# Wallarm API request examples The following are some examples of Wallarm API use. You can also generate code examples via the API Reference UI for the [US cloud](https://apiconsole.us1.wallarm.com/) or [EU cloud](https://apiconsole.eu1.wallarm.com/). Experienced users can also use the browser’s Developer console (“Network” tab) to quickly learn which API endpoints and requests are used by the UI of your Wallarm account to fetch data from the public API. ## Getting Your Client ID for Wallarm API Calls To make API calls to Wallarm's endpoints, you need to know your client ID (also called clientid). This is a unique identifier for your Wallarm account/tenant that must be included in most API requests. You can obtain your client ID by calling the `/v1/user` endpoint with your API token. Here's an example: **EU Cloud:** ```bash curl -X POST "https://api.wallarm.com/v1/user" \ -H "X-WallarmAPI-Token: YOUR_API_TOKEN" \ -H "Content-Type: application/json" \ -d "{}" ``` **ME Cloud:** ```bash curl -X POST "https://me1.api.wallarm.com/v1/user" \ -H "X-WallarmAPI-Token: YOUR_API_TOKEN" \ -H "Content-Type: application/json" \ -d "{}" ``` **US Cloud:** ```bash curl -X POST "https://us1.api.wallarm.com/v1/user" \ -H "X-WallarmAPI-Token: YOUR_API_TOKEN" \ -H "Content-Type: application/json" \ -d "{}" ``` This returns your user information including the client_id field. For instance, the response might look like: ``` { "status": 200, "body": { "id": 6874940, "client_id": 5, "client_name": "My Company", "enabled": true, ... } } ``` Once you have the client ID (in this example, 5), you can use it to fetch discovered APIs with endpoints like `/v4/clients/{client_id}/rules/endpoints`. The client ID is essential because Wallarm's API is multi-tenant, and this identifier tells the system which account's data you want to access. ## Get the first 50 attacks detected in the last 24 hours Please replace `TIMESTAMP` with the date 24 hours ago converted to the [Unix Timestamp](https://www.unixtimestamp.com/) format. **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}" ``` ## Get a large number of attacks (100 and more) For attack and hit sets containing 100 or more records, it is best to retrieve them in smaller pieces rather than fetching large datasets all at once, in order to optimize performance. The corresponding Wallarm API endpoints support cursor-based pagination with 100 records per page. This technique involves returning a pointer to a specific item in the dataset and then on subsequent requests, the server returns results after the given pointer. To enable cursor pagination, include `"paging": true` in the request parameters. The following are examples of API calls for retrieving all attacks detected since `` using the cursor pagination: **EU Cloud:** ```bash curl -k 'https://api.wallarm.com/v2/objects/attack' \ -X POST \ -H 'X-WallarmApi-Token: ' \ -H 'Content-Type: application/json' \ -d '{"paging": true, "filter": {"clientid": [], "vulnid": null, "time": [[, null]], "!state": "falsepositive"}}' ``` **ME Cloud:** ```bash curl -k 'https://me1.api.wallarm.com/v2/objects/attack' \ -X POST \ -H 'X-WallarmApi-Token: ' \ -H 'Content-Type: application/json' \ -d '{"paging": true, "filter": {"clientid": [], "vulnid": null, "time": [[, null]], "!state": "falsepositive"}}' ``` **US Cloud:** ```bash curl -k 'https://us1.api.wallarm.com/v2/objects/attack' \ -X POST \ -H 'X-WallarmApi-Token: ' \ -H 'Content-Type: application/json' \ -d '{"paging": true, "filter": {"clientid": [], "vulnid": null, "time": [[, null]], "!state": "falsepositive"}}' ``` This request returns information on the latest 100 attacks detected, arranged from the most recent to the earliest. In addition, the response includes a `cursor` parameter that contains a pointer to the next set of 100 attacks. To retrieve the next 100 attacks, use the same request as before but include the `cursor` parameter with the pointer value copied from the response of the previous request. This allows the API to know where to start returning the next set of 100 attacks from, e.g.: **EU Cloud:** ```bash curl -k 'https://api.wallarm.com/v2/objects/attack' \ -X POST \ -H 'X-WallarmApi-Token: ' \ -H 'Content-Type: application/json' \ -d '{"cursor":"", "paging": true, "filter": {"clientid": [], "vulnid": null, "time": [[, null]], "!state": "falsepositive"}}' ``` **ME Cloud:** ```bash curl -k 'https://me1.api.wallarm.com/v2/objects/attack' \ -X POST \ -H 'X-WallarmApi-Token: ' \ -H 'Content-Type: application/json' \ -d '{"cursor":"", "paging": true, "filter": {"clientid": [], "vulnid": null, "time": [[, null]], "!state": "falsepositive"}}' ``` **US Cloud:** ```bash curl -k 'https://us1.api.wallarm.com/v2/objects/attack' \ -X POST \ -H 'X-WallarmApi-Token: ' \ -H 'Content-Type: application/json' \ -d '{"cursor":"", "paging": true, "filter": {"clientid": [], "vulnid": null, "time": [[, null]], "!state": "falsepositive"}}' ``` To retrieve further pages of results, execute requests including the `cursor` parameter with the value copied from the previous response. Below is the Python code example for retrieving attacks using cursor paging: **EU Cloud:** ```python import json from pprint import pprint as pp import requests client_id = ts = # UNIX time url = "https://api.wallarm.com/v2/objects/attack" headers = { "X-WallarmApi-Token": "", "Content-Type": "application/json", } payload = { "paging": True, "filter": { "clientid": [client_id], "vulnid": None, "time": [[ts, None]], "!state": "falsepositive", }, } while True: response = requests.post(url, headers=headers, json=payload) data = response.json() cursor = data.get("cursor") if not cursor: break pp(data) payload["cursor"] = cursor ``` **ME Cloud:** ```python import json from pprint import pprint as pp import requests client_id = ts = # UNIX time url = "https://me1.api.wallarm.com/v2/objects/attack" headers = { "X-WallarmApi-Token": "", "Content-Type": "application/json", } payload = { "paging": True, "filter": { "clientid": [client_id], "vulnid": None, "time": [[ts, None]], "!state": "falsepositive", }, } while True: response = requests.post(url, headers=headers, json=payload) data = response.json() cursor = data.get("cursor") if not cursor: break pp(data) payload["cursor"] = cursor ``` **US Cloud:** ```python import json from pprint import pprint as pp import requests client_id = ts = # UNIX time url = "https://us1.api.wallarm.com/v2/objects/attack" headers = { "X-WallarmApi-Token": "", "X-WallarmAPI-Secret": "", "Content-Type": "application/json", } payload = { "paging": True, "filter": { "clientid": [client_id], "vulnid": None, "time": [[ts, None]], "!state": "falsepositive", }, } while True: response = requests.post(url, headers=headers, json=payload) data = response.json() cursor = data.get("cursor") if not cursor: break pp(data) payload["cursor"] = cursor ``` ## Get the first 50 incidents confirmed in the last 24 hours The request is very similar to the previous example for a list of attacks; the `"!vulnid": null` term is added to this request. This term instructs the API to ignore all attacks without specified vulnerability ID, and this is how the system distinguishes between attacks and incidents. Please replace `TIMESTAMP` with the date 24 hours ago converted to the [Unix Timestamp](https://www.unixtimestamp.com/) format. **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"\!vulnid\": null, \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"\!vulnid\": null, \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"\!vulnid\": null, \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}" ``` ## Get the first 50 vulnerabilities in the status "active" within the last 24 hours Please replace `TIMESTAMP` with the date 24 hours ago converted to the [Unix Timestamp](https://www.unixtimestamp.com/) format. **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/vuln" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"limit\":50, \"offset\":0, \"filter\":{\"clientid\":[YOUR_CLIENT_ID], \"testrun_id\":null, \"validated\":true, \"time\":[[TIMESTAMP, null]]}}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/vuln" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"limit\":50, \"offset\":0, \"filter\":{\"clientid\":[YOUR_CLIENT_ID], \"testrun_id\":null, \"validated\":true, \"time\":[[TIMESTAMP, null]]}}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/vuln" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"limit\":50, \"offset\":0, \"filter\":{\"clientid\":[YOUR_CLIENT_ID], \"testrun_id\":null, \"validated\":true, \"time\":[[TIMESTAMP, null]]}}" ``` ## Get all configured rules **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\": [YOUR_CLIENT_ID]},\"order_by\": \"updated_at\",\"order_desc\": true,\"limit\": 1000,\"offset\": 0}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/hint" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\": [YOUR_CLIENT_ID]},\"order_by\": \"updated_at\",\"order_desc\": true,\"limit\": 1000,\"offset\": 0}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/hint" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\": [YOUR_CLIENT_ID]},\"order_by\": \"updated_at\",\"order_desc\": true,\"limit\": 1000,\"offset\": 0}" ``` ## Get only conditions of all rules **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/action" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID] }, \"offset\": 0, \"limit\": 1000}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/action" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID] }, \"offset\": 0, \"limit\": 1000}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/action" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID] }, \"offset\": 0, \"limit\": 1000}" ``` ## Get rules attached to a specific condition To point to a specific condition, use its ID - you can get it when requesting conditions of all rules (see above). **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\": [YOUR_CLIENT_ID],\"actionid\": YOUR_CONDITION_ID},\"limit\": 1000,\"offset\": 0}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/hint" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\": [YOUR_CLIENT_ID],\"actionid\": YOUR_CONDITION_ID},\"limit\": 1000,\"offset\": 0}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/hint" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\": [YOUR_CLIENT_ID],\"actionid\": YOUR_CONDITION_ID},\"limit\": 1000,\"offset\": 0}" ``` ## Create the virtual patch to block all requests sent to `/my/api/*` **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"clientid\": YOUR_CLIENT_ID, \"type\": \"vpatch\", \"action\": [ {\"type\":\"equal\",\"value\":\"my\",\"point\":[\"path\",0]}, {\"type\":\"equal\",\"value\":\"api\",\"point\":[\"path\",1]}], \"validated\": false, \"point\": [ [ \"header\", \"HOST\" ] ], \"attack_type\": \"any\"}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"clientid\": YOUR_CLIENT_ID, \"type\": \"vpatch\", \"action\": [ {\"type\":\"equal\",\"value\":\"my\",\"point\":[\"path\",0]}, {\"type\":\"equal\",\"value\":\"api\",\"point\":[\"path\",1]}], \"validated\": false, \"point\": [ [ \"header\", \"HOST\" ] ], \"attack_type\": \"any\"}" ``` **ME cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"clientid\": YOUR_CLIENT_ID, \"type\": \"vpatch\", \"action\": [ {\"type\":\"equal\",\"value\":\"my\",\"point\":[\"path\",0]}, {\"type\":\"equal\",\"value\":\"api\",\"point\":[\"path\",1]}], \"validated\": false, \"point\": [ [ \"header\", \"HOST\" ] ], \"attack_type\": \"any\"}" ``` ## Create the virtual patch for a specific application instance ID to block all requests sent to `/my/api/*` An application should be [configured](https://docs.wallarm.com/user-guides/settings/applications.md) before sending this request. Specify an ID of an existing application in `action.point[instance].value`. **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"vpatch\",\"action\":[{\"point\":[\"instance\"],\"type\":\"equal\",\"value\":\"-1\"},{\"point\":[\"path\",0],\"type\":\"equal\",\"value\":\"my\"},{\"point\":[\"path\",1],\"type\":\"equal\",\"value\":\"api\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"point\":[[\"header\",\"HOST\"]],\"attack_type\":\"any\"}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"vpatch\",\"action\":[{\"point\":[\"instance\"],\"type\":\"equal\",\"value\":\"-1\"},{\"point\":[\"path\",0],\"type\":\"equal\",\"value\":\"my\"},{\"point\":[\"path\",1],\"type\":\"equal\",\"value\":\"api\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"point\":[[\"header\",\"HOST\"]],\"attack_type\":\"any\"}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"vpatch\",\"action\":[{\"point\":[\"instance\"],\"type\":\"equal\",\"value\":\"-1\"},{\"point\":[\"path\",0],\"type\":\"equal\",\"value\":\"my\"},{\"point\":[\"path\",1],\"type\":\"equal\",\"value\":\"api\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"point\":[[\"header\",\"HOST\"]],\"attack_type\":\"any\"}" ``` ## Create a rule to consider the requests with specific value of the `X-FORWARDED-FOR` header as attacks The following request will create the [custom attack indicator based on the regexp](https://docs.wallarm.com/user-guides/rules/regex-rule.md) `^(~(44[.]33[.]22[.]11))$`. If requests to domain `MY.DOMAIN.COM` have the `X-FORWARDED-FOR: 44.33.22.11` HTTP header, the Wallarm node will consider them to be scanner attacks and block attacks if the corresponding [filtration mode](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md) has been set. **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"regex\",\"action\":[{\"point\":[\"header\",\"HOST\"],\"type\":\"equal\",\"value\":\"MY.DOMAIN.NAME\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"comment\":\"comment\",\"point\":[[\"header\",\"X-FORWARDED-FOR\"]],\"attack_type\":\"scanner\",\"regex\":\"^$~\(44[.]33[.]22[.]11$\)$\"}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"regex\",\"action\":[{\"point\":[\"header\",\"HOST\"],\"type\":\"equal\",\"value\":\"MY.DOMAIN.NAME\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"comment\":\"comment\",\"point\":[[\"header\",\"X-FORWARDED-FOR\"]],\"attack_type\":\"scanner\",\"regex\":\"^$~\(44[.]33[.]22[.]11$\)$\"}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/hint/create" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"type\":\"regex\",\"action\":[{\"point\":[\"header\",\"HOST\"],\"type\":\"equal\",\"value\":\"MY.DOMAIN.NAME\"}],\"clientid\":YOUR_CLIENT_ID,\"validated\":false,\"comment\":\"comment\",\"point\":[[\"header\",\"X-FORWARDED-FOR\"]],\"attack_type\":\"scanner\",\"regex\":\"^$~\(44[.]33[.]22[.]11$\)$\"}" ``` ## Create the rule setting filtration mode to monitoring for the specific application The following request will create the [rule setting the node to filter traffic](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md#conditioned-filtration-mode) going to the [application](https://docs.wallarm.com/user-guides/settings/applications.md) with ID `3` in the monitoring mode. **US Cloud:** ```bash curl 'https://us1.api.wallarm.com/v1/objects/hint/create' -H 'X-WallarmApi-Token: ' -H "accept: application/json" -H "Content-Type: application/json" --data-raw '{"clientid":,"type":"wallarm_mode","mode":"monitoring","validated":false,"action":[{"point":["instance"],"type":"equal","value":"3"}]}' ``` **EU Cloud:** ```bash curl 'https://api.wallarm.com/v1/objects/hint/create' -H 'X-WallarmApi-Token: ' -H "accept: application/json" -H "Content-Type: application/json" --data-raw '{"clientid":,"type":"wallarm_mode","mode":"monitoring","validated":false,"action":[{"point":["instance"],"type":"equal","value":"3"}]}' ``` **ME Cloud:** ```bash curl 'https://me1.api.wallarm.com/v1/objects/hint/create' -H 'X-WallarmApi-Token: ' -H "accept: application/json" -H "Content-Type: application/json" --data-raw '{"clientid":,"type":"wallarm_mode","mode":"monitoring","validated":false,"action":[{"point":["instance"],"type":"equal","value":"3"}]}' ``` ## Delete rule by its ID You can copy the rule ID to be deleted when [getting all configured rules](#get-all-configured-rules). Also, a rule ID has been returned in response to the rule creation request, in the `id` response parameter. **US cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://us1.api.wallarm.com/v1/objects/hint/delete" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\":[YOUR_CLIENT_ID],\"id\": YOUR_RULE_ID}}" ``` **EU cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://api.wallarm.com/v1/objects/hint/delete" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\":[YOUR_CLIENT_ID],\"id\": YOUR_RULE_ID}}" ``` **ME Cloud:** ```{.bash .wrapped-code} curl -v -X POST "https://me1.api.wallarm.com/v1/objects/hint/delete" -H "X-WallarmApi-Token: " -H "accept: application/json" -H "Content-Type: application/json" -d "{\"filter\":{\"clientid\":[YOUR_CLIENT_ID],\"id\": YOUR_RULE_ID}}" ``` ## API calls to get, populate and delete IP list objects Below are some examples of the API calls to get, populate and delete [IP list](https://docs.wallarm.com/user-guides/ip-lists/overview.md) objects. ### API request parameters Parameters to be passed in the API requests to read and change IP lists: | Parameter | Description | | --------- | ----------- | | `X-WallarmApi-Token` | Token to [access Wallarm API](https://docs.wallarm.com/api/overview.md#your-own-api-client), copy it from Wallarm Console → **Settings** → **API tokens**. | | `clientid` | ID of an account in Wallarm Cloud to populate/read IP list. | `ip_rule.list` | The IP list type to add objects, can be: `black` (for denylist), `white` (for allowlist), `gray` (for graylist). | | `ip_rule.rule_type` | The type of objects to add to the list:

`ip_range` if adding particular IPs or subnets
`country` if adding countries or regions
`proxy_type` if adding proxy services (`VPN`, `SES`, `PUB`, `WEB`, `TOR`)
`datacenter` for other source types (`rackspace`, `tencent`, `plusserver`, `ovh`, `oracle`, `linode`, `ibm`, `huawei`, `hetzner`, `gce`, `azure`, `aws`, `alibaba`)

| | `ip_rule.subnet`
(`rule_type:"ip_range"`) | IP or subnet to add to the list, e.g. `"1.1.1.1"`. | | `ip_rule.source_values`
(for other `rule_type` values) | One of the options:

If `rule_type:"country"` - array of countries in the [ISO-3166 format](https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes), e.g. `["AX","AL"]`.
If `rule_type:"proxy_type"` - array of proxy services, e.g. `["VPN","PUB"]`.
If `rule_type:"datacenter"` - array of other source types, e.g. `["rackspace","huawei"]`.

| | `ip_rule.pools` | Array of [application IDs](https://docs.wallarm.com/user-guides/settings/applications.md) to allow or restrict access for IPs, e.g. `[3,4]` for applications IDs 3 and 4 or `[0]` for all applications. | `ip_rule.expired_at` | [Unix Timestamp](https://www.unixtimestamp.com/) date for IPs to be removed from the list. The maximum value is forever (`33223139044`). | | `reason` | Reason to allow or restrict access for IPs. | `force` | If `true` and some objects specified in the request are already in the IP list, the script will overwrite them. | ### Getting content of IP lists To get the detailed information about the current state of IP lists: **US Cloud:** ```bash curl -X GET 'https://us1.api.wallarm.com/v4/ip_rules?offset=&limit=&filter%5Bclientid%5D=' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" ``` **EU Cloud:** ```bash curl -X GET 'https://api.wallarm.com/v4/ip_rules?offset=&limit=&filter%5Bclientid%5D=' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" ``` **ME Cloud:** ```bash curl -X GET 'https://me1.api.wallarm.com/v4/ip_rules?offset=&limit=&filter%5Bclientid%5D=' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" ``` Note that the API responses are paginated, with a limit of 300 items per request. You can specify the offset to fetch subsequent sets of data. For example, an offset of 600 with a limit of 300 will retrieve results 600 to 900. ### Add to the list the entries from the `.csv` file To add to the list the IPs or subnets from the `.csv` file, use the following bash script: **US Cloud:** ```bash #!/bin/bash UUID="" SECRET="" CLIENT="" LIST="" PATH_TO_CSV_FILE="" # path to the CSV file with IPs or subnets APPLICATIONS="" REMOVE_DATE="TIMESTAMP_REMOVE_DATE" REASON='' API="us1.api.wallarm.com" index=0 while read line; do subnets[$index]="$line" index=$(($index+1)) done < "$PATH_TO_CSV_FILE" for i in ${subnets[@]}; do currentDate=`date -u +%s` time=$REMOVE_DATE remove_date=$(($currentDate+$time)) curl -X POST \ https://$API/v4/ip_rules \ -H "Content-Type: application/json" \ -H "X-WallarmApi-Token: " \ -d '{ "clientid": '$CLIENT', "ip_rule": { "list": "'$LIST'", "rule_type": "ip_range", "subnet": "'$i'", "expired_at": '$remove_date', "pools": [ '$APPLICATIONS' ], "reason": "'"$REASON"'" }, "force": false }' done ``` **EU Cloud:** ```bash #!/bin/bash UUID="" SECRET="" CLIENT="" LIST="" PATH_TO_CSV_FILE="" # path to the CSV file with IPs or subnets APPLICATIONS="" REMOVE_DATE="TIMESTAMP_REMOVE_DATE" REASON='' API="api.wallarm.com" index=0 while read line; do subnets[$index]="$line" index=$(($index+1)) done < "$PATH_TO_CSV_FILE" for i in ${subnets[@]}; do currentDate=`date -u +%s` time=$REMOVE_DATE remove_date=$(($currentDate+$time)) curl -X POST \ https://$API/v4/ip_rules \ -H "Content-Type: application/json" \ -H "X-WallarmApi-Token: " \ -d '{ "clientid": '$CLIENT', "ip_rule": { "list": "'$LIST'", "rule_type": "ip_range", "subnet": "'$i'", "expired_at": '$remove_date', "pools": [ '$APPLICATIONS' ], "reason": "'"$REASON"'" }, "force": false }' done ``` **ME Cloud:** ```bash #!/bin/bash UUID="" SECRET="" CLIENT="" LIST="" PATH_TO_CSV_FILE="" # path to the CSV file with IPs or subnets APPLICATIONS="" REMOVE_DATE="TIMESTAMP_REMOVE_DATE" REASON='' API="me1.api.wallarm.com" index=0 while read line; do subnets[$index]="$line" index=$(($index+1)) done < "$PATH_TO_CSV_FILE" for i in ${subnets[@]}; do currentDate=`date -u +%s` time=$REMOVE_DATE remove_date=$(($currentDate+$time)) curl -X POST \ https://$API/v4/ip_rules \ -H "Content-Type: application/json" \ -H "X-WallarmApi-Token: " \ -d '{ "clientid": '$CLIENT', "ip_rule": { "list": "'$LIST'", "rule_type": "ip_range", "subnet": "'$i'", "expired_at": '$remove_date', "pools": [ '$APPLICATIONS' ], "reason": "'"$REASON"'" }, "force": false }' done ``` ### Add to the list a single IP or subnet To add particular IPs or subnets to the IP list, send the following request for each IP/subnet: **US Cloud:** ```bash curl 'https://us1.api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"force":false,"ip_rule":{"list":"","reason":"","pools":[],"expired_at":,"rule_type":"ip_range","subnet":""}}' ``` **EU Cloud:** ```bash curl 'https://api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"force":false,"ip_rule":{"list":"","reason":"","pools":[],"expired_at":,"rule_type":"ip_range","subnet":""}}' ``` **ME Cloud:** ```bash curl 'https://me1.api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"force":false,"ip_rule":{"list":"","reason":"","pools":[],"expired_at":,"rule_type":"ip_range","subnet":""}}' ``` ### Add to the list multiple countries **US Cloud:** ```bash curl 'https://us1.api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"ip_rule":{"list":"","rule_type":"country","source_values":[],"pools":[],"expired_at":"","reason":""},"force":false}' ``` **EU Cloud:** ```bash curl 'https://api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"ip_rule":{"list":"","rule_type":"country","source_values":[],"pools":[],"expired_at":"","reason":""},"force":false}' ``` **ME Cloud:** ```bash curl 'https://me1.api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"ip_rule":{"list":"","rule_type":"country","source_values":[],"pools":[],"expired_at":"","reason":""},"force":false}' ``` ### Add to the list multiple proxy services **US Cloud:** ```bash curl 'https://us1.api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"ip_rule":{"list":"","rule_type":"proxy_type","source_values":[],"pools":[],"expired_at":"","reason":""},"force":false}' ``` **EU Cloud:** ```bash curl 'https://api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"ip_rule":{"list":"","rule_type":"proxy_type","source_values":[],"pools":[],"expired_at":"","reason":""},"force":false}' ``` **ME Cloud:** ```bash curl 'https://me1.api.wallarm.com/v4/ip_rules' \ -H 'X-WallarmApi-Token: ' \ -H "accept: application/json" \ -H "Content-Type: application/json" \ --data-raw '{"clientid":,"ip_rule":{"list":"","rule_type":"proxy_type","source_values":[],"pools":[],"expired_at":"","reason":""},"force":false}' ``` ### Delete an object from the IP list Objects are deleted from IP lists by their IDs. To get an object ID, request the IP list contents and copy `objects.id` of the required object from a response: **US Cloud:** ```bash curl 'https://us1.api.wallarm.com/v4/ip_rules?filter%5Bclientid%5D=&filter%5Blist%5D=&offset=0&limit=50' \ -H 'X-WallarmApi-Token: ' ``` **EU Cloud:** ```bash curl 'https://api.wallarm.com/v4/ip_rules?filter%5Bclientid%5D=&filter%5Blist%5D=&offset=0&limit=50' \ -H 'X-WallarmApi-Token: ' ``` **ME Cloud:** ```bash curl 'https://me1.api.wallarm.com/v4/ip_rules?filter%5Bclientid%5D=&filter%5Blist%5D=&offset=0&limit=50' \ -H 'X-WallarmApi-Token: ' ``` Having the object ID, send the following request to delete it from the list: **US Cloud:** ```bash curl 'https://us1.api.wallarm.com/v4/ip_rules' \ -X 'DELETE' \ -H 'X-WallarmApi-Token: ' \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --data-raw '{"filter":{"clientid":,"id":[]}}' ``` **EU Cloud:** ```bash curl 'https://api.wallarm.com/v4/ip_rules' \ -X 'DELETE' \ -H 'X-WallarmApi-Token: ' \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --data-raw '{"filter":{"clientid":,"id":[]}}' ``` **ME Cloud:** ```bash curl 'https://me1.api.wallarm.com/v4/ip_rules' \ -X 'DELETE' \ -H 'X-WallarmApi-Token: ' \ -H 'accept: application/json' \ -H 'content-type: application/json' \ --data-raw '{"filter":{"clientid":,"id":[]}}' ``` You can delete multiple objects at once passing their IDs as an array in the deletion request.