_info | Attacker IP information | object [] | [{'ip':'103.44.XX.XXX', 'country_id':'HK', 'region_id':'-', 'cnt':'147'}] |
| api_id | Unique API ID | string | 4dfc73b37d2d645fe2ca7f45c08f7398 |
| event_id | Event ID | string | f09f6802e9b57a58ebb9f1bea212027e |
| log_type | Log type | string | event |
| request_data | Request data sample | JSON | {'1002':['John Doe','Jane Smith','Chen Liu'],'1004':['13200000001','15200000002']} |
| response_data | Response data sample | JSON | {'postarg.userId':['lisi111','zhangsan123'],'postarg.corpId':['wx1111111'],'postarg.externalUserid':['wm7_KpDgOm6Bm-BGA']} |

Log subscription field value descriptions

To understand the meaning of field values in the logs, or to find their corresponding descriptions in the console during log analysis or querying, refer to the following tables. The Description column shows the name of the log field value as it appears in the WAF console.

Lifecycle (api_status)

| Field Value | Description |
| --- | --- |
| NewbornInterface | New |
| OfflineInterface | Inactive |
| normal | Normal |

Service Object (api_type)

| Field Value | Description |
| --- | --- |
| PublicAPI | Public Service |
| ThirdpartAPI | Third-party Cooperation |
| InternalAPI | Internal Office |

Business Purpose (api_tag)

| Field Value | Description |
| --- | --- |
| LoginByUserPasswd | Log on with username and password |
| LoginByPhoneCode | Log on with phone verification code |
| LoginByMailCode | Log on with email verification code |
| WeChatLogin | Log on with WeChat |
| AliPayLogin | Log on with Alipay |
| OAuthLogin | OAuth authentication |
| OIDCLogin | OIDC authentication |
| SAMLLogin | SAML authentication |
| SSOLogin | SSO authentication |
| LoginAPI | Logon Service |
| LogoutAPI | Log off |
| RegisterByUserPasswd | Register with username and password |
| RegisterByPhoneCode | Register with phone verification code |
| RegisterByMailCode | Register with email verification code |
| WeChatRegister | Register with WeChat |
| AliPayRegister | Register with Alipay |
| RegisterAPI | Registration Service |
| SendSMS | Send text message |
| SendMail | Send email |
| ResetPasswd | Reset password |
| CheckVerifyCode | Verify verification code |
| CheckStatus | Check status |
| QueryOrder | Query order |
| ExportOrder | Export order |
| UpdateOrder | Update order |
| PayOrder | Pay order |
| QueryLog | Log query |
| UploadLog | Log upload |
| DownloadLog | Log export |
| LogService | Log Service |
| GraphQL | GraphQL |
| SqlService | SQL Service |
| FileUpload | File upload |
| FileDownload | File download |
| FileService | File Service |
| AdminService | Backend Management |
| DashBoard | Dashboard |
| MonitorService | Monitoring Service |
| SendInfo | Send information |
| CheckInfo | Check data |
| QueryInfo | Query data |
| UploadInfo | Upload data |
| DownloadInfo | Download data |
| AddInfo | Add data |
| EditInfo | Edit data |
| UpdateInfo | Update data |
| ShareInfo | Share data |
| DeleteInfo | Delete data |
| SyncInfo | Synchronize data |
| SubmitInfo | Submit data |
| CopyInfo | Copy data |
| AuditInfo | Audit data |
| SaveInfo | Save data |
| CancelOp | Cancel |
| StartOp | Start |
| BatchOp | Batch processing |
| PauseOp | Pause |
| BindOp | Bind |
| DebugOp | Debug |
| SetOp | Settings |
| ShutDown | Shutdown |

Request/Response Sensitive Data Type (api_sensitive_req, api_sensitive_res)

| Field Value | Description |
| --- | --- |
| 1000 | ID card (the Chinese mainland) |
| 1001 | Debit card |
| 1002 | Name (Simplified Chinese) |
| 1003 | Address (the Chinese mainland) |
| 1004 | Mobile number (the Chinese mainland) |
| 1005 | Mailbox |
| 1006 | Passport number (the Chinese mainland) |
| 1007 | Exit-Entry Permit for Hong Kong and Macao |
| 1008 | License plate number (the Chinese mainland) |
| 1009 | Phone number (the Chinese mainland) |
| 1010 | Officer ID card |
| 1011 | Gender |
| 1012 | Ethnicity |
| 1013 | Province (the Chinese mainland) |
| 1014 | City (the Chinese mainland) |
| 1015 | ID card (Hong Kong (China)) |
| 1016 | Name (Traditional Chinese) |
| 1017 | Name (English) |
| 1018 | ID card (Malaysia) |
| 1019 | ID card (Singapore) |
| 1020 | Credit or Debit Card |
| 1022 | SWIFT code |
| 1023 | SSN |
| 1024 | Phone number (United States) |
| 1025 | Religious belief |
| 2000 | IP address |
| 2001 | MAC address |
| 2002 | Java Database Connectivity (JDBC) connection string |
| 2003 | PEM certificate |
| 2004 | Private key |
| 2005 | AccessKey ID |
| 2006 | AccessKeySecret |
| 2007 | IPv6 address |
| 2009 | Date |
| 2010 | IMEI |
| 2011 | Mobile Equipment Identifier (MEID) |
| 2013 | Linux passwd file |
| 2014 | Linux shadow file |
| 2015 | URL |
| 4000 | Business license number |
| 4001 | Tax registration number |
| 4002 | Organization code |
| 4003 | Unified Social Credit Code |
| 4004 | Vehicle Identification Number (VIN) |

Risk Type (risk)

| Field Value | Description |
| --- | --- |
| RiskType_Specification | Security Specification |
| Risk_UnsafeHttpMethod | Unsafe HTTP method |
| Risk_WeakSignAlgorithm | Weak JWT signature algorithm |
| Risk_UrlParam | Parameter is a URL |
| RiskType_Account | Account Security |
| Risk_PasswdUnencrypt | Password transmitted in plaintext |
| Risk_WeakPasswd | Weak password allowed |
| Risk_InternalWeakPasswd | Weak password in internal application |
| Risk_DefaultPasswd | Default password exists |
| Risk_PasswdResponse | Returns plaintext password |
| Risk_PasswdCookie | Password stored in cookie |
| Risk_LoginRestrict | Logon API lacks restrictions |
| Risk_LoginPrompt | Unreasonable logon failure prompt |
| Risk_PasswdUrl | Username and password transmitted in URL |
| RiskType_Control | Access Control |
| Risk_InternalAPI | Internal application accessible from the Internet |
| Risk_SourceRestrict | API does not restrict access source |
| Risk_ClientRestrict | API does not restrict access tool |
| Risk_SpeedRestrict | API does not restrict access rate |
| RiskType_Permission | Permission Management |
| Risk_WeakToken | Weak authentication credential |
| Risk_UnauthSensitive | Sensitive API not authenticated |
| Risk_UnauthInternalAPI | Internal API allows unauthenticated access |
| Risk_TokenUrl | Credential information transmitted in URL |
| Risk_AkLeak | AccessKey information leak |
| RiskType_Sensitive | Data Protection |
| Risk_SensitiveTypeExcessive | Returns excessive types of sensitive data |
| Risk_SensitiveNumExcessive | Returns excessive amount of sensitive data |
| Risk_InvalidDesensitize | Sensitive data not effectively masked |
| Risk_ServerInfoLeak | Server sensitive information leak |
| Risk_InternalIPLeak | Internal network IP address leak |
| Risk_SensitiveURL | Sensitive data transmitted in URL |
| RiskType_Design | API Design |
| Risk_ParamTraverse | Request parameter can be traversed |
| Risk_PageSize | Returned data volume can be modified |
| Risk_SqlAPI | Database query |
| Risk_RceAPI | Command execution API |
| Risk_SmsContent | Arbitrary text message content sending |
| Risk_MailContent | Arbitrary email content sending |
| Risk_SmsVerifyCodeLeak | Text message verification code leak |
| Risk_MailVerifyCodeLeak | Email verification code leak |
| Risk_FileDownload | Specified file download |
| Risk_ExceptionLeak | Application exception information leak |
| Risk_ExceptionSql | Database exception information leak |

Event Type (event)

| Field Value | Description |
| --- | --- |
| Event_AbnormalFrequency | Abnormally high-frequency access |
| Event_ExceptionIPInvoke | Abnormal IP accessing internal API |
| Event_ExceptionRegionInvoke | Abnormal region accessing internal API |
| Event_ExceptionClientInvoke | Access using abnormal tool |
| Event_ExceptionTimeInvoke | Access during abnormal time period |
| Event_AbnormalParamValue | Access with abnormal parameter value |
| Event_InternalLoginWeakPasswd | Internal application logon with weak password |
| Event_LoginAccountBruteForce | Brute-force username |
| Event_LoginPasswdBruteForce | Brute-force logon password |
| Event_LoginCollision | Dictionary attack |
| Event_MobileVerifyBruteForce | Brute-force text message verification code |
| Event_MailVerifyBruteForce | Brute-force email verification code |
| Event_AbnormalRegister | Batch registration |
| Event_SMSInterfaceAbuse | Malicious consumption of text message resources |
| Event_EmailInterfaceAbuse | Malicious consumption of email resources |
| Event_AbnormalExport | Batch download |
| Event_DataTraverse | Traversing and scraping API data |
| Event_WebAttackAPI | Malicious attack on API |
| Event_ObtainSensitiveUnauthorized | Unauthorized access to sensitive data |
| Event_ObtainSensitiveExcessive | Obtaining large amounts of sensitive data |
| Event_CrossborderIPSensitiveExcessive | Overseas IP obtaining large amounts of sensitive data |
| Event_ExceptionResponse | API returns abnormal error message |
| Event_ExceptionSql | API returns database error message |
| Event_SystemInfoResponse | API returns system sensitive information |
| Event_AbnormalStatus | Abnormal API response status |
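The following consumer ties the log field tables (asset, risk information and attack event logs) to the value tables above. It is an added example, not Alibaba Cloud's own code or SDK. It assumes that each delivered record reaches the consumer as a JSON object with the documented field names and that list-valued fields such as attack_ip_info may carry JSON-encoded strings, as the asset log example shows. The code-to-name maps are subsets of the tables above; the two sample records are constructed from the documented example values and are not captured logs. Because an ongoing attack is re-delivered every 10 minutes, the tracker keys cases on event_id so a re-delivery updates the open case instead of opening a new one.

```python
"""Consumer for API Security log-subscription records (added example, not Alibaba Cloud code)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Any

# Subsets of the documented value tables; extend from the tables as needed.
SENSITIVE_TYPES = {
    "1000": "ID card (the Chinese mainland)",
    "1002": "Name (Simplified Chinese)",
    "1004": "Mobile number (the Chinese mainland)",
    "2004": "Private key",
    "2006": "AccessKeySecret",
}
RISK_NAMES = {
    "Risk_DefaultPasswd": "Default password exists",
    "Risk_WeakSignAlgorithm": "Weak JWT signature algorithm",
    "Risk_PasswdUnencrypt": "Password transmitted in plaintext",
}
EVENT_NAMES = {
    "Event_LoginCollision": "Dictionary attack",
    "Event_LoginPasswdBruteForce": "Brute-force logon password",
    "Event_DataTraverse": "Traversing and scraping API data",
}


def as_obj(value: Any) -> Any:
    """Object-valued fields may arrive as JSON-encoded strings; decode them when they do."""
    if isinstance(value, str):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            return value
    return value


def describe_sensitive(sample: dict[str, list[str]]) -> dict[str, int]:
    """Turn a request_data/response_data sample {code: [values]} into {type name: count}."""
    return {SENSITIVE_TYPES.get(code, f"unknown code {code}"): len(vals)
            for code, vals in sample.items()}


@dataclass
class Finding:
    kind: str                 # "risk" or "event"
    api: str                  # "METHOD host path"
    title: str                # readable name resolved from the value tables
    level: str
    details: dict[str, Any] = field(default_factory=dict)


def summarize_risk(rec: dict) -> Finding:
    tag = rec["abnormal_tag"]
    return Finding(
        kind="risk",
        api=f'{rec["request_method"]} {rec["service_host"]}{rec["api_format"]}',
        title=RISK_NAMES.get(tag, tag),
        level=rec["abnormal_level"],
        details={"risk_id": rec["abnormal_id"], "info": as_obj(rec.get("abnormal_info", {}))},
    )


def summarize_event(rec: dict) -> Finding:
    tag = rec["event_tag"]
    duration = max(int(rec["end_ts"]) - int(rec["start_ts"]), 0)
    count = int(rec["attack_cnt"])
    ips = [as_obj(x) for x in rec.get("attack_ip_info", [])]
    top = max(ips, key=lambda x: int(x.get("cnt", 0)), default=None)
    return Finding(
        kind="event",
        api=f'{rec["request_method"]} {rec["host"]}{rec["api_format"]}',
        title=EVENT_NAMES.get(tag, tag),
        level=rec["event_level"],
        details={
            "event_id": rec["event_id"],
            "duration_s": duration,
            "requests_per_min": round(count * 60 / duration, 2) if duration else float(count),
            "top_source": (top["ip"], top["country_id"]) if top else None,
            "sensitive_in_request": describe_sensitive(as_obj(rec.get("request_data", {}))),
        },
    )


class EventTracker:
    """Ongoing attacks are re-delivered every 10 minutes; key on event_id so a
    re-delivery updates the existing case instead of opening a new one."""

    def __init__(self) -> None:
        self.cases: dict[str, Finding] = {}

    def process(self, record: dict) -> tuple[str, Finding | None]:
        kind = record.get("log_type")
        if kind == "risk":
            return "new", summarize_risk(record)
        if kind == "event":
            f = summarize_event(record)
            status = "update" if f.details["event_id"] in self.cases else "new"
            self.cases[f.details["event_id"]] = f
            return status, f
        return "ignored", None   # asset records describe inventory, not findings


# Constructed sample records, built from the documented example values.
SAMPLE_RISK = {
    "log_type": "risk", "service_host": "api.aliyun.com", "api_format": "/api/v1/login",
    "request_method": "POST", "abnormal_tag": "Risk_DefaultPasswd", "abnormal_level": "medium",
    "abnormal_id": "8cfccc0e8c3d41aa1221e94a2fdeffe3", "abnormal_info": '{"default_passwd":"aliyun123"}',
}
SAMPLE_EVENT = {
    "log_type": "event", "host": "api.aliyun.com", "api_format": "/api/admin/login",
    "request_method": "POST", "event_tag": "Event_LoginCollision", "event_level": "high",
    "start_ts": 1713886210, "end_ts": 1713887817, "attack_cnt": 147,
    "attack_ip_info": ['{"ip":"103.44.XX.XXX","country_id":"HK","region_id":"-","cnt":"147"}'],
    "event_id": "f09f6802e9b57a58ebb9f1bea212027e",
    "request_data": {"1002": ["John Doe", "Jane Smith", "Chen Liu"], "1004": ["13200000001", "15200000002"]},
}

if __name__ == "__main__":
    tracker = EventTracker()
    for rec in (SAMPLE_RISK, SAMPLE_EVENT, SAMPLE_EVENT, {"log_type": "asset"}):
        print(tracker.process(rec))
```

Feeding the same event record twice returns "new" and then "update", which is the behaviour to build on when the 10-minute re-deliveries of one attack should extend a single ticket. The sensitive-data codes in request_data are resolved through the api_sensitive_req/api_sensitive_res table, so a reviewer sees "Name (Simplified Chinese): 3" rather than the bare code 1002.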

9. Effective object configuration

Subscription WAF

API Security provides three switches at the protected object or protected object group level:

  • The Basic Detection switch: This switch is enabled by default. It controls whether all built-in and custom detection policies are effective.

  • The Compliance Check switch: This switch is disabled by default. It can be enabled only after the Basic Detection switch is enabled. It controls whether the Compliance Check feature is effective.

  • The Tracing and Auditing switch: This switch is disabled by default. It can be enabled only after the Basic Detection switch is enabled. It controls whether the Tracing and Auditing feature is effective.

Pay-as-you-go WAF

API Security provides one switch at the protected object or protected object group level:

  • The Basic Detection switch: This switch controls whether all built-in and custom detection policies are effective. To disable the API Security feature, you can turn off the Basic Detection switch for all protected objects and protected object groups.