Get Event Log Entry

WAF Insights does not support automation via our REST API web service. If you are currently using WAF Insights, upgrade your WAF solution to take advantage of our REST API.

Retrieves a specific event log entry.

This endpoint only supports JSON.

Request

A request to retrieve an event log entry is described below.

HTTP Method: GET

Request URI: https://api.transactcdn.com/v2/mcc/customers/AccountNumber/waf/eventlogs/EventID

Define the following terms when submitting the above request:

A variable represents a value that must be replaced. A variable consists of either a URL segment (e.g., "0001" in /0001/) or a query string value (e.g., "3" in mediaTypes=3).

AccountNumber

Required

Replace this variable with a customer account number. This account number may be found in the upper left-hand corner of the TCC.

EventID

Required

Replace this variable with either of the following values:

  • Request ID: Represents the ID returned by the EVENT_ID variable. This variable may be used within a custom response to uniquely identify malicious requests.
  • Event Log Entry ID: Represents the ID of the desired event log entry.

    Use the Get Event Log Entries endpoint to retrieve a list of event log entries and their system-assigned IDs.

Request Headers

This endpoint only takes advantage of common request headers. (An endpoint identifies a request's connection point to our REST API service.)

Request Body

Request body parameters are not required by this endpoint.

Response

The response to the above request includes an HTTP status code, response headers, and a response body.

Status Code

A status code indicates whether the request was successfully performed.

Response Headers

The response for this endpoint only includes standard HTTP response headers.

View common response headers.

Response Body

The response body for a successful request reports the event object described below.

This endpoint only returns event fields (e.g., Epoch Time or Matched On) that contain data. Therefore, the set of event fields returned by this endpoint may vary by event.

event Object

The event object contains a list of fields for the event returned by this endpoint.

Each field is listed below with its name, data type, and description.

Acl ID

String

Reserved for future use.

Acl Name

String

Reserved for future use.

Action Type

String

Indicates the action that was triggered as a result of the violation.

Valid values are:

  • ALERT: This term has been deprecated in favor of NOP.
  • BLOCK_REQUEST: Indicates that the request that violated a rule was blocked.
  • BLOCK: This term has been deprecated in favor of BLOCK_REQUEST.
  • NOP: Indicates that an alert was generated in response to the rule violation.
  • REDIRECT_302: Indicates that the request that violated a rule was redirected to the URL associated with the instance defined by the Instance Name field.
  • CUSTOM_RESPONSE: Indicates that a custom response was returned to the client that submitted a request that violated a rule.

Bots ID

String

Reserved for future use.

Bots Name

String

Reserved for future use.

City Name

String

Identifies the city from which the request originated.

Client IP

String

Identifies the IP address of the client from which the violation originated.

Country Code

String

Identifies the country from which the request originated by its country code.

View a list of country codes.

Country Name

String

Identifies the country from which the request originated.

Epoch Time

Number (floating-point)

Indicates the Unix time, in seconds, at which the violation took place.

Syntax: Seconds.Microseconds

Sample value: 1473207640.345809

Event ID

String

Indicates the unique ID assigned to the event.

Pass this ID to the Get Event Log Entry endpoint to retrieve this event log entry.

Host

String

Indicates the hostname that was requested.

id

String

Indicates the hash value for the event's ID.

Instance Name

String

Indicates the name of the instance that activated the profile containing the rule that the request violated.

Matched Data

Deprecated

String

This parameter has been deprecated.

Signature Detection Mode Only

Indicates the client-side data that triggered the violation.

Matched On

Deprecated

String

This parameter has been deprecated. This information may be found within the Sub Events object.

Signature Detection Mode Only

Indicates the variable that identifies where the violation was found.

Matched Value

Deprecated

String

This parameter has been deprecated. This information may be found within the Sub Events object.

Signature Detection Mode Only

Indicates the value of the variable defined in the Matched On parameter.

Profile Name

String

Indicates the name of the profile that triggered the violation.

Profile Type

String

Indicates whether the request was screened as a result of an instance’s production or audit profile. Valid values are:

PRODUCTION | AUDIT

Referer

String

Indicates the request’s referrer as defined by the Referer request header.

Referrer

Deprecated

String

This parameter has been replaced by the Referer parameter and is no longer included in the response.

Indicates the request’s referrer as defined by the Referer request header.

Rule ID

Deprecated

Integer

This parameter has been deprecated.

The ID for each rule that was violated is reported under the Sub Events parameter.

Rule Message

String

Provides basic information about the anomaly score violation(s).

Rule Policy

String

Indicates the name of the policy that was violated.

Rule Severity

Deprecated

Integer

This parameter has been deprecated. This information may be found within the Sub Events object.

Signature Detection Mode Only

Indicates the severity of the violation. This value may range from -1 to 6 where 6 represents the lowest severity level.

Rule Tags

String

Indicates the tags associated with the rule that the request violated. These tags may be used to determine whether a rule, access control, or global setting was violated.

Rules Config ID

String

Reserved for future use.

Rules Config Name

String

Reserved for future use.

Scope ID

String

Reserved for future use.

Scope Name

String

Reserved for future use.

Sub Event Count

Integer

Indicates the total number of sub events reported for the current event log entry.

Sub Events

Array of objects

Contains a list of fields that describe each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.

Timestamp

String

Indicates the date and time (UTC) at which the violation took place.

Format: YYYY-MM-DDThh:mm:ss.ffffffZ

Learn more.

URL

String

Indicates the URL that was requested.

User Agent

String

Indicates the user agent that submitted the request that triggered the rule violation.

Sub Events Array

The Sub Events array contains an object that describes each sub event associated with the current event. A sub event is reported for each rule violation incurred by a request.

Each field is listed below with its name, data type, and description.

Matched Data

String

This parameter has been deprecated.

Indicates the client-side data that triggered the violation.

Matched On

String

Indicates the variable that identifies where the violation was found.

View variable definitions.

Matched Value

String

Indicates the value of the variable defined in the Matched On parameter.

Rule ID

Integer

Indicates the ID for the rule that the request violated.

Rule Message

String

Provides a description of the rule that the request violated.

Rule Severity

Integer

Indicates the severity of the violation. This value may range from -1 to 6 where 6 represents the lowest severity level.

Total Anomaly Score

Integer

Indicates the total anomaly score for the current rule violation. This score is calculated by summing the anomaly score of the current rule violation with all rule violations reported above this sub event.

Errors

The response body for an unsuccessful request will contain an error response that provides additional information.

View common error messages.

Sample Request and Response

A sample JSON request is shown below.

GET https://api.transactcdn.com/v2/mcc/customers/0001/waf/eventlogs/veidK2wtEHpw4OQkoQKa3JI06QAeUKXwYqM_dgbsuvYwygOWO_uTVGQPxR5ELPpJ19wTpnflk7ynrIJzAMH2tA== HTTP/1.1

Authorization: TOK:12345678-1234-1234-1234-1234567890ab

Accept: application/json

Host: api.transactcdn.com

A sample JSON response is shown below.

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: application/json; charset=utf-8

Date: Thu, 15 Apr 2021 12:00:00 GMT

Content-Length: 1240

{
	"event" : {
		"Epoch Time" : 1473207640.345809,
		"Profile Type" : "PRODUCTION",
		"Sub Event Count" : 1,
		"Client IP" : "192.12.22.25",
		"Rule Tags" : [
			"OWASP_CRS/ANOMALY/EXCEEDED"
		],
		"Timestamp" : "2016-09-07T00:20:40.345809Z",
		"Rule Message" : "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=3, XSS=0): Last Matched Message: 981255-Detects MSSQL code execution and information gathering attempts",
		"URL" : "http://www.example.com/mywebpage.html",
		"Country Code" : "US",
		"Action Type" : "CUSTOM_RESPONSE",
		"Host" : "www.example.com",
		"Instance Name" : "My Instance",
		"Profile Name" : "My Profile",
		"Sub Events" : [{
				"Matched On" : "ARGS:a",
				"Rule Message" : "Detects MSSQL code execution and information gathering attempts",
				"Matched Data" : "'select *",
				"Total Anomaly Score" : 5,
				"Rule ID" : 981255,
				"Rule Severity" : 2,
				"Matched Value" : "'select * from site'"
			}
		],
		"User Agent" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
		"id" : "veidK2wtEHpw4OQkoQKa3JI06QAeUKXwYqM_dgbsuvYwygOWO_uTVGQPxR5ELPpJ19wTpnflk7ynrIJzAMH2tA=="
	}
}
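As an added example that is not part of the original documentation, the Python helper below builds the request described above (without making a network call) and checks a response body in the format documented here for internal consistency: Sub Event Count against the Sub Events array, the cumulative Total Anomaly Score, the total quoted in Rule Message, and Epoch Time against Timestamp. The sample body is constructed (abridged) from the page's sample response; the token and event ID placeholders are assumptions.

```python
import json
import re
from datetime import datetime, timezone

API_BASE = "https://api.transactcdn.com/v2/mcc/customers"
ACTION_ALIASES = {"ALERT": "NOP", "BLOCK": "BLOCK_REQUEST"}  # deprecated name -> current name
ACTION_TYPES = {"NOP", "BLOCK_REQUEST", "REDIRECT_302", "CUSTOM_RESPONSE"}

def event_log_entry_request(account_number, event_id, token):
    """Build the request URI and headers used by the page's sample request (no network call)."""
    uri = f"{API_BASE}/{account_number}/waf/eventlogs/{event_id}"
    return uri, {"Authorization": f"TOK:{token}", "Accept": "application/json"}

def normalize_action_type(action):
    """Map the deprecated ALERT/BLOCK names onto NOP/BLOCK_REQUEST; reject unknown values."""
    action = ACTION_ALIASES.get(action, action)
    if action not in ACTION_TYPES:
        raise ValueError(f"unknown Action Type: {action!r}")
    return action

def check_event(body):
    """Parse a response body and return a list of consistency findings ([] means consistent)."""
    event = json.loads(body)["event"]
    findings = []
    subs = event.get("Sub Events", [])  # fields appear only when they hold data, so use .get
    if event.get("Sub Event Count", 0) != len(subs):
        findings.append("Sub Event Count does not match the Sub Events array")
    scores = [s["Total Anomaly Score"] for s in subs]
    if scores != sorted(scores):  # the score is cumulative, so it must never decrease
        findings.append("Total Anomaly Score is not cumulative")
    m = re.search(r"Total Score: (\d+)", event.get("Rule Message", ""))
    if m and scores and int(m.group(1)) != scores[-1]:
        findings.append("Rule Message total does not match the last Total Anomaly Score")
    if "Epoch Time" in event and "Timestamp" in event:  # both describe the same UTC instant
        ts = datetime.strptime(event["Timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if abs(ts.replace(tzinfo=timezone.utc).timestamp() - event["Epoch Time"]) > 1e-3:
            findings.append("Epoch Time and Timestamp disagree")
    return findings

# Constructed sample body, abridged from the page's sample response.
SAMPLE_BODY = json.dumps({"event": {
    "Epoch Time": 1473207640.345809, "Timestamp": "2016-09-07T00:20:40.345809Z",
    "Sub Event Count": 1, "Action Type": "CUSTOM_RESPONSE",
    "Rule Message": "Inbound Anomaly Score Exceeded (Total Score: 5, SQLi=3, XSS=0)",
    "Sub Events": [{"Matched On": "ARGS:a", "Rule ID": 981255, "Rule Severity": 2,
                    "Total Anomaly Score": 5}]}})

if __name__ == "__main__":
    print(event_log_entry_request("0001", "EVENT_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER"))
    print(check_event(SAMPLE_BODY) or "sample response is internally consistent")
```

The page's own sample passes every check, which confirms that its Epoch Time and Timestamp describe the same instant and that the Rule Message total equals the last Total Anomaly Score.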