Attack Analysis
This article describes how you can analyze attacks detected by the Wallarm node and take actions regarding them.
Attack analysis
All attacks detected by the Wallarm platform are displayed in the Attacks section of the Wallarm Console. You can filter the list by attack date, type and other criteria, and expand any attack and the requests it contains for detailed analysis. If a detected attack turns out to be a false positive, you can immediately mark it as one to prevent similar false positives in the future. Based on the detected attacks, you can also create rules and perform other Wallarm configuration to mitigate similar threats. Additionally, if active verification is enabled, you can check its status right in the attack list.
Consider the following:
- An attack is a group of hits.
- A hit is a malicious request plus the metadata added by the node.
- A malicious payload is the part of a request that carries an attack sign.
Read more on these terms in the Glossary.
The details of each attack contain all the information necessary for analysis, such as the attack's hits and a summary of the malicious payloads. To simplify analysis, only unique hits are stored in the attack details. Repeated malicious requests are not uploaded to the Wallarm Cloud and are not displayed. This process is called hit sampling.
Hit sampling does not affect the quality of attack detection: the Wallarm node continues to protect your applications and APIs even with hit sampling enabled.
False positives
A false positive occurs when attack signs are detected in a legitimate request. To prevent the filtering node from recognizing such requests as attacks in the future, you can mark all or specific requests of the attack as false positives.
If a false positive mark is added for an attack of a type other than information exposure, a rule disabling analysis of the same requests for the detected attack signs is created automatically. Note that this rule is not displayed in the Wallarm Console.
You can undo a false positive mark only within a few seconds after the mark was applied. If you decided to undo it later, this can be done only by sending a request to Wallarm technical support.
The default view of the attack list presents only actual attacks (false positives excluded). To change that, under All attacks switch from Default view to With false positives or Only false positives.
API calls to get attacks
Besides using the Wallarm Console UI, you can call the Wallarm API directly to get attack details. Below is an example of the API call for getting the first 50 attacks detected in the last 24 hours.
Replace TIMESTAMP with the date 24 hours ago converted to the Unix Timestamp format.
US Cloud:
curl -v -X POST "https://us1.api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: <YOUR_TOKEN>" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}"
EU Cloud:
curl -v -X POST "https://api.wallarm.com/v1/objects/attack" -H "X-WallarmApi-Token: <YOUR_TOKEN>" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"filter\": { \"clientid\": [YOUR_CLIENT_ID], \"time\": [[TIMESTAMP, null]] }, \"offset\": 0, \"limit\": 50, \"order_by\": \"last_time\", \"order_desc\": true}"
Getting 100 or more attacks
For attack and hit sets containing 100 or more records, retrieve them in smaller pages rather than fetching the whole dataset at once, to keep response times reasonable. Explore the corresponding request example
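The request above and the paging advice, as an added Python example (not Wallarm's own client code): it builds the same JSON body as the curl call, computes TIMESTAMP as 24 hours ago, and walks the result set in pages via offset and limit. The assumption that records come back in a top-level "body" list, and the offline fake_poster used instead of the live API, are constructed for this example.

```python
import json
import time
import urllib.request
from typing import Callable, Iterator, Optional

# Endpoints from the page: us1.api.wallarm.com serves the US Cloud, api.wallarm.com the EU Cloud.
US_API, EU_API = "https://us1.api.wallarm.com", "https://api.wallarm.com"
Poster = Callable[[str, dict], dict]  # (url, JSON body) -> decoded JSON response

def timestamp_24h_ago(now: Optional[float] = None) -> int:
    """TIMESTAMP from the page: the date 24 hours ago as a Unix timestamp."""
    return int(time.time() if now is None else now) - 24 * 3600

def build_attack_filter(client_id: int, since_ts: int, offset: int = 0, limit: int = 50) -> dict:
    """Body of the page's curl example; json.dumps renders None as the null in [[TIMESTAMP, null]]."""
    return {"filter": {"clientid": [client_id], "time": [[since_ts, None]]},
            "offset": offset, "limit": limit, "order_by": "last_time", "order_desc": True}

def wallarm_poster(token: str) -> Poster:
    """Real transport using the headers from the page's curl example."""
    def post(url: str, body: dict) -> dict:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode(), method="POST",
            headers={"X-WallarmApi-Token": token, "accept": "application/json",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post

def iter_attacks(post: Poster, client_id: int, since_ts: int,
                 page_size: int = 50, base_url: str = EU_API) -> Iterator[dict]:
    """Walk /v1/objects/attack in page_size chunks (the page's advice for 100+ records).
    Assumption: records arrive in a top-level "body" list of the response."""
    offset = 0
    while True:
        page = post(f"{base_url}/v1/objects/attack",
                    build_attack_filter(client_id, since_ts, offset, page_size))
        records = page.get("body") or []
        yield from records
        if len(records) < page_size:  # a short page is the last page
            return
        offset += page_size

def fake_poster(total: int) -> Poster:
    """Constructed offline stand-in: serves `total` fake records, honouring offset and limit."""
    store = [{"attackid": f"fake-{i}", "last_time": 1_700_000_000 + i} for i in range(total)]
    def post(url: str, body: dict) -> dict:
        return {"status": 200, "body": store[body["offset"]:body["offset"] + body["limit"]]}
    return post
```

Against the live API, pass `wallarm_poster("<YOUR_TOKEN>")` with your client ID and `timestamp_24h_ago()` to `iter_attacks`, choosing `base_url=US_API` or `EU_API` to match your Cloud.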