How to configure API security policies - Web Application Firewall

This topic describes the built-in and custom policies of the API security module. The module has a built-in detection mechanism. You can configure detection policies for your API assets based on your business requirements. You can configure the policies on the following tabs in the Web Application Firewall (WAF) console: Risk Detection Configurations, Security Event Configurations, Sensitive Data-related Configurations, Authentication Credential Configurations, Business Purpose, Configure Whitelist, Lifecycle Management, Log Subscription Configurations, and Applicable Object Configurations. After you configure the policies, the module can detect risks in a more accurate manner with a higher recall rate. You can handle the detected risks to prevent your API assets from being attacked.

1. Risk Detection Configurations

Risks refer to API security risks or security threats that are caused by development, management, or configuration defects. Security risks differ from security events. Security risks can be detected regardless of whether attacks are initiated. Security events can be detected only when attacks are initiated and alerts are generated.

Built-in policies

On the Risk Detection Configurations tab of the Policy Configurations tab, you can view the built-in policies. You can also change the status and risk level of a built-in policy. The risk level can be Low Risk, Medium Risk, or High Risk.

Custom policies

On the Risk Detection Configurations tab, you can configure up to 20 custom policies. To create a custom policy, perform the following steps:

On the API Security page, choose Policy Configurations > Risk Detection Configurations.

In the left-side section of the tab that appears, click New to the right of Custom Policy. In the panel that appears, configure the parameters. The following table describes the parameters.

Parameter	Description
Risk Status	The status of the policy. By default, the switch is turned on.
Risk Name	The risk name. You can specify a custom value. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Suggestions	The suggestion on how to handle the detected risks. You can specify a value based on your business requirements.
Risk Level	The risk level. Valid values: Low Risk, Medium Risk, and High Risk.
Check Configurations	The detection conditions. You can specify up to 10 conditions based on your business requirements.

The following table describes the Match Field, Logical Operator, and Match Content parameters that you must configure to specify a detection condition.

Note

You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

Condition settings

Match Field	Sub-condition (input or selection required)	Logical Operator	Match Content
Domain Name	Not supported	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
API	Not supported	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Method	Not supported	Equals One of Multiple Values Does Not Equal Any Value	You can select multiple request methods from the drop-down list, such as GET, POST, DELETE, and PUT.
User-Agent	Not supported	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Referer	Not supported	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Communication Protocol	Not supported	Equals	You can select HTTP or HTTPS from the drop-down list.
Request Content-Type	Not supported	Contains One of Multiple Values Does Not Contain Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Length	Not supported	Equals Value Less Than Value Greater Than	You can enter an integer in the range of 0 to 8192.
Response Content-Type	Not supported	Contains One of Multiple Values Does Not Contain Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Response Length	Not supported	Equals Value Less Than Value Greater Than	You can enter an integer in the range of 0 to 8192.
HTTP Status Code	Not supported	Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Header	Custom Header	Exists Does Not Exist Length Equal To Length Less Than Length Greater Than Contains One of Multiple Values Does Not Contain Any Value
Cookie Parameter	Custom Cookie-Exact	Exists Does Not Exist Length Equal To Length Less Than Length Greater Than Contains One of Multiple Values Does Not Contain Any Value	-
GET Parameter	Custom Parameter	Exists Does Not Exist Length Equal To Length Less Than Length Greater Than Contains One of Multiple Values Does Not Contain Any Value	-
POST Parameter	Custom Post-Arg	Exists Does Not Exist Length Equal To Length Less Than Length Greater Than Contains One of Multiple Values Does Not Contain Any Value	-
Response Header	Response Header	Exists Does Not Exist Length Equal To Length Less Than Length Greater Than Contains One of Multiple Values Does Not Contain Any Value	-
Response Parameter	Response Parameter	Exists Does Not Exist Length Equal To Length Less Than Length Greater Than Contains One of Multiple Values Does Not Contain Any Value	-
Purpose	Not supported	Contains One of Multiple Values Does Not Contain Any Value	You can select multiple purposes from the drop-down list. Note For more information about purposes, see What are the purposes of API calls that are classified by the API security module?
Service Object	Not supported	Contains One of Multiple Values Does Not Contain Any Value	You can select multiple service objects from the drop-down list. Note For more information about service objects, see What are the objects for which APIs are called to provide services?
Authentication	Not supported	Equals	You can select Yes or No from the drop-down list.
Request Sensitive Data Type	Not supported	Contains One of Multiple Values Does Not Contain Any Value Category Count Greater Than	You can select multiple sensitive data types from the drop-down list. If you select Category Count Greater Than as the logical operator, enter an integer in the range of 0 to 8192.
Sensitivity Level of Request Sensitive Data	Not supported	Contains One of Multiple Values Does Not Contain Any Value	You can select multiple sensitivity levels from the drop-down list. Valid values: S1, S2, S3, and S4.
Response Sensitive Data Type	Not supported	Contains One of Multiple Values Does Not Contain Any Value Category Count Greater Than	You can select multiple sensitive data types from the drop-down list. If you select Category Count Greater Than as the logical operator, enter an integer in the range of 0 to 8192.
Sensitivity Level of Response Sensitive Data	Not supported	Contains One of Multiple Values Does Not Contain Any Value	You can select multiple sensitivity levels from the drop-down list. Valid values: S1, S2, S3, and S4.
Response Sensitive Data	You can select multiple response-related sensitive data types from the drop-down list.	Greater Than	You can enter an integer in the range of 0 to 8192.
Source Location	Not supported	Equals	You can select Chinese Mainland or Outside Chinese Mainland from the drop-down list.
Source IP Address	Not supported	Belongs To Does Not Belong To	You can enter an IP address or a CIDR block. Example: 1.1.X.X/24. You can enter up to 50 items. Separate the items with commas (,) and press the Enter key to confirm each item. Regular expressions are not supported.

After you configure the parameters, click OK to save the configurations.

2. Security Event Configurations

Security events are generated when errors occur during API calls or when attacks are initiated. For example, a security event is generated when a brute-force attack is initiated against the logon API or an SMS flood attack is initiated by abusing the SMS sending API. The built-in detection mechanism detects events based on IP addresses. If events have the same CIDR block, API, and type and are generated on the same day, the events are aggregated, and one alert is generated for the events.

Built-in policies

After an alert is triggered by a built-in policy of security events, no new alert is triggered if attacks are continuously initiated from the same IP address. However, the attack time of the triggered alert is updated, and the severity is changed based on the volume of the attack traffic.

On the Security Event Configurations tab of the Policy Configurations tab, you can view the built-in policies. You cannot modify or delete the policies.

Custom policies

On the Security Event Configurations tab, you can configure up to 10 custom policies. To create a custom policy, perform the following steps:

On the API Security page, choose Policy Configurations > Security Event Configurations.

In the left-side section of the tab that appears, click New to the right of Custom Policy. In the panel that appears, configure the parameters. The following table describes the parameters.

Parameter	Description
Event Status	The status of the policy. By default, the switch is turned on.
Event Name	The event name. You can specify a custom value. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Suggestions	The suggestion on how to handle the detected events. You can specify a value based on your business requirements.
Event Level	The risk level. Valid values: Low Risk, Medium Risk, and High Risk.
Match Condition	The detection conditions. You can specify up to 10 conditions based on your business requirements. Note If you specify multiple conditions, the policy is considered hit only when all conditions are matched.
Statistical Period	The statistical period. Maximum value: 15. Unit: minutes.
Requests	The number of requests. Valid values: positive integers.
Data Statistics	The counting conditions. You can specify up to 10 conditions based on your business requirements.

For more information about how to configure the Match Field, Logical Operator, and Match Content parameters to specify a detection condition, see Condition settings in the "1. Risk Detection Configurations" section of this topic.

Note

You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

The following table describes the Match Field, Logical Operator, and Match Content parameters that you must configure to specify a counting condition.

Condition settings

Match Field	Sub-condition (input or selection required)	Logical Operator	Match Content
Status Code Statistics	Enter an integer in the range of 100 to 600.	Value Greater Than	Enter an integer in the range of 0 to 8192.
Request Header	Custom Header	Distinct Less Than Distinct Equals Distinct Greater Than	Enter an integer in the range of 0 to 8192.
Cookie Parameter	Custom Cookie-Exact	Distinct Less Than Distinct Equals Distinct Greater Than	Enter an integer in the range of 0 to 8192.
GET Parameter	Custom Parameter	Distinct Less Than Distinct Equals Distinct Greater Than	Enter an integer in the range of 0 to 8192.
POST Parameter	Custom Post-Arg	Distinct Less Than Distinct Equals Distinct Greater Than	Enter an integer in the range of 0 to 8192.
Response Sensitive Data Type	Select response-related sensitive data types from the drop-down list.	Distinct Greater Than	Enter an integer in the range of 0 to 8192.
Sensitivity Level of Response Sensitive Data	Select response-related sensitivity levels from the drop-down list.	Distinct Greater Than	Enter an integer in the range of 0 to 8192.

Note

By default, the API security module performs sampling analysis on sensitive data in responses. If you want to specify Response Sensitive Data Type or Sensitivity Level of Response Sensitive Data as the match field of a detection condition in a custom policy, you must turn on Tracing and Auditing for the protected objects on the Policy Configurations > Applicable Object Configurations tab. This ensures that all information about sensitive data in responses is recorded and analyzed for the protected objects.

After you configure the parameters, click OK to save the configurations.

3. Sensitive Data-related Configurations

On the Sensitive Data-related Configurations tab of the Policy Configurations tab, you can search, filter, and view the built-in policies.

De-identification Display

The Sensitive Data-related Configuration tab provides the De-identification Display switch. By default, the switch is turned off.

If you turn on the switch, the system masks the related information before the information is displayed.

In the Risk Details and API Details panels, the system replaces sensitive data in the Sample Request and Sample Response sections with {{Phone}}. You can go to the panels on the Risk Detection tab.
In the Event Details panel, the system replaces sensitive data in the Sample Request Data and Sample Response Data sections with {}. You can go to the panel on the Security Events tab.
In the sample data, Request Cookie is masked as {{Cookie}}, Request Header that contains Token is masked as {{XXXToken}}, and Response SetCookie is masked as {{SetCookie}}.

The switch takes effect on the following data:

Risk Details and API Details: The switch takes effect only on new sample request data and sample response data.
Event Details: The switch takes effect on both new and existing sample request data and sample response data.

Built-in policies

You cannot modify or delete a built-in policy. You can only change the status of a built-in policy.

Custom policies

If you define custom sensitive data in your business, you can configure custom policies to detect the sensitive data. On the Sensitive Data-related Configurations tab, you can configure up to 20 custom policies. To create a custom policy, perform the following steps:

On the API Security page, choose Policy Configurations > Sensitive Data-related Configurations.

Click Create Policy. In the panel that appears, configure the parameters. The following table describes the parameters. You can create a custom policy in Basic or Expert mode.

Parameter	Description
Name	The name of the policy. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
Mode	The detection mode of the policy. Valid values: Basic: In this mode, you need to only perform simple configurations. If you select Basic, you must configure the Characters and Length parameters. Characters: You can select Numeric, Uppercase Letters, and Lowercase Letters. You can select multiple options. Length: You can specify a length range. You must specify integers as the start and end values. The start value must be in the range of 6 to 63, and the end value must be in the range of 7 to 64. Expert: In this mode, you can specify a regular expression. If you select Expert, you must enter a regular expression to detect sensitive data. To prevent misdetection, make sure that the regular expression can match at least six characters.
Sensitivity Level	The sensitivity level of data that can be detected. Valid values: S1, S2, S3, and S4. Note For more information about the types of sensitive data, see What types of sensitive data can be detected by the API security module?

After you configure the parameters, click OK to save the configurations.

4. Authentication Credential Configurations

If you use unconventional fields as authentication fields in your business or specify weak names for authentication fields, such as by using only digits, we recommend that you configure custom authentication credentials. The API security module has a built-in mechanism that identifies authentication credentials. You can configure the required parameters to help the mechanism check whether authentication credentials are included in requests. This helps improve API security and the identification accuracy of authentication risks.

On the API Security page, choose Policy Configurations > Authentication Credential Configurations.

Click Create Policy. In the panel that appears, configure the parameters and click OK. The following table describes the parameters.

Parameter

Description

Name

The name of the policy.

The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

Match Condition

The match conditions. You must configure the Match Field, Logical Operator, and Match Content parameters to specify a condition. You can specify up to 10 conditions. You must specify a condition in which the Match Field parameter is set to Request Header, Request Cookie, Request Query, or Request Body.

Note

If you specify multiple conditions, the policy is considered hit only when all conditions are matched.

The following table describes the Match Field, Logical Operator, and Match Content parameters that you must configure to specify a match condition.

Note

You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

Condition settings

Match Field	Sub-condition (input or selection required)	Logical Operator	Match Content
Domain Name	Not supported	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
API	Not supported	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Header	Custom Header	Exists Length Equal To Length Less Than Length Greater Than
Request Cookie	Custom Cookie-Exact	Exists Length Equal To Length Less Than Length Greater Than
Request Query	Custom Parameter	Exists Length Equal To Length Less Than Length Greater Than
Request Body	Custom Post-Arg	Exists Length Equal To Length Less Than Length Greater Than

5. Business Purpose

The API security module provides the following types of business purpose policies:

Built-in policies

The module provides built-in policies for various scenarios, including data update, data sharing, text message sending, and information sending. You cannot modify or delete a built-in policy. You can only change the status of a built-in policy. You can enable or disable a built-in policy based on your business requirements.

Custom policies

If the built-in policies do not meet your business requirements, you can configure custom policies based on URL and parameter name patterns to improve the detection accuracy of API risks.

On the API Security page, choose Policy Configurations > Business Purpose.
Click the Custom Policy card. Then, click Create Policy. In the panel that appears, configure the parameters and click OK. The following table describes the parameters.

Note

You can specify up to 50 items for the Match Content parameter. Press the Enter key to confirm each item.

Condition settings

Match Field	Logical Operator	Match Content
Domain Name	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
API	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Header Parameter Name	Equals One of Multiple Values Contains One of Multiple Values	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Cookie Parameter Name	Equals One of Multiple Values Contains One of Multiple Values	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Query Parameter Name	Equals One of Multiple Values Contains One of Multiple Values	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Body Parameter Name	Equals One of Multiple Values Contains One of Multiple Values	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
Request Sensitive Data Type	Equals One of Multiple Values Contains One of Multiple Values	You can select multiple request-related sensitive data types from the drop-down list.
Response Sensitive Data Type	Equals One of Multiple Values Contains One of Multiple Values	You can select multiple response-related sensitive data types from the drop-down list.
Response Parameter Name	Equals One of Multiple Values Contains One of Multiple Values	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.

6. Configure Whitelist

On the Configure Whitelist tab of the Policy Configurations tab, you can configure separate whitelists for risks and security events to reduce alerts. For example, you can configure a whitelist to mute alerts for egress IP addresses of your office network, which helps improve the operational efficiency of your business.

On the API Security page, choose Policy Configurations > Configure Whitelist.
Click Create Policy. In the panel that appears, enter the name of the whitelist policy that you want to create and select the type of the whitelist policy that you want to configure. You can select Risk Detection or Security Events.

Specify match conditions based on the whitelist policy type that you select.

Note

You can specify up to 10 match conditions.

Match conditions for a whitelist policy of the Risk Detection type

Match Field

Logical Operator

Match Content

Domain Name

Contains One of Multiple Values

Does Not Contain Any Value

Equals One of Multiple Values

Does Not Equal Any Value

You can enter up to 50 items. Press the Enter key to confirm each item that you enter.

API

Contains One of Multiple Values

Does Not Contain Any Value

Equals One of Multiple Values

Does Not Equal Any Value

You can enter up to 50 items. Press the Enter key to confirm each item that you enter.

Match conditions for a whitelist policy of the Security Events type

Match Field	Logical Operator	Match Content
Domain Name	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
API	Contains One of Multiple Values Does Not Contain Any Value Equals One of Multiple Values Does Not Equal Any Value	You can enter up to 50 items. Press the Enter key to confirm each item that you enter.
IP	Belongs To Does Not Belong To	You can enter an IP address or a CIDR block. Example: 1.1.X.X/24. You can enter up to 50 items. Separate the items with commas (,) and press the Enter key to confirm each item. Regular expressions are not supported.

Select the types of risks or security events whose alerts you want to mute. Then, click OK.
Note
The system supports built-in and custom types. You can select multiple types.

7. Lifecycle Management

You can specify the number of daily API calls and the number of consecutive days during which the API is not called to determine whether an API is a deactivated API. On the Lifecycle Management tab of the Policy Configurations tab, you can specify a standard to identify deactivated APIs. This way, you can handle the APIs at the earliest opportunity. This prevents attackers from exploiting deactivated APIs.

On the API Security page, choose Policy Configurations > Lifecycle Management.
Specify a standard to identify deactivated APIs and click OK.
- Click Built-in Model.
  If you select Built-in Model, the API security module considers APIs that are not called within the previous 30 days or APIs whose calls significantly decrease as deactivated APIs.
- Click Custom. Then, specify the number of daily API calls and the number of consecutive days during which the API is not called. The maximum number of consecutive days allowed is 31.
  If you select Custom, the API security module considers APIs whose number of daily API calls is less than the specified number within the specified consecutive days as deactivated APIs.

8. Log Subscription Configurations

After you configure log subscription settings for a specific log type, a log subscription task is generated. When trigger conditions of log delivery are met, the task delivers related logs to the Simple Log Service Logstore that you specify. You can create the required Logstore in the Simple Log Service console. The API security module supports the following log types: AssetInformation, riskInformation, and Attack EventInformation. You can use Simple Log Service to manage the logs in a centralized manner.

Note

WAF instances in the Chinese mainland can deliver logs only to Simple Log Service Logstores in the Chinese mainland. WAF instances outside the Chinese mainland can deliver logs only to Simple Log Service Logstores outside the Chinese mainland.

Create a service-linked role

If no service-linked roles are created for WAF, you must create a service-linked role before you can use the log subscription feature of the API security module. Then, WAF can assume the role to access other cloud resources. For more information, see Service-linked roles. If the role already exists, skip this step.

Configure log subscription settings

Log on to the Simple Log Service console and create a project and a Logstore to which you want to deliver logs. Perform this step before you configure log subscription settings. If the project and Logstore already exist and meet the naming requirements, skip this step.
Note
When you select a Logstore to which you want to deliver logs, you cannot select the Logstores that are automatically created by Simple Log Service or the Logstores named waf-logstore, wafng-logstore, and wafnew-logstore.
Log on to the WAF console and go to the Log Subscription tab. On this tab, you can configure log subscription settings for AssetInformation, riskInformation, and Attack EventInformation. If you want to query and analyze logs that are delivered to the Logstore in the Simple Log Service console, enable indexing for the Logstore. For more information, see Create indexes.
Select the log type for which you want to configure log subscription settings and click Configure in the related section.
In the dialog box that appears, select the region of the Logstore to which logs are delivered, the project to which the Logstore belongs, and the Logstore. Then, click OK. When trigger conditions are met and logs are generated, the log subscription task delivers the logs to Simple Log Service. Then, you can go to the Simple Log Service console and access the selected Logstore to query and analyze the logs. You can also use the data transformation feature of Simple Log Service to mask log data. For more information, see Overview of data transformation (new version).
If you want to disable the log subscription task, turn off Status on the Log Subscription tab. If you no longer require delivered logs after you disable the task and you want to prevent fees generated by log storage, delete the selected Logstore in the Simple Log Service console. For more information, see How do I deactivate Simple Log Service or stop being billed for Simple Log Service?

The following sections describe the trigger conditions of a log subscription task and the details of log fields.

Important

You are charged additional fees for the project, Logstore, and indexes that you create in the Simple Log Service console. The fees are included in the bills of Simple Log Service. For more information about the billable items and pricing of Simple Log Service, see Billing overview of Simple Log Service.
After you create the project and Logstore, you are charged even if your log subscription task is disabled. Therefore, if you confirm that the Logstore is no longer required, delete the Logstore at the earliest opportunity. For more information, see Why am I charged even if I only create projects and Logstores?

Logs of the AssetInformation type

Trigger conditions of the log subscription task:

If new API assets are detected, logs of the AssetInformation type are immediately delivered.
If no new API assets are detected, logs of the AssetInformation type are delivered at 1-hour intervals.

Fields in the logs of the AssetInformation type

Field	Description	Type	Example
user_id	The user ID.	string	123456
service_host	The domain name.	string	api.aliyun.com
api_format	The API path.	string	/api/v1/getuserbyid/${param}
request_method	The request method.	string	GET
api_tag	The business purpose.	object []	['QueryInfo']
api_type	The service object.	object []	['PublicAPI']
auth_key	The authentication field.	object []	['id_token', 'access_token']
api_status	The lifecycle.	string	NewbornInterface
api_sensitive_level	The sensitivity level of the API.	string	L1
api_sensitive_req	The sensitive data type in the request.	object []	['1014', '1017', '1002']
api_sensitive_res	The sensitive data type in the response.	object []	['1009', '1013', '1003', '1014', '1002']
farthest_ts	The first detection time.	long	1713237135
lastest_ts	The last active time.	long	1716452318
abnormal_num	The number of risks.	integer	1
event_num	The number of events.	integer	2
struct_baseline	The parameter structure.	object	['{"key":"Trace-Id","location":"request_header","format":"string","required":"true"}', '{"key":"pageNum","location":"request_query","format":"integer","required":"true"}', '{"key":"tlogTraceId","location":"response_header","format":"integer","required":"true"}', '{"key":"Strict-Transport-Security","location":"request_header","format":"string","required":"true"}', '{"key":"X-Forwarded-ClientSrcPort","location":"request_header","format":"integer","required":"true"}', '{"key":"Trace-State","location":"request_header","format":"string","required":"true"}', '{"key":"auth","location":"request_header","format":"string","required":"true"}', '{"key":"Access-Control-Max-Age","location":"response_header","format":"integer","required":"true"}', '{"key":"Enterprise-Hash","location":"request_header","format":"string","required":"true"}', '{"key":"X-Request-ID","location":"request_header","format":"string","required":"true"}', '{"key":"postName","location":"request_query","format":"string","required":"true"}', '{"key":"pageSize","location":"request_query","format":"integer","required":"true"}']
matched_hosts	The protected object.	object []	['*.aliyun.com-waf']
hosts	The domain name.	object []	['api.aliyun.com']
server_port	The port.	object []	['443']
server_location	The country where the origin server is located.	object []	['CN']
api_id	The unique ID of the API.	string	af418cb31036015fddea71b48d06aa4b
log_type	The log type.	string	asset
request_header	The request header.	JSON	{"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"}
querystring	The request URL parameters.	string	?token=7464f593205896e23b1286ba7532dcff
request_body	The request body.	string	xxx=1
response_header	The response header.	JSON	{"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"}
response_body	The response body.	string	xxxx
example_timestamp	The timestamp of the sample.	long	1718546694
example_traceid	The trace ID of the sample.	string	784e2ca717213678365778292e58de

Logs of the riskInformation type

Trigger conditions of the log subscription task: If new API risks are detected, logs of the riskInformation type are delivered to the Logstore that you specify.

Fields in the logs of the riskInformation type

Field	Description	Type	Example
user_id	The user ID.	string	123456
service_host	The domain name.	string	api.aliyun.com
api_format	The API path.	string	/api/v1/login
request_method	The request method.	string	POST
api_tag	The business purpose.	object []	['LoginAPI']
abnormal_tag	The risk name.	string	Risk_DefaultPasswd
abnormal_type	The risk type, which can be custom or built-in.	string	default
abnormal_level	The risk level.	string	medium
abnormal_discover_ts	The time when the risk was detected.	long	1716343432
abnormal_info	The risk information.	object	{'default_passwd':'aliyun123'}
api_id	The unique ID of the API.	string	2c0f97e10b586208039e60671150bd9b
abnormal_id	The unique ID of the risk.	string	8cfccc0e8c3d41aa1221e94a2fdeffe3
log_type	The log type.	string	risk
matched_hosts	The protected object.	object []	['*.aliyun.com-waf']
request_header	The request header.	JSON	{"Connection":"Keep-Alive","Host":"api.aliyun.com","eagleeye-rpcid":"0.1"}
querystring	The request URL parameters.	string	?token=7464f593205896e23b1286ba7532dcff
request_body	The request body.	string	xxx=1
response_header	The response header.	JSON	{"Accept-Ranges":["bytes","bytes"],"Cache-Control":"private, max-age=21600, no-transform"}
response_body	The response body.	string	xxxx
example_timestamp	The timestamp of the sample.	long	1718546694
example_traceid	The trace ID of the sample.	string	784e2ca717213678365778****58de

Logs of the Attack EventInformation type

Trigger conditions of the log subscription task:

If new attack events are detected, logs of the Attack EventInformation type are delivered to the Logstore that you specify.
If an attack continues, logs of the Attack EventInformation type are continuously delivered to the Logstore that you specify at 10-minute intervals.

Fields in the logs of the Attack EventInformation type

Field

Description

Type

Example

user_id

The user ID.

string

123456

service_host

The domain name.

string

api.aliyun.com

matched_host

The protected object.

string

api.aliyun.com-waf

host

The domain name.

string

api.aliyun.com

api_format

The API path.

string

/api/admin/login

request_method

The request method.

string

POST

api_tag

The business purpose.

object []

['AdminService', 'LoginService']

event_tag

The event name.

string

Event_LoginCollision

event_origin

The event type, which can be custom or built-in.

string

default

event_level

The event level.

string

high

start_ts

The start time of the attack.

long

1713886210

end_ts

The end time of the attack.

long

1713887817

attack_cnt

The total number of attacks.

integer

147

attack_ip_info

The IP address information about the attack.

object []

['{'ip':'103.44.XX.XXX'', 'country_id':'HK', 'region_id':'-', 'cnt':'147'']

api_id

The unique ID of the API.

string

4dfc73b37d2d645fe2ca7f45c08f7398

event_id

The event ID.

string

f09f6802e9b57a58ebb9f1bea212027e

log_type

The log type.

string

event

request_data

The sample request data.

JSON

{'1002':['Alice','Tony','Tom'],'1004':['13200000001','15200000002']}

response_data

The sample response data.

JSON

{'postarg.userId':['Alice','Tony'],'postarg.corpId':['wx1111111'],'postarg.externalUserid':['wm7_KpDgOm6Bm-BGA']}

Values of log subscription fields

If you want to learn more about the values of fields in the delivered logs when you query and analyze the logs, you can refer to the following tables. The Description column in the following tables provides the display names of the field values in the WAF console.

Lifecycle (values of the api_status field)

Value	Description
NewbornInterface	New
OfflineInterface	Deactivated
normal	Normal

Service object (values of the api_type field)

Value	Description
PublicAPI	Public Service
ThirdpartAPI	Cooperation with Third-party Partner
InternalAPI	Internal Office

Business purpose (values of the api_tag field)

Value	Description
LoginByUserPasswd	Account Password-based Logon
LoginByPhoneCode	Mobile Verification Code-based Logon
LoginByMailCode	Email Verification Code-based Logon
WeChatLogin	WeChat Logon
AliPayLogin	Alipay Logon
OAuthLogin	OAuth Authentication
OIDCLogin	OIDC Authentication
SAMLLogin	SAML Authentication
SSOLogin	SSO Authentication
LoginAPI	Logon
LogoutAPI	Logoff
RegisterByUserPasswd	Account Password-based Registration
RegisterByPhoneCode	Mobile Verification Code-based Registration
RegisterByMailCode	Email Verification Code-based Registration
WeChatRegister	WeChat Registration
AliPayRegister	Alipay Registration
RegisterAPI	Registration Service
SendSMS	Short Message Sending
SendMail	Mail Sending
ResetPasswd	Password Reset
CheckVerifyCode	Verification Code Verification
CheckStatus	Status Check
QueryOrder	Order Query
ExportOrder	Order Export
UpdateOrder	Order Update
PayOrder	Order Payment
QueryLog	Log Query
UploadLog	Log Reporting
DownloadLog	Log Export
LogService	Log Service
GraphQL	GraphQL
SqlService	SQL Service
FileUpload	File Upload
FileDownload	File Download
FileService	File Service
AdminService	Background Management
DashBoard	Dashboard
MonitorService	Monitoring Service
SendInfo	Information Sending
CheckInfo	Data Check
QueryInfo	Data Query
UploadInfo	Data Upload
DownloadInfo	Data Download
AddInfo	Data Addition
EditInfo	Data Modification
UpdateInfo	Data Update
ShareInfo	Data Sharing
DeleteInfo	Data Deletion
SyncInfo	Data Synchronization
SubmitInfo	Data Submission
CopyInfo	Data Copy
AuditInfo	Data Auditing
SaveInfo	Data Saving
CancelOp	Cancel
StartOp	Start
BatchOp	Batch Processing
PauseOp	Suspension
BindOp	Add
DebugOp	Debugging
SetOp	Settings
ShutDown	Disable

Sensitive data types in requests and responses (values of the api_sensitive_req and api_sensitive_res fields)

Value	Description
1000	ID Card Number (Chinese Mainland)
1001	Debit Card
1002	Full Name (Simplified Chinese)
1003	Address (Chinese Mainland)
1004	Mobile Number (Chinese Mainland)
1005	Email Address
1006	Passport Number (Chinese Mainland)
1007	Mainland Travel Permit for Hong Kong and Macao Residents
1008	License Plate Number (Chinese Mainland)
1009	Phone Number (Chinese Mainland)
1010	Military Officer Card
1011	Gender
1012	Ethnic Group
1013	Province (Chinese Mainland)
1014	City (Chinese Mainland)
1015	ID Card Number (Hong Kong, China)
1016	Full Name (Traditional Chinese)
1017	Full Name (English)
1018	ID Card Number (Malaysia)
1019	ID Card Number (Singapore)
1020	Lending Bank Card
1022	SWIFT Code
1023	SSN
1024	Telephone Number (United States)
1025	Religious Belief
2000	IP Address
2001	MAC Address
2002	JDBC Connection String
2003	PEM Certificate
2004	Private Key
2005	AccessKey ID
2006	AccessKey Secret
2007	IPv6 Address
2009	Date
2010	IMEI
2011	MEID
2013	Linux Password File
2014	Linux Shadow File
2015	URL
4000	Business License Number
4001	Tax Registration Certificate Number
4002	Organization Code
4003	Unified Social Credit Code
4004	Vehicle Identification Number

Risk types (values of the risk field)

Value	Description
RiskType_Specification	Security and Specifications
Risk_UnsafeHttpMethod	Insecure HTTP Methods
Risk_WeakSignAlgorithm	JWT Weak Signature Algorithm
Risk_UrlParam	Parameter as URL
RiskType_Account	Account Security
Risk_PasswdUnencrypt	Password Plaintext Transmission
Risk_WeakPasswd	Weak Password Tolerance
Risk_InternalWeakPasswd	Weak Password Vulnerability in Internal Application
Risk_DefaultPasswd	Presence of Default Passwords
Risk_PasswdResponse	Return of Plaintext Password
Risk_PasswdCookie	Password Storage in Cookies
Risk_LoginRestrict	Unrestricted Logon
Risk_LoginPrompt	Unreasonable Logon Failure Prompt
Risk_PasswdUrl	URL-based Account Password Transmission
RiskType_Control	Access Control
Risk_InternalAPI	Internal Application Accessible from the Internet
Risk_SourceRestrict	Unrestricted Access Sources
Risk_ClientRestrict	Unrestricted Access Tools
Risk_SpeedRestrict	Unrestricted Access Rate
RiskType_Permission	Permission Management
Risk_WeakToken	Weak Authentication Credential
Risk_UnauthSensitive	Unauthenticated Access to Sensitive API
Risk_UnauthInternalAPI	Unauthorized Access to Internal API
Risk_TokenUrl	URL-based Credential Transmission
Risk_AkLeak	AccessKey Pair Information Leak
RiskType_Sensitive	Data Protection
Risk_SensitiveTypeExcessive	Excessive Types of Sensitive Data in Response
Risk_SensitiveNumExcessive	Excessive Sensitive Data in Response
Risk_InvalidDesensitize	Inadequate Data De-identification
Risk_ServerInfoLeak	Leak of Sensitive Server Information
Risk_InternalIPLeak	Internal IP Address Leak
Risk_SensitiveURL	URL-based Sensitive Data Transmission
RiskType_Design	API Design
Risk_ParamTraverse	Request Parameter Traversability
Risk_PageSize	Modifiable Volume of Returned Data
Risk_SqlAPI	Database Query
Risk_RceAPI	Command Execution API
Risk_SmsContent	Arbitrary Short Message Sending
Risk_MailContent	Arbitrary Email Content Sending
Risk_SmsVerifyCodeLeak	Leak of Short Message Verification Code
Risk_MailVerifyCodeLeak	Email Verification Code Leak
Risk_FileDownload	Specified File Download
Risk_ExceptionLeak	Application Exception Information Leak
Risk_ExceptionSql	Database Exception Information Leak

Event types (values of the event field)

Value	Description
Event_AbnormalFrequency	Abnormal High-frequency Access
Event_ExceptionIPInvoke	Access to Internal API from Unusual IP Address
Event_ExceptionRegionInvoke	Access to Internal API from Unusual Location
Event_ExceptionClientInvoke	Access using Anomalous Tools
Event_ExceptionTimeInvoke	Access During Unusual Time Period
Event_AbnormalParamValue	Access using Abnormal Parameter Values
Event_InternalLoginWeakPasswd	Weak Password-based Logon to Internal Application
Event_LoginAccountBruteForce	Brute-force Attack Against Username
Event_LoginPasswdBruteForce	Brute-force Attack Against Password
Event_LoginCollision	Dictionary Attack
Event_MobileVerifyBruteForce	Brute-force Attack Against Short Message Verification Code
Event_MailVerifyBruteForce	Brute-force Attack Against Email Verification Code
Event_AbnormalRegister	Batch Registration
Event_SMSInterfaceAbuse	Malicious Consumption of Short Message Resources
Event_EmailInterfaceAbuse	Malicious Consumption of Email Resources
Event_AbnormalExport	Batch Download
Event_DataTraverse	Data Crawling
Event_WebAttackAPI	API Attack
Event_ObtainSensitiveUnauthorized	Unauthorized Access to Sensitive Data
Event_ObtainSensitiveExcessive	Mass Sensitive Data Access
Event_CrossborderIPSensitiveExcessive	Mass Sensitive Data Access by IP Addresses Outside China
Event_ExceptionResponse	Return of Error Message
Event_ExceptionSql	Return of Database Error Message
Event_SystemInfoResponse	Return of Sensitive System Information
Event_AbnormalStatus	Abnormal Response

9. Applicable Object Configurations

The API security module provides the following switches for protected objects and protected object groups:

Switch: specifies whether to enable all built-in and custom policies.
Compliance Check: specifies whether to enable the compliance check feature. You can turn on this switch only when Switch is turned on.
Tracing and Auditing: specifies whether to enable the tracing and auditing feature. You can turn on this switch only when Switch is turned on.

After you add a domain name or an instance to WAF, you can configure the switches. The default settings of the switches vary based on the billing method.

By default, if you use the subscription billing method, Switch is turned on, and Compliance Check and Tracing and Auditing are turned off.
By default, if you use the pay-as-you-go billing method, Switch is turned off.

You can go to the Policy Configurations > Applicable Object Configurations page to turn on or turn off Switch, Compliance Check, and Tracing and Auditing.