search close
sites

API Documentation


Accessing the API

Base URL
                          https://dashboard.signalsciences.net/api/v0
                        
Examples

For examples on how to authenticate against and use the API, see Using our API.

auth

Log into the API

post /auth

Request

Form Parameters
Name
Type
Description
email
string required
password
string required min len 8

Responses

HTTP 200
Name
Type
Description
token
string

Token to be used in subsequent requests for authentication

Response Example
{
                          "token": "a3024fcf-0c8a-43d8-b70b-ed537fe50650"
                        }
                        
HTTP 401

Login failed

Log out the session

get /auth/logout

Request

No request parameters.

Responses

HTTP 302

Redirects to the login page

corps

List corps

get /corps

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
name
string

Identifying name of the corp

displayName
stringmin len 3 max len 100

Display name of the corp

smallIconURI
stringmax len 200

Small icon URI

created
string

Created RFC3339 date time

siteLimit
integer

Site limit

sites
uri
string

URI sub sites

authType
string

Authentication method

sessionMaxAgeDashboard
integerdefault 2592000 min len 60 max len 31536000

Dashboard session timeout (seconds)

Response Example
{
                          "data": [
                              {
                                  "name": "testcorp",
                                  "displayName": "Test Corporation",
                                  "smallIconURI": "",
                                  "created": "2014-12-09T10:43:54-08:00",
                                  "siteLimit": 5,
                                  "sites": {
                                      "uri": "/api/v0/corps/testcorp/sites"
                                  },
                                  "authType": "builtin",
                                  "sessionMaxAgeDashboard": 2592000,
                              }
                          ]
                        }
                        

Get corp by name

get /corps/{corpName}

Request

URI Parameters
Name
Type
Description
corpName
string required matching [0-9a-z_.-]+

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
name
string

Identifying name of the corp

displayName
stringmin len 3 max len 100

Display name of the corp

smallIconURI
stringmax len 200

Small icon URI

created
string

Created RFC3339 date time

siteLimit
integer

Site limit

sites
uri
string

URI sub sites

authType
string

Authentication method

sessionMaxAgeDashboard
integerdefault 2592000 min len 60 max len 31536000

Dashboard session timeout (seconds)

Response Example
{
                              "name": "testcorp",
                              "displayName": "Test Corporation",
                              "smallIconURI": "",
                              "created": "2014-12-09T10:43:54-08:00",
                              "siteLimit": 5,
                              "sites": {
                                  "uri": "/api/v0/corps/testcorp/sites"
                              },
                              "authType": "builtin",
                              "sessionMaxAgeDashboard": 2592000,
                            }
                            

Update corp by name

patch /corps/{corpName}

Request

URI Parameters
Name
Type
Description
corpName
string required matching [0-9a-z_.-]+

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
displayName
stringmin len 3 max len 100

Display name of the corp

smallIconURI
stringmax len 200

Small icon URI

sessionMaxAgeDashboard
integerdefault 2592000 min len 60 max len 31536000

Dashboard session timeout (seconds)

Request Example
{
                              "displayName": "Test Corporation1"
                            }
                            

Responses

HTTP 200

Successful update

Name
Type
Description
name
string

Identifying name of the corp

displayName
stringmin len 3 max len 100

Display name of the corp

smallIconURI
stringmax len 200

Small icon URI

created
string

Created RFC3339 date time

siteLimit
integer

Site limit

sites
uri
string

URI sub sites

authType
string

Authentication method

sessionMaxAgeDashboard
integerdefault 2592000 min len 60 max len 31536000

Dashboard session timeout (seconds)

Response Example
{
                              "name": "testcorp",
                              "displayName": "Test Corporation1",
                              "smallIconURI": "",
                              "created": "2014-12-09T10:43:54-08:00",
                              "siteLimit": 5,
                              "sites": {
                                  "uri": "/api/v0/corps/testcorp/sites"
                              },
                              "authType": "builtin",
                              "sessionMaxAgeDashboard": 2592000,
                            }
                            
HTTP 400

Failed due to data input

Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid displayName - must be between 3 and 100 characters."}
                            

Get corp overview report

get /corps/{corpName}/reports/attacks

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

from
string default -7d

Number of days ago to begin the data window. Takes the format "-Nd" where N is the number of days (maximum 30).

until
string default now

Number of days ago to end the data window. Takes the format "-Nd" where N is the number of days (maximum 30).

Responses

HTTP 200
Name
Type
Description
data
overviewSite array
name
string

Identifying name of the site

displayName
string

Display name of the site

totalCount
integer

Total number of requests

attackCount
integer

Number of malicious requests

blockedCount
integer

Number of malicious requests blocked

flaggedCount
integer

Number of malicious requests that would have been blocked in blocking mode

flaggedIPCount
integer

Number of IPs that triggered blocking events due to malicious signals

topAttackTypes
topAttackType array
tagName
string

Attack tag name

tagCount
integer

Number of instances of this attack tag

totalCount
integer

Total attack tags seen (note - requests can have multiple tags)

topAttackSources
topAttackSource array
countryCode
string

Two-letter ISO country code (note - empty for "Unknown", "private" for "Private Network"

countryName
string

Descriptive country name

requestCount
integer

Number of requests originating from this country

totalCount
integer

Total attack requests

Response Example
{
                                  "data": [
                                    {
                                      "name":"www.example.com",
                                      "displayName":"Example Site",
                                      "totalCount":49285068291,
                                      "blockedCount":29184,
                                      "flaggedCount":0,
                                      "attackCount":43129,
                                      "previousPeriodAttackCount": 40218,
                                      "previousPeriodBlockedCount": 39190,
                                      "flaggedIPCount":15,
                                      "topAttackTypes":[
                                          {
                                              "tagName":"Attack Tooling",
                                              "tagCount":32551,
                                              "totalCount":49712
                                          },
                                          {
                                              "tagName":"CMDEXE",
                                              "tagCount":5065,
                                              "totalCount":49712
                                          },
                                          {
                                              "tagName":"XSS",
                                              "tagCount":4383,
                                              "totalCount":49712
                                          }
                                      ],
                                      "topAttackSources":[
                                          {
                                              "countryCode":"CA",
                                              "countryName":"Canada",
                                              "requestCount":12414,
                                              "totalCount":43129
                                          },
                                          {
                                              "countryCode":"private",
                                              "countryName":"Private Network",
                                              "requestCount":6204,
                                              "totalCount":43129
                                          },
                                          {
                                              "countryCode":"",
                                              "countryName":"",
                                              "requestCount":5322,
                                              "totalCount":43129
                                          }
                                      ]
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid parameter - from"}
                                

List corp activity events

get /corps/{corpName}/activity

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

sort
one of (asc,desc) default desc

The sort order

since_id
string

The id of the last object in the set

max_id
string

The id of the last object in the set

limit
integer default 100 max 10000

The number of entries to be returned

page
integer

The page of the results - a maximum of 10000 requests in total will be returned

pretty
boolean

Pretty print the json output

events
one of (corpEvents,userEvents)

Filter on events

eventType
string

Filter on event type

Responses

HTTP 200
Name
Type
Description
totalCount
integer

Total number of matching documents

next
uri
string

Reference to the next page of data

data
activityevent array
id
string

Unique ID of the activity event

eventType
string

Event type

msgData
object

Data used to format the message

attachments
0
objectrequired
Title
string
Fields
0
objectrequired
Title
string
Value
string
Short
boolean
MarkdownFields
boolean
message
string

Message of the event

created
string

Created RFC3339 date time

Response Example
{
                                  "totalCount": 5,
                                  "next": {
                                    "uri": "/api/v0/corps/testcorp/activity?limit=1&page=2"
                                  },
                                  "data": [
                                    {
                                      "id": "random-uuid-string",
                                      "eventType": "userMultiFactorAuthEnabled",
                                      "msgData": {},
                                      "message": "User (user@example.com) enabled 2FA",
                                      "attachments": [],
                                      "created": "2018-04-12T01:00:33Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid parameter - from"}
                                

List users in corp

get /corps/{corpName}/users

Request

Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
corpUser array
name
string

Full name of the user

email
string

Email of the user

announcements
uri
string

Reference to site announcements of the user

defaultDashboards
uri
string

Reference to default dashboards of the user

memberships
data
objectrequired
data
site
objectrequired
name
string
displayName
string
role
string
uri
string
uri
string

Reference to site memberships of the user

role
string

Role of the user (owner, admin, user, observer)

status
string

Status of the user

mfaEnabled
boolean

Whether this user has two-factor auth enabled or not

authStatus
string

Auth-specific status of the user

corpAuthType
string

Corp auth type of the user

created
string

Created RFC3339 date time

apiUser
boolean

Is the user an API user

Response Example
{
                                  "data": [
                                    {
                                      "name": "Test User",
                                      "email": "user@example.com",
                                      "announcements": {
                                          "uri": "/api/v0/user/announcements"
                                      },
                                      "defaultDashboards": {
                                          "uri": "/api/v0/user/defaultDashboards"
                                      },
                                      "memberships": {
                                        "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                      }
                                      "role": "user",
                                      "status": "active"
                                      "mfaEnabled": false,
                                      "authStatus": "none",
                                      "created": "2014-12-09T10:43:54-08:00",
                                    }
                                  ]
                                }
                                

Get corp user by email

get /corps/{corpName}/users/{userEmail}

Request

URI Parameters
Name
Type
Description
userEmail
string required matching [0-9a-z_.-@]+
Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
name
string

Full name of the user

email
string

Email of the user

announcements
uri
string

Reference to site announcements of the user

defaultDashboards
uri
string

Reference to default dashboards of the user

memberships
data
objectrequired
data
site
objectrequired
name
string
displayName
string
role
string
uri
string
uri
string

Reference to site memberships of the user

role
string

Role of the user (owner, admin, user, observer)

status
string

Status of the user

mfaEnabled
boolean

Whether this user has two-factor auth enabled or not

authStatus
string

Auth-specific status of the user

corpAuthType
string

Corp auth type of the user

created
string

Created RFC3339 date time

apiUser
boolean

Is the user an API user

Response Example
{
                                      "name": "Test User",
                                      "email": "user@example.com",
                                      "memberships": {
                                        "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                      }
                                      "role": "user",
                                      "status": "active"
                                      "mfaEnabled": false,
                                      "corpAuthType": "builtin",
                                      "authStatus": "none",
                                      "created": "2014-12-09T10:43:54-08:00"
                                      "apiUser": false
                                    }
                                    

Update corp user by email

patch /corps/{corpName}/users/{userEmail}

Request

URI Parameters
Name
Type
Description
userEmail
string required matching [0-9a-z_.-@]+
Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
role
string

Role of the user (owner, admin, user, observer)

memberships
data
site
name
string

Name of the site

Request Example
{
                                      "role": "user",
                                      "memberships": {
                                        "data": [{
                                          "site": {
                                            "name": "staging"
                                          }
                                        }, {
                                          "site": {
                                            "name": "production"
                                          }
                                        }]
                                      }
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
name
string

Full name of the user

email
string

Email of the user

announcements
uri
string

Reference to site announcements of the user

defaultDashboards
uri
string

Reference to default dashboards of the user

memberships
data
objectrequired
data
site
objectrequired
name
string
displayName
string
role
string
uri
string
uri
string

Reference to site memberships of the user

role
string

Role of the user (owner, admin, user, observer)

status
string

Status of the user

mfaEnabled
boolean

Whether this user has two-factor auth enabled or not

authStatus
string

Auth-specific status of the user

corpAuthType
string

Corp auth type of the user

created
string

Created RFC3339 date time

apiUser
boolean

Is the user an API user

Response Example
{
                                      "name": "",
                                      "email": "user@example.com",
                                      "memberships": {
                                        "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                      }
                                      "role": "user",
                                      "status": "active"
                                      "mfaEnabled": false,
                                      "corpAuthType": "builtin",
                                      "authStatus": "none",
                                      "created": "2014-12-09T10:43:54-08:00"
                                      "apiUser": false
                                    }
                                    

Delete user from corp

delete /corps/{corpName}/users/{userEmail}

Request

URI Parameters
Name
Type
Description
userEmail
string required matching [0-9a-z_.-@]+

Responses

HTTP 204

Delete successful

Invite user to corp

post /corps/{corpName}/users/{userEmail}/invite

Request

Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
role
string

Role of the user (owner, admin, user, observer)

memberships
data
site
name
string

Name of the site

Request Example
{
                                          "role": "user",
                                          "memberships": {
                                            "data": [{
                                              "site": {
                                                "name": "staging"
                                              }
                                            }, {
                                              "site": {
                                                "name": "production"
                                              }
                                            }]
                                          }
                                        }
                                        

Responses

HTTP 200
Name
Type
Description
name
string

Full name of the user

email
string

Email of the user

announcements
uri
string

Reference to site announcements of the user

defaultDashboards
uri
string

Reference to default dashboards of the user

memberships
data
objectrequired
data
site
objectrequired
name
string
displayName
string
role
string
uri
string
uri
string

Reference to site memberships of the user

role
string

Role of the user (owner, admin, user, observer)

status
string

Status of the user

mfaEnabled
boolean

Whether this user has two-factor auth enabled or not

authStatus
string

Auth-specific status of the user

corpAuthType
string

Corp auth type of the user

created
string

Created RFC3339 date time

apiUser
boolean

Is the user an API user

Response Example
{
                                          "name": "",
                                          "email": "example@example.com",
                                          "memberships": {
                                            "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                          }
                                          "role": "user",
                                          "status": "active"
                                          "mfaEnabled": false,
                                          "corpAuthType": "builtin",
                                          "authStatus": "none",
                                          "created": "2014-12-09T10:43:54-08:00"
                                          "apiUser": false
                                        }
                                        
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                        

List rules in corp

get /corps/{corpName}/rules

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
totalCount
number

Total count of Corp Rules

data
corpRule array
id
string
siteNames
string array

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string

Type of rule (request, signal exclusion)

corpScope
string

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
type
string

(block, allow, exclude)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string

The signal id of the signal being excluded

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                  "data": {
                                    "totalCount": 1,
                                    "data": [
                                        {
                                            "id": "5e191909c931498586c6f537",
                                            "siteNames": [],
                                            "type": "request",
                                            "corpScope": "global",
                                            "enabled": true,
                                            "groupOperator": "all",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.1/8"
                                                }
                                            ],
                                            "actions": [
                                                {
                                                    "type": "block"
                                                }
                                            ],
                                            "requestlogging": "sampled",
                                            "reason": "foo",
                                            "expiration": "",
                                            "created": "2015-02-14T21:17:16Z",
                                            "updated": "2015-02-14T21:17:16Z"
                                        }
                                    ]
                                  }
                                }
                                

Create corp rule

post /corps/{corpName}/rules

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
siteNames
string array

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string

Type of rule (request, signal exclusion)

corpScope
string

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
type
string

(block, allow, exclude)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string

The signal id of the signal being excluded

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                    "siteNames": [
                                        "staging",
                                        "production"
                                    ],
                                    "type": "signal",
                                    "groupOperator": "all",
                                    "conditions": [
                                        {
                                            "type": "single",
                                            "field": "ip",
                                            "operator": "equals",
                                            "value": "192.0.2.204"
                                        },
                                        {
                                            "type": "group",
                                            "groupOperator": "any",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.123"
                                                }
                                            ]
                                        }
                                    ],
                                    "actions": [
                                        {
                                            "type": "excludeSignal"
                                        }
                                    ],
                                    "requestlogging": "sampled",
                                    "enabled": true,
                                    "reason": "test",
                                    "signal": "SQLI",
                                    "expiration": "",
                                    "corpScope": "specificSites"
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string
siteNames
string array

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string

Type of rule (request, signal exclusion)

corpScope
string

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
type
string

(block, allow, exclude)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string

The signal id of the signal being excluded

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                  "id": "5e18ee76f13d66138c3e587c",
                                  "siteNames": [
                                    "staging",
                                    "production"
                                  ],
                                  "type": "signal",
                                  "corpScope": "specificSites",
                                  "enabled": true,
                                  "groupOperator": "all",
                                  "conditions": [
                                    {
                                      "type": "single",
                                      "field": "ip",
                                      "operator": "equals",
                                      "value": "233.252.0.31"
                                    },
                                    {
                                      "type": "group",
                                      "groupOperator": "any",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "192.0.2.63"
                                        }
                                      ]
                                    }
                                  ],
                                  "actions": [
                                    {
                                      "type": "excludeSignal"
                                    }
                                  ],
                                  "requestlogging": "sampled",
                                  "signal": "SQLI",
                                  "reason": "test",
                                  "expiration": ""
                                }
                                

Get corp rule by id

get /corps/{corpName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string
siteNames
string array

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string

Type of rule (request, signal exclusion)

corpScope
string

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
type
string

(block, allow, exclude)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string

The signal id of the signal being excluded

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "data": {
                                        "totalCount": 1,
                                        "data": {
                                                "id": "5e191909c931498586c6f537",
                                                "siteNames": [],
                                                "type": "request",
                                                "corpScope": "global",
                                                "enabled": true,
                                                "groupOperator": "all",
                                                "conditions": [
                                                    {
                                                        "type": "single",
                                                        "field": "ip",
                                                        "operator": "equals",
                                                        "value": "203.0.113.1/8"
                                                    }
                                                ],
                                                "actions": [
                                                    {
                                                        "type": "block"
                                                    }
                                                ],
                                                "requestlogging": "sampled",
                                                "reason": "foo",
                                                "expiration": "",
                                                "created": "2015-02-14T21:17:16Z",
                                                "updated": "2015-02-14T21:17:16Z"
                                            }
                                      }
                                    }
                                    

Update corp rule

put /corps/{corpName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
siteNames
string array

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string

Type of rule (request, signal exclusion)

corpScope
string

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
type
string

(block, allow, exclude)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string

The signal id of the signal being excluded

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                      "id": "5e1914acf13d663e6d0178ea",
                                      "siteNames": [
                                        "staging",
                                        "production"
                                      ],
                                      "type": "signal",
                                      "corpScope": "specificSites",
                                      "enabled": true,
                                      "groupOperator": "all",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "198.51.100.76"
                                        },
                                        {
                                          "type": "group",
                                          "groupOperator": "any",
                                          "conditions": [
                                            {
                                              "type": "single",
                                              "field": "ip",
                                              "operator": "equals",
                                              "value": "203.0.113.156"
                                            }
                                          ]
                                        }
                                      ],
                                      "actions": [
                                        {
                                          "type": "excludeSignal"
                                        }
                                      ],
                                      "requestlogging": "sampled",
                                      "signal": "SQLI",
                                      "reason": "Known malicious IPs",
                                      "expiration": ""
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string
siteNames
string array

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string

Type of rule (request, signal exclusion)

corpScope
string

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
type
string

(block, allow, exclude)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string

The signal id of the signal being excluded

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "id": "5e18ee76f13d66138c3e587c",
                                      "siteNames": [
                                        "staging",
                                        "production"
                                      ],
                                      "type": "signal",
                                      "corpScope": "specificSites",
                                      "enabled": true,
                                      "groupOperator": "all",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "233.252.0.101"
                                        },
                                        {
                                          "type": "group",
                                          "groupOperator": "any",
                                          "conditions": [
                                            {
                                              "type": "single",
                                              "field": "ip",
                                              "operator": "equals",
                                              "value": "192.0.2.86"
                                            }
                                          ]
                                        }
                                      ],
                                      "actions": [
                                        {
                                          "type": "excludeSignal"
                                        }
                                      ],
                                      "requestlogging": "sampled",
                                      "signal": "SQLI",
                                      "reason": "test",
                                      "expiration": ""
                                    }
                                    

Delete rule from corp

delete /corps/{corpName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 204

Delete successful

Create corp signal tag

post /corps/{corpName}/tags

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
shortName
stringmin len 3 max len 25

The display name of the signal tag

description
stringmax len 140

Optional signal tag description

Request Example
{
                                    "shortName": "example signal tag",
                                    "description": "An example of a custom signal tag"
                                }
                                

Responses

HTTP 200
Name
Type
Description
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                    "shortName": "example signal tag",
                                    "tagName": "corp.example-signal-tag",
                                    "longName": "example signal tag",
                                    "description": "An example of a custom signal tag",
                                    "configurable": false,
                                    "informational": false,
                                    "needsResponse": false,
                                    "createdBy": "user@example.com",
                                    "created": "2020-02-06T23:28:54Z"
                                }
                                

List signal tags in corp

get /corps/{corpName}/tags

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
corpSignalTag array
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                    "data": [
                                        {
                                            "shortName": "example signal tag",
                                            "tagName": "corp.example-signal-tag",
                                            "longName": "example signal tag",
                                            "description": "An example of a custom signal tag",
                                            "configurable": false,
                                            "informational": false,
                                            "needsResponse": false,
                                            "createdBy": "user@example.com",
                                            "created": "2020-02-06T23:28:54Z"
                                        },
                                        {
                                            "shortName": "test-signal",
                                            "tagName": "corp.test-signal",
                                            "longName": "Test Signal",
                                            "description": "This is a signal for use when testing",
                                            "configurable": false,
                                            "informational": false,
                                            "needsResponse": false,
                                            "createdBy": "user@example.com",
                                            "created": "2020-01-10T23:36:50Z"
                                        }
                                    ]
                                }
                                

Get corp signal tag by tagName

get /corps/{corpName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string required

Responses

HTTP 200
Name
Type
Description
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                        "shortName": "example signal tag",
                                        "tagName": "corp.example-signal-tag",
                                        "longName": "example signal tag",
                                        "description": "An example of a custom signal tag",
                                        "configurable": false,
                                        "informational": false,
                                        "needsResponse": false,
                                        "createdBy": "user@example.com",
                                        "created": "2020-02-06T23:28:54Z"
                                    }
                                    

Update corp signal tag

patch /corps/{corpName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string required
Body (application/json)
Name
Type
Description
description
stringmax len 140

Optional signal tag description

Request Example
{
                                      "description": "An example of a custom signal tag - UPDATE"
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                        "shortName": "example signal tag",
                                        "tagName": "corp.example-signal-tag",
                                        "longName": "example signal tag",
                                        "description": "An example of a custom signal tag - UPDATE.",
                                        "configurable": false,
                                        "informational": false,
                                        "needsResponse": false,
                                        "createdBy": "user@example.com",
                                        "created": "2020-02-06T23:28:54Z"
                                    }
                                    

Delete signal tag from corp

delete /corps/{corpName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string required

Responses

HTTP 204

Delete successful

Get all lists

get /corps/{corpName}/lists

Request

Responses

HTTP 200
Name
Type
Description
data
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                  "data": [
                                    {
                                      "id": "corp.known-attackers",
                                      "name": "Known Attackers",
                                      "type": "ip",
                                      "description": "Malicious IPs we're tracking",
                                      "entries": [
                                        "198.51.100.165",
                                        "233.252.0.215",
                                        "192.0.2.186"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-06T18:57:55Z",
                                      "updated": "2018-08-13T15:26:01Z"
                                    },
                                    {
                                      "id": "corp.ofac-countries",
                                      "name": "OFAC Countries",
                                      "type": "country",
                                      "description": "Countries on the OFAC list",
                                      "entries": [
                                        "MM",
                                        "CI",
                                        "CU",
                                        "IR",
                                        "KP",
                                        "SY"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-03T20:50:54Z",
                                      "updated": "2018-08-03T20:50:59Z"
                                    }
                                  ]
                                }
                                

Create list

post /corps/{corpName}/lists

Request

Body (application/json)
Name
Type
Description
name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard, signal)

description
stringmax len 140

Optional list description

entries
string array

List entries

Request Example
{
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "192.0.2.186",
                                    "198.51.100.138",
                                    "233.252.0.174"
                                  ]
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                  "id": "corp.my-new-list",
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "192.0.2.186",
                                    "198.51.100.138",
                                    "233.252.0.174"
                                  ],
                                  "createdBy": "user@example.com",
                                  "created": "2018-08-16T17:38:27Z",
                                  "updated": "2018-08-16T17:38:27Z"
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"List cannot be deleted because a rule uses it"}
                                

Get list by id

get /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "id": "corp.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're putting in a list",
                                      "entries": [
                                        "192.0.2.186",
                                        "198.51.100.138",
                                        "233.252.0.174"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T17:38:27Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"id not found"}
                                    

Update list by id

patch /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
description
stringmax len 140

Optional list description

entries
additions
string array

List additions

deletions
string array

List deletions

Request Example
{
                                      "entries": {
                                        "additions": [
                                          "192.0.2.19"
                                        ],
                                        "deletions": [
                                          "192.0.2.186",
                                          "233.252.0.174"
                                        ]
                                      }
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "id": "corp.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "198.51.100.138",
                                        "192.0.2.19"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"id not found"}
                                    

Replace list by id

put /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
description
stringmax len 140

Optional list description

entries
string array

List entries

Request Example
{
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "192.0.2.186",
                                        "233.252.0.174",
                                        "198.51.100.193"
                                      ]
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "id": "corp.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "192.0.2.186",
                                        "233.252.0.174",
                                        "198.51.100.193"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

Delete list

delete /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 204

Successful removal from the list

HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

List corp integrations

get /corps/{corpName}/integrations

Request

Responses

HTTP 200
Name
Type
Description
data
integration array
id
string

Unique id of the integration

name
string

Integration name

type
string

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

url
string

Integration URL

fields
object,null
events
string array

Array of event types. View our https://docs.fastly.com/signalsciences/integrations to find out which events the service you are connecting allows.

active
boolean
note
string

Integration note

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

lastStatusCode
number
Response Example
{
                                  "data": [
                                    {
                                      "id": "556a8abb3dfaa4ff28000002",
                                      "name": "Slack message",
                                      "type": "slack",
                                      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                      "fields": null,
                                      "events": [
                                        "corpUpdated"
                                      ],
                                      "active": true,
                                      "note": "Sample",
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z",
                                      "lastStatusCode": 0
                                    }
                                  ]
                                }
                                

Create corp integration

post /corps/{corpName}/integrations

Request

Body (application/json)
Name
Type
Description
url
string

Integration URL

type
string

Corp integration types (mailingList, slack, microsoftTeams). Site integration types (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

events
string array

Array of event types. Visit https://docs.fastly.com/signalsciences/integrations to find out which events the service you are connecting allows.

note
string

Integration note

Request Example
{
                                  "url":"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                  "type":"slack",
                                  "events": [
                                    "corpUpdated"
                                  ],
                                  "note": ""
                                }
                                

Responses

HTTP 200
Name
Type
Description
ID
string

Unique ID of the integration

Type
string

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

URL
string

Integration URL

ExtraFields
string,null
Events
string array

Array of event types. Visit https://docs.fastly.com/signalsciences/integrations to find out which events the service you are connecting allows.

Active
boolean
CreatedBy
string

Email address of the user that created the integration

CreatedByID
string

ID of the user that created the integration

Note
string

Integration note

Created
string

Created RFC3339 date time

LastStatusCode
number
Response Example
{
                                    "ID": "5e2f5d17f13d66152d396956",
                                    "Type": "slack",
                                    "URL": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                    "ExtraFields": null,
                                    "Events": [
                                        "corpUpdated"
                                    ],
                                    "Active": true,
                                    "CreatedBy": "user@example.com",
                                    "CreatedByID": "5e222f75f13d666c9eaec7d9",
                                    "Note": "",
                                    "Created": "2020-01-27T21:58:47.608359Z",
                                    "LastStatusCode": 0
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Validation failed"}
                                

Get corp integration by id

get /corps/{corpName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string

Unique id of the integration

name
string

Integration name

type
string

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

url
string

Integration URL

fields
object,null
events
string array

Array of event types. View our https://docs.fastly.com/signalsciences/integrations to find out which events the service you are connecting allows.

active
boolean
note
string

Integration note

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

lastStatusCode
number
Response Example
{
                                        "id": "556a8abb3dfaa4ff28000002",
                                        "name": "Slack message",
                                        "type": "slack",
                                        "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                        "fields": null,
                                        "events": [
                                          "corpUpdated"
                                        ],
                                        "active": true,
                                        "note": "Sample",
                                        "createdBy": "user@example.com",
                                        "created": "2015-02-14T21:17:16Z",
                                        "lastStatusCode": 0
                                      }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Update corp integration by id

patch /corps/{corpName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
url
string

Integration URL

events
string array

Array of event types. Visit https://docs.fastly.com/signalsciences/integrations to find out which events the service you are connecting allows.

Request Example
{
                                      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                      "events": ["listCreated", "corpUpdated"]
                                    }
                                    

Responses

HTTP 204

Successful update

HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Validation failed"}
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Delete corp integration

delete /corps/{corpName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Successful removal from the list

HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Test corp integration by id

post /corps/{corpName}/integrations/{id}/test

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200

Test successful

HTTP 500

Test failed

List Cloudwaf instances

get /corps/{corpName}/cloudwafInstances

Request

Responses

HTTP 200
Name
Type
Description
data
cloudwafInstanceResponse array
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

Create CloudWAF instance

post /corps/{corpName}/cloudwafInstances

Request

Body (application/json)
Name
Type
Description
name
stringrequired

Friendly name to identify a CloudWAF instance.

description
stringrequired

Friendly description to identify a CloudWAF instance.

region
stringrequired

Region the CloudWAF Instance is being deployed to.(Supported region: "us-east-1", "us-west-1", "af-south-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-2", "us-west-2").

tlsMinVersion
stringrequired

TLS minimum version. Versions Available: "1.0", "1.2".

workspaceConfigs
object arrayrequired
siteName
stringrequired

Site name.

instanceLocation
stringrequired

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string arrayrequired

Specify the protocol or protocols required. ex. ["http", "https"], ["https"].

routes
object arrayrequired
certificateIds
string arrayrequired

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
stringrequired

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers. (default: false)

domains
string arrayrequired

List of domain or request URIs, up to 100 entries.

Request Example
{
                                  "name": "test",
                                  "description": "test",
                                  "region": "us-east-1",
                                  "tlsMinVersion": "1.2",
                                  "workspaceConfigs": [
                                    {
                                      "siteName": "www.example.com",
                                      "instanceLocation": "direct",
                                      "clientIPHeader": "",
                                      "listenerProtocols": ["https"],
                                      "routes": [
                                        {
                                          "certificateIds": ["id"],
                                          "domains": ["www.example.com"],
                                          "origin": "https://origin.example.com",
                                          "passHostHeader": false,
                                          "connectionPooling": true,
                                          "trustProxyHeaders": false
                                        }
                                      ]
                                    }
                                  ]
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

HTTP 400
Response Example
{"message": "An absolute URI including a scheme is required: unexpected origin, got = www.example.com"}
                                

Get CloudWAF instance by id

get /corps/{corpName}/cloudwafInstances/{deployment_id}

Request

URI Parameters
Name
Type
Description
deployment_id
string required

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

Response Example
{
                                      "id": "id1",
                                      "name": "website",
                                      "description": "a website",
                                      "region": "us-east-1",
                                      "tlsMinVersion": "1.2",
                                      "workspaceConfigs": [
                                        {
                                          "siteName": "www.example.com",
                                          "instanceLocation": "direct",
                                          "clientIPHeader": "",
                                          "listenerProtocols": ["https"],
                                          "routes": [
                                            {
                                              "certificateIds": ["id2"],
                                              "domains": ["www.example.com"],
                                              "origin": "https://www.origin.example.com",
                                              "passHostHeader": false,
                                              "id": "id3",
                                              "connectionPooling": true,
                                              "trustProxyHeaders": false
                                            }
                                          ]
                                        }
                                      ],
                                      "deployment": {
                                        "status": "done",
                                        "message": "",
                                        "egressIPs": [
                                          {
                                            "ip": "233.252.0.152",
                                            "status": "reachable",
                                            "updatedAt": "2021-04-08T17:10:58Z"
                                          }
                                        ],
                                        "dnsEntry": "example.signalsciencescloud.net"
                                      },
                                      "useUploadedCertificates": true,
                                      "createdBy": "user@example.com",
                                      "created": "2021-04-08T15:50:46Z"
                                    }
                                    

Update CloudWAF instance

put /corps/{corpName}/cloudwafInstances/{deployment_id}

Request

URI Parameters
Name
Type
Description
deployment_id
string required
Body (application/json)
Name
Type
Description
name
stringrequired

Friendly name to identify a CloudWAF instance.

description
stringrequired

Friendly description to identify a CloudWAF instance.

region
stringrequired

Region the CloudWAF Instance is being deployed to.(Supported region: "us-east-1", "us-west-1", "af-south-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-2", "us-west-2").

tlsMinVersion
stringrequired

TLS minimum version. Versions Available: "1.0", "1.2".

workspaceConfigs
object arrayrequired
siteName
stringrequired

Site name.

instanceLocation
stringrequired

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string arrayrequired

Specify the protocol or protocols required. ex. ["http", "https"], ["https"].

routes
object arrayrequired
id
string

Route unique identifier.

certificateIds
string arrayrequired

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
stringrequired

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers. (default: false)

domains
string arrayrequired

List of domain or request URIs, up to 100 entries.

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

HTTP 400
Response Example
{"message": "An absolute URI including a scheme is required: unexpected origin, got = www.example.com"}
                                    

Delete CloudWAF instance

delete /corps/{corpName}/cloudwafInstances/{deployment_id}

Request

URI Parameters
Name
Type
Description
deployment_id
string required

Responses

HTTP 204

delete successful

HTTP 400
Response Example
{"message":"cannot delete with pending instance"}
                                    

Restart CloudWAF instance

post /corps/{corpName}/cloudwafInstances/{deployment_id}/restart

Request

URI Parameters
Name
Type
Description
deployment_id
string required

Responses

HTTP 204

restart successful

List CloudWAF certificates

get /corps/{corpName}/cloudwafCerts

Request

Responses

HTTP 200
Name
Type
Description
data
cloudwafCertResponse array
id
string

CloudWAF certificate unique identifier

name
string

Friendly name to identify a CloudWAF certificate

commonName
string

Common name of the uploaded certificate

subjectAlternativeNames
string array

Subject alternative names from the uploaded certificate

domains
string arraymin len 1

List of domains - deprecated

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

fingerprint
string

SHA1 fingerprint of the certififcate

expiresAt
string

TimeStamp for when certificate expires in RFC3339 date time format

status
string

Current status of the certificate - could be one of "unknown", "active", "pendingverification", "expired", "error"

createdBy
string

Email address of the user that created the certfificate

created
string

Created RFC3339 date time

updatedBy
string

Email address of the user that updated the certificate

updatedAt
string

Updated RFC3339 date time

Upload CloudWAF certificate

post /corps/{corpName}/cloudwafCerts

Request

Body (application/json)
Name
Type
Description
name
string

Friendly name to identify a CloudWAF certificate

domains
string array

List of domains - deprecated

privateKey
string

Private key of the certificate in PEM format - must be unencrypted

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

Request Example
{
                                  "name": "someCertificate",
                                  "domains": [
                                    "example.com"
                                  ],
                                  "privateKey": "-----BEGIN PRIVATE KEY-----\n someCertificate private key \n-----END PRIVATE KEY-----\n",
                                  "certificateBody": "-----BEGIN CERTIFICATE-----\n someCertificate certificate body \n-----END CERTIFICATE-----\n",
                                  "certificateChain": ""
                                }
                                

Responses

HTTP 201
Name
Type
Description
id
string

CloudWAF certificate unique identifier

Response Example
{"id": "someCertificate-id" }
                                
HTTP 400
Response Example
{"message":"example.net is not associated with the specified TLS certificate.: unexpected domain, got = example.net"}
                                

Get CloudWAF certificate by id

get /corps/{corpName}/cloudwafCerts/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF certificate unique identifier

name
string

Friendly name to identify a CloudWAF certificate

commonName
string

Common name of the uploaded certificate

subjectAlternativeNames
string array

Subject alternative names from the uploaded certificate

domains
string arraymin len 1

List of domains - deprecated

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

fingerprint
string

SHA1 fingerprint of the certififcate

expiresAt
string

TimeStamp for when certificate expires in RFC3339 date time format

status
string

Current status of the certificate - could be one of "unknown", "active", "pendingverification", "expired", "error"

createdBy
string

Email address of the user that created the certfificate

created
string

Created RFC3339 date time

updatedBy
string

Email address of the user that updated the certificate

updatedAt
string

Updated RFC3339 date time

Response Example
{
                                  "id":"some-id",
                                  "name":"website",
                                  "domains":["example.com"],
                                  "certificateBody":"-----BEGIN CERTIFICATE-----\n certificate body \n-----END CERTIFICATE-----",
                                  "certificateChain":"",
                                  "fingerprint": "",
                                  "expiresAt":"2021-05-02T20:48:02Z",
                                  "status":"active",
                                  "createdBy":"user@example.com",
                                  "created":"2021-02-01T22:05:23Z",
                                  "updatedBy":"user@example.com",
                                  "updatedAt":"2021-02-01T22:06:17Z"
                                }
                                

Update CloudWAF certificate by id

put /corps/{corpName}/cloudwafCerts/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
name
stringmin len 1

Friendly name to identify a CloudWAF certificate

Request Example
{
                                "name": "some name"
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF certificate unique identifier

name
string

Friendly name to identify a CloudWAF certificate

commonName
string

Common name of the uploaded certificate

subjectAlternativeNames
string array

Subject alternative names from the uploaded certificate

domains
string arraymin len 1

List of domains - deprecated

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

fingerprint
string

SHA1 fingerprint of the certififcate

expiresAt
string

TimeStamp for when certificate expires in RFC3339 date time format

status
string

Current status of the certificate - could be one of "unknown", "active", "pendingverification", "expired", "error"

createdBy
string

Email address of the user that created the certfificate

created
string

Created RFC3339 date time

updatedBy
string

Email address of the user that updated the certificate

updatedAt
string

Updated RFC3339 date time

Response Example
{
                                  "id": "some-id",
                                  "name": "some certificate",
                                  "domains": [
                                      "website"
                                  ],
                                  "certificateBody": "-----BEGIN CERTIFICATE-----\n some certificate certificate body\n-----END CERTIFICATE-----\n",
                                  "certificateChain": "-----BEGIN CERTIFICATE-----\n some certificate certificate chain\n-----END CERTIFICATE-----\n",
                                  "fingerprint": "",
                                  "expiresAt": "2022-01-28T20:32:47Z",
                                  "status": "active",
                                  "createdBy": "user@example.com",
                                  "created": "2021-01-28T20:34:06.952625Z",
                                  "updatedBy": "user@example.com",
                                  "updatedAt": "2021-03-10T17:51:17.540049Z"}
                                
HTTP 400
Response Example
{"message":"name cannot be empty"}
                                

Delete CloudWAF certificate by id

delete /corps/{corpName}/cloudwafCerts/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 204

Delete successful

HTTP 400
Response Example
{"message":"certificate f179ae5fd6d8b5f742753e7019936d7e58e5c5bf used in deployments: cert is in use"}
                                

sites

List sites in corp

get /corps/{corpName}/sites

Request

URI Parameters
Name
Type
Description
corpName
string required matching [0-9a-z_.-]+

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

name
string

Filter on site name or display name

page
integer default 1

The page of the results

limit
integer default 10

The number of entries to be returned

agentLevel
one of (block,log,off)

Filter on agent mode

Responses

HTTP 200
Name
Type
Description
data
name
stringmin len 3 max len 100

Identifying name of the site

displayName
stringmin len 3 max len 100

Display name of the site

agentLevel
string

Agent action level - 'block', 'log' or 'off'

agentAnonMode
stringdefault off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integerdefault 86400 max 31556900

Duration to block an IP in seconds

blockHTTPCode
integerdefault 406 min 301 max 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string

Created RFC3339 date time

whitelist
uri
string

Reference to the site's whitelist

blacklist
uri
string

Reference to the site's blacklist

blocklist
uri
string

Reference to the site's blocklist

events
uri
string

Reference to the site's events

requests
uri
string

Reference to the site's requests

redactions
uri
string

Reference to the site's redactions

suspiciousIPs
uri
string

Reference to the site's suspicious IPs

monitors
uri
string

Reference to the site's monitors

integrations
uri
string

Reference to the site's integrations

headerLinks
uri
string

Reference to the site's header links

agents
uri
string

Reference to the site's agents

alerts
uri
string

Reference to the site's alerts

analyticsEvents
uri
string

Reference to the site's analytics events

topAttacks
uri
string

Reference to the site's top attacks

members
uri
string

Reference to the site's members

Response Example
{
                          "data": [
                              {
                                  "name": "www.example.com",
                                  "displayName": "My Website",
                                  "agentLevel": "block",
                                  "blockHTTPCode": 406,
                                  "blockDurationSeconds": 86400,
                                  "created": "2014-12-09T10:43:54-08:00",
                                  "whitelist": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                                  },
                                  "blacklist": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                                  },
                                  "events": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                                  },
                                  "requests": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                                  },
                                  "redactions": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                                  },
                                  "suspiciousIPs": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                                  },
                                  "monitors": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                                  },
                                  "integrations": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                                  },
                                  "headerLinks": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                                  },
                                  "agents": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                                  },
                                  "alerts": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                                  },
                                  "analyticsEvents": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                                  },
                                  "topAttacks": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                                  },
                                  "members": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                                  }
                              }
                          ]
                        }
                        

Create site in corp

post /corps/{corpName}/sites

Request

URI Parameters
Name
Type
Description
corpName
string required matching [0-9a-z_.-]+

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
name
stringmin len 3 max len 100

Identifying name of the site

displayName
stringmin len 3 max len 100

Display name of the site

agentLevel
string

Agent action level - 'block', 'log' or 'off'

agentAnonMode
stringdefault off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integerdefault 86400 max 31556900

Duration to block an IP in seconds

blockHTTPCode
integerdefault 406 min 301 max 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

Request Example
{
                          'name": "www.example.com",
                          "displayName": "Example Website",
                          "agentLevel": "block",
                          "blockDurationSeconds": 259200,
                          "blockHTTPCode": 302,
                          "blockRedirectURL": "/blocked/"
                        }
                        

Responses

HTTP 200
Name
Type
Description
name
stringmin len 3 max len 100

Identifying name of the site

displayName
stringmin len 3 max len 100

Display name of the site

agentLevel
string

Agent action level - 'block', 'log' or 'off'

agentAnonMode
stringdefault off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integerdefault 86400 max 31556900

Duration to block an IP in seconds

blockHTTPCode
integerdefault 406 min 301 max 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string

Created RFC3339 date time

whitelist
uri
string

Reference to the site's whitelist

blacklist
uri
string

Reference to the site's blacklist

blocklist
uri
string

Reference to the site's blocklist

events
uri
string

Reference to the site's events

requests
uri
string

Reference to the site's requests

redactions
uri
string

Reference to the site's redactions

suspiciousIPs
uri
string

Reference to the site's suspicious IPs

monitors
uri
string

Reference to the site's monitors

integrations
uri
string

Reference to the site's integrations

headerLinks
uri
string

Reference to the site's header links

agents
uri
string

Reference to the site's agents

alerts
uri
string

Reference to the site's alerts

analyticsEvents
uri
string

Reference to the site's analytics events

topAttacks
uri
string

Reference to the site's top attacks

members
uri
string

Reference to the site's members

Response Example
{
                          "name": "www.example.com",
                          "displayName": "My Website1",
                          "agentLevel": "block",
                          "blockHTTPCode": 302,
                          "blockDurationSeconds": 259200,
                          "blockRedirectURL": "/blocked/",
                          "created": "2014-12-09T10:43:54-08:00",
                          "whitelist": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                          },
                          "blacklist": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                          },
                          "events": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                          },
                          "requests": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                          },
                          "redactions": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                          },
                          "suspiciousIPs": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                          },
                          "monitors": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                          },
                          "integrations": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                          },
                          "headerLinks": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                          },
                          "agents": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                          },
                          "alerts": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                          },
                          "analyticsEvents": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                          },
                          "topAttacks": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                          },
                          "tags": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/tags"
                          },
                          "rules": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/rules"
                          },
                          "members": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                          }
                        }
                        
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid block code - must be between 100 and 599"}
                        

Get site by name

get /corps/{corpName}/sites/{siteName}

Request

URI Parameters
Name
Type
Description
siteName
string required matching [0-9a-z_.-]+
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
name
stringmin len 3 max len 100

Identifying name of the site

displayName
stringmin len 3 max len 100

Display name of the site

agentLevel
string

Agent action level - 'block', 'log' or 'off'

agentAnonMode
stringdefault off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integerdefault 86400 max 31556900

Duration to block an IP in seconds

blockHTTPCode
integerdefault 406 min 301 max 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string

Created RFC3339 date time

whitelist
uri
string

Reference to the site's whitelist

blacklist
uri
string

Reference to the site's blacklist

blocklist
uri
string

Reference to the site's blocklist

events
uri
string

Reference to the site's events

requests
uri
string

Reference to the site's requests

redactions
uri
string

Reference to the site's redactions

suspiciousIPs
uri
string

Reference to the site's suspicious IPs

monitors
uri
string

Reference to the site's monitors

integrations
uri
string

Reference to the site's integrations

headerLinks
uri
string

Reference to the site's header links

agents
uri
string

Reference to the site's agents

alerts
uri
string

Reference to the site's alerts

analyticsEvents
uri
string

Reference to the site's analytics events

topAttacks
uri
string

Reference to the site's top attacks

members
uri
string

Reference to the site's members

Response Example
{
                              "name": "www.example.com",
                              "displayName": "My Website",
                              "agentLevel": "block",
                              "blockHTTPCode": 406,
                              "blockDurationSeconds": 86400,
                              "created": "2014-12-09T10:43:54-08:00",
                              "whitelist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                              },
                              "blacklist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                              },
                              "events": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                              },
                              "requests": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                              },
                              "redactions": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                              },
                              "suspiciousIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                              },
                              "rateLimitedIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/rateLimitedIPs"
                              },
                              "monitors": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                              },
                              "integrations": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                              },
                              "headerLinks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                              },
                              "agents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                              },
                              "alerts": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                              },
                              "analyticsEvents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                              },
                              "topAttacks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                              },
                              "members": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                              }
                            }
                            
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                            

Update a site by name

patch /corps/{corpName}/sites/{siteName}

Request

URI Parameters
Name
Type
Description
siteName
string required matching [0-9a-z_.-]+
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
name
stringmin len 3 max len 100

Identifying name of the site

displayName
stringmin len 3 max len 100

Display name of the site

agentLevel
string

Agent action level - 'block', 'log' or 'off'

agentAnonMode
stringdefault off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integerdefault 86400 max 31556900

Duration to block an IP in seconds

blockHTTPCode
integerdefault 406 min 301 max 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

Request Example
{
                              "displayName": "My Website1",
                              "agentLevel": "block",
                              "blockDurationSeconds": 259200
                            }
                            

Responses

HTTP 200
Name
Type
Description
name
stringmin len 3 max len 100

Identifying name of the site

displayName
stringmin len 3 max len 100

Display name of the site

agentLevel
string

Agent action level - 'block', 'log' or 'off'

agentAnonMode
stringdefault off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integerdefault 86400 max 31556900

Duration to block an IP in seconds

blockHTTPCode
integerdefault 406 min 301 max 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string

Created RFC3339 date time

whitelist
uri
string

Reference to the site's whitelist

blacklist
uri
string

Reference to the site's blacklist

blocklist
uri
string

Reference to the site's blocklist

events
uri
string

Reference to the site's events

requests
uri
string

Reference to the site's requests

redactions
uri
string

Reference to the site's redactions

suspiciousIPs
uri
string

Reference to the site's suspicious IPs

monitors
uri
string

Reference to the site's monitors

integrations
uri
string

Reference to the site's integrations

headerLinks
uri
string

Reference to the site's header links

agents
uri
string

Reference to the site's agents

alerts
uri
string

Reference to the site's alerts

analyticsEvents
uri
string

Reference to the site's analytics events

topAttacks
uri
string

Reference to the site's top attacks

members
uri
string

Reference to the site's members

Response Example
{
                              "name": "www.example.com",
                              "displayName": "My Website1",
                              "agentLevel": "block",
                              "blockHTTPCode": 406,
                              "blockDurationSeconds": 259200,
                              "created": "2014-12-09T10:43:54-08:00",
                              "whitelist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                              },
                              "blacklist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                              },
                              "events": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                              },
                              "requests": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                              },
                              "redactions": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                              },
                              "suspiciousIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                              },
                              "rateLimitedIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/rateLimitedIPs"
                              },
                              "monitors": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                              },
                              "integrations": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                              },
                              "headerLinks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                              },
                              "agents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                              },
                              "alerts": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                              },
                              "analyticsEvents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                              },
                              "topAttacks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                              },
                              "tags": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/tags"
                              },
                              "rules": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/advancedRules"
                              },
                              "members": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                              }
                            }
                            
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid block code - must be between 100 and 599"}
                            

Delete site

delete /corps/{corpName}/sites/{siteName}

Request

URI Parameters
Name
Type
Description
siteName
string required matching [0-9a-z_.-]+
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Delete successful

List site activity events

get /corps/{corpName}/sites/{siteName}/analytics/events

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

sort
one of (asc,desc) default desc

The sort order

since_id
string

The id of the last object in the set

max_id
string

The id of the last object in the set

limit
integer default 100 max 10000

The number of entries to be returned

page
integer

The page of the results - a maximum of 10000 requests in total will be returned

pretty
boolean

Pretty print the json output

events
one of (alerts,audits,excludeAgentsOnline)

Filter on events

eventType
string

Filter on event type

Responses

HTTP 200
Name
Type
Description
totalCount
integer

Total number of matching documents

next
uri
string

Reference to the next page of data

data
activityevent array
id
string

Unique ID of the activity event

eventType
string

Event type

msgData
object

Data used to format the message

attachments
0
objectrequired
Title
string
Fields
0
objectrequired
Title
string
Value
string
Short
boolean
MarkdownFields
boolean
message
string

Message of the event

created
string

Created RFC3339 date time

Response Example
{
                                  "totalCount": 5,
                                  "next": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events?limit=1&page=2"
                                  },
                                  "data": [
                                    {
                                      "id": "558cf75c3dfaa4b9c2000001",
                                      "eventType": "blacklistIP",
                                      "msgData": {"ip": "192.0.2.149"},
                                      "message": "User (user@example.com) blacklisted \"192.0.2.149\"",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                

Create or Update Edge Deployment

put /corps/{corpName}/sites/{siteName}/edgeDeployment

This call initializes the Next-Gen WAF deployment in Compute@Edge and configures the site for Edge Deployment.

Request

Headers
Name
Type
Description
Content-Type
string required

Must be 'application/json'

Responses

HTTP 200

Initialization successful

Create or Update Edge Deployment Service

put /corps/{corpName}/sites/{siteName}/edgeDeployment/{fastlySID}

This call copies the backends from the Fastly service to the Edge Deployment and configures the Fastly service with an edge dictionary and dynamic VCL snippets. These configurations are needed to forward traffic to the WAF. Note that the changes to the Fastly service will be activated unless the `activateVersion` field is passed as `false`.

Request

URI Parameters
Name
Type
Description
fastlySID
string required matching [0-9a-zA-Z]+}

Fastly service ID

Headers
Name
Type
Description
Fastly-Key
string required

Fastly API key with write access to the Fastly service

Content-Type
string required

Must be 'application/json'

Body (application/json)
Name
Type
Description
percentEnabled
integermax 100

Optional percent of requests that should be inspected by Next-Gen WAF

activateVersion
booleandefault true

Optional flag that indicates whether the VCL version should be activated (true) or not activated (false)

Request Example
{
                                      "percentEnabled": 0,
                                      "activateVersion": true
                                    }
                                    

Responses

HTTP 200

Service configuration successful

Detach Edge Deployment Service

delete /corps/{corpName}/sites/{siteName}/edgeDeployment/{fastlySID}

This call removes all backends from the Edge Deployment connected to the Fastly service and detaches the Fastly Service from the Edge Deployment. Note that requests will still forward the Edge Deployment until it is removed from the Fastly Service VCL.

Request

URI Parameters
Name
Type
Description
fastlySID
string required matching [0-9a-zA-Z]+}

Fastly service ID

Headers
Name
Type
Description
Fastly-Key
string required

Fastly API key with write access to the Fastly service

Content-Type
string required

Must be 'application/json'

Responses

HTTP 200

Service detachment successful

Update Edge Deployment backends

put /corps/{corpName}/sites/{siteName}/edgeDeployment/{fastlySID}/backends

This call checks if any changes were made to the Fastly service's backends and updates the Edge Deployment if necessary. Note that the Fastly service must already be configured for Edge Deployment.

Request

Headers
Name
Type
Description
Fastly-Key
string required

Fastly API key with read access to the Fastly service

Content-Type
string required

Must be 'application/json'

Responses

HTTP 200

Backend syncing successful

List site members

get /corps/{corpName}/sites/{siteName}/members

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
siteMember array
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                  "data": [
                                    {
                                      "user": {
                                        "name": "Example User",
                                        "email": "user@example.com",
                                        "status": "active",
                                        "authStatus": "none",
                                        "corpAuthType": "builtin",
                                        "apiUser": false
                                      },
                                      "role": "owner"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                

Add members to site

post /corps/{corpName}/sites/{siteName}/members

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
members
string arraymin len 1

List of existing user email addresses

Request Example
{
                                  "members: ["user@example.com"]
                                }
                                

Responses

HTTP 200
Name
Type
Description
data
siteMember array
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                  "data": [
                                    {
                                      "user": {
                                        "name": "Example User",
                                        "email": "user@example.com",
                                        "status": "active",
                                        "authStatus": "none",
                                        "corpAuthType": "builtin",
                                        "apiUser": false
                                      },
                                      "role": "owner"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid user"}
                                

Get site member by email

get /corps/{corpName}/sites/{siteName}/members/{siteMemberEmail}

Request

URI Parameters
Name
Type
Description
siteMemberEmail
string required
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                      "user": {
                                        "name": "Example User",
                                        "email": "user@example.com",
                                        "status": "active",
                                        "authStatus": "none",
                                        "corpAuthType": "builtin",
                                        "apiUser": false
                                      },
                                      "role": "owner"
                                    },
                                    
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

Delete from site members

delete /corps/{corpName}/sites/{siteName}/members/{siteMemberEmail}

Request

URI Parameters
Name
Type
Description
siteMemberEmail
string required
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Successful removal from the list

HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

Invite a site member

post /corps/{corpName}/sites/{siteName}/members/{siteMemberEmail}/invite

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
role
stringmin len 1

Role of the user (owner, admin, user, observer)

Request Example
{
                                          "role": "observer"
                                        }
                                        

Responses

HTTP 200
Name
Type
Description
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                          "user": {
                                            "name": "Example User",
                                            "email": "user@example.com",
                                            "status": "active",
                                            "authStatus": "none",
                                            "corpAuthType": "builtin",
                                            "apiUser": false
                                          },
                                          "role": "owner"
                                        }
                                        
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                        

List rules in site

get /corps/{corpName}/sites/{siteName}/rules

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
totalCount
number

Total count of Site Rules

data
siteRule array
id
string
siteNames
string array

Sites with the rule available.

type
string

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string

(block, allow, exclude) (rateLimit rule valid values: logRequest, blockSignal)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                  "data": {
                                    "totalCount": 1,
                                    "data": [
                                        {
                                            "id": "5e191909c931498586c6f537",
                                            "siteNames": [
                                                "www.example.com"
                                            ],
                                            "type": "request",
                                            "enabled": true,
                                            "groupOperator": "all",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.100"
                                                }
                                            ],
                                            "actions": [
                                                {
                                                    "type": "block"
                                                }
                                            ],
                                            "requestlogging": "sampled",
                                            "reason": "test",
                                            "expiration": "",
                                            "created": "2015-02-14T21:17:16Z",
                                            "updated": "2015-02-14T21:17:16Z"
                                        }
                                    ]
                                  }
                                }
                                

Create site rule

post /corps/{corpName}/sites/{siteName}/rules

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
siteNames
string array

Sites with the rule available.

type
string

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit. Can be set to ALL-REQUESTS to act upon all requests from a client.

type
string

(block, allow, exclude) (rateLimit rule valid values: logRequest, blockSignal)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for (default: 1, options: 1, 10)

duration
integer

Length of time in seconds to enforce the rule for once activated (default: 600, minimum: 300, maximum: 86400)

signal
string

The signal id of the signal being excluded (for rateLimit rules this is the signal to be attached)

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                  "type": "signal",
                                  "groupOperator": "all",
                                  "conditions": [
                                    {
                                      "type": "single",
                                      "field": "ip",
                                      "operator": "equals",
                                      "value": "198.51.100.136"
                                    },
                                    {
                                      "type": "group",
                                      "groupOperator": "any",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "233.252.0.212"
                                        }
                                      ]
                                    }
                                  ],
                                  "actions": [
                                    {
                                      "type": "excludeSignal"
                                    }
                                  ],
                                  "enabled": true,
                                  "reason": "Example site rule",
                                  "signal": "SQLI",
                                  "expiration": ""
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string
siteNames
string array

Sites with the rule available.

type
string

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string

(block, allow, exclude) (rateLimit rule valid values: logRequest, blockSignal)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                    "id": "5e321810f13d660ea4cd8d0f",
                                    "siteNames": [
                                        "www.example.com"
                                    ],
                                    "type": "signal",
                                    "enabled": true,
                                    "groupOperator": "all",
                                    "conditions": [
                                        {
                                            "type": "single",
                                            "field": "ip",
                                            "operator": "equals",
                                            "value": "198.51.100.136"
                                        },
                                        {
                                            "type": "group",
                                            "groupOperator": "any",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.212"
                                                }
                                            ]
                                        }
                                    ],
                                    "actions": [
                                        {
                                            "type": "excludeSignal"
                                        }
                                    ],
                                    "signal": "SQLI",
                                    "reason": "Example site rule",
                                    "expiration": "",
                                    "createdBy": "user@example.com",
                                    "created": "2020-01-29T23:41:04Z",
                                    "updated": "2020-01-29T23:41:04Z"
                                }
                                

Get site rule by id

get /corps/{corpName}/sites/{siteName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string
siteNames
string array

Sites with the rule available.

type
string

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string

(block, allow, exclude) (rateLimit rule valid values: logRequest, blockSignal)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                        "id": "5e321810f13d660ea4cd8d0f",
                                        "siteNames": [
                                            "www.example.com"
                                        ],
                                        "type": "signal",
                                        "enabled": true,
                                        "groupOperator": "all",
                                        "conditions": [
                                            {
                                                "type": "single",
                                                "field": "ip",
                                                "operator": "equals",
                                                "value": "192.0.2.137"
                                            },
                                            {
                                                "type": "group",
                                                "groupOperator": "any",
                                                "conditions": [
                                                    {
                                                        "type": "single",
                                                        "field": "ip",
                                                        "operator": "equals",
                                                        "value": "203.0.113.247"
                                                    }
                                                ]
                                            }
                                        ],
                                        "actions": [
                                            {
                                                "type": "excludeSignal"
                                            }
                                        ],
                                        "signal": "SQLI",
                                        "reason": "Example site rule",
                                        "expiration": "",
                                        "createdBy": "user@example.com",
                                        "created": "2020-01-29T23:41:04Z",
                                        "updated": "2020-01-29T23:41:04Z"
                                    }
                                    

Update site rule

put /corps/{corpName}/sites/{siteName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
siteNames
string array

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit. Can be set to ALL-REQUESTS to act upon all requests from a client.

type
string

(block, allow, exclude) (rateLimit rule valid values: logRequest, blockSignal)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for (default: 1, options: 1, 10)

duration
integer

Length of time in seconds to enforce the rule for once activated (default: 600, minimum: 300, maximum: 86400)

signal
string

The signal id of the signal being excluded (for rateLimit rules this is the signal to be attached)

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                      "id": "5e321810f13d660ea4cd8d0f",
                                      "type": "signal",
                                      "enabled": true,
                                      "groupOperator": "all",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "198.51.100.177"
                                        },
                                        {
                                          "type": "group",
                                          "groupOperator": "any",
                                          "conditions": [
                                            {
                                              "type": "single",
                                              "field": "ip",
                                              "operator": "equals",
                                              "value": "203.0.113.247"
                                            }
                                          ]
                                        }
                                      ],
                                      "actions": [
                                        {
                                          "type": "excludeSignal"
                                        }
                                      ],
                                      "signal": "SQLI",
                                      "reason": "Known malicious IPs",
                                      "expiration": ""
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string
siteNames
string array

Sites with the rule available.

type
string

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
groupOperator
string

Conditions that must be matched when evaluating the request (all, any)

conditions
type
string

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueIp, signalType)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string

(block, allow, exclude) (rateLimit rule valid values: logRequest, blockSignal)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

requestlogging
stringdefault sampled

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string

Description of the rule

expiration
string

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string

The user that created the rule

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                        "id": "5e321810f13d660ea4cd8d0f",
                                        "siteNames": [
                                            "www.example.com"
                                        ],
                                        "type": "signal",
                                        "enabled": true,
                                        "groupOperator": "all",
                                        "conditions": [
                                            {
                                                "type": "single",
                                                "field": "ip",
                                                "operator": "equals",
                                                "value": "198.51.100.177"
                                            },
                                            {
                                                "type": "group",
                                                "groupOperator": "any",
                                                "conditions": [
                                                    {
                                                        "type": "single",
                                                        "field": "ip",
                                                        "operator": "equals",
                                                        "value": "203.0.113.247"
                                                    }
                                                ]
                                            }
                                        ],
                                        "actions": [
                                            {
                                                "type": "excludeSignal"
                                            }
                                        ],
                                        "signal": "SQLI",
                                        "reason": "Known malicious IPs",
                                        "expiration": "",
                                        "createdBy": "user@example.com",
                                        "created": "2020-01-29T23:41:04Z",
                                        "updated": "2020-01-29T23:45:21Z"
                                    }
                                    

Delete rule from site

delete /corps/{corpName}/sites/{siteName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 204

Delete successful

List available rule templates

get /corps/{corpName}/sites/{siteName}/templates

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
template array
id
string
name
string

Name of templated rule

shortName
string

Display name of templated rule

description
string

Description of templated rule

fields
name
string

Name of template field

type
string

Value type of template field

label
string

Short description for template field

placeholder
string

Placeholder value for template field

Response Example
{
                                  "data": [
                                    {
                                      "id": "LOGINATTEMPT",
                                      "name": "LOGINATTEMPT",
                                      "shortName": "Login Attempts",
                                      "description": "Indicates a login attempt",
                                      "fields": [
                                        {
                                            "name": "path",
                                            "type": "string",
                                            "label": "If a request's POST path equals",
                                            "placeholder": "/auth/*"
                                        }
                                      ]
                                    },
                                    {
                                      "id": "REGATTEMPT",
                                      "name": "REGATTEMPT",
                                      "shortName": "Registration Attempts",
                                      "description": "Indicates a registration attempt",
                                      "fields": [
                                        {
                                            "name": "path",
                                            "type": "string",
                                            "label": "If a request's POST path equals",
                                            "placeholder": "/register/*"
                                        }
                                      ]
                                    }
                                  ]
                                }
                                

Get rule template by id

get /corps/{corpName}/sites/{siteName}/templates/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string
name
string

Name of templated rule

shortName
string

Display name of templated rule

description
string

Description of templated rule

fields
name
string

Name of template field

type
string

Value type of template field

label
string

Short description for template field

placeholder
string

Placeholder value for template field

Response Example
{
                                      "id": "LOGINATTEMPT",
                                      "name": "LOGINATTEMPT",
                                      "shortName": "Login Attempts",
                                      "description": "Indicates a login attempt",
                                      "fields": [
                                          {
                                              "name": "path",
                                              "type": "string",
                                              "label": "If a request's POST path equals",
                                              "placeholder": "/auth/*"
                                          }
                                      ]
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

List configured templated rules

get /corps/{corpName}/sites/{siteName}/configuredtemplates

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
configuredTemplate array
name
string
detections
configuredTemplateDetection array
id
string
name
string

Name of templated rule

enabled
boolean

A flag to toggle this detection

fields
name
string
value
integer,string,boolean
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

alerts
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
Response Example
{
                                  "data": [
                                    {
                                      "name": "LOGINATTEMPT",
                                      "detections": [
                                          {
                                              "id": "5e4d815ac931492a13d95e60",
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ],
                                              "created": "2020-02-19T10:41:30-08:00",
                                              "createdBy": "user@example.com"
                                          }
                                      ],
                                      "alerts": [
                                          {
                                              "id": "5e4d815ac931492a13d95e62",
                                              "tagName": "LOGINATTEMPT",
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "type": "template",
                                              "interval": 1,
                                              "threshold": 50,
                                              "skipNotifications": false,
                                              "enabled": true,
                                              "action": "info",
                                              "fieldName": "remoteIP",
                                              "createdBy": "",
                                              "created": "2020-02-19T18:41:30Z"
                                          }
                                      ]
                                    }
                                  ]
                                }
                                

Get configured template rule by id

get /corps/{corpName}/sites/{siteName}/configuredtemplates/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string
name
string

Name of templated rule

shortName
string

Display name of templated rule

description
string

Description of templated rule

fields
name
string

Name of template field

type
string

Value type of template field

label
string

Short description for template field

placeholder
string

Placeholder value for template field

Response Example
{
                                      "name": "LOGINATTEMPT",
                                      "detections": [
                                          {
                                              "id": "5e4d815ac931492a13d95e60",
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ],
                                              "created": "2020-02-19T10:41:30-08:00",
                                              "createdBy": "user@example.com"
                                          }
                                      ],
                                      "alerts": [
                                          {
                                              "id": "5e4d815ac931492a13d95e62",
                                              "tagName": "LOGINATTEMPT",
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "type": "template",
                                              "interval": 1,
                                              "threshold": 50,
                                              "skipNotifications": false,
                                              "enabled": true,
                                              "action": "info",
                                              "fieldName": "remoteIP",
                                              "createdBy": "",
                                              "created": "2020-02-19T18:41:30Z"
                                          }
                                      ]
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

Update site template rule by name

post /corps/{corpName}/sites/{siteName}/configuredtemplates/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
alertAdds
configuredTemplateAlertAdd array
longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integermin 1 max 10000

The number of occurrences of the tag in the interval needed to trigger the alert.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

alertDeletes
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
alertUpdates
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
detectionAdds
configuredTemplateDetectionAdd array
enabled
boolean

A flag to toggle this detection

fields
name
string
value
integer,string,boolean
detectionDeletes
configuredTemplateDetection array
id
string
name
string

Name of templated rule

enabled
boolean

A flag to toggle this detection

fields
name
string
value
integer,string,boolean
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

detectionUpdates
configuredTemplateDetection array
id
string
name
string

Name of templated rule

enabled
boolean

A flag to toggle this detection

fields
name
string
value
integer,string,boolean
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

Request Example
{
                                      "alertAdds": [
                                          {
                                              "action": "info",
                                              "enabled": true,
                                              "interval": 1,
                                              "skipNotifications": false,
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "threshold": 50
                                          }
                                      ],
                                      "alertDeletes": [],
                                      "alertUpdates": [],
                                      "detectionAdds": [
                                          {
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ]
                                          }
                                      ],
                                      "detectionDeletes": [],
                                      "detectionUpdates": []
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
name
string
detections
configuredTemplateDetection array
id
string
name
string

Name of templated rule

enabled
boolean

A flag to toggle this detection

fields
name
string
value
integer,string,boolean
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

alerts
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
Response Example
{
                                      "name": "LOGINATTEMPT",
                                      "detections": [
                                          {
                                              "id": "5e4d815ac931492a13d95e60",
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ],
                                              "created": "2020-02-19T10:41:30-08:00",
                                              "createdBy": "user@example.com"
                                          }
                                      ],
                                      "alerts": [
                                          {
                                              "id": "5e4d815ac931492a13d95e62",
                                              "tagName": "LOGINATTEMPT",
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "type": "template",
                                              "interval": 1,
                                              "threshold": 50,
                                              "skipNotifications": false,
                                              "enabled": true,
                                              "action": "info",
                                              "fieldName": "remoteIP",
                                              "createdBy": "",
                                              "created": "2020-02-19T18:41:30Z"
                                          }
                                      ]
                                    }
                                    
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Validation failed"}
                                    

List signal tags in site

get /corps/{corpName}/sites/{siteName}/tags

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
siteSignalTag array
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                  "data": [
                                    {
                                      "shortName": "OAuth Login",
                                      "tagName": "site.oauth-login",
                                      "longName": "OAuth Login",
                                      "description": "An attempt to sign in via OAuth. Tracks the occurrence of a specific event that only happens on our site",
                                      "configurable": false,
                                      "informational": false,
                                      "needsResponse": false,
                                      "createdBy": "user@example.com",
                                      "created": "2020-01-21T21:31:52Z"
                                    }
                                  ]
                                }
                                

Create site signal tag

post /corps/{corpName}/sites/{siteName}/tags

Request

Body (application/json)
Name
Type
Description
shortName
stringmin len 3 max len 25

The display name of the signal tag

description
stringmax len 140

Optional signal tag description

Request Example
{
                                  "shortName": "example-signal-tag",
                                  "description": "Tracks the occurrence of a specific event that only happens on our site."
                                }
                                

Responses

HTTP 201
Name
Type
Description
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                  "shortName": "example-signal-tag",
                                  "tagName": "site.example-signal-tag",
                                  "longName": "example-signal-tag",
                                  "description": "Tracks the occurrence of a specific event that only happens on our site",
                                  "configurable": false,
                                  "informational": false,
                                  "needsResponse": false,
                                  "createdBy": "user@example.com",
                                  "created": "2020-01-21T23:23:03Z"
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"validation error/duplicate tag name"}
                                

Get site signal tag by tagName

get /corps/{corpName}/sites/{siteName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string required

Responses

HTTP 200
Name
Type
Description
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                      "shortName": "example-signal-tag",
                                      "tagName": "site.example-signal-tag",
                                      "longName": "example-signal-tag",
                                      "description": "An example of a custom site signal tag",
                                      "configurable": false,
                                      "informational": false,
                                      "needsResponse": false,
                                      "createdBy": "user@example.com",
                                      "created": "2020-01-21T23:23:03Z"
                                    }
                                    

Update site signal tag

patch /corps/{corpName}/sites/{siteName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string required
Body (application/json)
Name
Type
Description
description
stringmax len 140

Optional signal tag description

Request Example
{
                                     "description": "An updated example of a custom signal tag."
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
shortName
string

The display name of the signal tag

tagName
string

The identifier for the signal tag

longName
string

The display name of the signal tag - deprecated

description
string

Optional signal tag description

configurable
boolean
informational
boolean
needsResponse
boolean
createdBy
string

Email address of the user that created the resource

created
string

Created RFC3339 date time

Response Example
{
                                      "shortName": "example-signal-tag",
                                      "tagName": "site.example-signal-tag",
                                      "longName": "example-signal-tag",
                                      "description": "An updated example of a custom signal tag.",
                                      "configurable": false,
                                      "informational": false,
                                      "needsResponse": false,
                                      "createdBy": "user@example.com",
                                      "created": "2020-01-21T23:23:03Z"
                                    }
                                    

Delete signal tag from site

delete /corps/{corpName}/sites/{siteName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string required

Responses

HTTP 204

Delete successful

Get all lists

get /corps/{corpName}/sites/{siteName}/lists

Request

Responses

HTTP 200
Name
Type
Description
data
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                  "data": [
                                    {
                                      "id": "site.known-attackers",
                                      "name": "Known Attackers",
                                      "type": "ip",
                                      "description": "Malicious IPs we're tracking",
                                      "entries": [
                                        "203.0.113.247",
                                        "198.51.100.177",
                                        "192.0.2.137"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-06T18:57:55Z",
                                      "updated": "2018-08-13T15:26:01Z"
                                    },
                                    {
                                      "id": "site.ofac-countries",
                                      "name": "OFAC Countries",
                                      "type": "country",
                                      "description": "Countries on the OFAC list",
                                      "entries": [
                                        "MM",
                                        "CI",
                                        "CU",
                                        "IR",
                                        "KP",
                                        "SY"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-03T20:50:54Z",
                                      "updated": "2018-08-03T20:50:59Z"
                                    }
                                  ]
                                }
                                

Create list

post /corps/{corpName}/sites/{siteName}/lists

Request

Body (application/json)
Name
Type
Description
name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard, signal)

description
stringmax len 140

Optional list description

entries
string array

List entries

Request Example
{
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "203.0.113.247",
                                    "198.51.100.177",
                                    "192.0.2.137"
                                  ]
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                  "id": "site.my-new-list",
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "203.0.113.247",
                                    "198.51.100.177",
                                    "192.0.2.137"
                                  ],
                                  "createdBy": "user@example.com",
                                  "created": "2018-08-16T17:38:27Z",
                                  "updated": "2018-08-16T17:38:27Z"
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"List cannot be deleted because a rule uses it"}
                                

Get list by id

get /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "id": "site.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're putting in a list",
                                      "entries": [
                                        "203.0.113.247",
                                        "198.51.100.177",
                                        "192.0.2.137"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T17:38:27Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

Update list by id

patch /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
description
stringmax len 140

Optional list description

entries
additions
string array

List additions

deletions
string array

List deletions

Request Example
{
                                      "entries": {
                                        "additions": [
                                          "203.0.113.6"
                                        ],
                                        "deletions": [
                                          "203.0.113.247",
                                          "192.0.2.137"
                                        ]
                                      }
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "id": "site.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "198.51.100.177",
                                        "203.0.113.6"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

Replace list by id

put /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
description
stringmax len 140

Optional list description

entries
string array

List entries

Request Example
{
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "203.0.113.247",
                                        "192.0.2.137",
                                        "192.0.2.223"
                                      ]
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
stringmin len 3 max len 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
stringmax len 140

Optional list description

entries
string array

List entries

createdBy
string

Email address of the user that created the item

created
string

Created RFC3339 date time

updated
string

Last updated RFC3339 date time

Response Example
{
                                      "id": "site.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "203.0.113.247",
                                        "192.0.2.137",
                                        "192.0.2.223"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

Delete list

delete /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 204

Successful removal from the list

HTTP 404
Name
Type
Description
message
string

Error message

Response Example
{"message":"ID not found"}
                                    

List alerts

get /corps/{corpName}/sites/{siteName}/alerts

Request

Responses

HTTP 200
Name
Type
Description
data
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
Response Example
{
                                  data: [
                                    {
                                        "id": "5e45dc78c931491dc923e4a6",
                                        "tagName": "site.example-signal-tag",
                                        "longName": "Alert",
                                        "type": "siteAlert",
                                        "interval": 1,
                                        "threshold": 10,
                                        "skipNotifications": false,
                                        "enabled": true,
                                        "action": "flagged",
                                        "fieldName": "remoteIP",
                                        "createdBy": "user@example.com",
                                        "created": "2020-02-13T23:23:03Z",
                                        "updated": "2020-01-13T23:23:03Z"
                                    }
                                  ]
                                }
                                

Create alert

post /corps/{corpName}/sites/{siteName}/alerts

Request

Body (application/json)
Name
Type
Description
tagName
string

The name of the tag whose occurrences the alert is watching. Must match an existing tag

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integermin 1 max 10000

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

Request Example
{
                                  "tagName": "custom-tag",
                                  "longName": "Example Alert",
                                  "interval": 1,
                                  "threshold": 10,
                                  "enabled": true,
                                  "action": "flagged"
                                }
                                

Responses

HTTP 201
Name
Type
Description
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
Response Example
{
                                  "id": "5e45dc78c931491dc923e4a6",
                                  "tagName": "site.example-signal-tag",
                                  "longName": "Alert",
                                  "type": "siteAlert",
                                  "interval": 1,
                                  "threshold": 10,
                                  "skipNotifications": false,
                                  "enabled": true,
                                  "action": "flagged",
                                  "fieldName": "remoteIP",
                                  "createdBy": "user@example.com",
                                  "created": "2020-02-13T23:23:03Z",
                                  "updated": "2020-01-13T23:23:03Z"
                                }
                                

Get alert

get /corps/{corpName}/sites/{siteName}/alerts/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
Response Example
{
                                      "id": "5e45dc78c931491dc923e4a6",
                                      "tagName": "site.example-signal-tag",
                                      "longName": "Alert",
                                      "type": "siteAlert",
                                      "interval": 1,
                                      "threshold": 10,
                                      "skipNotifications": false,
                                      "enabled": true,
                                      "action": "flagged",
                                      "fieldName": "remoteIP",
                                      "createdBy": "user@example.com",
                                      "created": "2020-02-13T23:23:03Z",
                                      "updated": "2020-01-13T23:23:03Z"
                                    }
                                    

Update alert

patch /corps/{corpName}/sites/{siteName}/alerts/{id}

Request

URI Parameters
Name
Type
Description
id
string required
Body (application/json)
Name
Type
Description
tagName
string

The name of the tag whose occurrences the alert is watching. Must match an existing tag

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integermin 1 max 10000

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

Request Example
{
                                      "tagName": "custom-tag",
                                      "interval": 1,
                                      "threshold": 10,
                                      "enabled": true,
                                      "action": "flagged"
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the alert

tagName
string

The name of the tag whose occurrences the alert is watching.

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

type
string

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
createdBy
string

The email of the user that created the alert

created
string

Created RFC3339 date time

operator
string
Response Example
{
                                      "id": "random-uuid-string",
                                      "siteId": "site-id-hex",
                                      "tagName": "custom-tag",
                                      "interval": 1,
                                      "threshold": 10,
                                      "enabled": true,
                                      "action": "flagged",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                    

Delete alert

delete /corps/{corpName}/sites/{siteName}/alerts/{id}

Request

URI Parameters
Name
Type
Description
id
string required

Responses

HTTP 204

Delete successful

Search requests

get /corps/{corpName}/sites/{siteName}/requests

Request

Query Parameters
Name
Type
Description
page
integer

The page of the results - a maximum of 10000 requests in total will be returned

limit
integer default 100 max 10000

The number of entries to be returned

pretty
boolean

Pretty print the json output

q
string

Search query. See Search Syntax.

Responses

HTTP 200
Name
Type
Description
totalCount
integer

Total number of records matching the search

next
uri
string

Reference to the next page of data

data
request array
id
string

Unique ID of the request

timestamp
string

Timestamp RFC3339 date time

serverHostname
string

Server hostname

serverName
string

Server name

uri
string

URI

path
string

Path

userAgent
string

User agent of the request

remoteIP
string

Remote IP address

remoteHostname
string

Remote hostname

remoteCountryCode
string

Remote country code

method
string

HTTP method e.g. PUT

protocol
string

HTTP protocol e.g. HTTP/1.1

responseCode
integer

HTTP response code

responseSize
integer

HTTP response size

responseMillis
integer

Response time in millis

agentResponseCode
integer

Agent response code

tags
type
string

Type of tag

location
string

Where the tag was detected

value
string

Value

detector
string

Detector

Response Example
{
                                  "totalCount": 3,
                                  "next": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests?limit=1&page=1"
                                  },
                                  "data": [
                                      {
                                          "id": "54871be4f749437f4f00008d",
                                          "serverHostname": "local",
                                          "remoteIP": "95.128.246.44",
                                          "remoteHostname": "95-128-246-44.avk-com.ru",
                                          "remoteCountryCode": "RU",
                                          "userAgent": "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000691)",
                                          "timestamp": "2014-12-09T15:57:24Z",
                                          "method": "PUT",
                                          "serverName": "",
                                          "protocol": "HTTP/1.1",
                                          "path": "/help/../../../../../../../../../../../../../../../../etc/shadow",
                                          "uri": "",
                                          "responseCode": 503,
                                          "responseSize": 88336,
                                          "responseMillis": 0,
                                          "agentResponseCode": 200,
                                          "tags": [
                                              {
                                                  "type": "HTTP503",
                                                  "location": "HTTP",
                                                  "value": "503",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SANS",
                                                  "location": "HTTP",
                                                  "value": "95.128.246.44",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SQLI",
                                                  "location": "QUERYSTRING",
                                                  "value": "foo=1 OR 1",
                                                  "detector": "bogus"
                                              }
                                          ]
                                      }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                

Get request by ID

get /corps/{corpName}/sites/{siteName}/requests/{requestID}

Request

URI Parameters
Name
Type
Description
requestID
string required
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string

Unique ID of the request

timestamp
string

Timestamp RFC3339 date time

serverHostname
string

Server hostname

serverName
string

Server name

uri
string

URI

path
string

Path

userAgent
string

User agent of the request

remoteIP
string

Remote IP address

remoteHostname
string

Remote hostname

remoteCountryCode
string

Remote country code

method
string

HTTP method e.g. PUT

protocol
string

HTTP protocol e.g. HTTP/1.1

responseCode
integer

HTTP response code

responseSize
integer

HTTP response size

responseMillis
integer

Response time in millis

agentResponseCode
integer

Agent response code

tags
type
string

Type of tag

location
string

Where the tag was detected

value
string

Value

detector
string

Detector

Response Example
{
                                        "id": "54871be4f749437f4f00008d",
                                        "serverHostname": "local",
                                        "remoteIP": "95.128.246.44",
                                        "remoteHostname": "95-128-246-44.avk-com.ru",
                                        "remoteCountryCode": "RU",
                                        "userAgent": "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000691)",
                                        "timestamp": "2014-12-09T15:57:24Z",
                                        "method": "PUT",
                                        "serverName": "",
                                        "protocol": "HTTP/1.1",
                                        "path": "/help/../../../../../../../../../../../../../../../../etc/shadow",
                                        "uri": "",
                                        "responseCode": 503,
                                        "responseSize": 88336,
                                        "agentResponseCode": 200,
                                        "tags": [
                                            {
                                              "type": "HTTP503",
                                              "location": "HTTP",
                                              "value": "503",
                                              "detector": "bogus"
                                            },
                                            {
                                                "type": "SANS",
                                                "location": "HTTP",
                                                "value": "95.128.246.44",
                                                "detector": "bogus"
                                            },
                                            {
                                                "type": "SQLI",
                                                "location": "QUERYSTRING",
                                                "value": "foo=1 OR 1",
                                                "detector": "bogus"
                                            }
                                        ]
                                    }
                                    
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                    

Get request feed

get /corps/{corpName}/sites/{siteName}/feed/requests

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

from
integer required

The POSIX Unix time to start. Has restrictions - see Extracting Your Data.

until
integer required

The POSIX Unix time to end. Has restrictions - see Extracting Your Data.

tags
string

Limits feed to specific tags, comma-separated list - see System Tags.

Responses

HTTP 200
Name
Type
Description
next
uri
string

Reference to the next page of data

data
request array
id
string

Unique ID of the request

timestamp
string

Timestamp RFC3339 date time

serverHostname
string

Server hostname

serverName
string

Server name

uri
string

URI

path
string

Path

userAgent
string

User agent of the request

remoteIP
string

Remote IP address

remoteHostname
string

Remote hostname

remoteCountryCode
string

Remote country code

method
string

HTTP method e.g. PUT

protocol
string

HTTP protocol e.g. HTTP/1.1

responseCode
integer

HTTP response code

responseSize
integer

HTTP response size

responseMillis
integer

Response time in millis

agentResponseCode
integer

Agent response code

tags
type
string

Type of tag

location
string

Where the tag was detected

value
string

Value

detector
string

Detector

Response Example
{
                                  "next": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/feed/requests?next=cXVlcnlUaGVuRmV0Y2g7Mjs4NDM6cGhsQU1DdHRUTWEtWTJNdFRucVpDZzs4NDI6cGhsQU1DdHRUTWEtWTJNdFRucVpDZzswOw=="
                                  },
                                  "data": [
                                      {
                                          "id": "54871be4f749437f4f00008d",
                                          "serverHostname": "local",
                                          "remoteIP": "95.128.246.44",
                                          "remoteHostname": "95-128-246-44.avk-com.ru",
                                          "remoteCountryCode": "RU",
                                          "userAgent": "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000691)",
                                          "timestamp": "2014-12-09T15:57:24Z",
                                          "method": "PUT",
                                          "serverName": "",
                                          "protocol": "HTTP/1.1",
                                          "path": "/help/../../../../../../../../../../../../../../../../etc/shadow",
                                          "uri": "",
                                          "responseCode": 503,
                                          "responseSize": 88336,
                                          "responseMillis": 0,
                                          "agentResponseCode": 200,
                                          "tags": [
                                              {
                                                  "type": "HTTP503",
                                                  "location": "HTTP",
                                                  "value": "503",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SANS",
                                                  "location": "HTTP",
                                                  "value": "95.128.246.44",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SQLI",
                                                  "location": "QUERYSTRING",
                                                  "value": "foo=1 OR 1",
                                                  "detector": "bogus"
                                              }
                                          ]
                                      }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid timestamp param"}
                                
HTTP 500
Name
Type
Description
message
string

Error message

Response Example
{"message":"Error performing search"}
                                
HTTP 504
Name
Type
Description
message
string

Error message

Response Example
{"message":"Feed timeout exceeded"}
                                

List events

get /corps/{corpName}/sites/{siteName}/events

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

sort
one of (asc,desc) default desc

The sort order

since_id
string

The id of the last object in the set

max_id
string

The id of the last object in the set

limit
integer default 100 max 10000

The number of entries to be returned

page
integer

The page of the results - a maximum of 10000 requests in total will be returned

pretty
boolean

Pretty print the json output

action
one of (flagged,info)

Filter based on action

tag
string min len 3 matching [a-zA-Z0-9_-]+

Filter based on tag

ip
string min len 7 max len 15

Filter based on IP

status
one of (active,expired)

Filter based on status

Responses

HTTP 200
Name
Type
Description
totalCount
integer

Total number of matching documents

next
uri
string

Reference to the next page of data

data
id
string

Unique ID of the event

timestamp
string

Timestamp RFC3339 date time

source
string

Source information

remoteCountryCode
string

Country code

remoteHostname
string

Remote hostname

userAgents
useragents
string

Useragents

action
string

Either "flagged" (IP is flagged and subsequent malicious requests will be blocked) or "info" (IP is flagged and subsequent requests will be logged).

reasons
object

Key attack type - value number of

requestCount
integer

Total number of requests

tagCount
integer

Total number of tags

window
integer

Time window in seconds where the items were detected

expires
string

Expires RFC3339 date time

expiredBy
string

email of the user if the event is expired manually

Response Example
{
                                  "totalCount": 5,
                                  "next": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/events?limit=1&page=2"
                                  },
                                  "data": [
                                    {
                                      "id": "54de69dcba53b02fbf000018",
                                      "timestamp": "2015-02-13T21:17:16Z",
                                      "source": "162.245.23.109",
                                      "remoteCountryCode": "AU",
                                      "remoteHostname": "",
                                      "userAgents": [
                                        "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
                                      ],
                                      "action": "flagged",
                                      "type": "attack",
                                      "reasons": {
                                        "SQLI": 99
                                      },
                                      "requestCount": 1,
                                      "tagCount": 1,
                                      "window": 60,
                                      "expires": "2015-02-14T21:17:16Z",
                                      "expiredBy": ""
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string

Error message

Response Example
{"message":"Invalid site"}
                                

Get event by ID

get /corps/{corpName}/sites/{siteName}/events/{eventID}

Request

URI Parameters
Name
Type
Description
eventID
string required
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string

Unique ID of the event

timestamp
string

Timestamp RFC3339 date time

source
string

Source information

remoteCountryCode
string

Country code

remoteHostname
string

Remote hostname

userAgents
useragents
string

Useragents

action
string

Either "flagged" (IP is flagged and subsequent malicious requests will be blocked) or "info" (IP is flagged and subsequent requests will be logged).

reasons
object

Key attack type - value number of

requestCount
integer

Total number of requests

tagCount
integer

Total number of tags

window
integer

Time window in seconds where the items were detected

expires
string

Expires RFC3339 date time

expiredBy
string

email of the user if the event is expired manually

Response Example
{
                                      "id": "54de69dcba53b02fbf000018",