POST https://console.baleen.cloud/api/logs/waf-logs
Retrieves a limited amount of waf logs in a timerange with optional filtering
Authorization
The user must be authentificated using his personal access token
The baleen namespace must be set within the cookie baleen-namespace
Resquest format
Query Params
Param | Required/Optional | Type | Description |
---|---|---|---|
start | optional | long | The timestamp (in seconds) to collect data from |
end | optional | long | The timestamp (in seconds) to collect data to |
size | optional | integer | The page size of log entries to retrieve. Between 1 and 100. |
page | optional | 0 | The page number of log entries to retrieve |
Body Params
filters object[] (optional)
Array allowing to define the filters to apply on the waf logs using the following parameters
Param | Type | Description |
---|---|---|
field | enum | The field targeted to filter the logs Has to be one of the following value :
|
operator | enum | The operator used to filter the logs Has to be one of the following value :
|
value | string | The value considered to filter the logs |
Response format
Successful request
200 OK
Field | Required/Optional | Type | Description |
---|---|---|---|
timestamp | required | ISO 8601 GMT | ISO 8601 uses the 24-hour clock system |
status | required | HTTP status | Hypertext Transfer Protocol (HTTP) response status codes |
remoteAddr | optional | IP address | client IP proxy or client IP address |
upstream | optional | IP address | Baleen proxy-out IP address |
scheme | required | URI Scheme | |
requestFateAction | optional | Baleen BotDetection Fate Action | Baleen Botdetection action for this request |
bodyBytesSent | required | Byte data type | request body size |
botCategory | optional | Baleen Bot Category | Bot Category assigned to this request |
httpHost | required | URL scheme | Request Host header value |
httpUserAgent | optional | String | Request User-Agent header value |
remoteUser | optional | IP address | |
requestTime | optional | Duration (Seconds) | Request processing time |
clientIP | required | IP address | Client IP adress |
httpXForwardedFor | optional | comma separated IP addresses | identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer |
httpReferrer | optional | URL scheme | Request Referer header value |
upstreamResponseTime | optional | Duration (Second) | Origine response time for this request |
requestFate | optional | Baleen Bot Detection Action | Baleen action for this request |
requestJa3 | optional | string | Device TLS fingerprint |
sslProtocol | required | string | Client TLS protocol |
serverProtocol | required | string | |
requestURI | required | URI scheme | Request ressource identifier |
requestMethod | required | HTTP Request Method | |
requestArgs | optional | string | Request URI query strings |
requestISP | optional | string | Client Internet Service Provider |
requestCountry | optional | string | country code ISO3166-1 format |
requestConnectionType | optional | string | |
requestionIsAnonymousProxy | optional | Boolean | Tells if this request was made using an anonymous proxy like à VPN |
responseContentType | optional | string | Response Content Type Header |
Unsuccessful request
Example
The following example shows an API call retrieving security events created after a request triggered the rule 920320 between April 25th 2023 3PM and April 25th 2023 8PM.
Query
POST https://console.baleen.cloud/api/logs/waf-logs?start=1682427600&end=1682445600&page=0&size=100
Request body
{ "filters": [ { "field": "ruleId", "value": "920320", "operator": "equals" } ] }
Response body
[ { "transaction": { "clientPort": 33150, "request": { "headers": { "BLN-REQUEST-FATE-ACTION": "pass", "x-request-id": "cbe396108b24cef402c1f2a63341ac73", "clientipaddrwaf": "62.122.15.8", "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "BLN-CATEGORY": "pass", "Bln-Debug-Path": "62.122.15.8, 5.182.212.100, 172.26.168.169", "X-Forwarded-Proto": "https", "Host": "www.cdiscount.com", "rlnclientipaddr": "62.122.15.8", "BLN-REQUEST-FATE": "pass", "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "bln-cache": "Pass", "x-real-ip": "62.122.15.8", "X-Varnish": "8501481", "x-envoy-external-address": "62.122.15.8", "tracestate": "48903d45-6ba3c989@dt=fw4;c;e407b10e;cfa21;1;0;0;104;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01", "traceparent": "00-8c9a7ddd174e98d607fe01b9523deda6-4fc7a694e35fd96f-01", "X-Forwarded-For": "62.122.15.8, 5.182.212.100", "x-dynatrace": "FW4;1805896073;12;-469257970;850465;1;1217412421;260;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01", "accept-encoding": "gzip, deflate" }, "method": "GET", "httpVersion": 1, "uri": "/DisplayRwdHeader.mvc/0/0" }, "hostIp": "172.26.69.15", "uniqueId": "1682445600", "timeStamp": "2023-04-25T18:00:00.0Z", "hostPort": 80, "response": { "headers": { "server": "", "Server": "", "X-OneAgent-JS-Injection": "true", "X-ruxit-JS-Agent": "true", "Access-Control-Allow-Origin": "https://clients.cdiscount.com", "Connection": "keep-alive", "Date": "Tue, 25 Apr 2023 18:00:00 GMT", "X-AspNetMvc-Version": "5.2", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Robots-Tag": "noindex,nofollow", "Cache-Control": "private", "Access-Control-Allow-Credentials": "true", "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:", "Content-Encoding": "gzip", "X-CDHOSTNAME": "aa01srvweb035", "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT", "Vary": "User-Agent,Accept-Encoding", "Content-Length": "3257", "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw", "X-XSS-Protection": "1; mode=block", "Content-Type": "text/html; charset=utf-8", "X-Powered-By": "ASP.NET" }, "httpCode": 200 }, "producer": { "components": [ "OWASP_CRS/3.3.0\"" ], "secrulesEngine": "DetectionOnly", "connector": "ModSecurity-nginx v1.0.2", "modsecurity": "ModSecurity v3.0.6 (Linux)" }, "messages": [ { "details": { "reference": "", "severity": "5", "ver": "OWASP_CRS/3.3.0", "rev": "", "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", "data": "", "maturity": "0", "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )", "accuracy": "0", "ruleId": "920320", "lineNumber": "1265", "tags": [ "application-multi", "language-multi", "platform-multi", "attack-protocol", "OWASP_CRS", "capec/1000/210/272", "PCI/6.5.10", "paranoia-level/2" ] }, "message": "Missing User Agent Header" } ], "clientIP": "172.27.166.19", "serverId": "f992b18f7d6d4a6594c6e21e55a04cd407bde175" } }, { "transaction": { "clientPort": 37440, "request": { "headers": { "BLN-REQUEST-FATE-ACTION": "pass", "x-request-id": "b2eeb0aee3ab5a5faacbbd133cfd32d1", "clientipaddrwaf": "62.122.15.8", "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "BLN-CATEGORY": "pass", "Bln-Debug-Path": "62.122.15.8, 5.182.212.55, 172.26.208.62", "X-Forwarded-Proto": "https", "Host": "www.cdiscount.com", "rlnclientipaddr": "62.122.15.8", "BLN-REQUEST-FATE": "pass", "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b", "bln-cache": "Pass", "x-real-ip": "62.122.15.8", "X-Varnish": "38007545", "x-envoy-external-address": "62.122.15.8", "tracestate": "48903d45-6ba3c989@dt=fw4;12;5215a8ff;d25c1;7;0;0;271;5b62;2h02;3hfe07cce1;4h0ce43f;5h01", "traceparent": "00-76f37da11fbe74cee637e0556e4172c2-ee3a5beb736e9e75-01", "X-Forwarded-For": "62.122.15.8, 5.182.212.55", "x-dynatrace": "FW4;1805896073;18;1377151231;861633;7;1217412421;625;5b62;2h02;3hfe07cce1;4h0ce43f;5h01", "accept-encoding": "gzip, deflate" }, "method": "GET", "httpVersion": 1, "uri": "/DisplayRwdHeader.mvc/0/0" }, "hostIp": "172.26.147.157", "uniqueId": "1682445600", "timeStamp": "2023-04-25T18:00:00.0Z", "hostPort": 80, "response": { "headers": { "server": "", "Server": "", "X-OneAgent-JS-Injection": "true", "X-ruxit-JS-Agent": "true", "Access-Control-Allow-Origin": "https://clients.cdiscount.com", "Connection": "keep-alive", "Date": "Tue, 25 Apr 2023 18:00:00 GMT", "X-AspNetMvc-Version": "5.2", "Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Robots-Tag": "noindex,nofollow", "Cache-Control": "private", "Access-Control-Allow-Credentials": "true", "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:", "Content-Encoding": "gzip", "X-CDHOSTNAME": "aa01srvweb031", "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT", "Vary": "User-Agent,Accept-Encoding", "Content-Length": "3257", "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw", "X-XSS-Protection": "1; mode=block", "Content-Type": "text/html; charset=utf-8", "X-Powered-By": "ASP.NET" }, "httpCode": 200 }, "producer": { "components": [ "OWASP_CRS/3.3.0\"" ], "secrulesEngine": "DetectionOnly", "connector": "ModSecurity-nginx v1.0.2", "modsecurity": "ModSecurity v3.0.6 (Linux)" }, "messages": [ { "details": { "reference": "", "severity": "5", "ver": "OWASP_CRS/3.3.0", "rev": "", "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf", "data": "", "maturity": "0", "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )", "accuracy": "0", "ruleId": "920320", "lineNumber": "1265", "tags": [ "application-multi", "language-multi", "platform-multi", "attack-protocol", "OWASP_CRS", "capec/1000/210/272", "PCI/6.5.10", "paranoia-level/2" ] }, "message": "Missing User Agent Header" } ], "clientIP": "172.26.207.247", "serverId": "88af048ef2a922ff725849cdfd5d45c46fc51c28" } } ... ]