Malicious Transactions
List all malicious transactions
Request
Definition
GET /api/v1/alerts/{alert_id}/transactions
Headers
- Authorization (required): Authentication token with privileges to view the resource. Bearer {token}
Query string parameters
| Parameter | Type | Required | Description | 
|---|---|---|---|
| paginate | boolean | Yes | If the result must be paginated. | 
| page | integer | Yes if paginate is true | Page index. | 
| page_size | integer | Yes if paginate is true | Number of items displayed per page. | 
| timestamp_start | integer | No | Filters malicious transactions performed after the specified date. | 
| timestamp_end | integer | No | Filters malicious transactions performed before the specified date. | 
| client_address_list | array<string> | No | Filters malicious transactions where the client address matches at least one item specified in the list. | 
| last_hop_list | array<string> | No | Filters the results where the last node traversed by the client matches one of the IP addresses in the list. | 
| server_address_list | array<string> | No | Filters malicious transactions where the server address matches at least one item specified in the list. | 
| method_list | array<string> | No | Filters malicious transactions that contain one of the methods in the list. | 
| path_search | string | No | Filters malicious transactions whose request path matches all or part of the string entered. | 
| protocol_version_list | string | No | Filters malicious transactions where the protocol_version matches one of those in the list. | 
| status_code_list | object | No | Filters malicious transactions where the status_code matches one of those in the list. | 
| status_code_start | boolean | No | Filters the results that contain a status code greater than or equal to the one entered. | 
| status_code_end | object | No | Filters the results that contain a status code less than or equal to the one entered. | 
| request_size_start | string | No | Determines the beginning of a range of integers to retrieve transactions whose request has a size contained in the range. | 
| request_size_end | integer | No | Determines the end of a range of integers to retrieve transactions whose request has a size contained in the range. | 
| response_size_start | string | No | Determines the beginning of a range of integers to retrieve transactions whose request has a size contained in the range. | 
| response_size_end | string | No | Determines the end of a range of integers to retrieve transactions whose request has a size contained in the range. | 
| rq_host_search | string | No | Filters transactions whose rq_host matches all or part of the string entered. | 
| rq_host_list | array<string> | No | Filters malicious transactions where rq_host matches one of the list items. | 
| rq_user_agent_search | string | No | Filters malicious transactions where rq_user_agent matches all or part of the string entered. | 
| rq_referer_search | string | No | Filters results whose Referer header matches all or part of the string entered. | 
| rq_authorization_search | string | No | Filters malicious transactions where rq_authorization matches all or part of the string entered. | 
| country_list | array<string> | No | Filters malicious transactions where country_list matches one of the list items. | 
| as_number_list | array<integer> | No | Filters malicious transactions where as_number matches one of the list items. | 
| traffic_source_list | array<string> | No | Filters malicious transactions where traffic_source matches one of the list items. | 
Response
Status codes
| Status code | Message | 
|---|---|
| 200 | "List of transactions" | 
| 400 | "Error with pagination fields" | 
| 400 | "Error retrieving transactions." | 
| 403 | "Forbidden" | 
Body
Attributes
- data.transactions.alert_id (string): Alert ID.
- data.transactions.timestamp (integer): Date and time when the transaction took place in UNIX format (microseconds).
- data.transactions.protocol_version (string): Protocol version used to perform transaction.
- data.transactions.id (string): Transaction ID.
- data.transactions.rq_host (string): Host header specified in the request.
- data.transactions.request_body (string): Request body.
- data.transactions.rq_headers (object): Request headers.
- data.transactions.method (string): Request method.
- data.transactions.response_body (string): Response body.
- data.transactions.network (string): Network of which the client IP address that performed request is part.
- data.transactions.city (string): City where the client that performed the request is located.
- data.transactions.latitude (string): Latitude where client that performed the request is located.
- data.transactions.response_size (integer): Response data dimension.
- data.transactions.traffic_source (string): Traffic source that processed the request.
- data.transactions.request_size (integer): Request data dimension.
- data.transactions.rq_cookie (array<array<string>>): Request cookies.
- data.transactions.server_address (string): Server that processed the transaction.
- data.transactions.rq_user_agent (string): Request user agent.
- data.transactions.path (string): Path to which the request was sent.
- data.transactions.rq_authorization (string): Request authorizations.
- data.transactions.alert_set_id (string): Alert set ID.
- data.transactions.last_hop (string): Identifies the last node traversed by the client that made the request before reaching the server.
- data.transactions.continent (string): Continent where the client is located.
- data.transactions.timestamp_human (string): Transaction date in a user-friendly format.
- data.transactions.server_port (integer): Port of server that processed the request.
- data.transactions.longitude (string): Longitude where the client is located.
- data.transactions.parameters (array<array<string>>): Request query string parameters.
- data.transactions.country (string): Country where the client is located.
- data.transactions.status_code (integer): Response status code.
- data.transactions.as_organization (string): Name of the Autonomous System associated with the client that made the request.
- data.transactions.rp_headers (object): Response headers.
- data.transactions.rq_referer (string): Referer header in the request.
- data.transactions.as_number (integer): Number of the Autonomous System associated with the client that made the request.
- data.transactions.client_address (string): Client IP address.
- data.transactions.last_hop_port (integer): Identifies the port of the last node traversed by the client that made the request before reaching the server.
- data.transactions.state (string): State where client is located.
Example
{
"data": {
    "transactions": [
    {
        "timestamp": 1650634812000000,
        "protocol_version": "HTTP/1.1",
        "alert_id": "TEST",
        "id": "A8xxxxx6iv5TWxxxxxHMML1Gxxxxx0Cw",
        "rq_host": "xxxxxxxx.it:80",
        "request_body": null,
        "rq_headers": {
        "Content-Type": "multipart/form-data; boundary=------------------------bf306965d0463b55",
        "Cookie": "da50dfc3fa8ff276db29ee7d74b0fa73=xxxxx",
        "Host": "xxxxxxxx.it:80",
        "Referer": "https://xxxxxxxxxxx.it/en",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
        "X-Forwarded-For": "10.4.3.0"
        },
        "method": "OPTIONS",
        "response_body": null,
        "network": null,
        "city": null,
        "latitude": null,
        "response_size": 0,
        "traffic_source": null,
        "request_size": null,
        "rq_cookie": [
        [
            "da50dfc3fa8ff276db29ee7d74b0fa73",
            "p73enm81k009i5jpvrcrdbnmti"
        ]
        ],
        "server_address": "223.204.228.218",
        "rq_user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36",
        "path": "/example/of/path",
        "rq_authorization": null,
        "alert_set_id": "xxxxxxjdjHGJsXXxxxxx",
        "last_hop": "10.1.2.0",
        "continent": null,
        "timestamp_human": "2022-04-22T13:40:12.000000Z",
        "server_port": 3537,
        "longitude": null,
        "parameters": [
        [
            "fbclid",
            "IwAR2zzktr4Zq22tVNf6clWk4VZZLf6Z_5RGdoSq4mOOSJAR6BN9QH5HdDR6M"
        ]
        ],
        "country": null,
        "status_code": 200,
        "as_organization": null,
        "rp_headers": null,
        "rq_referer": "https://xxxxxxxxxxx.it/en",
        "as_number": null,
        "client_address": "10.7.2.6",
        "last_hop_port": 48477,
        "state": null
    }
    ]
},
"message": "List of transactions",
"pagination": {
    "cursor": null,
    "has_next": false,
    "page_size": 25
},
"status": "ok"
}
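Added example, not part of the original API reference: a Python sketch that enforces the pagination rule from the parameter table, walks pages via pagination.has_next, and converts the microsecond timestamp. The fetch callable, fake_fetch, the constructed two-page response and first_page=1 are assumptions; the page does not document the first page index or how booleans and lists are encoded on the wire.

```python
from datetime import datetime, timezone

ENDPOINT = "/api/v1/alerts/{alert_id}/transactions"

def build_params(paginate, page=None, page_size=None, **filters):
    """Enforce the table's rule: page and page_size are required when paginate is true."""
    if paginate and (page is None or page_size is None):
        raise ValueError("page and page_size are required when paginate is true")
    params = {"paginate": paginate}
    if paginate:
        params.update(page=page, page_size=page_size)
    # Unset filters are dropped; wire encoding of booleans and lists is left to
    # the HTTP client because the page does not specify it.
    params.update({k: v for k, v in filters.items() if v is not None})
    return params

def iter_transactions(fetch, alert_id, page_size=25, first_page=1, **filters):
    """Yield all transactions of an alert, following pagination.has_next.
    fetch(path, params) is caller-supplied and returns the decoded JSON body;
    first_page=1 is an assumption (the first page index is not documented)."""
    path = ENDPOINT.format(alert_id=alert_id)
    page = first_page
    while True:
        body = fetch(path, build_params(True, page, page_size, **filters))
        if body.get("status") != "ok":
            raise RuntimeError(body.get("message", "unexpected response"))
        for tx in body["data"]["transactions"]:
            # timestamp is UNIX time in microseconds; integer math keeps it exact
            secs, micros = divmod(tx["timestamp"], 1_000_000)
            when = datetime.fromtimestamp(secs, timezone.utc).replace(microsecond=micros)
            yield {**tx, "when": when}
        if not body["pagination"]["has_next"]:
            return
        page += 1

def fake_fetch(path, params):
    """Constructed two-page response standing in for the real HTTP call."""
    pages = {1: ("tx-1", True), 2: ("tx-2", False)}
    tx_id, has_next = pages[params["page"]]
    return {"status": "ok", "message": "List of transactions",
            "data": {"transactions": [{"id": tx_id, "timestamp": 1650634812000000,
                                       "client_address": "10.7.2.6"}]},
            "pagination": {"cursor": None, "has_next": has_next, "page_size": 25}}

if __name__ == "__main__":
    for tx in iter_transactions(fake_fetch, "TEST", method_list=["OPTIONS"]):
        print(tx["id"], tx["when"].isoformat(), tx["client_address"])
```

In real use, fetch would send the Authorization: Bearer {token} header and return the parsed JSON body.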