WAF Insights does not support automation via our REST API web service. If you are currently using WAF Insights, upgrade your WAF solution to take advantage of our REST API.
Retrieves a specific event log entry.
This endpoint only supports JSON.
A request to retrieve an event log entry is described below.
HTTP Method | Request URI |
---|---|
GET |
https://api.edgecast.com/v2/mcc/customers/AccountNumber/waf/eventlogs/EventID |
Define the following terms when submitting the above request:
VariableA variable represents a value that must be replaced. A variable consists of either a URL segment (e.g., "0001" in /0001/) or a query string value (e.g., "3" in mediaTypes=3). | Description |
---|---|
Required |
|
Required |
Replace this variable with either of the following values:
|
This endpointIdentifies a request's connection point to our REST API service. only takes advantage of common request headers.
Request body parameters are not required by this endpoint.
The response to the above request includes an HTTP status code, response headers, and a response body.
A status code indicates whether the request was successfully performed.
The response for this endpoint only includes standard HTTP response headers.
The response body for a successful request reports:
This endpoint only returns event fields (e.g., Epoch Time or Matched On) that contain data. Therefore, the set of event fields returned by this endpoint may vary by event.
The event object contains a list of fields for the event returned by this endpoint.
Name | Data Type | Description |
---|---|---|
Acl ID |
String |
Reserved for future use. |
Acl Name |
String |
Reserved for future use. |
Action Type |
String |
Indicates the action that was triggered as a result of the violation. Valid values are:
|
Bots ID |
String |
Reserved for future use. |
Bots Name |
String |
Reserved for future use. |
City Name |
String |
Identifies the city from which the request originated. |
Client IP |
String |
Identifies the IP address of the client from which the violation originated. |
Country Code |
String |
Identifies the country from which the request originated by its country code. |
Country Name |
String |
Identifies the country from which the request originated. |
Epoch Time |
Number floating-point |
Indicates the Unix time, in seconds, at which the violation took place. Syntax: Seconds.Microseconds
Sample value: 1473207640.345809
|
Event ID |
String |
Indicates the unique ID assigned to the event. Pass this ID to the Get Event Log Entry endpoint to retrieve this event log entry. |
Host |
String |
Indicates the hostname that was requested. |
id |
String |
Indicates the hash value for the event's ID. |
Instance Name |
String |
Indicates the name of the instance that activated the profile containing the rule that the requested violated. |
Deprecated |
String |
This parameter has been deprecated. Signature Detection Mode Only Indicates the client-side data that triggered the violation. |
Deprecated |
String |
This parameter has been deprecated. This information may be found within the Sub Events object. Signature Detection Mode Only Indicates the variable that identifies where the violation was found. |
Deprecated |
String |
This parameter has been deprecated. This information may be found within the Sub Events object. Signature Detection Mode Only Indicates the value of the variable defined in the Matched On parameter. |
Profile Name |
String |
Indicates the name of the profile that triggered the violation. |
Profile Type |
String |
Indicates whether the request was screened as a result of an instance’s production or audit profile. Valid values are: PRODUCTION | AUDIT
|
Referer |
String |
Indicates the request’s referrer as defined by the Referer request header. |
Referrer Deprecated |
String |
This parameter has been replaced by the Referer parameter and is no longer included in the response. Indicates the request’s referrer as defined by the Referer request header. |
Rule ID Deprecated |
Integer |
This parameter has been deprecated. The ID for each rule that was violated is reported under the Sub Events parameter. |
String |
Provides the following basic information about the anomaly score violation(s). Inbound Anomaly Score Exceeded (Total Score: #Represents the total anomaly score for the logged request., SQLi=#Represents the SQL injection attack score for the logged request., XSS=#Represents the cross-site scripting attack score for the logged request.): Last Matched Message: RuleIDRepresents the ID of the last rule that was violated by the request in question.-RuleMessageRepresents the message of the last rule that was violated by the request in question.
|
|
Rule Policy |
String |
Indicates the name of the policy that was violated. |
Deprecated |
Integer |
This parameter has been deprecated. This information may be found within the Sub Events object. Signature Detection Mode Only Indicates the severity of the violation. This value may range from -1 to 6 where 6 represents the lowest severity level. |
Rule Tags |
String |
Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated. |
Rules Config ID |
String |
Reserved for future use. |
Rules Config Name |
String |
Reserved for future use. |
Scope ID |
String |
Reserved for future use. |
Scope Name |
String |
Reserved for future use. |
Sub Event Count |
Integer |
Indicates the total number of sub events reported for the current event log entry. |
Array Objects |
Contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request. |
|
Timestamp |
String |
Indicates the date and time (UTC) at which the violation took place. Format:YYYY-MM-DDThh:mm:ss.ffffffZ |
URL |
String |
Indicates the URL that was requested. |
User Agent |
String |
Indicates the user agent that submitted the request that triggered the rule violation. |
The Sub Events array contains an object that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.
Name | Data Type | Description |
---|---|---|
Matched Data |
String |
This parameter has been deprecated. Indicates the client-side data that triggered the violation. |
Matched On |
String |
Indicates the variable that identifies where the violation was found. |
Matched Value |
String |
Indicates the value of the variable defined in the Matched On parameter. |
Integer |
Indicates the ID for the rule that the request violated. |
|
Rule Message |
String |
Provides a description of the rule that the request violated. |
Rule Severity |
Integer |
Indicates the severity of the violation. This value may range from -1 to 6 where 6 represents the lowest severity level. |
Total Anomaly Score |
Integer |
Indicates the total anomaly score for the current rule violation. This score is calculated by summing the anomaly score of the current rule violation with all rule violations reported above this sub event. View example.
The anomaly score incurred by each sub event in this example is listed below.
The total anomaly score for each sub event is listed below.
|
The response body for an unsuccessful request will contain an error response that provides additional information.
A sample JSON request is shown below.
GET https://api.edgecast.com/v2/mcc/customers/0001/waf/eventlogs/veidK2wtEHpw4OQkoQKa3JI06QAeUKXwYqM_dgbsuvYwygOWO_uTVGQPxR5ELPpJ19wTpnflk7ynrIJzAMH2tA== HTTP/1.1
Authorization: TOK:12345678-1234-1234-1234-1234567890ab
Accept: application/json
Host:api.edgecast.com
A sample JSON response is shown below.
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Thu, 15 Apr 2021 12:00:00 GMT
Content-Length: 1240
{ "event" : { "Epoch Time" : 1473207640.345809, "Profile Type" : "PRODUCTION", "Sub Event Count" : 1, "Client IP" : "192.12.22.25", "Rule Tags" : [ "OWASP_CRS/ANOMALY/EXCEEDED" ], "Timestamp" : "2016-09-07T00:20:40.345809Z", "Rule Message" : "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=3, XSS=0): Last Matched Message: 981255-Detects MSSQL code execution and information gathering attempts", "URL" : "http://www.example.com/mywebpage.html", "Country Code" : "US", "Action Type" : "CUSTOM_RESPONSE", "Host" : "www.example.com", "Instance Name" : "My Instance", "Profile Name" : "My Profile", "Sub Events" : [{ "Matched On" : "ARGS:a", "Rule Message" : "Detects MSSQL code execution and information gathering attempts", "Matched Data" : "'select *", "Total Anomaly Score" : 5, "Rule ID" : 981255, "Rule Severity" : 2, "Matched Value" : "'select * from site'" } ], "User Agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36", "id" : "veidK2wtEHpw4OQkoQKa3JI06QAeUKXwYqM_dgbsuvYwygOWO_uTVGQPxR5ELPpJ19wTpnflk7ynrIJzAMH2tA==" } }