You can search for virtually any attribute of attacks, incidents, and vulnerabilities.
Wallarm is equipped with a query language similar to human language, which makes submitting queries intuitive. Queries can be refined using special modifiers, which are described below.
When values of different parameters are specified, the results meet all of those conditions (logical AND). When several values of the same parameter are specified, the results meet any of those conditions (logical OR).
To search within a single application, specify in the search string
<application name> is set on the Applications tab in the Settings section.
Examples of search requests:
attacks xss: to search for all XSS attacks.
attacks today: to search for all attacks that happened today.
vulns sqli: to search for SQL injection vulnerabilities.
vulns 01/01/2019-01/10/2019: to search for vulnerabilities within a certain period of time.
xss 01/14/2019: to search for all vulnerabilities, suspicions, attacks, and incidents of cross-site scripting on 14 January 2019.
p:xss 01/14/2019: to search for all vulnerabilities, suspicions, attacks, and incidents of all types within the xss HTTP request parameter (i.e. http://localhost/?xss=attack-here) as of 14 January 2019.
attacks 2-9/2018: to search for all attacks from February to September 2018.
rce /catalog/import.php: to search for all RCE attacks, incidents, and vulnerabilities on the /catalog/import.php path since yesterday.
In addition to using the search string, you can retrieve data using filters (see Using Filters).
Parameters you enter into the search string will automatically duplicate in the filters and vice versa.
Any search query or combination of filters can be saved using the Save as template button and quickly accessed later with the Searches drop-down list.
- Type of object
- Type of attack or vulnerability
- Aim of attack or vulnerability
- Severity level
- Vulnerability identifier
- Vulnerability status
- IP address
- Server response status
- Server response size
- HTTP request method
- Request identifier
Specify in the search string:
attacks: to search only for the attacks that are not aimed at known vulnerabilities.
incidents: to search only for incidents (attacks exploiting a known vulnerability).
vulnerabilities: to search only for vulnerabilities.
Specify in the search string:
sqli: to search for SQL injection attacks/vulnerabilities.
xss: to search for Cross Site Scripting attacks/vulnerabilities.
rce: to search for OS Commanding attacks/vulnerabilities.
brute: to search for brute-force attacks.
ptrav: to search for path traversal attacks.
crlf: to search for CRLF injection attacks/vulnerabilities.
redir: to search for open redirect vulnerabilities.
nosqli: to search for NoSQL injection attacks/vulnerabilities.
logic_bomb: to search for logic bomb attacks.
overlimit_res: to search for attacks aimed at overconsumption of computational resources.
xxe: to search for XML External Entity attacks.
vpatch: to search for virtual patches.
dirbust: to search for forced browsing attacks.
ldapi: to search for LDAP injection attacks/vulnerabilities.
scanner: to search for port scanner attacks/vulnerabilities.
info: to search for information disclosure attacks/vulnerabilities.
An attack or vulnerability name can be specified in both uppercase and lowercase letters:
SQLi are equally correct.
Specify in the search string:
client: to search for client data attacks/vulnerabilities.
database: to search for database attacks/vulnerabilities.
server: to search for app server attacks/vulnerabilities.
Specify the risk level in the search string:
low: low risk level.
medium: medium risk level.
high: high risk level.
To search for a certain vulnerability, specify its identifier. It can be specified in two ways:
- either fully:
- or in abbreviated form:
Specify the vulnerability status in the search string. A vulnerability can have one of three statuses:
open: currently relevant vulnerability;
closed: fixed vulnerability;
falsepositive: vulnerability marked as false.
Specify the time range in the search string. If no time interval is specified, the search covers the events that occurred during the last 24 hours. Use the following date format: MM/DD/YYYY (for example, 01/14/2014). If the year is not specified, the current year is used. Thus,
01/14 is the same as
String aliases can also be used:
yesterday: always equal to yesterday's date.
today: always equal to today's date.
You can also specify the following intervals for the search:
- by date:
- by time (seconds are disregarded):
01/10/2019 11:12-01/14/2019 12:14
- with relation to a certain moment of time:
To search by IP address, use the ip: prefix, after which you can specify:
- A specific IP address, for example 192.168.0.1: in this case, all attacks and incidents will be found whose attack source address corresponds to this IP address.
- An expression describing a range of IP addresses.
- A total number of IP addresses related to an attack or incident.
To set a required range of IP addresses, you can use
- An explicit IP address range:
- A part of an IP address:
192.168.0.0-192.168.255.255. A redundant format with the * modifier is also allowed.
- An IP address or part of it with a range of values inside the last octet:
- Subnet prefixes (CIDR notation):
You can combine the above methods for defining IP address ranges. To do this, list all the necessary ranges with the ip: prefix separately.
ip:192.168.0.0/24 ip:10.10. ip:10.0.10.0-128
It is possible to search by the total number of IP addresses that are related to an attack or an incident (only for attacks and incidents):
ip:1000+ last month: search for attacks and incidents over the past month for which the number of unique IP addresses is more than 1000 (equivalent to attacks incidents ip:1000+ last month).
xss ip:100+: search for all cross-site scripting attacks and incidents. The search result will be empty if the number of attacking IP addresses (with the XSS attack type) is less than 100.
xss p:id ip:100+: search for all XSS attacks and incidents related to the id parameter (?id=aaa). This will return results only if the number of different IP addresses exceeds 100.
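To make the range notations above concrete, here is an added Python example (not Wallarm's own code) that resolves each ip: form from this section to inclusive address bounds and applies several ip: terms with the "same parameter, any value" (OR) semantics described earlier. The trailing-* spelling (192.168.*) is an assumption, since the page names the * modifier without showing its exact form, and the sample source addresses are constructed.

```python
import ipaddress

def parse_ip_range(spec):
    """Translate one ip: value into inclusive (low, high) integer bounds.

    Forms taken from the page: CIDR (192.168.0.0/24), an explicit range
    (192.168.0.0-192.168.255.255), a partial address (10.10.), a range inside
    the last octet (10.0.10.0-128) and a single address. The trailing-* form
    (192.168.*) is an assumed spelling of the page's "* modifier".
    """
    if "/" in spec:                                   # CIDR prefix
        net = ipaddress.ip_network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if spec.endswith("*"):                            # assumed: 192.168.* == 192.168.
        spec = spec[:-1]
    if spec.endswith("."):                            # partial address: pad with 0 / 255
        octets = spec.rstrip(".").split(".")
        low = octets + ["0"] * (4 - len(octets))
        high = octets + ["255"] * (4 - len(octets))
        return (int(ipaddress.ip_address(".".join(low))),
                int(ipaddress.ip_address(".".join(high))))
    if "-" in spec:                                   # explicit or last-octet range
        left, right = spec.split("-", 1)
        if "." not in right:                          # 10.0.10.0-128 -> 10.0.10.0-10.0.10.128
            right = left.rsplit(".", 1)[0] + "." + right
        return int(ipaddress.ip_address(left)), int(ipaddress.ip_address(right))
    single = int(ipaddress.ip_address(spec))          # one exact address
    return single, single

def ip_matches(addr, specs):
    """Several ip: terms are values of the same parameter, so any one may match (OR)."""
    value = int(ipaddress.ip_address(addr))
    return any(low <= value <= high for low, high in map(parse_ip_range, specs))

# Constructed sample: attack source addresses of a few events, not real data.
SAMPLE_SOURCES = ["192.168.0.77", "10.10.200.1", "10.0.10.129", "10.0.10.64", "172.16.5.5"]

def filter_sources(sources, query):
    """Apply the ip: terms of a search string (for example the page's own
    'ip:192.168.0.0/24 ip:10.10. ip:10.0.10.0-128') to a list of source IPs."""
    specs = [tok[len("ip:"):] for tok in query.split() if tok.startswith("ip:")]
    return [src for src in sources if ip_matches(src, specs)]
```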
To search by server response status, specify
Response status can be specified as:
- a number from 100 to 999.
- «N-M» range, where N and M are numbers from 100 to 999.
- «N+» and «N-» ranges, where N is a number from 100 to 999.
To search by the server response size, use the
You can search for any integer value. Numbers above 999 can be specified without a prefix. The «N-M», «N+» and «N-» ranges can also be specified, and again numbers above 999 need no prefix.
To search by HTTP request method, specify the
To search for
OPTIONS: if uppercase is used, the method can be specified in the search string without a prefix. For all other values, a prefix is required.
To search by domain, use the
Any string that looks like a domain of the second or a higher level can be specified without a prefix. Any string can be specified with a prefix.
You may use masks within a domain. The symbol * replaces any number of characters; the symbol ? replaces any single character.
To search by path, use the
Strings that start with / are processed without a prefix. Any string can be specified with a prefix.
To search by parameter, use the
parameter: prefix and also the
For example, if you need to find attacks aimed at the xss parameter but not XSS attacks (for instance, an SQL injection attack carrying its payload in the GET parameter named xss), specify attacks p:xss in the search string.
A string that does not start with / and ends with = is considered to be a parameter (the ending = character is not included in the value). Any string can be specified with a prefix.
To search for anomalies in attacks, use the
To refine an anomaly search, use the following parameters:
attacks sqli a:size: to search for all SQL injection attacks that have response size anomalies.
To search for attacks and incidents by request identifier, specify the
The request_id parameter has the following value form: a79199bcea606040cc79f913325401fb. For readability, in the examples below this value is replaced by the placeholder abbreviation
attacks incidents request_id:<requestId>: to search for an attack or an incident with the
attacks incidents !request_id:<requestId>: to search for attacks and incidents with the request_id not equal to
attacks incidents request_id: to search for attacks and incidents with any
attacks incidents !request_id: to search for attacks and incidents without any