Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

POST https://console.baleen.cloud/api/logs/waf-logs

Retrieves a limited amount of waf logs in a timerange with optional filtering

Authorization

  • The user must be authentificated using his personal access token

  • The baleen namespace must be set within the cookie baleen-namespace

Resquest format

Query Params

Param

Required/Optional

Type

Description

start

optional

long

The timestamp (in seconds) to collect data from

end

optional

long

The timestamp (in seconds) to collect data to

size

optional

integer

The page size of log entries to retrieve. Between 1 and 100.

page

optional

0

The page number of log entries to retrieve

Body Params

filters object description

Optional array allowing to define the filters to apply on the waf logs using the following parameters

Param

Type

Description

field

enum

The field targeted to filter the logs

Has to be one of the following value :

  • “ruleId”

operator

enum

The operator used to filter the logs

Has to be one of the following value :

  • “equals” : this option allows to retrieve logs whose the mentioned field is strictly equal to the indicated value.

value

string

The value considered to filter the logs

Response format

Successful request

200 OK

Field

Type

Description

transaction

object

transaction object description

Field

Type

Description

clientIP

string

clientPort

integer

hostIP

string

hostPort

integer

messages

object[]

producer

object

request

object

response

object

serverId

String

timeStamp

string

uniqueId

string

messages object description

Field

Type

Description

details

object

message

string

details object description

Field

Type

Description

accuracy

string

data

string

file

string

lineNumber

string

match

string

maturity

string

reference

string

rev

string

ruleId

string

severity

string

tags

string[]

ver

string

producer object description

Field

Type

Description

components

string[]

connector

string

modsecurity

string

secrulesEngine

string

request object description

Field

Type

Description

headers

string[]

httpVersion

number

method

string

uri

string

response object description

Field

Type

Description

headers

string[]

httpCode

string

Unsuccessful request

Example

The following example shows an API call retrieving security events created after a request triggered the rule 920320 between April 25th 2023 3PM and April 25th 2023 8PM.

Query

POST https://console.baleen.cloud/api/logs/waf-logs?start=1682427600&end=1682445600&page=0&size=100

Request body

{
  "filters": [
    {
      "field": "ruleId",
      "value": "920320",
      "operator": "equals"
    }
  ]
}

Response body

[
  {
        "transaction": {
            "clientPort": 33150,
            "request": {
                "headers": {
                    "BLN-REQUEST-FATE-ACTION": "pass",
                    "x-request-id": "cbe396108b24cef402c1f2a63341ac73",
                    "clientipaddrwaf": "62.122.15.8",
                    "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
                    "BLN-CATEGORY": "pass",
                    "Bln-Debug-Path": "62.122.15.8, 5.182.212.100, 172.26.168.169",
                    "X-Forwarded-Proto": "https",
                    "Host": "www.cdiscount.com",
                    "rlnclientipaddr": "62.122.15.8",
                    "BLN-REQUEST-FATE": "pass",
                    "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
                    "bln-cache": "Pass",
                    "x-real-ip": "62.122.15.8",
                    "X-Varnish": "8501481",
                    "x-envoy-external-address": "62.122.15.8",
                    "tracestate": "48903d45-6ba3c989@dt=fw4;c;e407b10e;cfa21;1;0;0;104;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01",
                    "traceparent": "00-8c9a7ddd174e98d607fe01b9523deda6-4fc7a694e35fd96f-01",
                    "X-Forwarded-For": "62.122.15.8, 5.182.212.100",
                    "x-dynatrace": "FW4;1805896073;12;-469257970;850465;1;1217412421;260;fc13;2h02;3h1b28d6e8;4h0cb7cd;5h01",
                    "accept-encoding": "gzip, deflate"
                },
                "method": "GET",
                "httpVersion": 1,
                "uri": "/DisplayRwdHeader.mvc/0/0"
            },
            "hostIp": "172.26.69.15",
            "uniqueId": "1682445600",
            "timeStamp": "2023-04-25T18:00:00.0Z",
            "hostPort": 80,
            "response": {
                "headers": {
                    "server": "",
                    "Server": "",
                    "X-OneAgent-JS-Injection": "true",
                    "X-ruxit-JS-Agent": "true",
                    "Access-Control-Allow-Origin": "https://clients.cdiscount.com",
                    "Connection": "keep-alive",
                    "Date": "Tue, 25 Apr 2023 18:00:00 GMT",
                    "X-AspNetMvc-Version": "5.2",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "X-Robots-Tag": "noindex,nofollow",
                    "Cache-Control": "private",
                    "Access-Control-Allow-Credentials": "true",
                    "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:",
                    "Content-Encoding": "gzip",
                    "X-CDHOSTNAME": "aa01srvweb035",
                    "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT",
                    "Vary": "User-Agent,Accept-Encoding",
                    "Content-Length": "3257",
                    "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw",
                    "X-XSS-Protection": "1; mode=block",
                    "Content-Type": "text/html; charset=utf-8",
                    "X-Powered-By": "ASP.NET"
                },
                "httpCode": 200
            },
            "producer": {
                "components": [
                    "OWASP_CRS/3.3.0\""
                ],
                "secrulesEngine": "DetectionOnly",
                "connector": "ModSecurity-nginx v1.0.2",
                "modsecurity": "ModSecurity v3.0.6 (Linux)"
            },
            "messages": [
                {
                    "details": {
                        "reference": "",
                        "severity": "5",
                        "ver": "OWASP_CRS/3.3.0",
                        "rev": "",
                        "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
                        "data": "",
                        "maturity": "0",
                        "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )",
                        "accuracy": "0",
                        "ruleId": "920320",
                        "lineNumber": "1265",
                        "tags": [
                            "application-multi",
                            "language-multi",
                            "platform-multi",
                            "attack-protocol",
                            "OWASP_CRS",
                            "capec/1000/210/272",
                            "PCI/6.5.10",
                            "paranoia-level/2"
                        ]
                    },
                    "message": "Missing User Agent Header"
                }
            ],
            "clientIP": "172.27.166.19",
            "serverId": "f992b18f7d6d4a6594c6e21e55a04cd407bde175"
        }
    },
    {
        "transaction": {
            "clientPort": 37440,
            "request": {
                "headers": {
                    "BLN-REQUEST-FATE-ACTION": "pass",
                    "x-request-id": "b2eeb0aee3ab5a5faacbbd133cfd32d1",
                    "clientipaddrwaf": "62.122.15.8",
                    "x-ssl-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
                    "BLN-CATEGORY": "pass",
                    "Bln-Debug-Path": "62.122.15.8, 5.182.212.55, 172.26.208.62",
                    "X-Forwarded-Proto": "https",
                    "Host": "www.cdiscount.com",
                    "rlnclientipaddr": "62.122.15.8",
                    "BLN-REQUEST-FATE": "pass",
                    "BLN-SSL-ja3-hash": "7c410ce832e848a3321432c9a82e972b",
                    "bln-cache": "Pass",
                    "x-real-ip": "62.122.15.8",
                    "X-Varnish": "38007545",
                    "x-envoy-external-address": "62.122.15.8",
                    "tracestate": "48903d45-6ba3c989@dt=fw4;12;5215a8ff;d25c1;7;0;0;271;5b62;2h02;3hfe07cce1;4h0ce43f;5h01",
                    "traceparent": "00-76f37da11fbe74cee637e0556e4172c2-ee3a5beb736e9e75-01",
                    "X-Forwarded-For": "62.122.15.8, 5.182.212.55",
                    "x-dynatrace": "FW4;1805896073;18;1377151231;861633;7;1217412421;625;5b62;2h02;3hfe07cce1;4h0ce43f;5h01",
                    "accept-encoding": "gzip, deflate"
                },
                "method": "GET",
                "httpVersion": 1,
                "uri": "/DisplayRwdHeader.mvc/0/0"
            },
            "hostIp": "172.26.147.157",
            "uniqueId": "1682445600",
            "timeStamp": "2023-04-25T18:00:00.0Z",
            "hostPort": 80,
            "response": {
                "headers": {
                    "server": "",
                    "Server": "",
                    "X-OneAgent-JS-Injection": "true",
                    "X-ruxit-JS-Agent": "true",
                    "Access-Control-Allow-Origin": "https://clients.cdiscount.com",
                    "Connection": "keep-alive",
                    "Date": "Tue, 25 Apr 2023 18:00:00 GMT",
                    "X-AspNetMvc-Version": "5.2",
                    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "X-Robots-Tag": "noindex,nofollow",
                    "Cache-Control": "private",
                    "Access-Control-Allow-Credentials": "true",
                    "Content-Security-Policy": "default-src * data: 'unsafe-eval' 'unsafe-inline' blob:",
                    "Content-Encoding": "gzip",
                    "X-CDHOSTNAME": "aa01srvweb031",
                    "Set-Cookie": "cache_cdn=;path=/;expires=Tue, 25 Apr 2023 18:59:59 GMT",
                    "Vary": "User-Agent,Accept-Encoding",
                    "Content-Length": "3257",
                    "DataFromMvcToDotNet": "7ZTNTgIxEMd3-RZRXoG7m4YFVuDAaQke_CKBYCIh0l1GU-luSdvFwAP4pMZHUBMP2i4gR43xYrRNpzOT5j_tr00N0zCMN9X0rFshoQy4EyJ8FoUSdTgO4I7xKboAD7ksmLEQQims0gC4ICxs2aisu1VyIyojDq0QIskxtUrdyKPEP4ZFn00hbE1s23MmdrlawZWGA420rtn5vBQ6nft91okobTN5BhK1scQdzoI4v8ppqX2dbxNfql1hvkjdJ76h3QNOMCVL7FHYao0rw2FvISQEqCc5CW-sUqCUOSXeFkTtqyC8eh07vnNoN6s1KDeaI2sjfu7dgi9_Vnykb1SPnaQyaW3-yazIaBZ7J0TIsX1wRVQZUdhEgiyhuAnmq1Jq-aO53o_LKIUYgkBHECo2PlKVBphG0MWE_2ouw1EuF7-YlDLmemR1EHvaST78CRKpV_U3_o2j6gtPTmGRnuvjmIlMRiWK7evZpfoQRM_nZCZFJhs_ghdFRZPJ583nrfv04e6-Aw",
                    "X-XSS-Protection": "1; mode=block",
                    "Content-Type": "text/html; charset=utf-8",
                    "X-Powered-By": "ASP.NET"
                },
                "httpCode": 200
            },
            "producer": {
                "components": [
                    "OWASP_CRS/3.3.0\""
                ],
                "secrulesEngine": "DetectionOnly",
                "connector": "ModSecurity-nginx v1.0.2",
                "modsecurity": "ModSecurity v3.0.6 (Linux)"
            },
            "messages": [
                {
                    "details": {
                        "reference": "",
                        "severity": "5",
                        "ver": "OWASP_CRS/3.3.0",
                        "rev": "",
                        "file": "/etc/openresty/templated_conf/../modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf",
                        "data": "",
                        "maturity": "0",
                        "match": "Matched \"Operator `Eq' with parameter `0' against variable `REQUEST_HEADERS:User-Agent' (Value: `0' )",
                        "accuracy": "0",
                        "ruleId": "920320",
                        "lineNumber": "1265",
                        "tags": [
                            "application-multi",
                            "language-multi",
                            "platform-multi",
                            "attack-protocol",
                            "OWASP_CRS",
                            "capec/1000/210/272",
                            "PCI/6.5.10",
                            "paranoia-level/2"
                        ]
                    },
                    "message": "Missing User Agent Header"
                }
            ],
            "clientIP": "172.26.207.247",
            "serverId": "88af048ef2a922ff725849cdfd5d45c46fc51c28"
        }
    }
    ...
]
  • No labels