How to retrieve Baleen WAF logs?
POST https://console.baleen.cloud/api/logs/waf-logs
Retrieves a limited number of WAF log entries within a time range, with optional filtering.
Authorization
The user must be authenticated using their personal access token.
The Baleen namespace must be set in the cookie baleen-namespace.
Request format
Query Params
Param | Required/Optional | Type | Description |
---|---|---|---|
start | optional | long | The Unix timestamp (in seconds) to collect data from |
end | optional | long | The Unix timestamp (in seconds) to collect data to |
size | optional | integer | The page size, i.e. the number of log entries to retrieve per page. Between 1 and 100. |
page | optional | integer | The page number of log entries to retrieve; the first page is 0 |
Body Params
filters object description
This optional array defines the filters to apply to the WAF logs. Each filter is described by the following parameters.
Param | Type | Description |
---|---|---|
field | enum | The field the filter applies to. Has to be one of the following values: |
operator | enum | The operator used to compare the field with the value. Has to be one of the following values: |
value | string | The value the field is compared against |
Response format
Successful request
200 OK
The response body is an array of log entries, each with the following field.
Field | Type | Description |
---|---|---|
transaction | object | The WAF transaction; see the transaction object description below |
transaction object description
This object gathers information about the threat(s) identified by the OWASP ruleset. It contains the request, response, producer and messages objects described below.
messages object description
This array helps to understand why the request is seen as a threat: there is one messages entry for each OWASP rule triggered.
Field | Type | Description |
---|---|---|
details | object | See the details object description below |
message | string | The message of the triggered rule ("Missing User Agent Header" in the example below) |
details object description
This object gives precise details about the rule triggered (its ID and severity) and the reason it fired.
Field | Type | Description |
---|---|---|
accuracy | string | The rule's accuracy metadata |
data | string | Additional data logged by the rule (empty in the example below) |
file | string | The rule file in which the triggered rule is defined |
lineNumber | string | The line of that file at which the rule is defined |
match | string | The operator, parameter and variable that matched |
maturity | string | The rule's maturity metadata |
reference | string | The rule's reference metadata (empty in the example below) |
rev | string | The rule's revision metadata |
ruleId | string | The ID of the triggered rule |
severity | string | The severity of the triggered rule |
tags | string[] | The tags attached to the rule (attack category, CAPEC and PCI references, paranoia level) |
ver | string | The version of the rule set the rule belongs to |
producer object description
This object gives information about ModSecurity, the producer of the WAF log.
Field | Type | Description |
---|---|---|
components | string[] | The rule sets loaded by the engine (OWASP_CRS/3.3.0 in the example below) |
connector | string | The ModSecurity connector and its version |
modsecurity | string | The ModSecurity engine and its version |
secrulesEngine | string | The rule engine mode (DetectionOnly in the example below) |
request object description
This object gathers information about the initial HTTP request.
Field | Type | Description |
---|---|---|
headers | string[] | The request headers (shown as a name/value object in the example below) |
httpVersion | number | The HTTP protocol version |
method | string | The HTTP method |
uri | string | The requested URI |
response object description
This object gathers information about the HTTP response.
Field | Type | Description |
---|---|---|
headers | string[] | The response headers (shown as a name/value object in the example below) |
httpCode | string | The HTTP status code (a number in the example below) |
Unsuccessful request
400 Bad Request
500 Internal Server Error
Example
The following example shows an API call retrieving security events created after a request triggered the rule 920320 between April 25th 2023 3 PM and April 25th 2023 8 PM (Paris time, UTC+2; the start and end timestamps below encode 13:00 and 18:00 UTC).
Query
POST https://console.baleen.cloud/api/logs/waf-logs?start=1682427600&end=1682445600&page=0&size=100
Request body
{
  "filters": [
    {
      "field": "ruleId",
      "value": "920320",
      "operator": "equals"
    }
  ]
}
Response body
[
  {
    "transaction": {
      "clientPort": 33150,
      "request": {
        "headers": {
          "BLN-REQUEST-FATE-ACTION": "pass",
          "x-request-id": "cbe396108b24cef402c1f2a63341ac73",
          "clientipaddrwaf": "62.122.15.8",
          "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
          "BLN-CATEGORY": "pass",
          "Bln-Debug-Path": "62.122.15.8, 5.182.212.100, 172.26.168.169",
          "X-Forwarded-Proto": "https",
          "Host": "www.cdiscount.com",
          "rlnclientipaddr": "62.122.15.8",
          "BLN-REQUEST-FATE": "pass",
          "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
          "bln-cache": "Pass",
          "x-real-ip": "62.122.15.8",
          "X-Varnish": "8501481",
          "x-envoy-external-address": "62.122.15.8",
          "tracestate": "48903d45-6ba3c989@dt=fw4;c;e407b10e;cfa21;1;0;0;104;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01",
          "traceparent": "00-8c9a7ddd174e98d607fe01b9523deda6-4fc7a694e35fd96f-01",
          "X-Forwarded-For": "62.122.15.8, 5.182.212.100",
          "x-dynatrace": "FW4;1805896073;12;-469257970;850465;1;1217412421;260;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01",
          "accept-encoding": "gzip, deflate"
        },
        "method": "GET",
        "httpVersion": 1,
        "uri": "/DisplayRwdHeader.mvc/0/0"
      },
      "hostIp": "172.26.69.15",
      "uniqueId": "1682445600",
      "timeStamp": "2023-04-25T18:00:00.0Z",
      "hostPort": 80,
      "response": {
        "headers": {
          "server": "",
          "Server": "",
          "X-OneAgent-JS-Injection": "true",
          "X-ruxit-JS-Agent": "true",
          "Access-Control-Allow-Origin": "https://clients.cdiscount.com",
          "Connection": "keep-alive",
          "Date": "Tue, 25 Apr 2023 18:00:00 GMT",
          "X-AspNetMvc-Version": "5.2",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "X-Robots-Tag": "noindex,nofollow",
          "Cache-Control": "private",
          "Access-Control-Allow-Credentials": "true",
          "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:",
          "Content-Encoding": "gzip",
          "X-CDHOSTNAME": "aa01srvweb035",
          "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT",
          "Vary": "User-Agent,Accept-Encoding",
          "Content-Length": "3257",
          "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw",
          "X-XSS-Protection": "1; mode=block",
          "Content-Type": "text/html; charset=utf-8",
          "X-Powered-By": "ASP.NET"
        },
        "httpCode": 200
      },
      "producer": {
        "components": [
          "OWASP_CRS/3.3.0\""
        ],
        "secrulesEngine": "DetectionOnly",
        "connector": "ModSecurity-nginx v1.0.2",
        "modsecurity": "ModSecurity v3.0.6 (Linux)"
      },
      "messages": [
        {
          "details": {
            "reference": "",
            "severity": "5",
            "ver": "OWASP_CRS/3.3.0",
            "rev": "",
            "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
            "data": "",
            "maturity": "0",
            "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )",
            "accuracy": "0",
            "ruleId": "920320",
            "lineNumber": "1265",
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-protocol",
              "OWASP_CRS",
              "capec/1000/210/272",
              "PCI/6.5.10",
              "paranoia-level/2"
            ]
          },
          "message": "Missing User Agent Header"
        }
      ],
      "clientIP": "172.27.166.19",
      "serverId": "f992b18f7d6d4a6594c6e21e55a04cd407bde175"
    }
  },
  {
    "transaction": {
      "clientPort": 37440,
      "request": {
        "headers": {
          "BLN-REQUEST-FATE-ACTION": "pass",
          "x-request-id": "b2eeb0aee3ab5a5faacbbd133cfd32d1",
          "clientipaddrwaf": "62.122.15.8",
          "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
          "BLN-CATEGORY": "pass",
          "Bln-Debug-Path": "62.122.15.8, 5.182.212.55, 172.26.208.62",
          "X-Forwarded-Proto": "https",
          "Host": "www.cdiscount.com",
          "rlnclientipaddr": "62.122.15.8",
          "BLN-REQUEST-FATE": "pass",
          "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
          "bln-cache": "Pass",
          "x-real-ip": "62.122.15.8",
          "X-Varnish": "38007545",
          "x-envoy-external-address": "62.122.15.8",
          "tracestate": "48903d45-6ba3c989@dt=fw4;12;5215a8ff;d25c1;7;0;0;271;5b62;2h02;3hfe07cce1;4h0ce43f;5h01",
          "traceparent": "00-76f37da11fbe74cee637e0556e4172c2-ee3a5beb736e9e75-01",
          "X-Forwarded-For": "62.122.15.8, 5.182.212.55",
          "x-dynatrace": "FW4;1805896073;18;1377151231;861633;7;1217412421;625;5b62;2h02;3hfe07cce1;4h0ce43f;5h01",
          "accept-encoding": "gzip, deflate"
        },
        "method": "GET",
        "httpVersion": 1,
        "uri": "/DisplayRwdHeader.mvc/0/0"
      },
      "hostIp": "172.26.147.157",
      "uniqueId": "1682445600",
      "timeStamp": "2023-04-25T18:00:00.0Z",
      "hostPort": 80,
      "response": {
        "headers": {
          "server": "",
          "Server": "",
          "X-OneAgent-JS-Injection": "true",
          "X-ruxit-JS-Agent": "true",
          "Access-Control-Allow-Origin": "https://clients.cdiscount.com",
          "Connection": "keep-alive",
          "Date": "Tue, 25 Apr 2023 18:00:00 GMT",
          "X-AspNetMvc-Version": "5.2",
          "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
          "X-Robots-Tag": "noindex,nofollow",
          "Cache-Control": "private",
          "Access-Control-Allow-Credentials": "true",
          "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:",
          "Content-Encoding": "gzip",
          "X-CDHOSTNAME": "aa01srvweb031",
          "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT",
          "Vary": "User-Agent,Accept-Encoding",
          "Content-Length": "3257",
          "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw",
          "X-XSS-Protection": "1; mode=block",
          "Content-Type": "text/html; charset=utf-8",
          "X-Powered-By": "ASP.NET"
        },
        "httpCode": 200
      },
      "producer": {
        "components": [
          "OWASP_CRS/3.3.0\""
        ],
        "secrulesEngine": "DetectionOnly",
        "connector": "ModSecurity-nginx v1.0.2",
        "modsecurity": "ModSecurity v3.0.6 (Linux)"
      },
      "messages": [
        {
          "details": {
            "reference": "",
            "severity": "5",
            "ver": "OWASP_CRS/3.3.0",
            "rev": "",
            "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
            "data": "",
            "maturity": "0",
            "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )",
            "accuracy": "0",
            "ruleId": "920320",
            "lineNumber": "1265",
            "tags": [
              "application-multi",
              "language-multi",
              "platform-multi",
              "attack-protocol",
              "OWASP_CRS",
              "capec/1000/210/272",
              "PCI/6.5.10",
              "paranoia-level/2"
            ]
          },
          "message": "Missing User Agent Header"
        }
      ],
      "clientIP": "172.26.207.247",
      "serverId": "88af048ef2a922ff725849cdfd5d45c46fc51c28"
    }
  }
  ...
]
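As an added example (not Baleen's own client code), the Python script below puts the pieces of this page together: it builds the authenticated, namespaced POST with the same filter body as the example above, pages through the results using the page and size query parameters, and reduces the returned transaction objects to a per-rule summary (rule message, severity, CRS paranoia level taken from the tags, engine mode, and hit count per client). The Authorization: Bearer header scheme, the helper names (build_request, fetch_all, summarize, fake_opener) and the offline fake_opener stand-in are assumptions of this example; the sample events are constructed, abridged from the two records in the response body above.

```python
# Added example, not Baleen's own client code. The Bearer scheme for the
# personal access token is an assumption; the page only says the call must
# carry the token and the baleen-namespace cookie.
import io
import json
import urllib.request
from collections import Counter
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://console.baleen.cloud/api/logs/waf-logs"

def build_request(token, namespace, start, end, page=0, size=100, filters=None):
    """Return (url, headers, body) for one page of WAF logs between start and end."""
    if not 1 <= size <= 100:
        raise ValueError("size must be between 1 and 100")
    url = f"{BASE_URL}?start={start}&end={end}&page={page}&size={size}"
    headers = {
        "Authorization": f"Bearer {token}",        # assumed header scheme
        "Cookie": f"baleen-namespace={namespace}",  # required by the endpoint
        "Content-Type": "application/json",
    }
    body = json.dumps({"filters": filters or []}).encode()
    return url, headers, body

def fetch_all(token, namespace, start, end, filters=None, size=100,
              opener=urllib.request.urlopen):
    """Fetch every page; stop when a page comes back shorter than `size`."""
    events, page = [], 0
    while True:
        url, headers, body = build_request(token, namespace, start, end, page, size, filters)
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with opener(req) as resp:
            chunk = json.load(resp)
        events.extend(chunk)
        if len(chunk) < size:
            return events
        page += 1

def paranoia_level(tags):
    """CRS paranoia level carried in the rule tags, e.g. 'paranoia-level/2' -> 2."""
    for tag in tags:
        if tag.startswith("paranoia-level/"):
            return int(tag.split("/", 1)[1])
    return None

def summarize(events):
    """ruleId -> message, severity, paranoia level, engine mode, hit count and a
    per-client counter keyed on the x-real-ip request header."""
    summary = {}
    for event in events:
        tx = event["transaction"]
        client = tx["request"]["headers"].get("x-real-ip", tx.get("clientIP"))
        for msg in tx.get("messages", []):
            d = msg["details"]
            entry = summary.setdefault(d["ruleId"], {
                "message": msg["message"], "severity": d["severity"],
                "paranoia_level": paranoia_level(d["tags"]),
                "engine": tx["producer"]["secrulesEngine"],
                "hits": 0, "clients": Counter(),
            })
            entry["hits"] += 1
            entry["clients"][client] += 1
    return summary

def _event(client_ip, host_ip):
    """Constructed sample: one record abridged from the page's response body."""
    return {"transaction": {
        "request": {"headers": {"x-real-ip": client_ip, "Host": "www.cdiscount.com",
                                "BLN-REQUEST-FATE": "pass"},
                    "method": "GET", "httpVersion": 1, "uri": "/DisplayRwdHeader.mvc/0/0"},
        "hostIp": host_ip, "timeStamp": "2023-04-25T18:00:00.0Z",
        "producer": {"components": ["OWASP_CRS/3.3.0\""], "secrulesEngine": "DetectionOnly",
                     "connector": "ModSecurity-nginx v1.0.2",
                     "modsecurity": "ModSecurity v3.0.6 (Linux)"},
        "messages": [{"details": {"ruleId": "920320", "severity": "5", "lineNumber": "1265",
                                  "tags": ["attack-protocol", "OWASP_CRS", "PCI/6.5.10",
                                           "paranoia-level/2"]},
                      "message": "Missing User Agent Header"}],
        "clientIP": "172.27.166.19",
    }}

SAMPLE_EVENTS = [_event("62.122.15.8", "172.26.69.15"), _event("62.122.15.8", "172.26.147.157")]

def fake_opener(req):
    """Offline stand-in for urllib.request.urlopen: serves SAMPLE_EVENTS one
    `size`-sized page at a time so fetch_all can be exercised without network."""
    query = parse_qs(urlparse(req.full_url).query)
    page, size = int(query["page"][0]), int(query["size"][0])
    chunk = SAMPLE_EVENTS[page * size:(page + 1) * size]
    return io.BytesIO(json.dumps(chunk).encode())

if __name__ == "__main__":
    filters = [{"field": "ruleId", "operator": "equals", "value": "920320"}]
    events = fetch_all("TOKEN", "my-namespace", 1682427600, 1682445600, filters,
                       size=1, opener=fake_opener)  # use urllib.request.urlopen for a live call
    for rule_id, info in summarize(events).items():
        print(rule_id, info["message"], "PL", info["paranoia_level"], "hits", info["hits"],
              "engine", info["engine"], dict(info["clients"]))
```

Run as-is, the script works offline against the constructed sample; pass urllib.request.urlopen as the opener, with a real token and namespace, for a live call. Two details of the page's own example drive the design: the producer reports secrulesEngine DetectionOnly and the request headers carry BLN-REQUEST-FATE pass, so these entries are detections of rule 920320 at paranoia level 2 rather than blocked requests, and the summary keys clients on x-real-ip rather than clientIP because in the example clientIP holds an internal address while x-real-ip holds the original client.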