# Wallarm API request examples

The following are some examples of Wallarm API use. You can also generate code examples via the API Reference UI for the US cloud or EU cloud. Experienced users can also open the browser's Developer console ("Network" tab) to see which API endpoints and requests the UI of your Wallarm account uses to fetch data from the public API. Instructions for opening the Developer console are in the official browser documentation (Safari, Chrome, Firefox, Vivaldi).
## Get the first 50 attacks detected in the last 24 hours

Replace `<TIMESTAMP>` with the date 24 hours ago converted to the Unix Timestamp format.

US Cloud:

```bash
curl -v -X POST 'https://us1.api.wallarm.com/v1/objects/attack' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"filter": {"clientid": [<YOUR_CLIENT_ID>], "time": [[<TIMESTAMP>, null]]}, "offset": 0, "limit": 50, "order_by": "last_time", "order_desc": true}'
```

EU Cloud:

```bash
curl -v -X POST 'https://api.wallarm.com/v1/objects/attack' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"filter": {"clientid": [<YOUR_CLIENT_ID>], "time": [[<TIMESTAMP>, null]]}, "offset": 0, "limit": 50, "order_by": "last_time", "order_desc": true}'
```
## Get a large number of attacks (100 and more)

For attack and hit sets of 100 or more records, retrieve them in smaller pieces rather than fetching the whole dataset at once, to keep response times reasonable. The corresponding Wallarm API endpoints support cursor-based pagination with 100 records per page.

With this technique the server returns a pointer to a specific item in the dataset, and on subsequent requests it returns the results after that pointer. To enable cursor pagination, include `"paging": true` in the request parameters.

The following are examples of API calls retrieving all attacks detected since `<TIMESTAMP>` using cursor pagination.

The first request (the same body without the `cursor` parameter) returns the latest 100 attacks, ordered from the most recent to the earliest. The response also includes a `cursor` parameter containing a pointer to the next set of 100 attacks.

To retrieve the next 100 attacks, repeat the request with the `cursor` parameter set to the pointer value copied from the previous response; this tells the API where to resume, e.g.:
EU Cloud:

```bash
curl -k 'https://api.wallarm.com/v2/objects/attack' \
  -X POST \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{"cursor": "<POINTER_FROM_PREVIOUS_RESPONSE>", "paging": true, "filter": {"clientid": [<YOUR_CLIENT_ID>], "vulnid": null, "time": [[<TIMESTAMP>, null]], "!state": "falsepositive"}}'
```

US Cloud:

```bash
curl -k 'https://us1.api.wallarm.com/v2/objects/attack' \
  -X POST \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'Content-Type: application/json' \
  -d '{"cursor": "<POINTER_FROM_PREVIOUS_RESPONSE>", "paging": true, "filter": {"clientid": [<YOUR_CLIENT_ID>], "vulnid": null, "time": [[<TIMESTAMP>, null]], "!state": "falsepositive"}}'
```
To retrieve further pages of results, keep sending the request with the `cursor` parameter set to the value copied from the previous response, until a response comes back without a `cursor`.

Below is a Python code example for retrieving attacks using cursor paging.

EU Cloud:

```python
from pprint import pprint as pp
import requests

client_id = <YOUR_CLIENT_ID>
ts = <TIMESTAMP>  # UNIX time to start from
url = "https://api.wallarm.com/v2/objects/attack"
headers = {
    "X-WallarmApi-Token": "<YOUR_TOKEN>",
    "Content-Type": "application/json",
}
payload = {
    "paging": True,
    "filter": {
        "clientid": [client_id],
        "vulnid": None,
        "time": [[ts, None]],
        "!state": "falsepositive",
    },
}

while True:
    response = requests.post(url, headers=headers, json=payload)
    response.raise_for_status()  # stop on HTTP errors instead of looping on an error body
    data = response.json()
    pp(data)  # print the current page before checking whether there is a further one
    cursor = data.get("cursor")
    if not cursor:
        break  # no cursor in the response: this was the last page
    payload["cursor"] = cursor
```
US Cloud:

```python
from pprint import pprint as pp
import requests

client_id = <YOUR_CLIENT_ID>
ts = <TIMESTAMP>  # UNIX time to start from
url = "https://us1.api.wallarm.com/v2/objects/attack"
headers = {
    "X-WallarmApi-Token": "<YOUR_TOKEN>",
    "X-WallarmAPI-Secret": "<YOUR_SECRET_KEY>",
    "Content-Type": "application/json",
}
payload = {
    "paging": True,
    "filter": {
        "clientid": [client_id],
        "vulnid": None,
        "time": [[ts, None]],
        "!state": "falsepositive",
    },
}

while True:
    response = requests.post(url, headers=headers, json=payload)
    response.raise_for_status()  # stop on HTTP errors instead of looping on an error body
    data = response.json()
    pp(data)  # print the current page before checking whether there is a further one
    cursor = data.get("cursor")
    if not cursor:
        break  # no cursor in the response: this was the last page
    payload["cursor"] = cursor
```
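The cursor walk above and the `"!vulnid": null` incident filter from the next section, as an added example that is not part of the Wallarm documentation or its client code. It separates the transport from the paging logic so the loop can be exercised offline against a constructed stand-in for the `/v2/objects/attack` endpoint; the record list key `body`, the `FakeAttackApi` class, the sample attack records and the helper names are assumptions, only `paging`, `cursor` and the filter keys come from the page. The fake also guards against a repeated cursor and a runaway page count, two failure modes the bare `while True` loop would not catch.

```python
from typing import Callable, Dict, Iterator, List

PAGE_SIZE = 100  # the cursor endpoints return 100 records per page (from the page)


def build_attack_filter(client_id: int, since_ts: int, incidents_only: bool = False) -> Dict:
    """Filter object as used in the page's requests: attacks detected since
    since_ts, false positives excluded. incidents_only swaps "vulnid": null for
    "!vulnid": null, keeping only attacks linked to a vulnerability ID."""
    flt = {"clientid": [client_id], "time": [[since_ts, None]], "!state": "falsepositive"}
    flt["!vulnid" if incidents_only else "vulnid"] = None
    return flt


def iter_attacks(post: Callable[[Dict], Dict], flt: Dict, max_pages: int = 10_000) -> Iterator[Dict]:
    """Walk cursor pages until a response carries no cursor. `post` sends one JSON
    body and returns the decoded response. Records are assumed to sit in a "body"
    list (assumption: the page documents only the "cursor" key)."""
    payload = {"paging": True, "filter": flt}
    seen_cursors = set()
    for _ in range(max_pages):
        data = post(payload)
        yield from data.get("body", [])  # emit the page before looking for the next one
        cursor = data.get("cursor")
        if not cursor:
            return  # last page
        if cursor in seen_cursors:  # a repeated pointer would otherwise loop forever
            raise RuntimeError(f"cursor {cursor!r} repeated; aborting pagination")
        seen_cursors.add(cursor)
        payload["cursor"] = cursor
    raise RuntimeError(f"stopped after {max_pages} pages without reaching the end")


def live_post(url: str, token: str) -> Callable[[Dict], Dict]:
    """Transport for the real endpoint, e.g. https://api.wallarm.com/v2/objects/attack
    (not exercised here; requests is imported lazily so the demo runs without it)."""
    def post(body: Dict) -> Dict:
        import requests
        r = requests.post(url, json=body, timeout=30,
                          headers={"X-WallarmApi-Token": token, "Content-Type": "application/json"})
        r.raise_for_status()
        return r.json()
    return post


class FakeAttackApi:
    """Constructed stand-in for the endpoint: holds attacks newest-first, applies
    the time / !state / !vulnid filters and pages 100 at a time behind an opaque
    cursor (here simply the string form of the next offset)."""
    def __init__(self, attacks: List[Dict]):
        self.attacks = attacks
        self.calls = 0

    def post(self, body: Dict) -> Dict:
        self.calls += 1
        flt = body["filter"]
        since = flt["time"][0][0]
        rows = [a for a in self.attacks if a["last_time"] >= since and a["state"] != flt["!state"]]
        if "!vulnid" in flt:
            rows = [a for a in rows if a["vulnid"] is not None]
        start = int(body.get("cursor", "0"))
        resp = {"body": rows[start:start + PAGE_SIZE]}
        if start + PAGE_SIZE < len(rows):
            resp["cursor"] = str(start + PAGE_SIZE)
        return resp


def sample_attacks(now: int, count: int = 250) -> List[Dict]:
    """Constructed data: one attack per minute going back from now; every 10th is a
    marked false positive and every 5th is linked to a vulnerability (an incident)."""
    return [{"attackid": f"a{i}", "last_time": now - 60 * i,
             "state": "falsepositive" if i % 10 == 0 else None,
             "vulnid": i if i % 5 == 0 else None} for i in range(count)]


def collect_ids(now: int, incidents_only: bool = False):
    """Pull everything from the last 24 hours via the fake API; returns (ids, requests made)."""
    api = FakeAttackApi(sample_attacks(now))
    flt = build_attack_filter(42, now - 24 * 3600, incidents_only)
    ids = [a["attackid"] for a in iter_attacks(api.post, flt)]
    return ids, api.calls


if __name__ == "__main__":
    import time
    ids, calls = collect_ids(int(time.time()))
    print(f"{len(ids)} attacks in {calls} requests")  # 225 attacks in 3 requests
```

Against the real API, pass `live_post("https://api.wallarm.com/v2/objects/attack", token)` as `post`; the paging loop itself does not change. Note that the last page is yielded before the cursor check, so the final batch is not dropped.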
## Get the first 50 incidents confirmed in the last 24 hours

The request is very similar to the previous example for a list of attacks, with the `"!vulnid": null` term added. This term instructs the API to ignore all attacks without a vulnerability ID, which is how the system distinguishes incidents from attacks.

Replace `<TIMESTAMP>` with the date 24 hours ago converted to the Unix Timestamp format.

US Cloud:

```bash
curl -v -X POST 'https://us1.api.wallarm.com/v1/objects/attack' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"filter": {"clientid": [<YOUR_CLIENT_ID>], "!vulnid": null, "time": [[<TIMESTAMP>, null]]}, "offset": 0, "limit": 50, "order_by": "last_time", "order_desc": true}'
```

EU Cloud:

```bash
curl -v -X POST 'https://api.wallarm.com/v1/objects/attack' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"filter": {"clientid": [<YOUR_CLIENT_ID>], "!vulnid": null, "time": [[<TIMESTAMP>, null]]}, "offset": 0, "limit": 50, "order_by": "last_time", "order_desc": true}'
```
## Get the first 50 vulnerabilities in the status "active" within the last 24 hours

Replace `<TIMESTAMP>` with the date 24 hours ago converted to the Unix Timestamp format.

US Cloud:

```bash
curl -v -X POST 'https://us1.api.wallarm.com/v1/objects/vuln' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"limit": 50, "offset": 0, "filter": {"clientid": [<YOUR_CLIENT_ID>], "testrun_id": null, "validated": true, "time": [[<TIMESTAMP>, null]]}}'
```

EU Cloud:

```bash
curl -v -X POST 'https://api.wallarm.com/v1/objects/vuln' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"limit": 50, "offset": 0, "filter": {"clientid": [<YOUR_CLIENT_ID>], "testrun_id": null, "validated": true, "time": [[<TIMESTAMP>, null]]}}'
```
## Get all configured rules

## Get only conditions of all rules

## Get rules attached to a specific condition

To point to a specific condition, use its ID; you can get it when requesting the conditions of all rules (see above).
## Create the virtual patch to block all requests sent to /my/api/*

US Cloud:

```bash
curl -v -X POST 'https://us1.api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "type": "vpatch", "action": [{"type": "equal", "value": "my", "point": ["path", 0]}, {"type": "equal", "value": "api", "point": ["path", 1]}], "validated": false, "point": [["header", "HOST"]], "attack_type": "any"}'
```

EU Cloud:

```bash
curl -v -X POST 'https://api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "type": "vpatch", "action": [{"type": "equal", "value": "my", "point": ["path", 0]}, {"type": "equal", "value": "api", "point": ["path", 1]}], "validated": false, "point": [["header", "HOST"]], "attack_type": "any"}'
```
## Create the virtual patch for a specific application instance ID to block all requests sent to /my/api/*

An application should be configured before sending this request. Specify the ID of an existing application in `action.point[instance].value`.

US Cloud:

```bash
curl -v -X POST 'https://us1.api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"type": "vpatch", "action": [{"point": ["instance"], "type": "equal", "value": "-1"}, {"point": ["path", 0], "type": "equal", "value": "my"}, {"point": ["path", 1], "type": "equal", "value": "api"}], "clientid": <YOUR_CLIENT_ID>, "validated": false, "point": [["header", "HOST"]], "attack_type": "any"}'
```

EU Cloud:

```bash
curl -v -X POST 'https://api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"type": "vpatch", "action": [{"point": ["instance"], "type": "equal", "value": "-1"}, {"point": ["path", 0], "type": "equal", "value": "my"}, {"point": ["path", 1], "type": "equal", "value": "api"}], "clientid": <YOUR_CLIENT_ID>, "validated": false, "point": [["header", "HOST"]], "attack_type": "any"}'
```
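The two virtual-patch requests above hard-code the path `/my/api/*` as one `equal` condition per path segment. The following added example (not from the Wallarm documentation) generalises that pattern: it builds the `hint/create` body for any path prefix and optionally scopes it to an application instance. The function names are assumptions; the body layout (`type`, `action`, `validated`, `point`, `attack_type`) follows the page's requests. Because `equal` is a literal match, the builder only accepts a trailing `*` and rejects wildcards inside a segment rather than silently creating a rule that matches the literal character.

```python
from typing import Dict, List, Optional


def path_actions(path_prefix: str) -> List[Dict]:
    """Translate a prefix such as '/my/api/*' into the positional path conditions
    the page's requests use: one equal-match per segment, counted from 0. A
    trailing '*' (everything below the prefix) is dropped; any other '*' is refused
    because 'equal' compares literally."""
    segments = [s for s in path_prefix.strip("/").split("/") if s]
    if segments and segments[-1] == "*":
        segments.pop()
    if not segments:
        raise ValueError("at least one concrete path segment is required")
    for seg in segments:
        if "*" in seg:
            raise ValueError(f"wildcard inside segment {seg!r}: 'equal' is a literal match")
    return [{"type": "equal", "value": seg, "point": ["path", i]} for i, seg in enumerate(segments)]


def vpatch_hint(client_id: int, path_prefix: str, instance_id: Optional[int] = None,
                attack_type: str = "any") -> Dict:
    """Request body for /v1/objects/hint/create blocking requests under path_prefix.
    With instance_id the patch is limited to that application, as in the page's
    second example; 'validated' and 'point' are set as in the page's requests."""
    actions: List[Dict] = []
    if instance_id is not None:
        actions.append({"point": ["instance"], "type": "equal", "value": str(instance_id)})
    actions.extend(path_actions(path_prefix))
    return {
        "clientid": client_id,
        "type": "vpatch",
        "action": actions,
        "validated": False,
        "point": [["header", "HOST"]],
        "attack_type": attack_type,
    }


if __name__ == "__main__":
    import json
    # constructed values: client 12345, application instance 3
    print(json.dumps(vpatch_hint(12345, "/my/api/*", instance_id=3), indent=2))
```

The returned dictionary is what goes into `--data-raw` (or `requests.post(..., json=body)`) in the requests above.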
## Create a rule to consider requests with a specific value of the X-FORWARDED-FOR header as attacks

The following request creates a custom attack indicator based on the regexp `^(~(44[.]33[.]22[.]11))$`.

If requests to the domain `MY.DOMAIN.NAME` carry the `X-FORWARDED-FOR: 44.33.22.11` HTTP header, the Wallarm node will consider them scanner attacks and block them if the corresponding filtration mode has been set.

US Cloud:

```bash
curl -v -X POST 'https://us1.api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"type": "regex", "action": [{"point": ["header", "HOST"], "type": "equal", "value": "MY.DOMAIN.NAME"}], "clientid": <YOUR_CLIENT_ID>, "validated": false, "comment": "comment", "point": [["header", "X-FORWARDED-FOR"]], "attack_type": "scanner", "regex": "^(~(44[.]33[.]22[.]11))$"}'
```

EU Cloud:

```bash
curl -v -X POST 'https://api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"type": "regex", "action": [{"point": ["header", "HOST"], "type": "equal", "value": "MY.DOMAIN.NAME"}], "clientid": <YOUR_CLIENT_ID>, "validated": false, "comment": "comment", "point": [["header", "X-FORWARDED-FOR"]], "attack_type": "scanner", "regex": "^(~(44[.]33[.]22[.]11))$"}'
```
## Create the rule setting filtration mode to monitoring for the specific application

The following request creates a rule that makes the node filter traffic going to the application with ID `3` in the monitoring mode.

US Cloud:

```bash
curl 'https://us1.api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "type": "wallarm_mode", "mode": "monitoring", "validated": false, "action": [{"point": ["instance"], "type": "equal", "value": "3"}]}'
```

EU Cloud:

```bash
curl 'https://api.wallarm.com/v1/objects/hint/create' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "type": "wallarm_mode", "mode": "monitoring", "validated": false, "action": [{"point": ["instance"], "type": "equal", "value": "3"}]}'
```
## Delete rule by its ID

Copy the ID of the rule to delete from the response to the request for all configured rules. The rule ID is also returned in the `id` response parameter of the rule creation request.
## API calls to get, populate and delete IP list objects

Below are some examples of API calls to get, populate and delete IP list objects.

### API request parameters

Parameters to be passed in the API requests that read and change IP lists:
| Parameter | Description |
|---|---|
| `X-WallarmApi-Token` | Token to access the Wallarm API; copy it from Wallarm Console → Settings → API tokens. |
| `clientid` | ID of the account in Wallarm Cloud whose IP list is read or populated. |
| `ip_rule.list` | The IP list to add objects to: `black` (denylist), `white` (allowlist) or `gray` (graylist). |
| `ip_rule.rule_type` | The type of objects to add to the list; the examples below use `ip_range` (IPs or subnets), `country` and `proxy_type`. |
| `ip_rule.subnet` (for `rule_type: "ip_range"`) | IP or subnet to add to the list, e.g. `"1.1.1.1"`. |
| `ip_rule.source_values` (for other `rule_type` values) | Array of values of the chosen type, e.g. country or region codes for `country`, proxy service names for `proxy_type`. |
| `ip_rule.pools` | Array of application IDs to allow or restrict access for, e.g. `[3,4]` for applications 3 and 4, or `[0]` for all applications. |
| `ip_rule.expired_at` | Unix Timestamp at which the IPs are removed from the list. The maximum value is forever (`33223139044`). |
| `reason` | Reason to allow or restrict access for the IPs. |
| `force` | If `true` and some objects in the request are already in the IP list, the request overwrites them. |
### Add to the list the entries from the .csv file

To add the IPs or subnets listed in a `.csv` file (one entry per line) to the list, use the following bash script.

US Cloud:

```bash
#!/bin/bash
TOKEN="<YOUR_TOKEN>"
CLIENT="<YOUR_CLIENT_ID>"
LIST="<TYPE_OF_IP_LIST>"                 # black, white or gray
PATH_TO_CSV_FILE="<PATH_TO_CSV_FILE>"    # path to the CSV file with IPs or subnets, one per line
APPLICATIONS="<APP_IDS_THROUGH_COMMA>"   # e.g. 3,4 or 0 for all applications
REMOVE_DATE="<TIMESTAMP_REMOVE_DATE>"    # seconds from now until the entries expire (added to the current time)
REASON='<REASON>'
API="us1.api.wallarm.com"

# Read the entries into an array, skipping empty lines
subnets=()
while IFS= read -r line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  subnets+=("$line")
done < "$PATH_TO_CSV_FILE"

# Send one request per entry
for i in "${subnets[@]}"; do
  currentDate=$(date -u +%s)
  remove_date=$((currentDate + REMOVE_DATE))
  curl -X POST \
    "https://$API/v4/ip_rules" \
    -H "Content-Type: application/json" \
    -H "X-WallarmApi-Token: $TOKEN" \
    -d '{
      "clientid": '"$CLIENT"',
      "ip_rule": {
        "list": "'"$LIST"'",
        "rule_type": "ip_range",
        "subnet": "'"$i"'",
        "expired_at": '"$remove_date"',
        "pools": [
          '"$APPLICATIONS"'
        ],
        "reason": "'"$REASON"'"
      },
      "force": false
    }'
done
```
EU Cloud:

```bash
#!/bin/bash
TOKEN="<YOUR_TOKEN>"
CLIENT="<YOUR_CLIENT_ID>"
LIST="<TYPE_OF_IP_LIST>"                 # black, white or gray
PATH_TO_CSV_FILE="<PATH_TO_CSV_FILE>"    # path to the CSV file with IPs or subnets, one per line
APPLICATIONS="<APP_IDS_THROUGH_COMMA>"   # e.g. 3,4 or 0 for all applications
REMOVE_DATE="<TIMESTAMP_REMOVE_DATE>"    # seconds from now until the entries expire (added to the current time)
REASON='<REASON>'
API="api.wallarm.com"

# Read the entries into an array, skipping empty lines
subnets=()
while IFS= read -r line || [ -n "$line" ]; do
  [ -z "$line" ] && continue
  subnets+=("$line")
done < "$PATH_TO_CSV_FILE"

# Send one request per entry
for i in "${subnets[@]}"; do
  currentDate=$(date -u +%s)
  remove_date=$((currentDate + REMOVE_DATE))
  curl -X POST \
    "https://$API/v4/ip_rules" \
    -H "Content-Type: application/json" \
    -H "X-WallarmApi-Token: $TOKEN" \
    -d '{
      "clientid": '"$CLIENT"',
      "ip_rule": {
        "list": "'"$LIST"'",
        "rule_type": "ip_range",
        "subnet": "'"$i"'",
        "expired_at": '"$remove_date"',
        "pools": [
          '"$APPLICATIONS"'
        ],
        "reason": "'"$REASON"'"
      },
      "force": false
    }'
done
```
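The bash script above pushes every line of the CSV file to the denylist or allowlist as-is. The following added example (not from the Wallarm documentation) does the same job in Python but validates each entry with the standard `ipaddress` module before a request body is built, so a typo in the file raises an error instead of a malformed entry reaching the list; it also de-duplicates, clears host bits from subnets and caps `expired_at` at the page's "forever" value. The function names, the `SAMPLE_CSV` data and the `submit` transport are assumptions; the request body layout and parameter names are those of the table above.

```python
import csv
import io
import ipaddress
import time
from typing import Dict, List, Optional

FOREVER = 33223139044  # upper bound for expired_at given on the page ("forever")
LIST_TYPES = ("black", "white", "gray")  # denylist, allowlist, graylist


def parse_ip_entries(csv_text: str) -> List[str]:
    """First column of each CSV row is an IP or subnet. Entries are validated,
    host bits are cleared (192.168.1.77/24 -> 192.168.1.0/24), single hosts stay
    bare as on the page ("1.1.1.1"), and blanks, '#' comments and duplicates are
    dropped. A malformed entry raises instead of being silently skipped."""
    seen, out = set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        raw = row[0].strip() if row else ""
        if not raw or raw.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            raise ValueError(f"invalid IP or subnet in CSV: {raw!r}") from exc
        entry = str(net.network_address) if net.num_addresses == 1 else str(net)
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def ip_rule_bodies(client_id: int, list_type: str, entries: List[str], app_ids: List[int],
                   reason: str, ttl_seconds: int, now: Optional[int] = None,
                   force: bool = False) -> List[Dict]:
    """One /v4/ip_rules request body per entry, as the page's script builds them:
    expired_at is now + ttl, capped at the "forever" maximum."""
    if list_type not in LIST_TYPES:
        raise ValueError(f"list must be one of {LIST_TYPES}, got {list_type!r}")
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    now = int(time.time()) if now is None else now
    expired_at = min(now + ttl_seconds, FOREVER)
    return [{
        "clientid": client_id,
        "ip_rule": {
            "list": list_type,
            "rule_type": "ip_range",
            "subnet": entry,
            "expired_at": expired_at,
            "pools": list(app_ids),
            "reason": reason,
        },
        "force": force,
    } for entry in entries]


def submit(bodies: List[Dict], api_host: str, token: str) -> List[int]:
    """POST each body to https://<api_host>/v4/ip_rules and return the status codes
    (not exercised here; requests is imported lazily so the demo runs without it)."""
    import requests
    codes = []
    for body in bodies:
        r = requests.post(f"https://{api_host}/v4/ip_rules", json=body, timeout=30,
                          headers={"X-WallarmApi-Token": token, "Content-Type": "application/json"})
        codes.append(r.status_code)
    return codes


# Constructed sample: a duplicate, a subnet with host bits set, a comment, a blank line, IPv6
SAMPLE_CSV = "1.1.1.1\n10.0.0.0/8\n1.1.1.1\n192.168.1.77/24\n# maintenance window\n\n2001:db8::/32\n"

if __name__ == "__main__":
    entries = parse_ip_entries(SAMPLE_CSV)
    for body in ip_rule_bodies(42, "black", entries, [3, 4], "constructed example", 3600):
        print(body["ip_rule"]["subnet"], "->", body["ip_rule"]["expired_at"])
```

To run it for real, call `submit(bodies, "us1.api.wallarm.com", token)` or `submit(bodies, "api.wallarm.com", token)` with the bodies from `ip_rule_bodies`; the `ttl_seconds` argument plays the role of `REMOVE_DATE` in the script.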
### Add to the list a single IP or subnet

To add particular IPs or subnets to the IP list, send the following request for each IP/subnet.

US Cloud:

```bash
curl 'https://us1.api.wallarm.com/v4/ip_rules' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "force": false, "ip_rule": {"list": "<TYPE_OF_IP_LIST>", "reason": "<REASON_TO_ADD_ENTRIES_TO_LIST>", "pools": [<ARRAY_OF_APP_IDS>], "expired_at": <TIMESTAMP_REMOVE_DATE>, "rule_type": "ip_range", "subnet": "<IP_OR_SUBNET>"}}'
```

EU Cloud:

```bash
curl 'https://api.wallarm.com/v4/ip_rules' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "force": false, "ip_rule": {"list": "<TYPE_OF_IP_LIST>", "reason": "<REASON_TO_ADD_ENTRIES_TO_LIST>", "pools": [<ARRAY_OF_APP_IDS>], "expired_at": <TIMESTAMP_REMOVE_DATE>, "rule_type": "ip_range", "subnet": "<IP_OR_SUBNET>"}}'
```
### Add to the list multiple countries

US Cloud:

```bash
curl 'https://us1.api.wallarm.com/v4/ip_rules' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "ip_rule": {"list": "<TYPE_OF_IP_LIST>", "rule_type": "country", "source_values": [<ARRAY_OF_COUNTRIES_REGIONS>], "pools": [<ARRAY_OF_APP_IDS>], "expired_at": "<TIMESTAMP_REMOVE_DATE>", "reason": "<REASON_TO_ADD_ENTRIES_TO_LIST>"}, "force": false}'
```

EU Cloud:

```bash
curl 'https://api.wallarm.com/v4/ip_rules' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "ip_rule": {"list": "<TYPE_OF_IP_LIST>", "rule_type": "country", "source_values": [<ARRAY_OF_COUNTRIES_REGIONS>], "pools": [<ARRAY_OF_APP_IDS>], "expired_at": "<TIMESTAMP_REMOVE_DATE>", "reason": "<REASON_TO_ADD_ENTRIES_TO_LIST>"}, "force": false}'
```
### Add to the list multiple proxy services

US Cloud:

```bash
curl 'https://us1.api.wallarm.com/v4/ip_rules' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "ip_rule": {"list": "<TYPE_OF_IP_LIST>", "rule_type": "proxy_type", "source_values": [<ARRAY_OF_PROXY_SERVICES>], "pools": [<ARRAY_OF_APP_IDS>], "expired_at": "<TIMESTAMP_REMOVE_DATE>", "reason": "<REASON_TO_ADD_ENTRIES_TO_LIST>"}, "force": false}'
```

EU Cloud:

```bash
curl 'https://api.wallarm.com/v4/ip_rules' \
  -H 'X-WallarmApi-Token: <YOUR_TOKEN>' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  --data-raw '{"clientid": <YOUR_CLIENT_ID>, "ip_rule": {"list": "<TYPE_OF_IP_LIST>", "rule_type": "proxy_type", "source_values": [<ARRAY_OF_PROXY_SERVICES>], "pools": [<ARRAY_OF_APP_IDS>], "expired_at": "<TIMESTAMP_REMOVE_DATE>", "reason": "<REASON_TO_ADD_ENTRIES_TO_LIST>"}, "force": false}'
```
### Delete an object from the IP list

Objects are deleted from IP lists by their IDs.

To get an object ID, request the IP list contents and copy `objects.id` of the required object from the response:

Having the object ID, send the following request to delete it from the list:

You can delete multiple objects at once by passing their IDs as an array in the deletion request.