How to retrieve Baleen waf logs?

POST https://console.baleen.cloud/api/logs/waf-logs

Retrieves a limited amount of waf logs in a timerange with optional filtering

 

Authorization

 

  • The user must be authentificated using his personal access token

  • The baleen namespace must be set within the cookie baleen-namespace

Resquest format

Query Params

Param

Required/Optional

Type

Description

Param

Required/Optional

Type

Description

start

optional

long

The timestamp (in seconds) to collect data from

end

optional

long

The timestamp (in seconds) to collect data to

size

optional

integer

The page size of log entries to retrieve. Between 1 and 100.

page

optional

0

The page number of log entries to retrieve

Body Params

filters object description

This object is an optional array allowing to define the filters to apply on the waf logs using the following parameters.

Param

Type

Description

Param

Type

Description

field

enum

The field targeted to filter the logs

Has to be one of the following value :

  • “ruleId”

operator

enum

The operator used to filter the logs

Has to be one of the following value :

  • “equals” : this option allows to retrieve logs whose the mentioned field is strictly equal to the indicated value.

value

string

The value considered to filter the logs

 

Response format

Successful request

200 OK

Field

Type

Description

Field

Type

Description

transaction

object

 

 

transaction object description

This object gathers information about the threat(s) identified by the OWASP ruleset

Field

Type

Description

Field

Type

Description

clientIP

string

 

clientPort

integer

 

hostIP

string

 

hostPort

integer

 

messages

object[]

 

producer

object

 

request

object

 

response

object

 

serverId

String

 

timeStamp

string

 

uniqueId

string

 

 

messages object description

This array helps to understand why the request is seen as a threat : there is a messages occurrence for each OWASP rule triggered

Field

Type

Description

Field

Type

Description

details

object

 

message

string

 

 

details object description

This object gives precise details about the rule triggered (its ID and severity) and the reason of the trigger

Field

Type

Description

Field

Type

Description

accuracy

string

 

data

string

 

file

string

 

lineNumber

string

 

match

string

 

maturity

string

 

reference

string

 

rev

string

 

ruleId

string

 

severity

string

 

tags

string[]

 

ver

string

 

 

producer object description

This object gives information about ModSecurity : the producer of the waf log.

Field

Type

Description

Field

Type

Description

components

string[]

 

connector

string

 

modsecurity

string

 

secrulesEngine

string

 

 

request object description

This object gathers information about the initial HTTP request

Field

Type

Description

Field

Type

Description

headers

string[]

 

httpVersion

number

 

method

string

 

uri

string

 

 

response object description

This object gathers information about the HTTP response

Field

Type

Description

Field

Type

Description

headers

string[]

 

httpCode

string

 

 

Unsuccessful request

400 Bad request

500 Internal server error

Example

 

The following example shows an API call retrieving security events created after a request triggered the rule 920320 between April 25th 2023 3PM and April 25th 2023 8PM.

Query

POST https://console.baleen.cloud/api/logs/waf-logs?start=1682427600&end=1682445600&page=0&size=100

Request body

{ "filters": [ { "field": "ruleId", "value": "920320", "operator": "equals" } ] }

Response body

[ { "transaction": { "clientPort": 33150, "request": { "headers": { "BLN-REQUEST-FATE-ACTION": "pass", "x-request-id": "cbe396108b24cef402c1f2a63341ac73", "clientipaddrwaf": "62.122.15.8", "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "BLN-CATEGORY": "pass", "Bln-Debug-Path": "62.122.15.8, 5.182.212.100, 172.26.168.169", "X-Forwarded-Proto": "https", "Host": "www.cdiscount.com", "rlnclientipaddr": "62.122.15.8", "BLN-REQUEST-FATE": "pass", "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "bln-cache": "Pass", "x-real-ip": "62.122.15.8", "X-Varnish": "8501481", "x-envoy-external-address": "62.122.15.8", "tracestate": "48903d45-6ba3c989@dt=fw4;c;e407b10e;cfa21;1;0;0;104;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01", "traceparent": "00-8c9a7ddd174e98d607fe01b9523deda6-4fc7a694e35fd96f-01", "X-Forwarded-For": "62.122.15.8, 5.182.212.100", "x-dynatrace": "FW4;1805896073;12;-469257970;850465;1;1217412421;260;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01", "accept-encoding": "gzip, deflate" }, "method": "GET", "httpVersion": 1, "uri": "/DisplayRwdHeader.mvc/0/0" }, "hostIp": "172.26.69.15", "uniqueId": "1682445600", "timeStamp": "2023-04-25T18:00:00.0Z", "hostPort": 80, "response": { "headers": { "server": "", "Server": "", "X-OneAgent-JS-Injection": "true", "X-ruxit-JS-Agent": "true", "Access-Control-Allow-Origin": "https://clients.cdiscount.com", "Connection": "keep-alive", "Date": "Tue, 25 Apr 2023 18:00:00 GMT", "X-AspNetMvc-Version": "5.2", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Robots-Tag": "noindex,nofollow", "Cache-Control": "private", "Access-Control-Allow-Credentials": "true", "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:", "Content-Encoding": "gzip", "X-CDHOSTNAME": "aa01srvweb035", "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT", "Vary": "User-Agent,Accept-Encoding", "Content-Length": "3257", "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw", "X-XSS-Protection": "1; mode=block", "Content-Type": "text/html; charset=utf-8", "X-Powered-By": "ASP.NET" }, "httpCode": 200 }, "producer": { "components": [ "OWASP_CRS/3.3.0\"" ], "secrulesEngine": "DetectionOnly", "connector": "ModSecurity-nginx v1.0.2", "modsecurity": "ModSecurity v3.0.6 (Linux)" }, "messages": [ { "details": { "reference": "", "severity": "5", "ver": "OWASP_CRS/3.3.0", "rev": "", "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", "data": "", "maturity": "0", "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )", "accuracy": "0", "ruleId": "920320", "lineNumber": "1265", "tags": [ "application-multi", "language-multi", "platform-multi", "attack-protocol", "OWASP_CRS", "capec/1000/210/272", "PCI/6.5.10", "paranoia-level/2" ] }, "message": "Missing User Agent Header" } ], "clientIP": "172.27.166.19", "serverId": "f992b18f7d6d4a6594c6e21e55a04cd407bde175" } }, { "transaction": { "clientPort": 37440, "request": { "headers": { "BLN-REQUEST-FATE-ACTION": "pass", "x-request-id": "b2eeb0aee3ab5a5faacbbd133cfd32d1", "clientipaddrwaf": "62.122.15.8", "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "BLN-CATEGORY": "pass", "Bln-Debug-Path": "62.122.15.8, 5.182.212.55, 172.26.208.62", "X-Forwarded-Proto": "https", "Host": "www.cdiscount.com", "rlnclientipaddr": "62.122.15.8", "BLN-REQUEST-FATE": "pass", "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "bln-cache": "Pass", "x-real-ip": "62.122.15.8", "X-Varnish": "38007545", "x-envoy-external-address": "62.122.15.8", "tracestate": "48903d45-6ba3c989@dt=fw4;12;5215a8ff;d25c1;7;0;0;271;5b62;2h02;3hfe07cce1;4h0ce43f;5h01", "traceparent": "00-76f37da11fbe74cee637e0556e4172c2-ee3a5beb736e9e75-01", "X-Forwarded-For": "62.122.15.8, 5.182.212.55", "x-dynatrace": "FW4;1805896073;18;1377151231;861633;7;1217412421;625;5b62;2h02;3hfe07cce1;4h0ce43f;5h01", "accept-encoding": "gzip, deflate" }, "method": "GET", "httpVersion": 1, "uri": "/DisplayRwdHeader.mvc/0/0" }, "hostIp": "172.26.147.157", "uniqueId": "1682445600", "timeStamp": "2023-04-25T18:00:00.0Z", "hostPort": 80, "response": { "headers": { "server": "", "Server": "", "X-OneAgent-JS-Injection": "true", "X-ruxit-JS-Agent": "true", "Access-Control-Allow-Origin": "https://clients.cdiscount.com", "Connection": "keep-alive", "Date": "Tue, 25 Apr 2023 18:00:00 GMT", "X-AspNetMvc-Version": "5.2", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Robots-Tag": "noindex,nofollow", "Cache-Control": "private", "Access-Control-Allow-Credentials": "true", "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:", "Content-Encoding": "gzip", "X-CDHOSTNAME": "aa01srvweb031", "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT", "Vary": "User-Agent,Accept-Encoding", "Content-Length": "3257", "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw", "X-XSS-Protection": "1; mode=block", "Content-Type": "text/html; charset=utf-8", "X-Powered-By": "ASP.NET" }, "httpCode": 200 }, "producer": { "components": [ "OWASP_CRS/3.3.0\"" ], "secrulesEngine": "DetectionOnly", "connector": "ModSecurity-nginx v1.0.2", "modsecurity": "ModSecurity v3.0.6 (Linux)" }, "messages": [ { "details": { "reference": "", "severity": "5", "ver": "OWASP_CRS/3.3.0", "rev": "", "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", "data": "", "maturity": "0", "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )", "accuracy": "0", "ruleId": "920320", "lineNumber": "1265", "tags": [ "application-multi", "language-multi", "platform-multi", "attack-protocol", "OWASP_CRS", "capec/1000/210/272", "PCI/6.5.10", "paranoia-level/2" ] }, "message": "Missing User Agent Header" } ], "clientIP": "172.26.207.247", "serverId": "88af048ef2a922ff725849cdfd5d45c46fc51c28" } } ... ]