Using search and filters¶
Wallarm provides convenient methods for searching detected attacks, incidents and vulnerabilities. In the Events section of Wallarm Console, there are the following search methods available:
Filters to select filtering criteria
Search field to input search queries with attributes and modifiers similar to human language
The values set in the filters are automatically duplicated in the search field, and vice versa.
Any search query or a filter combination can be saved by clicking Save a query.
Available filters are presented in Wallarm Console in multiple forms:
Filters panel that is expanded and collapsed using the Filter button
Quick filters for excluding or showing only events with the specific parameter values
When values of different filters are selected, the results will meet all those conditions. When different values for the same filter are specified, the results will meet any of those conditions.
The search field accepts queries with attributes and modifiers similar to human language which makes submitting queries intuitive. For example:
attacks xss: to search for all XSS-attacks
attacks today: to search for all attacks that happened today
vulns sqli: to search for SQL-injection vulnerabilities
vulns 11/01/2020-11/10/2020: to search for vulnerabilities within a certain period of time
xss 12/14/2020: to search for all vulnerabilities, suspicions, attacks, and incidents of cross‑site scripting on 14 December 2020
p:xss 12/14/2020: to search for all vulnerabilities, suspicions, attacks, and incidents of all types within the xss HTTP request parameter (i.e.
http://localhost/?xss=attack-here) as of 14 December 2020
attacks 9-12/2020: to search for all attacks from September to December 2020
rce /catalog/import.php: to search for all RCE attacks, incidents, and vulnerabilities on
/catalog/import.phppath since yesterday
When values of different parameters are specified, the results will meet all those conditions. When different values for the same parameter are specified, the results will meet any of those conditions.
Setting the attribute value to NOT
To negate the attribute value, please use
! before the attribute or modifier name. For example:
attacks !ip:188.8.131.52 to show all attacks originated from any IP address excluding
Below you will find the list of attributes and modifiers available for use in search queries.
Search by object type¶
Specify in the search string:
attacks: to search only for the attacks that are not aimed at known vulnerabilities.
incidents: to search only for incidents (attacks exploiting a known vulnerability).
vulnerabilities: to search only for vulnerabilities.
Search by attack type or vulnerability type¶
Specify in the search string:
sqli: to search for SQL injection attacks/vulnerabilities.
xss: to search for Cross Site Scripting attacks/vulnerabilities.
rce: to search for OS Commanding attacks/vulnerabilities.
brute: to search for brute-force attacks.
ptrav: to search for path traversal attacks.
crlf: to search for CRLF injection attacks/vulnerabilities.
redir: to search for open redirect vulnerabilities.
nosqli: to search for NoSQL injection attacks/vulnerabilities.
data_bomb: to search for logic bomb attacks.
ssti: to search for Server‑Side Template Injections.
invalid_xml: to search for usage of unsafe XML header.
overlimit_res: to search for attacks aimed at overlimiting of computational resources.
xxe: to search for XML External Entity attacks.
vpatch: to search for virtual patches.
dirbust: to search for forced browsing attacks.
ldapi: to search for LDAP injection attacks/vulnerabilities.
scanner: to search for port scanner attacks/vulnerabilities.
infoleak: to search for attacks/vulnerabilities of information disclosure.
mail_injection: to search for Email Injections.
ssi: to search for SSI Injections.
overlimit_res: to search for attacks of the resource overlimiting type.
experimental: to search for experimental attacks detected based on custom regular expression.
An attack or vulnerability name can be specified in both uppercase and lowercase letters:
SQLi are equally correct.
Search by known attacks (CVE and well‑known exploits)¶
known: to search for requests that precisely attack since they exploit CVE vulnerabilities or other well‑known vulnerability types.
To filter attacks by certain CVE or another well‑known vulnerability type, you can pass the appropriate tag in addition to the tag
knownor separate from it. For example:
CVE-2004-2402 CVE-2018-6008to search for attacks exploiting the CVE-2004-2402 and CVE-2018-6008 vulnerabilities.
!known: potential false positives. These requests may contain little‑known exploits or the context turning the exploits into legitimate parameter values.
To filter attacks by CVE and well‑known exploits, quick filters by event types and CVE and exploits can be used.
Search hits by API protocols¶
To filter hits by API protocols, use the
This tag allows the following values:
Search by the attack target or the vulnerability target¶
Specify in the search string:
client: to search for clients' data attacks/vulnerabilities.
database: to search for database attacks/vulnerabilities.
server: to search for app server attacks/vulnerabilities.
Search by risk level¶
Specify the risk level in the search string:
low: low risk level.
medium: medium risk level.
high: high risk level.
Search by vulnerability identifier¶
To search for a certain vulnerability, specify its identifier. It can be specified in two ways:
or in abbreviated form:
Search by vulnerability status¶
Specify vulnerability status in the search string. Vulnerability can have one of the three statuses:
open: currently relevant vulnerability
closed: fixed vulnerability
Search by event time¶
Specify time period in the search string. If the period is not specified, the search is conducted within the events that occurred during the last 24 hours.
There are the following methods to specify the period:
By date and time (seconds are disregarded):
11/10/2020 11:12-01/14/2020 12:14
With relation to a certain moment of time:
Using string aliases:
yesterdayequal to yesterday's date
todayequal to today's date
last <unit>equal to the period from the entire past unit start to current date and time
yearor the number of these units can be used as
<unit>. For example:
last 3 monthor
last 3 months.
this <unit>equal to current unit
yearcan be used as
<unit>. For example:
this weekwill return events detected on Monday, Tuesday and Wednesday this week if today is Wednesday.
Date and time format depends on the settings specified in your profile:
MM/DD/YYYY if MDY is selected
DD/MM/YYYY if DMY is selected
13:00if 24‑hour is ticked
1pmif 24‑hour is unticked
The month can be specified as both number and name:
Jan for January. The year can be specified in both full form (
2020) and shortened form (
20). If the year is not specified in the date, then the current year is used.
Search by IP address¶
To search by IP address, use the
ip: prefix, after which you can specify
A specific IP address, for example
192.168.0.1—in this case, all attacks and incidents will be found for which the source address of the attack corresponds to this IP address.
An expression describing a range of IP addresses.
A total number of IP addresses related to an attack or incident.
Search by IP address range¶
To set a required range of IP addresses, you can use
An explicit IP address range:
A part of an IP address:
192.168.0.0-192.168.255.255. Redundant format with the
*modifier is allowed—
An IP address or part of it with a range of values inside the last octet in the expression:
When using a range of values within an octet, a dot is not set at the end.
Subnet prefixes (CIDR notation):
You can combine the above methods for defining IP address ranges. To do this, list all the necessary ranges with the ip: prefix separately.
ip:192.168.0.0/24 ip:10.10. ip:10.0.10.0-128
Search by number of IP addresses¶
It is possible to search by the total number of IP addresses that are related to an attack or an incident (only for attacks and incidents):
ip:1000+ last month—search for attacks and incidents over the past month for which the number of unique IP addresses is more than 1000 (equivalent to
attacks incidents ip:1000+ last month).
xss ip:100+—search for all cross‑site scripting attacks and incidents. The search result will be empty if the number of attacking IP addresses (with the XSS attack type) is less than 100.
xss p:id ip:100+—search for all XSS attacks and incidents related to the id parameter (
?id=aaa). This will return results only if the number of different IP addresses exceeds 100.
Search by the data center the IP address belongs to¶
To search by the data center, to which the IP address originated the attacks belongs, use the
This attribute value can be:
torfor the Tor network
proxyfor the public or web proxy server
azurefor Microsoft Azure
gcefor Google Cloud Platform
Search by the country or region in which the IP address is registered¶
To search by the country or the region, in which the IP address originated the attacks is registered, use the
The country/region name should be passed to the attribute in the format corresponding to the standard ISO 3166-1 in uppercase or lowercase letters. For example:
country:cn for attacks originated from China.
Search by server response status¶
To search by server response status, specify
Response status can be specified as:
a number from 100 to 999.
«N–M» range, where N and M are figures from 100 to 999.
«N+» and «N-» ranges, where N is a number from 100 to 999.
Search by server response size¶
To search by the server response size, use the
You can search for any integer value. Figures above 999 can be specified without a prefix. The «N–M», «N+» and «N-» ranges can be specified, where figures above 999 can also be specified without a prefix.
Search by HTTP request method¶
To search by HTTP request method, specify the
To search for
OPTIONS: if upper-case is used, then the search string can be specified without a prefix. For all other values, a prefix should be specified.
Search by a number of hits within attack/incident¶
To search attacks and incidents by a number of hits, specify the
For example, you can search for attacks that have more than 100 hits:
attacks N:>100. Or search for attacks with less than 10 hits with
Search by domain¶
To search by domain, use the
Any string, that may be a domain of the second or a higher level can be specified without a prefix. Any string can be specified with a prefix.
You may use masks within a domain. The symbol
* replaces any number of characters; the symbol
? replaces any single character.
Search by path¶
To search by path, use the
Strings that start with
/ are processed without a prefix. Any string can be specified with a prefix.
Search by application¶
To search by the application to which the attack was sent or in which a vulnerability was found, use the
app: prefix (the former
pool: prefix is still supported but not recommended).
The attribute value is the application name set on the Applications tab in the Settings section. For example:
Search by parameter or parser¶
To search by parameter or parser, use the
parameter: prefix, or the
= suffix. If using the suffix, a string that does not start with
/ is considered to be a parameter (wherein the ending
= character is not included in the value).
Possible attribute values:
Name of the aimed parameter.
For example, if you need to find attacks aimed at the
xssparameter but not at XSS-attacks (for instance, SQL-injection attack having
xssin the GET-parameter), then specify
attacks sqli p:xssin the search string.
Name of the parser used by Wallarm node to read the parameter value. The name must be in uppercase.
attacks p:*BASE64to find attacks aimed at any parameter parsed by the base64 parser.
Sequence of parameters and parsers.
attacks p:"POST_JSON_DOC_HASH_from"to find attacks sent in the
fromparameter in the JSON body of a request.
You may use masks within a value. The symbol
* replaces any number of characters, the symbol
? replaces any single character.
Search for anomalies in attacks¶
To search for anomalies in attacks, use the
To refine an anomaly search, use the following parameters:
attacks sqli a:size will search for all SQL-injection attacks, that have response size anomalies in their requests.
Search by request identifier¶
To search for attacks and incidents by request identifier, specify the
request_id parameter has the following value form:
a79199bcea606040cc79f913325401fb. In order to make it easier to read, this parameter has been replaced by the placeholder abbreviation
<requestId> in the examples below.
attacks incidents request_id:<requestId>: to search for an attack or an incident with the
attacks incidents !request_id:<requestId>: to search for attacks and incidents with the
request_idnot equal to
attacks incidents request_id: to search for attacks and incidents with any
attacks incidents !request_id: to search for attacks and incidents without any
Search for sampled hits¶
To search for the sampled hits, add
sampled to the search string.