DescribeApisecEvents - Web Application Firewall - Alibaba Cloud Documentation Center

Retrieves a list of API security events.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:DescribeApisecEvents

get

*All Resource

*

acs:ResourceGroupId

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the WAF instance. Note Call DescribeInstance to query the ID of the WAF instance.	waf_v2_public_cn-5y***d31
EventId	string	No	The ID of the API security event.	18ba94fea9***e66ba0557b7b91
ApiFormat	string	No	The API.	/apisec/v1/***.php
MatchedHost	string	No	The domain name or IP address of the API.	a.***.com
EventTag	string	No	The event type. Note Call DescribeApisecRules to query the supported event types.	ObtainSensitiveUnauthorized
StartTs	integer	No	The start of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1683648000
EndTs	integer	No	The end of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1683703260
OrderKey	string	No	The field to use for sorting. Valid values: allCnt: the number of attacks. startTs: the start time of the event. endTs: the end time of the event.	startTs
OrderWay	string	No	The sorting order. Valid values: desc: descending order. This is the default value. asc: ascending order.	desc
PageNumber	integer	No	The page number. Default value: 1.	1
PageSize	integer	No	The number of entries per page. Default value: 10.	10
ApiTag	string	No	The business purpose of the API. Note Call DescribeApisecRules to query the supported business purposes.	SendMail
Origin	string	No	The source of the event type. Valid values: custom: custom. default: built-in.	default
EventLevel	string	No	The event level. Valid values: high: important. medium: medium. low: low.	low
UserStatus	string	No	The event status. Valid values: toBeConfirmed: to be confirmed. confirmed: confirmed. actioned: handled. ignored: ignored.	ignored
AttackIp	string	No	The attack IP address.	42.224..
ApiId	string	No	The ID of the API.	820b860***6205da93b935b28
ClusterId	string	No	The ID of the hybrid cloud cluster. Note This parameter is available only for hybrid cloud scenarios. Call DescribeHybridCloudClusters to query information about hybrid cloud clusters.	428
RegionId	string	No	The region where the WAF instance resides. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
ResourceManagerResourceGroupId	string	No	The ID of the resource group.	rg-acfm***q
EventScope	string	No	The dimension of the security event. Valid values: ip: IP security event. This is the default value. account: account security event.	ip
Account	string	No	The account information.	1818743389962696

Response elements

Element	Type	Description	Example
	object	The response.
TotalCount	integer	The total number of returned entries.	3
RequestId	string	The request ID.	12F4CC8F-7E9F-5E4D-BF7C-BD1EDDE0C282
Data	array<object>	The list of security events.
	object	The information about the security event.
Origin	string	The source of the event type. Valid values: custom: custom. default: built-in.	custom
EventLevel	string	The event level. Valid values: high: important. medium: medium. low: low.	medium
StartTs	integer	The start of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1683648000
EventInfo `deprecated`	string	The event details. This parameter is a string that is converted from a JSON object. The JSON object contains the following parameters: ip_info: the information about the attack IP address. For more information, see the AttackIpInfo response parameter. rule_id: the ID of the rule that corresponds to the event. rule_tag: the information about the rule that corresponds to the event.	{ "ip_info": [ { "ip": "112.224.143.", "country_id": "CN", "region_id": "-", "cnt": "4" } ], "rule_id": "837", "rule_tag": "interface returns a large amount of sensitive information" }
ApiFormat	string	The API.	/apisec/v1/register.php
ApiTag	string	The business purpose of the API. Note Call DescribeApisecRules to query the supported business purposes.	SendMail
UserStatus	string	The event status. Valid values: toBeConfirmed: to be confirmed. confirmed: confirmed. actioned: handled. ignored: ignored.	toBeConfirmed
Follow	integer	Indicates whether the event is followed. Valid values: 1: The event is followed. 0: The event is not followed.	0
RequestData `deprecated`	string	An example of the API request data. This parameter is a string that is converted from a JSON object.	{}
EventId	string	The event ID.	c82cb276847e9c96f9597d9f4b0cdcff
AttackIp `deprecated`	string	The attack IP address. Important This parameter is deprecated. Use the AttackIps parameter instead.	104.234.140.**
AttackIpInfo `deprecated`	string	The information about the attack IP address. This parameter is a string that is converted from a JSON object. The JSON object contains the following parameters: ip: the IP address. country_id: the country. region_id: the region. cnt: the number of attacks.	[ { "ip": "72...119", "country_id": "US", "region_id": "", "cnt": "2100" } ]
EndTs	integer	The end of the time range to query. The value is a UNIX timestamp. Unit: seconds.	1683703260
AttackCntInfo `deprecated`	string	The information about the number of attacks. This parameter is a string that is converted from a JSON object. In the JSON object, the key is a timestamp in seconds, and the value is the number of attacks.	{ "1717498320": 500, "1717498380": 529, "1717498440": 20 }
AllCnt	integer	The number of attacks.	10
RemoteRegion	string	The region where the attack IP address is located.	110000
ResponseData `deprecated`	string	An example of the API response data. This parameter is a string that is converted from a JSON object.	{}
AttackClient	string	The attack client.	Chrome
EventTag	string	The event type. Note Call DescribeApisecRules to query the supported event types.	ObtainSensitiveUnauthorized
MatchedHost	string	The domain name or IP address of the API.	a.***.com
Note	string	The remarks.	Notify
ApiId	string	The ID of the API that is associated with the security event.	2ecc1cf67b91853bc55545052ccf06a8
RemoteCountry	string	The country where the attack IP address is located.	US
AttackIps `deprecated`	array	The list of attack IP addresses.
	string	The attack IP address.	104.234.140.**
AttackerList	array	The list of attackers for the event.
	string	The attacker for the event. Note If the value of EventScope is ip, this parameter indicates the attacker IP address. If the value of EventScope is account, this parameter indicates the attacker account.	1.1.1.1

Examples

Success response

JSON format

{
  "TotalCount": 3,
  "RequestId": "12F4CC8F-7E9F-5E4D-BF7C-BD1EDDE0C282",
  "Data": [
    {
      "Origin": "custom",
      "EventLevel": "medium",
      "StartTs": 1683648000,
      "EventInfo": "{\n    \"ip_info\": [\n        {\n            \"ip\": \"112.224.143.**\",\n            \"country_id\": \"CN\",\n            \"region_id\": \"-\",\n            \"cnt\": \"4\"\n        }\n    ],\n    \"rule_id\": \"837**\",\n    \"rule_tag\": \"interface returns a large amount of sensitive information\"\n}\n",
      "ApiFormat": "/apisec/v1/register.php",
      "ApiTag": "SendMail",
      "UserStatus": "toBeConfirmed",
      "Follow": 0,
      "RequestData": "{}",
      "EventId": "c82cb276847e9c96f9597d9f4b0cdcff",
      "AttackIp": "104.234.140.**",
      "AttackIpInfo": "[\n    {\n        \"ip\": \"72.*.*.119\",\n        \"country_id\": \"US\",\n        \"region_id\": \"\",\n        \"cnt\": \"2100\"\n    }\n]",
      "EndTs": 1683703260,
      "AttackCntInfo": "{\n    \"1717498320\": 500,\n    \"1717498380\": 529,\n    \"1717498440\": 20\n}",
      "AllCnt": 10,
      "RemoteRegion": "110000",
      "ResponseData": "{}",
      "AttackClient": "Chrome",
      "EventTag": "ObtainSensitiveUnauthorized",
      "MatchedHost": "a.***.com",
      "Note": "Notify",
      "ApiId": "2ecc1cf67b91853bc55545052ccf06a8",
      "RemoteCountry": "US",
      "AttackIps": [
        "104.234.140.**\n"
      ],
      "AttackerList": [
        "1.1.1.1"
      ]
    }
  ]
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.