Sites
NOTE
Next-Gen WAF documentation has been moved to the Fastly Documentation website. You can continue to find Next-Gen WAF API reference documentation at this website.

Next-Gen WAF API docs


NOTE
This API is only available to Next-Gen WAF customers with access to the Next-Gen WAF control panel. If you have access to the Next-Gen WAF product in the Fastly control panel, check out the Fastly Security API.

Accessing the API

Base URL
                          https://dashboard.signalsciences.net/api/v0
                        
Examples

For examples on how to authenticate against and use the API, see Using our API.

Auth

Log into the API

post /auth

Request

Form Parameters
Name
Type
Description
email
string
required: true
password
string
min len: 8
required: true

Responses

HTTP 200
Name
Type
Description
token
string
required: true

Token to be used in subsequent requests for authentication

Response Example
{
                          "token": "a3024fcf-0c8a-43d8-b70b-ed537fe50650"
                        }
                        
HTTP 401

Login failed

Log out the session

get /auth/logout

Request

No request parameters.

Responses

HTTP 302

Redirects to the login page

Corps

List corps

get /corps

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
name
string
read only: true

Identifying name of the corp

displayName
string
min len: 3
max len: 100

Display name of the corp

smallIconURI
string
max len: 200

Small icon URI

created
string
format: date-time
read only: true

Created RFC3339 date time

siteLimit
integer
read only: true

Site limit

sites
uri
string
read only: true

URI sub sites

authType
string
read only: true

Authentication method

sessionMaxAgeDashboard
integer
default: 2592000
min len: 60
max len: 31536000

Dashboard session timeout (seconds)

Response Example
{
                          "data": [
                              {
                                  "name": "testcorp",
                                  "displayName": "Test Corporation",
                                  "smallIconURI": "",
                                  "created": "2014-12-09T10:43:54-08:00",
                                  "siteLimit": 5,
                                  "sites": {
                                      "uri": "/api/v0/corps/testcorp/sites"
                                  },
                                  "authType": "builtin",
                                  "sessionMaxAgeDashboard": 2592000,
                              }
                          ]
                        }
                        

Get corp by name

get /corps/{corpName}

Request

URI Parameters
Name
Type
Description
corpName
string
matching: [0-9a-z_.-]+
required: true

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
name
string
read only: true

Identifying name of the corp

displayName
string
min len: 3
max len: 100

Display name of the corp

smallIconURI
string
max len: 200

Small icon URI

created
string
format: date-time
read only: true

Created RFC3339 date time

siteLimit
integer
read only: true

Site limit

sites
uri
string
read only: true

URI sub sites

authType
string
read only: true

Authentication method

sessionMaxAgeDashboard
integer
default: 2592000
min len: 60
max len: 31536000

Dashboard session timeout (seconds)

Response Example
{
                              "name": "testcorp",
                              "displayName": "Test Corporation",
                              "smallIconURI": "",
                              "created": "2014-12-09T10:43:54-08:00",
                              "siteLimit": 5,
                              "sites": {
                                  "uri": "/api/v0/corps/testcorp/sites"
                              },
                              "authType": "builtin",
                              "sessionMaxAgeDashboard": 2592000,
                            }
                            

Update corp by name

patch /corps/{corpName}

Request

URI Parameters
Name
Type
Description
corpName
string
matching: [0-9a-z_.-]+
required: true

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
displayName
string
min len: 3
max len: 100

Display name of the corp

smallIconURI
string
max len: 200

Small icon URI

sessionMaxAgeDashboard
integer
default: 2592000
min len: 60
max len: 31536000

Dashboard session timeout (seconds)

Request Example
{
                              "displayName": "Test Corporation1"
                            }
                            

Responses

HTTP 200

Successful update

Name
Type
Description
name
string
read only: true

Identifying name of the corp

displayName
string
min len: 3
max len: 100

Display name of the corp

smallIconURI
string
max len: 200

Small icon URI

created
string
format: date-time
read only: true

Created RFC3339 date time

siteLimit
integer
read only: true

Site limit

sites
uri
string
read only: true

URI sub sites

authType
string
read only: true

Authentication method

sessionMaxAgeDashboard
integer
default: 2592000
min len: 60
max len: 31536000

Dashboard session timeout (seconds)

Response Example
{
                              "name": "testcorp",
                              "displayName": "Test Corporation1",
                              "smallIconURI": "",
                              "created": "2014-12-09T10:43:54-08:00",
                              "siteLimit": 5,
                              "sites": {
                                  "uri": "/api/v0/corps/testcorp/sites"
                              },
                              "authType": "builtin",
                              "sessionMaxAgeDashboard": 2592000,
                            }
                            
HTTP 400

Failed due to data input

Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid displayName - must be between 3 and 100 characters."}
                            

Get corp overview report

get /corps/{corpName}/reports/attacks

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

from
string
default: -7d

Number of days ago to begin the data window. Takes the format "-Nd" where N is the number of days (maximum 30).

until
string
default: now

Number of days ago to end the data window. Takes the format "-Nd" where N is the number of days (maximum 30).

Responses

HTTP 200
Name
Type
Description
data
overviewSite array
required: true
name
string

Identifying name of the site

displayName
string

Display name of the site

totalCount
integer

Total number of requests

attackCount
integer

Number of malicious requests

blockedCount
integer

Number of malicious requests blocked

flaggedCount
integer

Number of malicious requests that would have been blocked in blocking mode

flaggedIPCount
integer

Number of IPs that triggered blocking events due to malicious signals

topAttackTypes
topAttackType array
tagName
string

Attack tag name

tagCount
integer

Number of instances of this attack tag

totalCount
integer

Total attack tags seen (note - requests can have multiple tags)

topAttackSources
topAttackSource array
countryCode
string

Two-letter ISO country code (note - empty for "Unknown", "private" for "Private Network"

countryName
string

Descriptive country name

requestCount
integer

Number of requests originating from this country

totalCount
integer

Total attack requests

Response Example
{
                                  "data": [
                                    {
                                      "name":"www.example.com",
                                      "displayName":"Example Site",
                                      "totalCount":49285068291,
                                      "blockedCount":29184,
                                      "flaggedCount":0,
                                      "attackCount":43129,
                                      "previousPeriodAttackCount": 40218,
                                      "previousPeriodBlockedCount": 39190,
                                      "flaggedIPCount":15,
                                      "topAttackTypes":[
                                          {
                                              "tagName":"Attack Tooling",
                                              "tagCount":32551,
                                              "totalCount":49712
                                          },
                                          {
                                              "tagName":"CMDEXE",
                                              "tagCount":5065,
                                              "totalCount":49712
                                          },
                                          {
                                              "tagName":"XSS",
                                              "tagCount":4383,
                                              "totalCount":49712
                                          }
                                      ],
                                      "topAttackSources":[
                                          {
                                              "countryCode":"CA",
                                              "countryName":"Canada",
                                              "requestCount":12414,
                                              "totalCount":43129
                                          },
                                          {
                                              "countryCode":"private",
                                              "countryName":"Private Network",
                                              "requestCount":6204,
                                              "totalCount":43129
                                          },
                                          {
                                              "countryCode":"",
                                              "countryName":"",
                                              "requestCount":5322,
                                              "totalCount":43129
                                          }
                                      ]
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid parameter - from"}
                                

List corp activity events

get /corps/{corpName}/activity

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

sort
one of (asc,desc)
default: desc
enum: asc,desc

The sort order

since_id
string

The id of the last object in the set

max_id
string

The id of the last object in the set

limit
integer
default: 100
max: 1000

The number of entries to be returned per page

page
integer

The page of the results. Each page is limited to 1,000 requests, and a maximum of 10,000 requests in total will be returned.

pretty
boolean

Pretty print the json output

events
one of (corpEvents,userEvents)
enum: corpEvents,userEvents

Filter on events

eventType
string

Filter on event type

Responses

HTTP 200
Name
Type
Description
totalCount
integer
format: int32

Total number of matching documents

next
uri
string

Reference to the next page of data

data
activityevent array
required: true
id
string

Unique ID of the activity event

eventType
string

Event type

msgData
object

Data used to format the message

attachments
0
Title
string
required: true
Fields
tuple array
required: true
0
Title
string
required: true
Value
string
required: true
Short
boolean
required: true
MarkdownFields
boolean
required: true
message
string

Message of the event

created
string
format: date-time
read only: true

Created RFC3339 date time

Response Example
{
                                  "totalCount": 5,
                                  "next": {
                                    "uri": "/api/v0/corps/testcorp/activity?limit=1&page=2"
                                  },
                                  "data": [
                                    {
                                      "id": "random-uuid-string",
                                      "eventType": "userMultiFactorAuthEnabled",
                                      "msgData": {},
                                      "message": "User (user@example.com) enabled 2FA",
                                      "attachments": [],
                                      "created": "2018-04-12T01:00:33Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid parameter - from"}
                                

List users in corp

get /corps/{corpName}/users

Request

Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
corpUser array
required: true
name
string
read only: true
required: true

Full name of the user

email
string
read only: true
required: true

Email of the user

announcements
object
required: true
uri
string
read only: true

Reference to site announcements of the user

defaultDashboards
object
required: true
uri
string
read only: true

Reference to default dashboards of the user

memberships
object
required: true
data
data
site
object
required: true
name
string
required: true
displayName
string
required: true
role
string
required: true
uri
string
required: true
uri
string
read only: true

Reference to site memberships of the user

role
string
read only: true
required: true

Role of the user (owner, admin, user, observer)

status
string
read only: true
required: true

Status of the user

mfaEnabled
boolean
read only: true
required: true

Whether this user has two-factor auth enabled or not

authStatus
string
read only: true
required: true

Auth-specific status of the user

corpAuthType
string
read only: true
required: true

Corp auth type of the user

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

apiUser
boolean
read only: true
required: true

Is the user an API user

Response Example
{
                                  "data": [
                                    {
                                      "name": "Test User",
                                      "email": "user@example.com",
                                      "announcements": {
                                          "uri": "/api/v0/user/announcements"
                                      },
                                      "defaultDashboards": {
                                          "uri": "/api/v0/user/defaultDashboards"
                                      },
                                      "memberships": {
                                        "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                      }
                                      "role": "user",
                                      "status": "active"
                                      "mfaEnabled": false,
                                      "authStatus": "none",
                                      "created": "2014-12-09T10:43:54-08:00",
                                    }
                                  ]
                                }
                                

Get corp user by email

get /corps/{corpName}/users/{userEmail}

Request

URI Parameters
Name
Type
Description
userEmail
string
matching: [0-9a-z_.-@]+
required: true
Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
name
string
read only: true
required: true

Full name of the user

email
string
read only: true
required: true

Email of the user

announcements
object
required: true
uri
string
read only: true

Reference to site announcements of the user

defaultDashboards
object
required: true
uri
string
read only: true

Reference to default dashboards of the user

memberships
object
required: true
data
data
site
object
required: true
name
string
required: true
displayName
string
required: true
role
string
required: true
uri
string
required: true
uri
string
read only: true

Reference to site memberships of the user

role
string
read only: true
required: true

Role of the user (owner, admin, user, observer)

status
string
read only: true
required: true

Status of the user

mfaEnabled
boolean
read only: true
required: true

Whether this user has two-factor auth enabled or not

authStatus
string
read only: true
required: true

Auth-specific status of the user

corpAuthType
string
read only: true
required: true

Corp auth type of the user

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

apiUser
boolean
read only: true
required: true

Is the user an API user

Response Example
{
                                      "name": "Test User",
                                      "email": "user@example.com",
                                      "memberships": {
                                        "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                      }
                                      "role": "user",
                                      "status": "active"
                                      "mfaEnabled": false,
                                      "corpAuthType": "builtin",
                                      "authStatus": "none",
                                      "created": "2014-12-09T10:43:54-08:00"
                                      "apiUser": false
                                    }
                                    

Update corp user by email

patch /corps/{corpName}/users/{userEmail}

Request

URI Parameters
Name
Type
Description
userEmail
string
matching: [0-9a-z_.-@]+
required: true
Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
role
string
read only: true

Role of the user (owner, admin, user, observer)

memberships
data
site
name
string
read only: true

Name of the site

Request Example
{
                                      "role": "user",
                                      "memberships": {
                                        "data": [{
                                          "site": {
                                            "name": "staging"
                                          }
                                        }, {
                                          "site": {
                                            "name": "production"
                                          }
                                        }]
                                      }
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
name
string
read only: true
required: true

Full name of the user

email
string
read only: true
required: true

Email of the user

announcements
object
required: true
uri
string
read only: true

Reference to site announcements of the user

defaultDashboards
object
required: true
uri
string
read only: true

Reference to default dashboards of the user

memberships
object
required: true
data
data
site
object
required: true
name
string
required: true
displayName
string
required: true
role
string
required: true
uri
string
required: true
uri
string
read only: true

Reference to site memberships of the user

role
string
read only: true
required: true

Role of the user (owner, admin, user, observer)

status
string
read only: true
required: true

Status of the user

mfaEnabled
boolean
read only: true
required: true

Whether this user has two-factor auth enabled or not

authStatus
string
read only: true
required: true

Auth-specific status of the user

corpAuthType
string
read only: true
required: true

Corp auth type of the user

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

apiUser
boolean
read only: true
required: true

Is the user an API user

Response Example
{
                                      "name": "",
                                      "email": "user@example.com",
                                      "memberships": {
                                        "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                      }
                                      "role": "user",
                                      "status": "active"
                                      "mfaEnabled": false,
                                      "corpAuthType": "builtin",
                                      "authStatus": "none",
                                      "created": "2014-12-09T10:43:54-08:00"
                                      "apiUser": false
                                    }
                                    

Delete user from corp

delete /corps/{corpName}/users/{userEmail}

Request

URI Parameters
Name
Type
Description
userEmail
string
matching: [0-9a-z_.-@]+
required: true

Responses

HTTP 204

Delete successful

Invite user to corp

post /corps/{corpName}/users/{userEmail}/invite

Request

Query Parameters
Name
Type
Description
expand
string

Expand hidden properties for nested object

pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
role
string
read only: true

Role of the user (owner, admin, user, observer)

memberships
data
site
name
string
read only: true

Name of the site

Request Example
{
                                          "role": "user",
                                          "memberships": {
                                            "data": [{
                                              "site": {
                                                "name": "staging"
                                              }
                                            }, {
                                              "site": {
                                                "name": "production"
                                              }
                                            }]
                                          }
                                        }
                                        

Responses

HTTP 200
Name
Type
Description
name
string
read only: true
required: true

Full name of the user

email
string
read only: true
required: true

Email of the user

announcements
object
required: true
uri
string
read only: true

Reference to site announcements of the user

defaultDashboards
object
required: true
uri
string
read only: true

Reference to default dashboards of the user

memberships
object
required: true
data
data
site
object
required: true
name
string
required: true
displayName
string
required: true
role
string
required: true
uri
string
required: true
uri
string
read only: true

Reference to site memberships of the user

role
string
read only: true
required: true

Role of the user (owner, admin, user, observer)

status
string
read only: true
required: true

Status of the user

mfaEnabled
boolean
read only: true
required: true

Whether this user has two-factor auth enabled or not

authStatus
string
read only: true
required: true

Auth-specific status of the user

corpAuthType
string
read only: true
required: true

Corp auth type of the user

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

apiUser
boolean
read only: true
required: true

Is the user an API user

Response Example
{
                                          "name": "",
                                          "email": "example@example.com",
                                          "memberships": {
                                            "uri": "/api/v0/corps/testcorp/users/user@example.com/memberships"
                                          }
                                          "role": "user",
                                          "status": "active"
                                          "mfaEnabled": false,
                                          "corpAuthType": "builtin",
                                          "authStatus": "none",
                                          "created": "2014-12-09T10:43:54-08:00"
                                          "apiUser": false
                                        }
                                        
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                        

List rules in corp

get /corps/{corpName}/rules

Request

Query Parameters
Name
Type
Description
type
one of (rateLimit,request,signal)
enum: rateLimit,request,signal
page
integer

The page of the results. Each page is limited to 1,000 requests, and a maximum of 10,000 requests in total will be returned.

limit
integer
default: 100
max: 1000

The number of entries to be returned per page

pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
totalCount
number
required: true

Total count of Corp Rules

data
corpRule array
required: true
unique items: true
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string
required: true

Type of rule (request, signal exclusion)

corpScope
string
required: true

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(block, allow, exclude)

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string
required: true

The signal id of the signal being excluded

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                  "data": {
                                    "totalCount": 1,
                                    "data": [
                                        {
                                            "id": "5e191909c931498586c6f537",
                                            "siteNames": [],
                                            "type": "request",
                                            "corpScope": "global",
                                            "enabled": true,
                                            "groupOperator": "all",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.1/8"
                                                }
                                            ],
                                            "actions": [
                                                {
                                                    "type": "block"
                                                }
                                            ],
                                            "requestlogging": "sampled",
                                            "reason": "foo",
                                            "expiration": "",
                                            "created": "2015-02-14T21:17:16Z",
                                            "updated": "2015-02-14T21:17:16Z"
                                        }
                                    ]
                                  }
                                }
                                

Create corp rule

post /corps/{corpName}/rules

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string
required: true

Type of rule (request, signal exclusion)

corpScope
string
required: true

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(block, allow, exclude)

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string
required: true

The signal id of the signal being excluded

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                    "siteNames": [
                                        "staging",
                                        "production"
                                    ],
                                    "type": "signal",
                                    "groupOperator": "all",
                                    "conditions": [
                                        {
                                            "type": "single",
                                            "field": "ip",
                                            "operator": "equals",
                                            "value": "192.0.2.204"
                                        },
                                        {
                                            "type": "group",
                                            "groupOperator": "any",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.123"
                                                }
                                            ]
                                        }
                                    ],
                                    "actions": [
                                        {
                                            "type": "excludeSignal"
                                        }
                                    ],
                                    "requestlogging": "sampled",
                                    "enabled": true,
                                    "reason": "test",
                                    "signal": "SQLI",
                                    "expiration": "",
                                    "corpScope": "specificSites"
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string
required: true

Type of rule (request, signal exclusion)

corpScope
string
required: true

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(block, allow, exclude)

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string
required: true

The signal id of the signal being excluded

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                  "id": "5e18ee76f13d66138c3e587c",
                                  "siteNames": [
                                    "staging",
                                    "production"
                                  ],
                                  "type": "signal",
                                  "corpScope": "specificSites",
                                  "enabled": true,
                                  "groupOperator": "all",
                                  "conditions": [
                                    {
                                      "type": "single",
                                      "field": "ip",
                                      "operator": "equals",
                                      "value": "233.252.0.31"
                                    },
                                    {
                                      "type": "group",
                                      "groupOperator": "any",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "192.0.2.63"
                                        }
                                      ]
                                    }
                                  ],
                                  "actions": [
                                    {
                                      "type": "excludeSignal"
                                    }
                                  ],
                                  "requestlogging": "sampled",
                                  "signal": "SQLI",
                                  "reason": "test",
                                  "expiration": ""
                                }
                                

Get corp rule by id

get /corps/{corpName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string
required: true

Type of rule (request, signal exclusion)

corpScope
string
required: true

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(block, allow, exclude)

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string
required: true

The signal id of the signal being excluded

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                      "data": {
                                        "totalCount": 1,
                                        "data": {
                                                "id": "5e191909c931498586c6f537",
                                                "siteNames": [],
                                                "type": "request",
                                                "corpScope": "global",
                                                "enabled": true,
                                                "groupOperator": "all",
                                                "conditions": [
                                                    {
                                                        "type": "single",
                                                        "field": "ip",
                                                        "operator": "equals",
                                                        "value": "203.0.113.1/8"
                                                    }
                                                ],
                                                "actions": [
                                                    {
                                                        "type": "block"
                                                    }
                                                ],
                                                "requestlogging": "sampled",
                                                "reason": "foo",
                                                "expiration": "",
                                                "created": "2015-02-14T21:17:16Z",
                                                "updated": "2015-02-14T21:17:16Z"
                                            }
                                      }
                                    }
                                    

Update corp rule

put /corps/{corpName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string
required: true

Type of rule (request, signal exclusion)

corpScope
string
required: true

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(block, allow, exclude)

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string
required: true

The signal id of the signal being excluded

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                      "id": "5e1914acf13d663e6d0178ea",
                                      "siteNames": [
                                        "staging",
                                        "production"
                                      ],
                                      "type": "signal",
                                      "corpScope": "specificSites",
                                      "enabled": true,
                                      "groupOperator": "all",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "198.51.100.76"
                                        },
                                        {
                                          "type": "group",
                                          "groupOperator": "any",
                                          "conditions": [
                                            {
                                              "type": "single",
                                              "field": "ip",
                                              "operator": "equals",
                                              "value": "203.0.113.156"
                                            }
                                          ]
                                        }
                                      ],
                                      "actions": [
                                        {
                                          "type": "excludeSignal"
                                        }
                                      ],
                                      "requestlogging": "sampled",
                                      "signal": "SQLI",
                                      "reason": "Known malicious IPs",
                                      "expiration": ""
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string
required: true

Type of rule (request, signal exclusion)

corpScope
string
required: true

Whether the rule is applied to all sites or to specific sites. (global, specificSites)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(block, allow, exclude)

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

signal
string
required: true

The signal id of the signal being excluded

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                      "id": "5e18ee76f13d66138c3e587c",
                                      "siteNames": [
                                        "staging",
                                        "production"
                                      ],
                                      "type": "signal",
                                      "corpScope": "specificSites",
                                      "enabled": true,
                                      "groupOperator": "all",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "233.252.0.101"
                                        },
                                        {
                                          "type": "group",
                                          "groupOperator": "any",
                                          "conditions": [
                                            {
                                              "type": "single",
                                              "field": "ip",
                                              "operator": "equals",
                                              "value": "192.0.2.86"
                                            }
                                          ]
                                        }
                                      ],
                                      "actions": [
                                        {
                                          "type": "excludeSignal"
                                        }
                                      ],
                                      "requestlogging": "sampled",
                                      "signal": "SQLI",
                                      "reason": "test",
                                      "expiration": ""
                                    }
                                    

Delete rule from corp

delete /corps/{corpName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Delete successful

Create corp signal tag

post /corps/{corpName}/tags

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
shortName
string
min len: 3
max len: 25
required: true

The display name of the signal tag

description
string
max len: 140

Optional signal tag description

Request Example
{
                                    "shortName": "example signal tag",
                                    "description": "An example of a custom signal tag"
                                }
                                

Responses

HTTP 200
Name
Type
Description
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                    "shortName": "example signal tag",
                                    "tagName": "corp.example-signal-tag",
                                    "longName": "example signal tag",
                                    "description": "An example of a custom signal tag",
                                    "configurable": false,
                                    "informational": false,
                                    "needsResponse": false,
                                    "createdBy": "user@example.com",
                                    "created": "2020-02-06T23:28:54Z"
                                }
                                

List signal tags in corp

get /corps/{corpName}/tags

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
corpSignalTag array
required: true
unique items: true
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                    "data": [
                                        {
                                            "shortName": "example signal tag",
                                            "tagName": "corp.example-signal-tag",
                                            "longName": "example signal tag",
                                            "description": "An example of a custom signal tag",
                                            "configurable": false,
                                            "informational": false,
                                            "needsResponse": false,
                                            "createdBy": "user@example.com",
                                            "created": "2020-02-06T23:28:54Z"
                                        },
                                        {
                                            "shortName": "test-signal",
                                            "tagName": "corp.test-signal",
                                            "longName": "Test Signal",
                                            "description": "This is a signal for use when testing",
                                            "configurable": false,
                                            "informational": false,
                                            "needsResponse": false,
                                            "createdBy": "user@example.com",
                                            "created": "2020-01-10T23:36:50Z"
                                        }
                                    ]
                                }
                                

Get corp signal tag by tagName

get /corps/{corpName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string
required: true

Responses

HTTP 200
Name
Type
Description
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                        "shortName": "example signal tag",
                                        "tagName": "corp.example-signal-tag",
                                        "longName": "example signal tag",
                                        "description": "An example of a custom signal tag",
                                        "configurable": false,
                                        "informational": false,
                                        "needsResponse": false,
                                        "createdBy": "user@example.com",
                                        "created": "2020-02-06T23:28:54Z"
                                    }
                                    

Update corp signal tag

patch /corps/{corpName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string
required: true
Body (application/json)
Name
Type
Description
description
string
max len: 140
required: true

Optional signal tag description

Request Example
{
                                      "description": "An example of a custom signal tag - UPDATE"
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                        "shortName": "example signal tag",
                                        "tagName": "corp.example-signal-tag",
                                        "longName": "example signal tag",
                                        "description": "An example of a custom signal tag - UPDATE.",
                                        "configurable": false,
                                        "informational": false,
                                        "needsResponse": false,
                                        "createdBy": "user@example.com",
                                        "created": "2020-02-06T23:28:54Z"
                                    }
                                    

Delete signal tag from corp

delete /corps/{corpName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string
required: true

Responses

HTTP 204

Delete successful

Get all lists

get /corps/{corpName}/lists

Request

Responses

HTTP 200
Name
Type
Description
data
list array
required: true
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                  "data": [
                                    {
                                      "id": "corp.known-attackers",
                                      "name": "Known Attackers",
                                      "type": "ip",
                                      "description": "Malicious IPs we're tracking",
                                      "entries": [
                                        "198.51.100.165",
                                        "233.252.0.215",
                                        "192.0.2.186"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-06T18:57:55Z",
                                      "updated": "2018-08-13T15:26:01Z"
                                    },
                                    {
                                      "id": "corp.ofac-countries",
                                      "name": "OFAC Countries",
                                      "type": "country",
                                      "description": "Countries on the OFAC list",
                                      "entries": [
                                        "MM",
                                        "CI",
                                        "CU",
                                        "IR",
                                        "KP",
                                        "SY"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-03T20:50:54Z",
                                      "updated": "2018-08-03T20:50:59Z"
                                    }
                                  ]
                                }
                                

Create list

post /corps/{corpName}/lists

Request

Body (application/json)
Name
Type
Description
name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard, signal)

description
string
max len: 140

Optional list description

entries
string array

List entries

Request Example
{
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "192.0.2.186",
                                    "198.51.100.138",
                                    "233.252.0.174"
                                  ]
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                  "id": "corp.my-new-list",
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "192.0.2.186",
                                    "198.51.100.138",
                                    "233.252.0.174"
                                  ],
                                  "createdBy": "user@example.com",
                                  "created": "2018-08-16T17:38:27Z",
                                  "updated": "2018-08-16T17:38:27Z"
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"List cannot be deleted because a rule uses it"}
                                

Get list by id

get /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                      "id": "corp.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're putting in a list",
                                      "entries": [
                                        "192.0.2.186",
                                        "198.51.100.138",
                                        "233.252.0.174"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T17:38:27Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"id not found"}
                                    

Update list by id

patch /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
description
string
max len: 140

Optional list description

entries
additions
string array

List additions

deletions
string array

List deletions

Request Example
{
                                      "entries": {
                                        "additions": [
                                          "192.0.2.19"
                                        ],
                                        "deletions": [
                                          "192.0.2.186",
                                          "233.252.0.174"
                                        ]
                                      }
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                      "id": "corp.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "198.51.100.138",
                                        "192.0.2.19"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"id not found"}
                                    

Replace list by id

put /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
description
string
max len: 140

Optional list description

entries
string array

List entries

Request Example
{
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "192.0.2.186",
                                        "233.252.0.174",
                                        "198.51.100.193"
                                      ]
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                      "id": "corp.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "192.0.2.186",
                                        "233.252.0.174",
                                        "198.51.100.193"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

Delete list

delete /corps/{corpName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Successful removal from the list

HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

List corp integrations

get /corps/{corpName}/integrations

Request

Responses

HTTP 200
Name
Type
Description
data
integration array
id
string
read only: true
required: true

Unique id of the integration

name
string
required: true

Integration name

type
string
required: true

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

url
string
required: true

Integration URL

fields
object,null
required: true
events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

active
boolean
read only: true
required: true
note
string

Integration note

createdBy
string
read only: true
required: true

Email address of the user that created the item

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

lastStatusCode
number
read only: true
required: true
required
Response Example
{
                                  "data": [
                                    {
                                      "id": "556a8abb3dfaa4ff28000002",
                                      "name": "Slack message",
                                      "type": "slack",
                                      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                      "fields": null,
                                      "events": [
                                        "corpUpdated"
                                      ],
                                      "active": true,
                                      "note": "Sample",
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z",
                                      "lastStatusCode": 0
                                    }
                                  ]
                                }
                                

Create corp integration

post /corps/{corpName}/integrations

Request

Body (application/json)
Name
Type
Description
url
string
required: true

Integration URL

type
string
required: true

Corp integration types (mailingList, slack, microsoftTeams). Site integration types (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

note
string

Integration note

Request Example
{
                                  "url":"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                  "type":"slack",
                                  "events": [
                                    "corpUpdated"
                                  ],
                                  "note": ""
                                }
                                

Responses

HTTP 200
Name
Type
Description
ID
string
read only: true
required: true

Unique ID of the integration

Type
string
required: true

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

URL
string
required: true

Integration URL

ExtraFields
string,null
required: true
Events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

Active
boolean
read only: true
required: true
CreatedBy
string
read only: true
required: true

Email address of the user that created the integration

CreatedByID
string
read only: true

ID of the user that created the integration

Note
string
required: true

Integration note

Created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

LastStatusCode
number
read only: true
required: true
Response Example
{
                                    "ID": "5e2f5d17f13d66152d396956",
                                    "Type": "slack",
                                    "URL": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                    "ExtraFields": null,
                                    "Events": [
                                        "corpUpdated"
                                    ],
                                    "Active": true,
                                    "CreatedBy": "user@example.com",
                                    "CreatedByID": "5e222f75f13d666c9eaec7d9",
                                    "Note": "",
                                    "Created": "2020-01-27T21:58:47.608359Z",
                                    "LastStatusCode": 0
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Validation failed"}
                                

Get corp integration by id

get /corps/{corpName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string
read only: true
required: true

Unique id of the integration

name
string
required: true

Integration name

type
string
required: true

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

url
string
required: true

Integration URL

fields
object,null
required: true
events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

active
boolean
read only: true
required: true
note
string

Integration note

createdBy
string
read only: true
required: true

Email address of the user that created the item

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

lastStatusCode
number
read only: true
required: true
Response Example
{
                                        "id": "556a8abb3dfaa4ff28000002",
                                        "name": "Slack message",
                                        "type": "slack",
                                        "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                        "fields": null,
                                        "events": [
                                          "corpUpdated"
                                        ],
                                        "active": true,
                                        "note": "Sample",
                                        "createdBy": "user@example.com",
                                        "created": "2015-02-14T21:17:16Z",
                                        "lastStatusCode": 0
                                      }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Update corp integration by id

patch /corps/{corpName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
url
string

Integration URL

events
string array

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

Request Example
{
                                      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                      "events": ["listCreated", "corpUpdated"]
                                    }
                                    

Responses

HTTP 204

Successful update

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Validation failed"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Delete corp integration

delete /corps/{corpName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Successful removal from the list

HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Test corp integration by id

post /corps/{corpName}/integrations/{id}/test

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200

Test successful

HTTP 500

Test failed

List CloudWAF instances

get /corps/{corpName}/cloudwafInstances

Request

Responses

HTTP 200
Name
Type
Description
data
cloudwafInstanceResponse array
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

useUploadedCertificates
boolean

Allows switching between using an uploaded certificate or using the default certificate. When disabled, the default certificate is used.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

Create CloudWAF instance

post /corps/{corpName}/cloudwafInstances

Request

Body (application/json)
Name
Type
Description
name
string
required: true

Friendly name to identify a CloudWAF instance.

description
string
required: true

Friendly description to identify a CloudWAF instance.

region
string
required: true

Region the CloudWAF Instance is being deployed to.(Supported region: "us-east-1", "us-west-1", "af-south-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-2", "us-west-2").

tlsMinVersion
string
required: true

TLS minimum version. Versions Available: "1.0", "1.2".

useUploadedCertificates
boolean
required: true

Allows switching between using an uploaded certificate or using the default certificate. When disabled, the default certificate is used.

workspaceConfigs
object array
required: true
siteName
string
required: true

Site name.

instanceLocation
string
required: true

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array
required: true

Specify the protocol or protocols required. ex. ["http", "https"], ["https"].

routes
object array
required: true
certificateIds
string array
required: true

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string
required: true

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers. (default: false)

domains
string array
required: true

List of domain or request URIs, up to 100 entries.

Request Example
{
                                  "name": "test",
                                  "description": "test",
                                  "region": "us-east-1",
                                  "tlsMinVersion": "1.2",
                                  "useUploadedCertificates": true,
                                  "workspaceConfigs": [
                                    {
                                      "siteName": "www.example.com",
                                      "instanceLocation": "direct",
                                      "clientIPHeader": "",
                                      "listenerProtocols": ["https"],
                                      "routes": [
                                        {
                                          "certificateIds": ["id"],
                                          "domains": ["www.example.com"],
                                          "origin": "https://origin.example.com",
                                          "passHostHeader": false,
                                          "connectionPooling": true,
                                          "trustProxyHeaders": false
                                        }
                                      ]
                                    }
                                  ]
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

useUploadedCertificates
boolean

Allows switching between using an uploaded certificate or using the default certificate. When disabled, the default certificate is used.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

HTTP 400
Response Example
{"message": "An absolute URI including a scheme is required: unexpected origin, got = www.example.com"}
                                

Get CloudWAF instance by id

get /corps/{corpName}/cloudwafInstances/{deployment_id}

Request

URI Parameters
Name
Type
Description
deployment_id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

useUploadedCertificates
boolean

Allows switching between using an uploaded certificate or using the default certificate. When disabled, the default certificate is used.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

Response Example
{
                                      "id": "id1",
                                      "name": "website",
                                      "description": "a website",
                                      "region": "us-east-1",
                                      "tlsMinVersion": "1.2",
                                      "useUploadedCertificates": true,
                                      "workspaceConfigs": [
                                        {
                                          "siteName": "www.example.com",
                                          "instanceLocation": "direct",
                                          "clientIPHeader": "",
                                          "listenerProtocols": ["https"],
                                          "routes": [
                                            {
                                              "certificateIds": ["id2"],
                                              "domains": ["www.example.com"],
                                              "origin": "https://www.origin.example.com",
                                              "passHostHeader": false,
                                              "id": "id3",
                                              "connectionPooling": true,
                                              "trustProxyHeaders": false
                                            }
                                          ]
                                        }
                                      ],
                                      "deployment": {
                                        "status": "done",
                                        "message": "",
                                        "egressIPs": [
                                          {
                                            "ip": "233.252.0.152",
                                            "status": "reachable",
                                            "updatedAt": "2021-04-08T17:10:58Z"
                                          }
                                        ],
                                        "dnsEntry": "example.signalsciencescloud.net"
                                      },
                                      "useUploadedCertificates": true,
                                      "createdBy": "user@example.com",
                                      "created": "2021-04-08T15:50:46Z"
                                    }
                                    

Update CloudWAF instance

put /corps/{corpName}/cloudwafInstances/{deployment_id}

Request

URI Parameters
Name
Type
Description
deployment_id
string
required: true
Body (application/json)
Name
Type
Description
name
string
required: true

Friendly name to identify a CloudWAF instance.

description
string
required: true

Friendly description to identify a CloudWAF instance.

region
string
required: true

Region the CloudWAF Instance is being deployed to.(Supported region: "us-east-1", "us-west-1", "af-south-1", "ap-northeast-1", "ap-northeast-2", "ap-south-1", "ap-southeast-1", "ap-southeast-2", "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2", "eu-west-3", "sa-east-1", "us-east-2", "us-west-2").

tlsMinVersion
string
required: true

TLS minimum version. Versions Available: "1.0", "1.2".

useUploadedCertificates
boolean
required: true

Allows switching between using an uploaded certificate or using the default certificate. When disabled, the default certificate is used.

workspaceConfigs
object array
required: true
siteName
string
required: true

Site name.

instanceLocation
string
required: true

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array
required: true

Specify the protocol or protocols required. ex. ["http", "https"], ["https"].

routes
object array
required: true
id
string

Route unique identifier.

certificateIds
string array
required: true

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string
required: true

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers. (default: false)

domains
string array
required: true

List of domain or request URIs, up to 100 entries.

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF instance unique identifier.

name
string

Friendly name to identify a CloudWAF instance.

description
string

Friendly description to identify a CloudWAF instance.

region
string

Region the CloudWAF Instance is being deployed to.

tlsMinVersion
string

TLS minimum version.

useUploadedCertificates
boolean

Allows switching between using an uploaded certificate or using the default certificate. When disabled, the default certificate is used.

workspaceConfigs
siteName
string

Site name.

instanceLocation
string

Set instance location to "direct" or "advanced".

clientIPHeader
string

Specify the request header containing the client IP address, available when InstanceLocation is set to "advanced". Default: "X-Forwarded-For".

listenerProtocols
string array

Specify the protocol or protocols required.

routes
id
string

Route unique identifier.

certificateIds
string array

List of certificate IDs in string associated with request URI or domains. IDs will be available in certificate GET request.

origin
string

Origin server URI.

passHostHeader
boolean

Pass the client supplied host header through to the upstream (including the upstream TLS handshake for use with SNI and certificate validation). If using Heroku or Server Name Indications (SNI), this must be disabled(default: false).

domains
string array

List of domain or request URIs, up to 100 entries.

connectionPooling
boolean

If disabled, opened connections will not be reused (default: true).

trustProxyHeaders
boolean

If true, will trust proxy headers coming into the agent. If false, will ignore and drop those headers (default: false)

deployment
status
string

Current status of the deployment

message
string

CloudWAF instance message

egressIPs
ip
string

Egress IP address CloudWAF will be directing traffic to origin from.

status
string

EgressIP Status.

updatedAt
string

When EgressIP was last updated on.

dnsEntry
string

CloudWAF instance's DNS Entry.

useUploadedCertificates
boolean

Represents if the user uploaded certificates should be used to create or update the cloudwaf instance.

createdBy
string

CloudWAF instance created by.

created
string

Timestamp for when deployment was created.

HTTP 400
Response Example
{"message": "An absolute URI including a scheme is required: unexpected origin, got = www.example.com"}
                                    

Delete CloudWAF instance

delete /corps/{corpName}/cloudwafInstances/{deployment_id}

Request

URI Parameters
Name
Type
Description
deployment_id
string
required: true

Responses

HTTP 204

delete successful

HTTP 400
Response Example
{"message":"cannot delete with pending instance"}
                                    

Restart CloudWAF instance

post /corps/{corpName}/cloudwafInstances/{deployment_id}/restart

Request

URI Parameters
Name
Type
Description
deployment_id
string
required: true

Responses

HTTP 204

restart successful

List CloudWAF certificates

get /corps/{corpName}/cloudwafCerts

Request

Responses

HTTP 200
Name
Type
Description
data
cloudwafCertResponse array
id
string

CloudWAF certificate unique identifier

name
string

Friendly name to identify a CloudWAF certificate

commonName
string

Common name of the uploaded certificate

subjectAlternativeNames
string array

Subject alternative names from the uploaded certificate

domains
string array
min len: 1

List of domains - deprecated

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

fingerprint
string

SHA1 fingerprint of the certififcate

expiresAt
string
format: date-time

TimeStamp for when certificate expires in RFC3339 date time format

status
string

Current status of the certificate - could be one of "unknown", "active", "pendingverification", "expired", "error"

createdBy
string

Email address of the user that created the certfificate

created
string
format: date-time

Created RFC3339 date time

updatedBy
string

Email address of the user that updated the certificate

updatedAt
string
format: date-time

Updated RFC3339 date time

Upload CloudWAF certificate

post /corps/{corpName}/cloudwafCerts

Request

Body (application/json)
Name
Type
Description
name
string

Friendly name to identify a CloudWAF certificate

domains
string array

List of domains - deprecated

privateKey
string

Private key of the certificate in PEM format - must be unencrypted

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

Request Example
{
                                  "name": "someCertificate",
                                  "domains": [
                                    "example.com"
                                  ],
                                  "privateKey": "-----BEGIN PRIVATE KEY-----\n someCertificate private key \n-----END PRIVATE KEY-----\n",
                                  "certificateBody": "-----BEGIN CERTIFICATE-----\n someCertificate certificate body \n-----END CERTIFICATE-----\n",
                                  "certificateChain": ""
                                }
                                

Responses

HTTP 201
Name
Type
Description
id
string

CloudWAF certificate unique identifier

Response Example
{"id": "someCertificate-id" }
                                
HTTP 400
Response Example
{"message":"example.net is not associated with the specified TLS certificate.: unexpected domain, got = example.net"}
                                

Get CloudWAF certificate by id

get /corps/{corpName}/cloudwafCerts/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF certificate unique identifier

name
string

Friendly name to identify a CloudWAF certificate

commonName
string

Common name of the uploaded certificate

subjectAlternativeNames
string array

Subject alternative names from the uploaded certificate

domains
string array
min len: 1

List of domains - deprecated

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

fingerprint
string

SHA1 fingerprint of the certififcate

expiresAt
string
format: date-time

TimeStamp for when certificate expires in RFC3339 date time format

status
string

Current status of the certificate - could be one of "unknown", "active", "pendingverification", "expired", "error"

createdBy
string

Email address of the user that created the certfificate

created
string
format: date-time

Created RFC3339 date time

updatedBy
string

Email address of the user that updated the certificate

updatedAt
string
format: date-time

Updated RFC3339 date time

Response Example
{
                                  "id":"some-id",
                                  "name":"website",
                                  "domains":["example.com"],
                                  "certificateBody":"-----BEGIN CERTIFICATE-----\n certificate body \n-----END CERTIFICATE-----",
                                  "certificateChain":"",
                                  "fingerprint": "",
                                  "expiresAt":"2021-05-02T20:48:02Z",
                                  "status":"active",
                                  "createdBy":"user@example.com",
                                  "created":"2021-02-01T22:05:23Z",
                                  "updatedBy":"user@example.com",
                                  "updatedAt":"2021-02-01T22:06:17Z"
                                }
                                

Update CloudWAF certificate by id

put /corps/{corpName}/cloudwafCerts/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
name
string
min len: 1

Friendly name to identify a CloudWAF certificate

Request Example
{
                                "name": "some name"
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

CloudWAF certificate unique identifier

name
string

Friendly name to identify a CloudWAF certificate

commonName
string

Common name of the uploaded certificate

subjectAlternativeNames
string array

Subject alternative names from the uploaded certificate

domains
string array
min len: 1

List of domains - deprecated

certificateBody
string

Body of the certificate in PEM format

certificateChain
string

Certificate chain in PEM format

fingerprint
string

SHA1 fingerprint of the certififcate

expiresAt
string
format: date-time

TimeStamp for when certificate expires in RFC3339 date time format

status
string

Current status of the certificate - could be one of "unknown", "active", "pendingverification", "expired", "error"

createdBy
string

Email address of the user that created the certfificate

created
string
format: date-time

Created RFC3339 date time

updatedBy
string

Email address of the user that updated the certificate

updatedAt
string
format: date-time

Updated RFC3339 date time

Response Example
{
                                  "id": "some-id",
                                  "name": "some certificate",
                                  "domains": [
                                      "website"
                                  ],
                                  "certificateBody": "-----BEGIN CERTIFICATE-----\n some certificate certificate body\n-----END CERTIFICATE-----\n",
                                  "certificateChain": "-----BEGIN CERTIFICATE-----\n some certificate certificate chain\n-----END CERTIFICATE-----\n",
                                  "fingerprint": "",
                                  "expiresAt": "2022-01-28T20:32:47Z",
                                  "status": "active",
                                  "createdBy": "user@example.com",
                                  "created": "2021-01-28T20:34:06.952625Z",
                                  "updatedBy": "user@example.com",
                                  "updatedAt": "2021-03-10T17:51:17.540049Z"}
                                
HTTP 400
Response Example
{"message":"name cannot be empty"}
                                

Delete CloudWAF certificate by id

delete /corps/{corpName}/cloudwafCerts/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Delete successful

HTTP 400
Response Example
{"message":"certificate f179ae5fd6d8b5f742753e7019936d7e58e5c5bf used in deployments: cert is in use"}
                                

Sites

List sites in corp

get /corps/{corpName}/sites

Request

URI Parameters
Name
Type
Description
corpName
string
matching: [0-9a-z_.-]+
required: true

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

name
string

Filter on site name or display name

page
integer
default: 1

The page of the results

limit
integer
default: 10

The number of entries to be returned

agentLevel
one of (block,log,off)
enum: block,log,off

Filter on agent mode

Responses

HTTP 200
Name
Type
Description
data
site array
required: true
name
string
min len: 3
max len: 100

Identifying name of the site

displayName
string
min len: 3
max len: 100

Display name of the site

agentLevel
string
enum: block,log,off

Agent action level - 'block', 'log' or 'off'

agentAnonMode
string
default: off
enum: EU,off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integer
default: 86400
format: int32
max: 31556900

Duration to block an IP in seconds

blockHTTPCode
integer
default: 406
format: int32
min: 301
max: 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string
format: date-time
read only: true

Created RFC3339 date time

whitelist
uri
string
read only: true

Reference to the site's whitelist

blacklist
uri
string
read only: true

Reference to the site's blacklist

blocklist
uri
string
read only: true

Reference to the site's blocklist

events
uri
string
read only: true

Reference to the site's events

requests
uri
string
read only: true

Reference to the site's requests

redactions
uri
string
read only: true

Reference to the site's redactions

suspiciousIPs
uri
string
read only: true

Reference to the site's suspicious IPs

monitors
uri
string
read only: true

Reference to the site's monitors

integrations
uri
string
read only: true

Reference to the site's integrations

headerLinks
uri
string
read only: true

Reference to the site's header links

agents
uri
string
read only: true

Reference to the site's agents

alerts
uri
string
read only: true

Reference to the site's alerts

analyticsEvents
uri
string
read only: true

Reference to the site's analytics events

topAttacks
uri
string
read only: true

Reference to the site's top attacks

members
uri
string
read only: true

Reference to the site's members

attackThresholds

Attack threshold parameters for system site alerts

interval
integer
enum: 1,10,60

Number of minutes during which attack signals per IP address are counted

threshold
integer

Number of attack signals per IP address that must be detected during the interval before the related IP address is flagged

immediateBlock
boolean

Determines whether to instantly block requests tagged with at least one attack signal

Response Example
{
                          "data": [
                              {
                                  "name": "www.example.com",
                                  "displayName": "My Website",
                                  "agentLevel": "block",
                                  "blockHTTPCode": 406,
                                  "blockDurationSeconds": 86400,
                                  "created": "2014-12-09T10:43:54-08:00",
                                  "whitelist": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                                  },
                                  "blacklist": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                                  },
                                  "events": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                                  },
                                  "requests": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                                  },
                                  "redactions": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                                  },
                                  "suspiciousIPs": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                                  },
                                  "monitors": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                                  },
                                  "integrations": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                                  },
                                  "headerLinks": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                                  },
                                  "agents": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                                  },
                                  "alerts": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                                  },
                                  "analyticsEvents": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                                  },
                                  "topAttacks": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                                  },
                                  "members": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                                  }
                              }
                          ]
                        }
                        

Create site in corp

post /corps/{corpName}/sites

Request

URI Parameters
Name
Type
Description
corpName
string
matching: [0-9a-z_.-]+
required: true

Corp shortname

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
name
string
min len: 3
max len: 100

Identifying name of the site

displayName
string
min len: 3
max len: 100

Display name of the site

agentLevel
string
enum: block,log,off

Agent action level - 'block', 'log' or 'off'

agentAnonMode
string
default: off
enum: EU,off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integer
default: 86400
format: int32
max: 31556900

Duration to block an IP in seconds

blockHTTPCode
integer
default: 406
format: int32
min: 301
max: 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

attackThresholds

Attack threshold parameters for system site alerts

interval
integer
enum: 1,10,60

Number of minutes during which attack signals per IP address are counted

threshold
integer

Number of attack signals per IP address that must be detected during the interval before the related IP address is flagged

immediateBlock
boolean

Determines whether to instantly block requests tagged with at least one attack signal

Request Example
{
                          'name": "www.example.com",
                          "displayName": "Example Website",
                          "agentLevel": "block",
                          "blockDurationSeconds": 259200,
                          "blockHTTPCode": 302,
                          "blockRedirectURL": "/blocked/"
                        }
                        

Responses

HTTP 200
Name
Type
Description
name
string
min len: 3
max len: 100

Identifying name of the site

displayName
string
min len: 3
max len: 100

Display name of the site

agentLevel
string
enum: block,log,off

Agent action level - 'block', 'log' or 'off'

agentAnonMode
string
default: off
enum: EU,off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integer
default: 86400
format: int32
max: 31556900

Duration to block an IP in seconds

blockHTTPCode
integer
default: 406
format: int32
min: 301
max: 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string
format: date-time
read only: true

Created RFC3339 date time

whitelist
uri
string
read only: true

Reference to the site's whitelist

blacklist
uri
string
read only: true

Reference to the site's blacklist

blocklist
uri
string
read only: true

Reference to the site's blocklist

events
uri
string
read only: true

Reference to the site's events

requests
uri
string
read only: true

Reference to the site's requests

redactions
uri
string
read only: true

Reference to the site's redactions

suspiciousIPs
uri
string
read only: true

Reference to the site's suspicious IPs

monitors
uri
string
read only: true

Reference to the site's monitors

integrations
uri
string
read only: true

Reference to the site's integrations

headerLinks
uri
string
read only: true

Reference to the site's header links

agents
uri
string
read only: true

Reference to the site's agents

alerts
uri
string
read only: true

Reference to the site's alerts

analyticsEvents
uri
string
read only: true

Reference to the site's analytics events

topAttacks
uri
string
read only: true

Reference to the site's top attacks

members
uri
string
read only: true

Reference to the site's members

attackThresholds

Attack threshold parameters for system site alerts

interval
integer
enum: 1,10,60

Number of minutes during which attack signals per IP address are counted

threshold
integer

Number of attack signals per IP address that must be detected during the interval before the related IP address is flagged

immediateBlock
boolean

Determines whether to instantly block requests tagged with at least one attack signal

Response Example
{
                          "name": "www.example.com",
                          "displayName": "My Website1",
                          "agentLevel": "block",
                          "blockHTTPCode": 302,
                          "blockDurationSeconds": 259200,
                          "blockRedirectURL": "/blocked/",
                          "created": "2014-12-09T10:43:54-08:00",
                          "whitelist": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                          },
                          "blacklist": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                          },
                          "events": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                          },
                          "requests": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                          },
                          "redactions": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                          },
                          "suspiciousIPs": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                          },
                          "monitors": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                          },
                          "integrations": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                          },
                          "headerLinks": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                          },
                          "agents": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                          },
                          "alerts": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                          },
                          "analyticsEvents": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                          },
                          "topAttacks": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                          },
                          "tags": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/tags"
                          },
                          "rules": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/rules"
                          },
                          "members": {
                              "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                          }
                        }
                        
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid block code - must be between 100 and 599"}
                        

Get site by name

get /corps/{corpName}/sites/{siteName}

Request

URI Parameters
Name
Type
Description
siteName
string
matching: [0-9a-z_.-]+
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
name
string
min len: 3
max len: 100

Identifying name of the site

displayName
string
min len: 3
max len: 100

Display name of the site

agentLevel
string
enum: block,log,off

Agent action level - 'block', 'log' or 'off'

agentAnonMode
string
default: off
enum: EU,off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integer
default: 86400
format: int32
max: 31556900

Duration to block an IP in seconds

blockHTTPCode
integer
default: 406
format: int32
min: 301
max: 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string
format: date-time
read only: true

Created RFC3339 date time

whitelist
uri
string
read only: true

Reference to the site's whitelist

blacklist
uri
string
read only: true

Reference to the site's blacklist

blocklist
uri
string
read only: true

Reference to the site's blocklist

events
uri
string
read only: true

Reference to the site's events

requests
uri
string
read only: true

Reference to the site's requests

redactions
uri
string
read only: true

Reference to the site's redactions

suspiciousIPs
uri
string
read only: true

Reference to the site's suspicious IPs

monitors
uri
string
read only: true

Reference to the site's monitors

integrations
uri
string
read only: true

Reference to the site's integrations

headerLinks
uri
string
read only: true

Reference to the site's header links

agents
uri
string
read only: true

Reference to the site's agents

alerts
uri
string
read only: true

Reference to the site's alerts

analyticsEvents
uri
string
read only: true

Reference to the site's analytics events

topAttacks
uri
string
read only: true

Reference to the site's top attacks

members
uri
string
read only: true

Reference to the site's members

attackThresholds

Attack threshold parameters for system site alerts

interval
integer
enum: 1,10,60

Number of minutes during which attack signals per IP address are counted

threshold
integer

Number of attack signals per IP address that must be detected during the interval before the related IP address is flagged

immediateBlock
boolean

Determines whether to instantly block requests tagged with at least one attack signal

Response Example
{
                              "name": "www.example.com",
                              "displayName": "My Website",
                              "agentLevel": "block",
                              "blockHTTPCode": 406,
                              "blockDurationSeconds": 86400,
                              "created": "2014-12-09T10:43:54-08:00",
                              "whitelist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                              },
                              "blacklist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                              },
                              "events": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                              },
                              "requests": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                              },
                              "redactions": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                              },
                              "suspiciousIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                              },
                              "rateLimitedIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/rateLimitedIPs"
                              },
                              "monitors": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                              },
                              "integrations": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                              },
                              "headerLinks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                              },
                              "agents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                              },
                              "alerts": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                              },
                              "analyticsEvents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                              },
                              "topAttacks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                              },
                              "members": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                              }
                            }
                            
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                            

Update a site by name

patch /corps/{corpName}/sites/{siteName}

Request

URI Parameters
Name
Type
Description
siteName
string
matching: [0-9a-z_.-]+
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
name
string
min len: 3
max len: 100

Identifying name of the site

displayName
string
min len: 3
max len: 100

Display name of the site

agentLevel
string
enum: block,log,off

Agent action level - 'block', 'log' or 'off'

agentAnonMode
string
default: off
enum: EU,off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integer
default: 86400
format: int32
max: 31556900

Duration to block an IP in seconds

blockHTTPCode
integer
default: 406
format: int32
min: 301
max: 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

attackThresholds

Attack threshold parameters for system site alerts

interval
integer
enum: 1,10,60

Number of minutes during which attack signals per IP address are counted

threshold
integer

Number of attack signals per IP address that must be detected during the interval before the related IP address is flagged

immediateBlock
boolean

Determines whether to instantly block requests tagged with at least one attack signal

Request Example
{
                              "displayName": "My Website1",
                              "agentLevel": "block",
                              "blockDurationSeconds": 259200,
                              "attackThresholds": [
                                {
                                "interval": 1,
                                "threshold": 25
                                },
                                {
                                "interval": 10,
                                "threshold": 60
                                },
                                {
                                "interval": 60,
                                "threshold": 100
                                }
                              ]
                            }
                            

Responses

HTTP 200
Name
Type
Description
name
string
min len: 3
max len: 100

Identifying name of the site

displayName
string
min len: 3
max len: 100

Display name of the site

agentLevel
string
enum: block,log,off

Agent action level - 'block', 'log' or 'off'

agentAnonMode
string
default: off
enum: EU,off

Agent IP anonimization mode - 'EU' or 'off'

blockDurationSeconds
integer
default: 86400
format: int32
max: 31556900

Duration to block an IP in seconds

blockHTTPCode
integer
default: 406
format: int32
min: 301
max: 599

HTTP response code to send when when traffic is being blocked

blockRedirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

created
string
format: date-time
read only: true

Created RFC3339 date time

whitelist
uri
string
read only: true

Reference to the site's whitelist

blacklist
uri
string
read only: true

Reference to the site's blacklist

blocklist
uri
string
read only: true

Reference to the site's blocklist

events
uri
string
read only: true

Reference to the site's events

requests
uri
string
read only: true

Reference to the site's requests

redactions
uri
string
read only: true

Reference to the site's redactions

suspiciousIPs
uri
string
read only: true

Reference to the site's suspicious IPs

monitors
uri
string
read only: true

Reference to the site's monitors

integrations
uri
string
read only: true

Reference to the site's integrations

headerLinks
uri
string
read only: true

Reference to the site's header links

agents
uri
string
read only: true

Reference to the site's agents

alerts
uri
string
read only: true

Reference to the site's alerts

analyticsEvents
uri
string
read only: true

Reference to the site's analytics events

topAttacks
uri
string
read only: true

Reference to the site's top attacks

members
uri
string
read only: true

Reference to the site's members

attackThresholds

Attack threshold parameters for system site alerts

interval
integer
enum: 1,10,60

Number of minutes during which attack signals per IP address are counted

threshold
integer

Number of attack signals per IP address that must be detected during the interval before the related IP address is flagged

immediateBlock
boolean

Determines whether to instantly block requests tagged with at least one attack signal

Response Example
{
                              "name": "www.example.com",
                              "displayName": "My Website1",
                              "agentLevel": "block",
                              "blockHTTPCode": 406,
                              "blockDurationSeconds": 259200,
                              "created": "2014-12-09T10:43:54-08:00",
                              "whitelist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/whitelist"
                              },
                              "blacklist": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/blacklist"
                              },
                              "events": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/events"
                              },
                              "requests": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests"
                              },
                              "redactions": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/redactions"
                              },
                              "suspiciousIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/suspiciousIPs"
                              },
                              "rateLimitedIPs": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/rateLimitedIPs"
                              },
                              "monitors": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/monitors"
                              },
                              "integrations": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/integrations"
                              },
                              "headerLinks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/headerLinks"
                              },
                              "agents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/agents"
                              },
                              "alerts": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/alerts"
                              },
                              "analyticsEvents": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events"
                              },
                              "topAttacks": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/top/attacks"
                              },
                              "tags": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/tags"
                              },
                              "rules": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/advancedRules"
                              },
                              "members": {
                                  "uri": "/api/v0/corps/testcorp/sites/www.example.com/members"
                              },
                              "attackThresholds": [
                                {
                                "interval": 1,
                                "threshold": 25
                                },
                                {
                                "interval": 10,
                                "threshold": 60
                                },
                                {
                                "interval": 60,
                                "threshold": 100
                                }
                              ]
                            }
                            
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid block code - must be between 100 and 599"}
                            

Delete site

delete /corps/{corpName}/sites/{siteName}

Request

URI Parameters
Name
Type
Description
siteName
string
matching: [0-9a-z_.-]+
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Delete successful

Deploy site to edge

put /corps/{corpName}/sites/{siteName}/edgeDeployment

Configure the Next-Gen WAF site for Edge Deployment.

Request

Headers
Name
Type
Description
Fastly-Key
string
required: true

Fastly API key with write access to the Fastly service. This field is only required if you are linking Compute services to the Next-Gen WAF.

Content-Type
string
required: true

Must be 'application/json'

Body (application/json)
Name
Type
Description
authorizedServices
string array

List of Compute services. This field is only required if you are linking Compute services to the Next-Gen WAF.

Request Example
{"authorizedServices": ["SU1Z0isxPaozGVKXdv0eY"]}
                                

Responses

HTTP 200

Initialization successful

Remove an Edge Deployment

delete /corps/{corpName}/sites/{siteName}/edgeDeployment

Remove the Edge Deployment of a Next-Gen WAF Site. It does not affect other Site configurations or prevent the Site from being re-deployed to the edge again later.

Request

Headers
Name
Type
Description
Content-Type
string
required: true

Must be 'application/json'

Responses

HTTP 200

Edge Deployment successfully removed

List site activity events

get /corps/{corpName}/sites/{siteName}/analytics/events

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

sort
one of (asc,desc)
default: desc
enum: asc,desc

The sort order

since_id
string

The id of the last object in the set

max_id
string

The id of the last object in the set

limit
integer
default: 100
max: 1000

The number of entries to be returned per page

page
integer

The page of the results. Each page is limited to 1,000 requests, and a maximum of 10,000 requests in total will be returned.

pretty
boolean

Pretty print the json output

events
one of (alerts,audits,excludeAgentsOnline)
enum: alerts,audits,excludeAgentsOnline

Filter on events

eventType
string

Filter on event type

Responses

HTTP 200
Name
Type
Description
totalCount
integer
format: int32

Total number of matching documents

next
uri
string

Reference to the next page of data

data
activityevent array
required: true
id
string

Unique ID of the activity event

eventType
string

Event type

msgData
object

Data used to format the message

attachments
0
Title
string
required: true
Fields
tuple array
required: true
0
Title
string
required: true
Value
string
required: true
Short
boolean
required: true
MarkdownFields
boolean
required: true
message
string

Message of the event

created
string
format: date-time
read only: true

Created RFC3339 date time

Response Example
{
                                  "totalCount": 5,
                                  "next": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/analytics/events?limit=1&page=2"
                                  },
                                  "data": [
                                    {
                                      "id": "558cf75c3dfaa4b9c2000001",
                                      "eventType": "blacklistIP",
                                      "msgData": {"ip": "192.0.2.149"},
                                      "message": "User (user@example.com) blacklisted \"192.0.2.149\"",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Create or Update Delivery Integration

put /corps/{corpName}/sites/{siteName}/deliveryIntegration/{fastlySID}

Connect this site to a Delivery service to protect traffic going to origin. Deploys or updates latest VCL and configuration to the Delivery service. Copies backends from the Delivery service to the Edge Deployment. These configurations are needed to forward traffic to the WAF. Note that the changes to the Fastly service will be activated unless the `activateVersion` field is passed as `false`.

Request

URI Parameters
Name
Type
Description
fastlySID
string
matching: [0-9a-zA-Z]+}
required: true

Fastly service ID

Headers
Name
Type
Description
Fastly-Key
string
required: true

Fastly API key with write access to the Fastly service

Content-Type
string
required: true

Must be 'application/json'

Body (application/json)
Name
Type
Description
percentEnabled
integer
format: int32
max: 100

Optional percent of requests that should be inspected by Next-Gen WAF

activateVersion
boolean
default: true

Optional flag that indicates whether the VCL version should be activated (true) or not activated (false)

Request Example
{
                                      "percentEnabled": 0,
                                      "activateVersion": true
                                    }
                                    

Responses

HTTP 200

Service configuration successful

Detach Edge Deployment Service

delete /corps/{corpName}/sites/{siteName}/deliveryIntegration/{fastlySID}

Stop securing the given Delivery service and disconnect the Fastly service from this Edge Deployment.

Request

URI Parameters
Name
Type
Description
fastlySID
string
matching: [0-9a-zA-Z]+}
required: true

Fastly service ID

Headers
Name
Type
Description
Fastly-Key
string
required: true

Fastly API key with write access to the Fastly service

Content-Type
string
required: true

Must be 'application/json'

Responses

HTTP 200

Service detachment successful

Update Edge Deployment Backends

put /corps/{corpName}/sites/{siteName}/deliveryIntegration/{fastlySID}/backends

Check if any changes were made to the Fastly service's backends and updates the Edge Deployment if necessary. Note that the Fastly service must already be configured for Edge Deployment.

Request

Headers
Name
Type
Description
Fastly-Key
string
required: true

Fastly API key with read access to the Fastly service

Content-Type
string
required: true

Must be 'application/json'

Responses

HTTP 200

Backend syncing successful

List site members

get /corps/{corpName}/sites/{siteName}/members

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
siteMember array
required: true
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                  "data": [
                                    {
                                      "user": {
                                        "name": "Example User",
                                        "email": "user@example.com",
                                        "status": "active",
                                        "authStatus": "none",
                                        "corpAuthType": "builtin",
                                        "apiUser": false
                                      },
                                      "role": "owner"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Add members to site

post /corps/{corpName}/sites/{siteName}/members

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
members
string array
min len: 1
required: true

List of existing user email addresses

Request Example
{
                                  "members: ["user@example.com"]
                                }
                                

Responses

HTTP 200
Name
Type
Description
data
siteMember array
required: true
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                  "data": [
                                    {
                                      "user": {
                                        "name": "Example User",
                                        "email": "user@example.com",
                                        "status": "active",
                                        "authStatus": "none",
                                        "corpAuthType": "builtin",
                                        "apiUser": false
                                      },
                                      "role": "owner"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid user"}
                                

Get site member by email

get /corps/{corpName}/sites/{siteName}/members/{siteMemberEmail}

Request

URI Parameters
Name
Type
Description
siteMemberEmail
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                      "user": {
                                        "name": "Example User",
                                        "email": "user@example.com",
                                        "status": "active",
                                        "authStatus": "none",
                                        "corpAuthType": "builtin",
                                        "apiUser": false
                                      },
                                      "role": "owner"
                                    },
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

Delete from site members

delete /corps/{corpName}/sites/{siteName}/members/{siteMemberEmail}

Request

URI Parameters
Name
Type
Description
siteMemberEmail
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Successful removal from the list

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

Invite a site member

post /corps/{corpName}/sites/{siteName}/members/{siteMemberEmail}/invite

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
role
string
min len: 1
required: true

Role of the user (owner, admin, user, observer)

Request Example
{
                                          "role": "observer"
                                        }
                                        

Responses

HTTP 200
Name
Type
Description
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                          "user": {
                                            "name": "Example User",
                                            "email": "user@example.com",
                                            "status": "active",
                                            "authStatus": "none",
                                            "corpAuthType": "builtin",
                                            "apiUser": false
                                          },
                                          "role": "owner"
                                        }
                                        
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                        

List rules in site

get /corps/{corpName}/sites/{siteName}/rules

Request

Query Parameters
Name
Type
Description
type
one of (rateLimit,request,signal)
enum: rateLimit,request,signal
page
integer

The page of the results. Each page is limited to 1,000 requests, and a maximum of 10,000 requests in total will be returned.

limit
integer
default: 100
max: 1000

The number of entries to be returned per page

pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
totalCount
number
required: true

Total count of Site Rules

data
siteRule array
required: true
unique items: true
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available.

type
string
required: true

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint))

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
required: true
unique items: true

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string
required: true

(block, allow, exclude, browserChallenge, verifyToken) (rateLimit rule valid values: logRequest, blockSignal, browserChallenge, verifyToken)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

allowInteractive
boolean

Allows switching between a non-interactive and interactive browser challenge. Only valid with the browserChallenge action type.

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                  "data": {
                                    "totalCount": 1,
                                    "data": [
                                        {
                                            "id": "5e191909c931498586c6f537",
                                            "siteNames": [
                                                "www.example.com"
                                            ],
                                            "type": "request",
                                            "enabled": true,
                                            "groupOperator": "all",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.100"
                                                }
                                            ],
                                            "actions": [
                                                {
                                                    "type": "block"
                                                }
                                            ],
                                            "requestlogging": "sampled",
                                            "reason": "test",
                                            "expiration": "",
                                            "created": "2015-02-14T21:17:16Z",
                                            "updated": "2015-02-14T21:17:16Z"
                                        }
                                    ]
                                  }
                                }
                                

Create site rule

post /corps/{corpName}/sites/{siteName}/rules

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available.

type
string
required: true

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
required: true
unique items: true

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit. Can be set to ALL-REQUESTS to act upon all requests from a client.

type
string
required: true

(block, allow, exclude, browserChallenge, verifyToken) (rateLimit rule valid values: logRequest, blockSignal, browserChallenge, verifyToken)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

allowInteractive
boolean

Allows switching between a non-interactive and interactive browser challenge. Only valid with the browserChallenge action type.

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for (default: 1, options: 1, 10)

duration
integer

Length of time in seconds to enforce the rule for once activated (default: 600, minimum: 300, maximum: 86400)

signal
string
required: true

The signal id of the signal being excluded (for rateLimit rules this is the signal to be attached)

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                  "type": "signal",
                                  "groupOperator": "all",
                                  "conditions": [
                                    {
                                      "type": "single",
                                      "field": "ip",
                                      "operator": "equals",
                                      "value": "198.51.100.136"
                                    },
                                    {
                                      "type": "group",
                                      "groupOperator": "any",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "233.252.0.212"
                                        }
                                      ]
                                    }
                                  ],
                                  "actions": [
                                    {
                                      "type": "excludeSignal"
                                    }
                                  ],
                                  "enabled": true,
                                  "reason": "Example site rule",
                                  "signal": "SQLI",
                                  "expiration": ""
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available.

type
string
required: true

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint))

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
required: true
unique items: true

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string
required: true

(block, allow, exclude, browserChallenge, verifyToken) (rateLimit rule valid values: logRequest, blockSignal, browserChallenge, verifyToken)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

allowInteractive
boolean

Allows switching between a non-interactive and interactive browser challenge. Only valid with the browserChallenge action type.

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                    "id": "5e321810f13d660ea4cd8d0f",
                                    "siteNames": [
                                        "www.example.com"
                                    ],
                                    "type": "signal",
                                    "enabled": true,
                                    "groupOperator": "all",
                                    "conditions": [
                                        {
                                            "type": "single",
                                            "field": "ip",
                                            "operator": "equals",
                                            "value": "198.51.100.136"
                                        },
                                        {
                                            "type": "group",
                                            "groupOperator": "any",
                                            "conditions": [
                                                {
                                                    "type": "single",
                                                    "field": "ip",
                                                    "operator": "equals",
                                                    "value": "233.252.0.212"
                                                }
                                            ]
                                        }
                                    ],
                                    "actions": [
                                        {
                                            "type": "excludeSignal"
                                        }
                                    ],
                                    "signal": "SQLI",
                                    "reason": "Example site rule",
                                    "expiration": "",
                                    "createdBy": "user@example.com",
                                    "created": "2020-01-29T23:41:04Z",
                                    "updated": "2020-01-29T23:41:04Z"
                                }
                                

Get site rule by id

get /corps/{corpName}/sites/{siteName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available.

type
string
required: true

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint))

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
required: true
unique items: true

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string
required: true

(block, allow, exclude, browserChallenge, verifyToken) (rateLimit rule valid values: logRequest, blockSignal, browserChallenge, verifyToken)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

allowInteractive
boolean

Allows switching between a non-interactive and interactive browser challenge. Only valid with the browserChallenge action type.

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                        "id": "5e321810f13d660ea4cd8d0f",
                                        "siteNames": [
                                            "www.example.com"
                                        ],
                                        "type": "signal",
                                        "enabled": true,
                                        "groupOperator": "all",
                                        "conditions": [
                                            {
                                                "type": "single",
                                                "field": "ip",
                                                "operator": "equals",
                                                "value": "192.0.2.137"
                                            },
                                            {
                                                "type": "group",
                                                "groupOperator": "any",
                                                "conditions": [
                                                    {
                                                        "type": "single",
                                                        "field": "ip",
                                                        "operator": "equals",
                                                        "value": "203.0.113.247"
                                                    }
                                                ]
                                            }
                                        ],
                                        "actions": [
                                            {
                                                "type": "excludeSignal"
                                            }
                                        ],
                                        "signal": "SQLI",
                                        "reason": "Example site rule",
                                        "expiration": "",
                                        "createdBy": "user@example.com",
                                        "created": "2020-01-29T23:41:04Z",
                                        "updated": "2020-01-29T23:41:04Z"
                                    }
                                    

Update site rule

put /corps/{corpName}/sites/{siteName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
siteNames
string array
read only: true
unique items: true

Sites with the rule available. Rules with a global corpScope will return '[]'.

type
string
required: true

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint)

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
required: true
unique items: true

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit. Can be set to ALL-REQUESTS to act upon all requests from a client.

type
string
required: true

(block, allow, exclude, browserChallenge, verifyToken) (rateLimit rule valid values: logRequest, blockSignal, browserChallenge, verifyToken)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

allowInteractive
boolean

Allows switching between a non-interactive and interactive browser challenge. Only valid with the browserChallenge action type.

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for (default: 1, options: 1, 10)

duration
integer

Length of time in seconds to enforce the rule for once activated (default: 600, minimum: 300, maximum: 86400)

signal
string
required: true

The signal id of the signal being excluded (for rateLimit rules this is the signal to be attached)

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

Request Example
{
                                      "id": "5e321810f13d660ea4cd8d0f",
                                      "type": "signal",
                                      "enabled": true,
                                      "groupOperator": "all",
                                      "conditions": [
                                        {
                                          "type": "single",
                                          "field": "ip",
                                          "operator": "equals",
                                          "value": "198.51.100.177"
                                        },
                                        {
                                          "type": "group",
                                          "groupOperator": "any",
                                          "conditions": [
                                            {
                                              "type": "single",
                                              "field": "ip",
                                              "operator": "equals",
                                              "value": "203.0.113.247"
                                            }
                                          ]
                                        }
                                      ],
                                      "actions": [
                                        {
                                          "type": "excludeSignal"
                                        }
                                      ],
                                      "signal": "SQLI",
                                      "reason": "Known malicious IPs",
                                      "expiration": ""
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string
required: true
siteNames
string array
read only: true
required: true
unique items: true

Sites with the rule available.

type
string
required: true

Type of rule (request, signal exclusion, rateLimit)

enabled
boolean
required: true
groupOperator
string
required: true

Conditions that must be matched when evaluating the request (all, any)

conditions
object array
min items: 1
required: true
unique items: true
type
string
required: true

(group, single, multival)

groupOperator
string

type: group - Conditions that must be matched when evaluating the request (all, any)

field
string

type: single - (scheme, method, path, useragent, domain, ip, responseCode, agentname, paramname, paramvalue, country, name, valueString, valueInt, valueIp, signalType, ja3Fingerprint))

type: multival - (postParameter, queryParameter, requestCookie, requestHeader, responseHeader, signal)

operator
string

type: single - (equals, doesNotEqual, contains, doesNotContain, greaterEqual, lesserEqual, like, notLike, exists, doesNotExist, matches, doesNotMatch, inList, notInList)

value
string

type: single - See request fields

actions
object array
required: true
unique items: true

For rateLimit rules an action with a valid type and signal is required, for all other rules only type is required

signal
string

For rateLimit rules, the signal to act upon when activating the rateLimit

type
string
required: true

(block, allow, exclude, browserChallenge, verifyToken) (rateLimit rule valid values: logRequest, blockSignal, browserChallenge, verifyToken)

redirectURL
string

URL to redirect to when blockHTTPCode is 301 or 302

responseCode
integer

HTTP response code for blocked requests (default: 406)

allowInteractive
boolean

Allows switching between a non-interactive and interactive browser challenge. Only valid with the browserChallenge action type.

requestlogging
string
default: sampled
enum: sampled,none

Indicates whether to store the logs for requests that match the rule's conditions (sampled) or not store them (none). This field is only available for request rules.

rateLimit
threshold
integer

Requests counted before activating the rate limit

interval
integer

Length of time in minutes the threshold should be measured for

duration
integer

Length of time in seconds to enforce the rule for once activated

reason
string
required: true

Description of the rule

expiration
string
required: true

Date the rule will automatically be disabled. If rule is always enabled, will return empty string

createdBy
string
required: true

The user that created the rule

created
string
required: true

Created RFC3339 date time

updated
string
required: true

Last updated RFC3339 date time

Response Example
{
                                        "id": "5e321810f13d660ea4cd8d0f",
                                        "siteNames": [
                                            "www.example.com"
                                        ],
                                        "type": "signal",
                                        "enabled": true,
                                        "groupOperator": "all",
                                        "conditions": [
                                            {
                                                "type": "single",
                                                "field": "ip",
                                                "operator": "equals",
                                                "value": "198.51.100.177"
                                            },
                                            {
                                                "type": "group",
                                                "groupOperator": "any",
                                                "conditions": [
                                                    {
                                                        "type": "single",
                                                        "field": "ip",
                                                        "operator": "equals",
                                                        "value": "203.0.113.247"
                                                    }
                                                ]
                                            }
                                        ],
                                        "actions": [
                                            {
                                                "type": "excludeSignal"
                                            }
                                        ],
                                        "signal": "SQLI",
                                        "reason": "Known malicious IPs",
                                        "expiration": "",
                                        "createdBy": "user@example.com",
                                        "created": "2020-01-29T23:41:04Z",
                                        "updated": "2020-01-29T23:45:21Z"
                                    }
                                    

Delete rule from site

delete /corps/{corpName}/sites/{siteName}/rules/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Delete successful

List available rule templates

get /corps/{corpName}/sites/{siteName}/templates

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
template array
required: true
id
string
name
string

Name of templated rule

shortName
string

Display name of templated rule

description
string

Description of templated rule

fields
object array
unique items: true
name
string
required: true

Name of template field

type
string
required: true

Value type of template field

label
string
required: true

Short description for template field

placeholder
string
required: true

Placeholder value for template field

Response Example
{
                                  "data": [
                                    {
                                      "id": "LOGINATTEMPT",
                                      "name": "LOGINATTEMPT",
                                      "shortName": "Login Attempts",
                                      "description": "Indicates a login attempt",
                                      "fields": [
                                        {
                                            "name": "path",
                                            "type": "string",
                                            "label": "If a request's POST path equals",
                                            "placeholder": "/auth/*"
                                        }
                                      ]
                                    },
                                    {
                                      "id": "REGATTEMPT",
                                      "name": "REGATTEMPT",
                                      "shortName": "Registration Attempts",
                                      "description": "Indicates a registration attempt",
                                      "fields": [
                                        {
                                            "name": "path",
                                            "type": "string",
                                            "label": "If a request's POST path equals",
                                            "placeholder": "/register/*"
                                        }
                                      ]
                                    }
                                  ]
                                }
                                

Get rule template by id

get /corps/{corpName}/sites/{siteName}/templates/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string
name
string

Name of templated rule

shortName
string

Display name of templated rule

description
string

Description of templated rule

fields
object array
unique items: true
name
string
required: true

Name of template field

type
string
required: true

Value type of template field

label
string
required: true

Short description for template field

placeholder
string
required: true

Placeholder value for template field

Response Example
{
                                      "id": "LOGINATTEMPT",
                                      "name": "LOGINATTEMPT",
                                      "shortName": "Login Attempts",
                                      "description": "Indicates a login attempt",
                                      "fields": [
                                          {
                                              "name": "path",
                                              "type": "string",
                                              "label": "If a request's POST path equals",
                                              "placeholder": "/auth/*"
                                          }
                                      ]
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

List configured templated rules

get /corps/{corpName}/sites/{siteName}/configuredtemplates

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
configuredTemplate array
required: true
name
string
required: true
detections
configuredTemplateDetection array
required: true
id
string
required: true
name
string
required: true

Name of templated rule

enabled
boolean
required: true

A flag to toggle this detection

fields
object array
unique items: true
name
string
required: true
value
integer,string,boolean
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

alerts
alert array
required: true
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
Response Example
{
                                  "data": [
                                    {
                                      "name": "LOGINATTEMPT",
                                      "detections": [
                                          {
                                              "id": "5e4d815ac931492a13d95e60",
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ],
                                              "created": "2020-02-19T10:41:30-08:00",
                                              "createdBy": "user@example.com"
                                          }
                                      ],
                                      "alerts": [
                                          {
                                              "id": "5e4d815ac931492a13d95e62",
                                              "tagName": "LOGINATTEMPT",
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "type": "template",
                                              "interval": 1,
                                              "threshold": 50,
                                              "skipNotifications": false,
                                              "enabled": true,
                                              "action": "info",
                                              "fieldName": "remoteIP",
                                              "createdBy": "",
                                              "created": "2020-02-19T18:41:30Z"
                                          }
                                      ]
                                    }
                                  ]
                                }
                                

Get configured template rule by id

get /corps/{corpName}/sites/{siteName}/configuredtemplates/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string
name
string

Name of templated rule

shortName
string

Display name of templated rule

description
string

Description of templated rule

fields
object array
unique items: true
name
string
required: true

Name of template field

type
string
required: true

Value type of template field

label
string
required: true

Short description for template field

placeholder
string
required: true

Placeholder value for template field

Response Example
{
                                      "name": "LOGINATTEMPT",
                                      "detections": [
                                          {
                                              "id": "5e4d815ac931492a13d95e60",
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ],
                                              "created": "2020-02-19T10:41:30-08:00",
                                              "createdBy": "user@example.com"
                                          }
                                      ],
                                      "alerts": [
                                          {
                                              "id": "5e4d815ac931492a13d95e62",
                                              "tagName": "LOGINATTEMPT",
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "type": "template",
                                              "interval": 1,
                                              "threshold": 50,
                                              "skipNotifications": false,
                                              "enabled": true,
                                              "action": "info",
                                              "fieldName": "remoteIP",
                                              "createdBy": "",
                                              "created": "2020-02-19T18:41:30Z"
                                          }
                                      ]
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

Update site template rule by name

post /corps/{corpName}/sites/{siteName}/configuredtemplates/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
alertAdds
configuredTemplateAlertAdd array
required: true
longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
min: 1
max: 10000

The number of occurrences of the tag in the interval needed to trigger the alert.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

alertDeletes
alert array
required: true
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
alertUpdates
alert array
required: true
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
detectionAdds
configuredTemplateDetectionAdd array
required: true
enabled
boolean
required: true

A flag to toggle this detection

fields
object array
min items: 1
unique items: true
name
string
required: true
value
integer,string,boolean
required: true
detectionDeletes
configuredTemplateDetection array
required: true
id
string
required: true
name
string
required: true

Name of templated rule

enabled
boolean
required: true

A flag to toggle this detection

fields
object array
unique items: true
name
string
required: true
value
integer,string,boolean
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

detectionUpdates
configuredTemplateDetection array
required: true
id
string
required: true
name
string
required: true

Name of templated rule

enabled
boolean
required: true

A flag to toggle this detection

fields
object array
unique items: true
name
string
required: true
value
integer,string,boolean
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

Request Example
{
                                      "alertAdds": [
                                          {
                                              "action": "info",
                                              "enabled": true,
                                              "interval": 1,
                                              "skipNotifications": false,
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "threshold": 50
                                          }
                                      ],
                                      "alertDeletes": [],
                                      "alertUpdates": [],
                                      "detectionAdds": [
                                          {
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ]
                                          }
                                      ],
                                      "detectionDeletes": [],
                                      "detectionUpdates": []
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
name
string
required: true
detections
configuredTemplateDetection array
required: true
id
string
required: true
name
string
required: true

Name of templated rule

enabled
boolean
required: true

A flag to toggle this detection

fields
object array
unique items: true
name
string
required: true
value
integer,string,boolean
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

alerts
alert array
required: true
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
Response Example
{
                                      "name": "LOGINATTEMPT",
                                      "detections": [
                                          {
                                              "id": "5e4d815ac931492a13d95e60",
                                              "name": "LOGINATTEMPT",
                                              "enabled": true,
                                              "fields": [
                                                  {
                                                      "name": "path",
                                                      "value": "/auth/*"
                                                  }
                                              ],
                                              "created": "2020-02-19T10:41:30-08:00",
                                              "createdBy": "user@example.com"
                                          }
                                      ],
                                      "alerts": [
                                          {
                                              "id": "5e4d815ac931492a13d95e62",
                                              "tagName": "LOGINATTEMPT",
                                              "longName": "LOGINATTEMPT-50-in-1",
                                              "type": "template",
                                              "interval": 1,
                                              "threshold": 50,
                                              "skipNotifications": false,
                                              "enabled": true,
                                              "action": "info",
                                              "fieldName": "remoteIP",
                                              "createdBy": "",
                                              "created": "2020-02-19T18:41:30Z"
                                          }
                                      ]
                                    }
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Validation failed"}
                                    

List signal tags in site

get /corps/{corpName}/sites/{siteName}/tags

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
siteSignalTag array
required: true
unique items: true
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                  "data": [
                                    {
                                      "shortName": "OAuth Login",
                                      "tagName": "site.oauth-login",
                                      "longName": "OAuth Login",
                                      "description": "An attempt to sign in via OAuth. Tracks the occurrence of a specific event that only happens on our site",
                                      "configurable": false,
                                      "informational": false,
                                      "needsResponse": false,
                                      "createdBy": "user@example.com",
                                      "created": "2020-01-21T21:31:52Z"
                                    }
                                  ]
                                }
                                

Create site signal tag

post /corps/{corpName}/sites/{siteName}/tags

Request

Body (application/json)
Name
Type
Description
shortName
string
min len: 3
max len: 25
required: true

The display name of the signal tag

description
string
max len: 140

Optional signal tag description

Request Example
{
                                  "shortName": "example-signal-tag",
                                  "description": "Tracks the occurrence of a specific event that only happens on our site."
                                }
                                

Responses

HTTP 201
Name
Type
Description
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                  "shortName": "example-signal-tag",
                                  "tagName": "site.example-signal-tag",
                                  "longName": "example-signal-tag",
                                  "description": "Tracks the occurrence of a specific event that only happens on our site",
                                  "configurable": false,
                                  "informational": false,
                                  "needsResponse": false,
                                  "createdBy": "user@example.com",
                                  "created": "2020-01-21T23:23:03Z"
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"validation error/duplicate tag name"}
                                

Get site signal tag by tagName

get /corps/{corpName}/sites/{siteName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string
required: true

Responses

HTTP 200
Name
Type
Description
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                      "shortName": "example-signal-tag",
                                      "tagName": "site.example-signal-tag",
                                      "longName": "example-signal-tag",
                                      "description": "An example of a custom site signal tag",
                                      "configurable": false,
                                      "informational": false,
                                      "needsResponse": false,
                                      "createdBy": "user@example.com",
                                      "created": "2020-01-21T23:23:03Z"
                                    }
                                    

Update site signal tag

patch /corps/{corpName}/sites/{siteName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string
required: true
Body (application/json)
Name
Type
Description
description
string
max len: 140
required: true

Optional signal tag description

Request Example
{
                                     "description": "An updated example of a custom signal tag."
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
shortName
string
required: true

The display name of the signal tag

tagName
string
required: true

The identifier for the signal tag

longName
string
read only: true
required: true

The display name of the signal tag - deprecated

description
string
required: true

Optional signal tag description

configurable
boolean
read only: true
required: true
informational
boolean
read only: true
required: true
needsResponse
boolean
read only: true
required: true
createdBy
string
read only: true

Email address of the user that created the resource

created
string
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                      "shortName": "example-signal-tag",
                                      "tagName": "site.example-signal-tag",
                                      "longName": "example-signal-tag",
                                      "description": "An updated example of a custom signal tag.",
                                      "configurable": false,
                                      "informational": false,
                                      "needsResponse": false,
                                      "createdBy": "user@example.com",
                                      "created": "2020-01-21T23:23:03Z"
                                    }
                                    

Delete signal tag from site

delete /corps/{corpName}/sites/{siteName}/tags/{tagName}

Request

URI Parameters
Name
Type
Description
tagName
string
required: true

Responses

HTTP 204

Delete successful

Get all lists

get /corps/{corpName}/sites/{siteName}/lists

Request

Responses

HTTP 200
Name
Type
Description
data
list array
required: true
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                  "data": [
                                    {
                                      "id": "site.known-attackers",
                                      "name": "Known Attackers",
                                      "type": "ip",
                                      "description": "Malicious IPs we're tracking",
                                      "entries": [
                                        "203.0.113.247",
                                        "198.51.100.177",
                                        "192.0.2.137"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-06T18:57:55Z",
                                      "updated": "2018-08-13T15:26:01Z"
                                    },
                                    {
                                      "id": "site.ofac-countries",
                                      "name": "OFAC Countries",
                                      "type": "country",
                                      "description": "Countries on the OFAC list",
                                      "entries": [
                                        "MM",
                                        "CI",
                                        "CU",
                                        "IR",
                                        "KP",
                                        "SY"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-03T20:50:54Z",
                                      "updated": "2018-08-03T20:50:59Z"
                                    }
                                  ]
                                }
                                

Create list

post /corps/{corpName}/sites/{siteName}/lists

Request

Body (application/json)
Name
Type
Description
name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard, signal)

description
string
max len: 140

Optional list description

entries
string array

List entries

Request Example
{
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "203.0.113.247",
                                    "198.51.100.177",
                                    "192.0.2.137"
                                  ]
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                  "id": "site.my-new-list",
                                  "name": "My New List",
                                  "type": "ip",
                                  "description": "Some IPs we're putting in a list",
                                  "entries": [
                                    "203.0.113.247",
                                    "198.51.100.177",
                                    "192.0.2.137"
                                  ],
                                  "createdBy": "user@example.com",
                                  "created": "2018-08-16T17:38:27Z",
                                  "updated": "2018-08-16T17:38:27Z"
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"List cannot be deleted because a rule uses it"}
                                

Get list by id

get /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                      "id": "site.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're putting in a list",
                                      "entries": [
                                        "203.0.113.247",
                                        "198.51.100.177",
                                        "192.0.2.137"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T17:38:27Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

Update list by id

patch /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
description
string
max len: 140

Optional list description

entries
additions
string array

List additions

deletions
string array

List deletions

Request Example
{
                                      "entries": {
                                        "additions": [
                                          "203.0.113.6"
                                        ],
                                        "deletions": [
                                          "203.0.113.247",
                                          "192.0.2.137"
                                        ]
                                      }
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                      "id": "site.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "198.51.100.177",
                                        "203.0.113.6"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

Replace list by id

put /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
description
string
max len: 140

Optional list description

entries
string array

List entries

Request Example
{
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "203.0.113.247",
                                        "192.0.2.137",
                                        "192.0.2.223"
                                      ]
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string

Site-specific unique ID of the list

name
string
min len: 3
max len: 32

Descriptive list name

type
string

List types (string, ip, country, wildcard)

description
string
max len: 140

Optional list description

entries
string array

List entries

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

updated
string
format: date-time
read only: true

Last updated RFC3339 date time

Response Example
{
                                      "id": "site.my-new-list",
                                      "name": "My New List",
                                      "type": "ip",
                                      "description": "Some IPs we're still putting in a list",
                                      "entries": [
                                        "203.0.113.247",
                                        "192.0.2.137",
                                        "192.0.2.223"
                                      ],
                                      "createdBy": "user@example.com",
                                      "created": "2018-08-16T17:38:27Z",
                                      "updated": "2018-08-16T21:43:08Z"
                                    }
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

Delete list

delete /corps/{corpName}/sites/{siteName}/lists/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Successful removal from the list

HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"ID not found"}
                                    

List alerts

get /corps/{corpName}/sites/{siteName}/alerts

Request

Responses

HTTP 200
Name
Type
Description
data
alert array
required: true
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
Response Example
{
                                  data: [
                                    {
                                        "id": "5e45dc78c931491dc923e4a6",
                                        "tagName": "site.example-signal-tag",
                                        "longName": "Alert",
                                        "type": "siteAlert",
                                        "interval": 1,
                                        "threshold": 10,
                                        "skipNotifications": false,
                                        "enabled": true,
                                        "action": "flagged",
                                        "fieldName": "remoteIP",
                                        "createdBy": "user@example.com",
                                        "created": "2020-02-13T23:23:03Z",
                                        "updated": "2020-01-13T23:23:03Z"
                                    }
                                  ]
                                }
                                

Create alert

post /corps/{corpName}/sites/{siteName}/alerts

Request

Body (application/json)
Name
Type
Description
tagName
string

The name of the tag whose occurrences the alert is watching. Must match an existing tag

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
min: 1
max: 10000

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

Request Example
{
                                  "tagName": "custom-tag",
                                  "longName": "Example Alert",
                                  "interval": 1,
                                  "threshold": 10,
                                  "enabled": true,
                                  "action": "flagged"
                                }
                                

Responses

HTTP 201
Name
Type
Description
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
Response Example
{
                                  "id": "5e45dc78c931491dc923e4a6",
                                  "tagName": "site.example-signal-tag",
                                  "longName": "Alert",
                                  "type": "siteAlert",
                                  "interval": 1,
                                  "threshold": 10,
                                  "skipNotifications": false,
                                  "enabled": true,
                                  "action": "flagged",
                                  "fieldName": "remoteIP",
                                  "createdBy": "user@example.com",
                                  "created": "2020-02-13T23:23:03Z",
                                  "updated": "2020-01-13T23:23:03Z"
                                }
                                

Get alert

get /corps/{corpName}/sites/{siteName}/alerts/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200
Name
Type
Description
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
Response Example
{
                                      "id": "5e45dc78c931491dc923e4a6",
                                      "tagName": "site.example-signal-tag",
                                      "longName": "Alert",
                                      "type": "siteAlert",
                                      "interval": 1,
                                      "threshold": 10,
                                      "skipNotifications": false,
                                      "enabled": true,
                                      "action": "flagged",
                                      "fieldName": "remoteIP",
                                      "createdBy": "user@example.com",
                                      "created": "2020-02-13T23:23:03Z",
                                      "updated": "2020-01-13T23:23:03Z"
                                    }
                                    

Update alert

patch /corps/{corpName}/sites/{siteName}/alerts/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
tagName
string

The name of the tag whose occurrences the alert is watching. Must match an existing tag

longName
string

A human readable description of the alert. Must be between 3 and 25 characters.

interval
integer

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
min: 1
max: 10000

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

enabled
boolean

A flag to toggle this alert.

action
string

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

Request Example
{
                                      "tagName": "custom-tag",
                                      "interval": 1,
                                      "threshold": 10,
                                      "enabled": true,
                                      "action": "flagged"
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string
required: true

Site-specific unique ID of the alert

tagName
string
required: true

The name of the tag whose occurrences the alert is watching.

longName
string
required: true

A human readable description of the alert. Must be between 3 and 25 characters.

type
string
required: true

Type of alert (siteAlert, template, rateLimit, siteMetric)

interval
integer
required: true

The number of minutes of past traffic to examine. Must be 1, 10 or 60.

threshold
integer
required: true

The number of occurrences of the tag in the interval needed to trigger the alert.

blockDurationSeconds
integer

The number of seconds this alert is active.

skipNotifications
boolean

A flag to disable external notifications - slack, webhooks, emails, etc.

enabled
boolean
required: true

A flag to toggle this alert.

action
string
required: true

A flag that describes what happens when the alert is triggered. 'info' creates an incident in the dashboard. 'flagged' creates an incident and blocks traffic for 24 hours.

fieldName
string
required: true
createdBy
string
required: true

The email of the user that created the alert

created
string
required: true

Created RFC3339 date time

operator
string
Response Example
{
                                      "id": "random-uuid-string",
                                      "siteId": "site-id-hex",
                                      "tagName": "custom-tag",
                                      "interval": 1,
                                      "threshold": 10,
                                      "enabled": true,
                                      "action": "flagged",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                    

Delete alert

delete /corps/{corpName}/sites/{siteName}/alerts/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Delete successful

Search requests

get /corps/{corpName}/sites/{siteName}/requests

Request

Query Parameters
Name
Type
Description
page
integer

The page of the results. Each page is limited to 1,000 requests, and a maximum of 10,000 requests in total will be returned.

limit
integer
default: 100
max: 1000

The number of entries to be returned per page

pretty
boolean

Pretty print the json output

q
string

Search query. See Search Syntax.

Responses

HTTP 200
Name
Type
Description
totalCount
integer

Total number of records matching the search

next
uri
string

Reference to the next page of data

data
request array
id
string

Unique ID of the request

timestamp
string
format: date-time

Timestamp RFC3339 date time

serverHostname
string

Server hostname

serverName
string

Server name

uri
string

URI

path
string

Path

userAgent
string

User agent of the request

remoteIP
string

Remote IP address

remoteHostname
string

Remote hostname

remoteCountryCode
string

Remote country code

method
string

HTTP method e.g. PUT

protocol
string

HTTP protocol e.g. HTTP/1.1

responseCode
integer
format: int32

HTTP response code

responseSize
integer
format: int32

HTTP response size

responseMillis
integer
format: int32

Response time in millis

agentResponseCode
integer
format: int32

Agent response code

summation
attrs
bot_j
string

JA3 fingerprint of client

tags
type
string

Type of tag

location
string

Where the tag was detected

value
string

Value

detector
string

Detector

required
description
Response Example
{
                                  "totalCount": 3,
                                  "next": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/requests?limit=1&page=1"
                                  },
                                  "data": [
                                      {
                                          "id": "54871be4f749437f4f00008d",
                                          "serverHostname": "local",
                                          "remoteIP": "95.128.246.44",
                                          "remoteHostname": "95-128-246-44.avk-com.ru",
                                          "remoteCountryCode": "RU",
                                          "userAgent": "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000691)",
                                          "timestamp": "2014-12-09T15:57:24Z",
                                          "method": "PUT",
                                          "serverName": "",
                                          "protocol": "HTTP/1.1",
                                          "path": "/help/../../../../../../../../../../../../../../../../etc/shadow",
                                          "uri": "",
                                          "responseCode": 503,
                                          "responseSize": 88336,
                                          "responseMillis": 0,
                                          "agentResponseCode": 200,
                                          "summation": {
                                              "attrs": {
                                                  "bot_j": "2bab0327a296230f9f6427341e716ea0",
                                               },
                                          },
                                          "tags": [
                                              {
                                                  "type": "HTTP503",
                                                  "location": "HTTP",
                                                  "value": "503",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SANS",
                                                  "location": "HTTP",
                                                  "value": "95.128.246.44",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SQLI",
                                                  "location": "QUERYSTRING",
                                                  "value": "foo=1 OR 1",
                                                  "detector": "bogus"
                                              }
                                          ]
                                      }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Get request by ID

get /corps/{corpName}/sites/{siteName}/requests/{requestID}

Request

URI Parameters
Name
Type
Description
requestID
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string

Unique ID of the request

timestamp
string
format: date-time

Timestamp RFC3339 date time

serverHostname
string

Server hostname

serverName
string

Server name

uri
string

URI

path
string

Path

userAgent
string

User agent of the request

remoteIP
string

Remote IP address

remoteHostname
string

Remote hostname

remoteCountryCode
string

Remote country code

method
string

HTTP method e.g. PUT

protocol
string

HTTP protocol e.g. HTTP/1.1

responseCode
integer
format: int32

HTTP response code

responseSize
integer
format: int32

HTTP response size

responseMillis
integer
format: int32

Response time in millis

agentResponseCode
integer
format: int32

Agent response code

summation
attrs
bot_j
string

JA3 fingerprint of client

tags
type
string

Type of tag

location
string

Where the tag was detected

value
string

Value

detector
string

Detector

Response Example
{
                                        "id": "54871be4f749437f4f00008d",
                                        "serverHostname": "local",
                                        "remoteIP": "95.128.246.44",
                                        "remoteHostname": "95-128-246-44.avk-com.ru",
                                        "remoteCountryCode": "RU",
                                        "userAgent": "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000691)",
                                        "timestamp": "2014-12-09T15:57:24Z",
                                        "method": "PUT",
                                        "serverName": "",
                                        "protocol": "HTTP/1.1",
                                        "path": "/help/../../../../../../../../../../../../../../../../etc/shadow",
                                        "uri": "",
                                        "responseCode": 503,
                                        "responseSize": 88336,
                                        "agentResponseCode": 200,
                                        "summation": {
                                            "attrs": {
                                                "bot_j": "2bab0327a296230f9f6427341e716ea0",
                                             },
                                        },
                                        "tags": [
                                            {
                                              "type": "HTTP503",
                                              "location": "HTTP",
                                              "value": "503",
                                              "detector": "bogus"
                                            },
                                            {
                                                "type": "SANS",
                                                "location": "HTTP",
                                                "value": "95.128.246.44",
                                                "detector": "bogus"
                                            },
                                            {
                                                "type": "SQLI",
                                                "location": "QUERYSTRING",
                                                "value": "foo=1 OR 1",
                                                "detector": "bogus"
                                            }
                                        ]
                                    }
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    

Get request feed

get /corps/{corpName}/sites/{siteName}/feed/requests

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

from
integer
required: true

The POSIX Unix time to start. Has restrictions - see Extracting Your Data.

until
integer
required: true

The POSIX Unix time to end. Has restrictions - see Extracting Your Data.

tags
string

Limits feed to specific tags, comma-separated list - see System Tags.

Responses

HTTP 200
Name
Type
Description
next
uri
string

Reference to the next page of data

data
request array
id
string

Unique ID of the request

timestamp
string
format: date-time

Timestamp RFC3339 date time

serverHostname
string

Server hostname

serverName
string

Server name

uri
string

URI

path
string

Path

userAgent
string

User agent of the request

remoteIP
string

Remote IP address

remoteHostname
string

Remote hostname

remoteCountryCode
string

Remote country code

method
string

HTTP method e.g. PUT

protocol
string

HTTP protocol e.g. HTTP/1.1

responseCode
integer
format: int32

HTTP response code

responseSize
integer
format: int32

HTTP response size

responseMillis
integer
format: int32

Response time in millis

agentResponseCode
integer
format: int32

Agent response code

summation
attrs
bot_j
string

JA3 fingerprint of client

tags
type
string

Type of tag

location
string

Where the tag was detected

value
string

Value

detector
string

Detector

required
Response Example
{
                                  "next": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/feed/requests?next=cXVlcnlUaGVuRmV0Y2g7Mjs4NDM6cGhsQU1DdHRUTWEtWTJNdFRucVpDZzs4NDI6cGhsQU1DdHRUTWEtWTJNdFRucVpDZzswOw=="
                                  },
                                  "data": [
                                      {
                                          "id": "54871be4f749437f4f00008d",
                                          "serverHostname": "local",
                                          "remoteIP": "95.128.246.44",
                                          "remoteHostname": "95-128-246-44.avk-com.ru",
                                          "remoteCountryCode": "RU",
                                          "userAgent": "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000691)",
                                          "timestamp": "2014-12-09T15:57:24Z",
                                          "method": "PUT",
                                          "serverName": "",
                                          "protocol": "HTTP/1.1",
                                          "path": "/help/../../../../../../../../../../../../../../../../etc/shadow",
                                          "uri": "",
                                          "responseCode": 503,
                                          "responseSize": 88336,
                                          "responseMillis": 0,
                                          "agentResponseCode": 200,
                                          "summation": {
                                              "attrs": {
                                                  "bot_j": "2bab0327a296230f9f6427341e716ea0",
                                               },
                                          },
                                          "tags": [
                                              {
                                                  "type": "HTTP503",
                                                  "location": "HTTP",
                                                  "value": "503",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SANS",
                                                  "location": "HTTP",
                                                  "value": "95.128.246.44",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SQLI",
                                                  "location": "QUERYSTRING",
                                                  "value": "foo=1 OR 1",
                                                  "detector": "bogus"
                                              }
                                          ]
                                      }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid timestamp param"}
                                
HTTP 500
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Error performing search"}
                                
HTTP 504
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Feed timeout exceeded"}
                                

Retrieve a paginated feed

post /corps/{corpName}/sites/{siteName}/feed/requests

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Form Parameters
Name
Type
Description
next
string
required: true

The pagination cursor ID. Read our guide on Using our API for details.

Content-Type
string
required: true

Must be 'application/x-www-form-urlencoded'

Responses

HTTP 200
Name
Type
Description
next
uri
string

Reference to the next page of data

data
request array
id
string

Unique ID of the request

timestamp
string
format: date-time

Timestamp RFC3339 date time

serverHostname
string

Server hostname

serverName
string

Server name

uri
string

URI

path
string

Path

userAgent
string

User agent of the request

remoteIP
string

Remote IP address

remoteHostname
string

Remote hostname

remoteCountryCode
string

Remote country code

method
string

HTTP method e.g. PUT

protocol
string

HTTP protocol e.g. HTTP/1.1

responseCode
integer
format: int32

HTTP response code

responseSize
integer
format: int32

HTTP response size

responseMillis
integer
format: int32

Response time in millis

agentResponseCode
integer
format: int32

Agent response code

summation
attrs
bot_j
string

JA3 fingerprint of client

tags
type
string

Type of tag

location
string

Where the tag was detected

value
string

Value

detector
string

Detector

required
Response Example
{
                                  "next": {
                                      "uri": "/api/v0/corps/testcorp/sites/www.example.com/feed/requests?next=cXVlcnlUaGVuRmV0Y2g7Mjs4NDM6cGhsQU1DdHRUTWEtWTJNdFRucVpDZzs4NDI6cGhsQU1DdHRUTWEtWTJNdFRucVpDZzswOw=="
                                  },
                                  "data": [
                                      {
                                          "id": "54871be4f749437f4f00008d",
                                          "serverHostname": "local",
                                          "remoteIP": "95.128.246.44",
                                          "remoteHostname": "95-128-246-44.avk-com.ru",
                                          "remoteCountryCode": "RU",
                                          "userAgent": "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000691)",
                                          "timestamp": "2014-12-09T15:57:24Z",
                                          "method": "PUT",
                                          "serverName": "",
                                          "protocol": "HTTP/1.1",
                                          "path": "/help/../../../../../../../../../../../../../../../../etc/shadow",
                                          "uri": "",
                                          "responseCode": 503,
                                          "responseSize": 88336,
                                          "responseMillis": 0,
                                          "agentResponseCode": 200,
                                          "summation": {
                                              "attrs": {
                                                  "bot_j": "2bab0327a296230f9f6427341e716ea0",
                                               },
                                          },
                                          "tags": [
                                              {
                                                  "type": "HTTP503",
                                                  "location": "HTTP",
                                                  "value": "503",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SANS",
                                                  "location": "HTTP",
                                                  "value": "95.128.246.44",
                                                  "detector": "bogus"
                                              },
                                              {
                                                  "type": "SQLI",
                                                  "location": "QUERYSTRING",
                                                  "value": "foo=1 OR 1",
                                                  "detector": "bogus"
                                              }
                                          ]
                                      }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid timestamp param"}
                                
HTTP 500
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Error performing search"}
                                
HTTP 504
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Feed timeout exceeded"}
                                

List events

get /corps/{corpName}/sites/{siteName}/events

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

sort
one of (asc,desc)
default: desc
enum: asc,desc

The sort order

since_id
string

The id of the last object in the set

max_id
string

The id of the last object in the set

limit
integer
default: 100
max: 1000

The number of entries to be returned per page

page
integer

The page of the results. Each page is limited to 1,000 requests, and a maximum of 10,000 requests in total will be returned.

pretty
boolean

Pretty print the json output

action
one of (flagged,info)
enum: flagged,info

Filter based on action

tag
string
min len: 3
matching: [a-zA-Z0-9_-]+

Filter based on tag

ip
string
min len: 7
max len: 15

Filter based on IP

status
one of (active,expired)
enum: active,expired

Filter based on status

Responses

HTTP 200
Name
Type
Description
totalCount
integer
format: int32

Total number of matching documents

next
uri
string

Reference to the next page of data

data
event array
required: true
id
string

Unique ID of the event

timestamp
string
format: date-time

Timestamp RFC3339 date time

source
string

Source information

remoteCountryCode
string

Country code

remoteHostname
string

Remote hostname

userAgents
useragents
string

Useragents

action
string

Either "flagged" (IP is flagged and subsequent malicious requests will be blocked) or "info" (IP is flagged and subsequent requests will be logged).

reasons
object

Key attack type - value number of

requestCount
integer
format: int32

Total number of requests

tagCount
integer
format: int32

Total number of tags

window
integer
format: int32

Time window in seconds where the items were detected

expires
string
format: date-time

Expires RFC3339 date time

expiredBy
string

email of the user if the event is expired manually

Response Example
{
                                  "totalCount": 5,
                                  "next": {
                                    "uri": "/api/v0/corps/testcorp/sites/www.example.com/events?limit=1&page=2"
                                  },
                                  "data": [
                                    {
                                      "id": "54de69dcba53b02fbf000018",
                                      "timestamp": "2015-02-13T21:17:16Z",
                                      "source": "162.245.23.109",
                                      "remoteCountryCode": "AU",
                                      "remoteHostname": "",
                                      "userAgents": [
                                        "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
                                      ],
                                      "action": "flagged",
                                      "type": "attack",
                                      "reasons": {
                                        "SQLI": 99
                                      },
                                      "requestCount": 1,
                                      "tagCount": 1,
                                      "window": 60,
                                      "expires": "2015-02-14T21:17:16Z",
                                      "expiredBy": ""
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Get event by ID

get /corps/{corpName}/sites/{siteName}/events/{eventID}

Request

URI Parameters
Name
Type
Description
eventID
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string

Unique ID of the event

timestamp
string
format: date-time

Timestamp RFC3339 date time

source
string

Source information

remoteCountryCode
string

Country code

remoteHostname
string

Remote hostname

userAgents
useragents
string

Useragents

action
string

Either "flagged" (IP is flagged and subsequent malicious requests will be blocked) or "info" (IP is flagged and subsequent requests will be logged).

reasons
object

Key attack type - value number of

requestCount
integer
format: int32

Total number of requests

tagCount
integer
format: int32

Total number of tags

window
integer
format: int32

Time window in seconds where the items were detected

expires
string
format: date-time

Expires RFC3339 date time

expiredBy
string

email of the user if the event is expired manually

Response Example
{
                                      "id": "54de69dcba53b02fbf000018",
                                      "timestamp": "2015-02-13T21:17:16Z",
                                      "source": "162.245.23.109",
                                      "remoteCountryCode": "AU",
                                      "remoteHostname": "",
                                      "userAgents": [
                                        "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
                                      ],
                                      "action": "flagged",
                                      "type": "attack",
                                      "reasons": {
                                        "SQLI": 99
                                      },
                                      "requestCount": 1,
                                      "tagCount": 1,
                                      "window": 60,
                                      "expires": "2015-02-14T21:17:16Z",
                                      "expiredBy": ""
                                    }
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    

Expire an event by ID

post /corps/{corpName}/sites/{siteName}/events/{eventID}/expire

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string

Unique ID of the event

timestamp
string
format: date-time

Timestamp RFC3339 date time

source
string

Source information

remoteCountryCode
string

Country code

remoteHostname
string

Remote hostname

userAgents
useragents
string

Useragents

action
string

Either "flagged" (IP is flagged and subsequent malicious requests will be blocked) or "info" (IP is flagged and subsequent requests will be logged).

reasons
object

Key attack type - value number of

requestCount
integer
format: int32

Total number of requests

tagCount
integer
format: int32

Total number of tags

window
integer
format: int32

Time window in seconds where the items were detected

expires
string
format: date-time

Expires RFC3339 date time

expiredBy
string

email of the user if the event is expired manually

Response Example
{
                                          "id": "54de69dcba53b02fbf000018",
                                          "timestamp": "2015-02-13T21:17:16Z",
                                          "source": "162.245.23.109",
                                          "remoteCountryCode": "AU",
                                          "remoteHostname": "",
                                          "userAgents": [
                                            "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
                                          ],
                                          "action": "flagged",
                                          "type": "attack",
                                          "reasons": {
                                            "SQLI": 99
                                          },
                                          "requestCount": 1,
                                          "tagCount": 1,
                                          "window": 60,
                                          "expires": "2015-02-14T21:17:16Z",
                                          "expiredBy": ""
                                        }
                                        
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                        

List suspicious IPs

get /corps/{corpName}/sites/{siteName}/suspiciousIPs

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

limit
integer
default: 5
min: 1
max: 50

The number of IPs to be returned

Responses

HTTP 200
Name
Type
Description
data
suspiciousIP array
required: true
source
string
read only: true

IP address

remoteCountryCode
string
read only: true

Remote country code

remoteHostname
string
read only: true

Remote hostname

percent
integer
read only: true

Percent towards flagged threshold

tagName
string
read only: true

Attack tag seen from this IP

shortName
string
read only: true

Label for this attack tag

intervalStart
string
format: date-time
read only: true

Beginning of most recent interval in which this attack was seen

timestamp
string
format: date-time
read only: true

Time of most recent attack

Response Example
{
                                  "data": [
                                    {
                                      "source": "95.128.246.44",
                                      "percent": 20,
                                      "remoteCountryCode": "RU",
                                      "remoteHostname": "95-128-246-44.avk-com.ru",
                                      "tagName": "USERAGENT",
                                      "shortName": "Attack Tooling",
                                      "reasons": {
                                        "USERAGENT": 99
                                      },
                                      "intervalStart": "2016-08-09T17:05:17Z",
                                      "timestamp": "2016-08-09T18:05:17Z",
                                    },
                                    {
                                      "source": "95.128.246.45",
                                      "percent": 6,
                                      "remoteCountryCode": "RU",
                                      "remoteHostname": "95-128-246-45.avk-com.ru",
                                      "tagName": "SQLI",
                                      "shortName": "SQLI",
                                      "reasons": {
                                        "SQLI": 2,
                                        "TRAVERSAL": 1,
                                        "XSS": 4
                                      },
                                      "intervalStart": "2016-08-09T17:05:17Z",
                                      "timestamp": "2016-08-09T18:05:17Z",
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

List rate-limited IPs

get /corps/{corpName}/sites/{siteName}/rateLimitedIPs

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

ip
string

The IP address used to filter results

limit
integer
default: 20

The maximum number of IPs to be returned per page

page
integer
default: 1
min: 1

The page number of the results

tag
string

signal ID

Responses

HTTP 200
Name
Type
Description
data
rateLimitedIP array
required: true
id
string
created
string

Created RFC3339 date time

siteID
string
signal
string

Signal name

ip
string

IP address

expires
string

RFC3339 date time when the rule will automatically be disabled. If rule is always enabled, will return empty string

Response Example
{
                                  "data": [
                                    {
                                      "id": "558cde3f3dfaa4a82900000a",
                                      "ip": "95.128.246.44",
                                      "siteID": "cb8cde3f3dfaa4a82900d00b",
                                      "signal": "signal nickname",
                                      "created": "2016-08-09T17:05:17Z",
                                      "expires": "2017-08-09T17:05:17Z",
                                    },
                                    {
                                      "id": "fd8cde3f3dfaa4a82900200f",
                                      "ip": "95.128.246.45",
                                      "siteID": "668cde3f3dfaa4a829000110c",
                                      "signal": "another signal nickname",
                                      "created": "2016-08-09T17:05:17Z",
                                      "expires": "2017-08-09T17:05:17Z",
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Get whitelist

get /corps/{corpName}/sites/{siteName}/whitelist

Request

Responses

HTTP 200
Name
Type
Description
data
id
string

Unique ID of the tag

source
string
min len: 7

IP address

expires
string
format: date-time

Expires RFC3339 date time, or empty for does not expire

note
string
max len: 100
required: true

Note associated with the tag

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

required
Response Example
{
                                  "data": [
                                      {
                                          "id": "558cde3f3dfaa4a82900000a",
                                          "source": "192.0.2.16",
                                          "expires": "2014-12-19T21:28:54-08:00",
                                          "note": "Sample",
                                          "createdBy": "user@example.com",
                                          "created": "2014-12-11T22:51:56-08:00"
                                      }
                                  ]
                                }
                                

Add to whitelist

put /corps/{corpName}/sites/{siteName}/whitelist

Request

Body (application/json)
Name
Type
Description
source
string
min len: 7

IP address

note
string
max len: 100
required: true

Note associated with the tag

expires
string
format: date-time

Optional RFC3339-formatted datetime in the future. Omit this paramater if it does not expire.

Request Example
{
                                  "source": "203.0.113.101",
                                  "note": "Example note"
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

Unique ID of the tag

source
string
min len: 7

IP address

expires
string
format: date-time

Expires RFC3339 date time, or empty for does not expire

note
string
max len: 100
required: true

Note associated with the tag

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

Response Example
{
                                  "id": "558cde293dfaa4a829000009",
                                  "source": "192.0.2.16",
                                  "expires": "",
                                  "note": "Example Note",
                                  "createdBy": "user@example.com",
                                  "created": "2014-12-11T22:51:56-08:00"
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid IP address"}
                                

Delete from whitelist

delete /corps/{corpName}/sites/{siteName}/whitelist/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Successful removal from the list

HTTP 404

Could not find the id

Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Not found"}
                                    

Get blacklist

get /corps/{corpName}/sites/{siteName}/blacklist

Request

Responses

HTTP 200
Name
Type
Description
data
id
string

Unique ID of the tag

source
string
min len: 7

IP address

expires
string
format: date-time

Expires RFC3339 date time, or empty for does not expire

note
string
max len: 100
required: true

Note associated with the tag

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

required
Response Example
{
                                  "data": [
                                      {
                                          "id": "558cde293dfaa4a829000009",
                                          "source": "192.0.2.16",
                                          "expires": "2014-12-19T21:28:54-08:00",
                                          "note": "Sample",
                                          "createdBy": "user@example.com",
                                          "created": "2014-12-11T22:51:56-08:00"
                                      }
                                  ]
                                }
                                

Add to blacklist

put /corps/{corpName}/sites/{siteName}/blacklist

Request

Body (application/json)
Name
Type
Description
source
string
min len: 7

IP address

note
string
max len: 100
required: true

Note associated with the tag

expires
string
format: date-time

Optional RFC3339-formatted datetime in the future. Omit this paramater if it does not expire.

Request Example
{
                                  "source": "203.0.113.101",
                                  "note": "Example note"
                                }
                                

Responses

HTTP 200
Name
Type
Description
id
string

Unique ID of the tag

source
string
min len: 7

IP address

expires
string
format: date-time

Expires RFC3339 date time, or empty for does not expire

note
string
max len: 100
required: true

Note associated with the tag

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

Response Example
{
                                  "id": "558cde3f3dfaa4a82900000a",
                                  "source": "192.0.2.16",
                                  "expires": "",
                                  "note": "Example Note",
                                  "createdBy": "user@example.com",
                                  "created": "2014-12-11T22:51:56-08:00"
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid IP address"}
                                

Delete from blacklist

delete /corps/{corpName}/sites/{siteName}/blacklist/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Successful removal from the list

HTTP 404

Could not find the id

Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Not found"}
                                    

List redactions

get /corps/{corpName}/sites/{siteName}/redactions

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
totalCount
number
required: true

Total count of Redactions

data
redaction array
required: true
id
string
min len: 1

Unique identifier for the redaction

field
string
min len: 1

Field name

redactionType
integer
max: 2

Type of redaction (0: Request Parameter, 1: Request Header, 2: Response Header)

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

Response Example
{
                                  "totalCount" : 1,
                                  "data": [
                                    {
                                      "id": "0a54cf363621",
                                      "field": "privateField",
                                      "redactionType": 0,
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Add to redactions

post /corps/{corpName}/sites/{siteName}/redactions

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
field
string
min len: 1

Field name

redactionType
integer
max: 2

Type of redaction (0: Request Parameter, 1: Request Header, 2: Response Header)

Request Example
{
                                  "field": "privateField",
                                  "redactionType": 2,
                                }
                                

Responses

HTTP 200
Name
Type
Description
totalCount
number
required: true

Total count of Redactions

data
redaction array
required: true
id
string
min len: 1

Unique identifier for the redaction

field
string
min len: 1

Field name

redactionType
integer
max: 2

Type of redaction (0: Request Parameter, 1: Request Header, 2: Response Header)

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

Response Example
{
                                  "totalCount" : 1,
                                  "data": [
                                    {
                                      "id": "0a54cf363622",
                                      "field": "privateField",
                                      "redactionType": 2,
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Update a redaction

patch /corps/{corpName}/sites/{siteName}/redactions/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
field
string
min len: 1

Field name

redactionType
integer
max: 2

Type of redaction (0: Request Parameter, 1: Request Header, 2: Response Header)

Request Example
{
                                      "redactionType": 1,
                                    }
                                    

Responses

HTTP 200
Name
Type
Description
id
string
min len: 1

Unique identifier for the redaction

field
string
min len: 1

Field name

redactionType
integer
max: 2

Type of redaction (0: Request Parameter, 1: Request Header, 2: Response Header)

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

Response Example
{
                                      "id": "0a54cf363622",
                                      "field": "privateField",
                                      "redactionType": 1,
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Not found"}
                                    

Delete from redactions

delete /corps/{corpName}/sites/{siteName}/redactions/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Successful removal from the list

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Not found"}
                                    

List agents

get /corps/{corpName}/sites/{siteName}/agents

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
agent.active
bool

Whether agent was seen in past 5 minutes

agent.addr
string

RPC Address

agent.args
string

Command line arguments

agent.build_id
string

Commit SHA of current build

agent.connections_dropped
integer

Counter of connections dropped by agent

agent.connections_open
integer

Gauge of simultaneous connections

agent.connections_total
integer

Counter of total connections

agent.current_requests
integer

Number of requests in last interval

agent.decision_time_50th
float

Decision time in ms, 50th percentile

agent.decision_time_95th
float

Decision time in ms, 95th percentile

agent.decision_time_99th
float

Decision time in ms, 99th percentile

agent.enabled
boolean

Configuration flag for on/off

agent.last_rule_update
date

Timestamp of last rules update in RFC3339

agent.last_seen
date

Timestamp of last heartbeat in RFC3339

agent.max_procs
integer

GOMAXPROCS setting

agent.name
string

Name

agent.read_bytes
integer

Byte tally of read requests (GET)

agent.rpc_postrequest
integer

Counter of total RPC PostRequests

agent.rpc_prerequest
integer

Counter of total RPC PreRequests

agent.rpc_updaterequest
integer

Counter of total RPC UpdateRequests

agent.rule_updates
integer

Counter of rule updates

agent.status
string

Agent status (online/offline)

agent.timestamp
date

Agent's UTC Time

agent.timezone
string

Agent's timezone

agent.timezone_offset
string

Agent's timezone offset

agent.upload_metadata_failures
integer

Number of failures trying to send data since last successful send

agent.upload_size
integer

Byte size of last message uploaded to Signal Sciences platform

agent.uptime
integer

Counter of uptime in seconds

agent.version
string

Current version

agent.write_bytes
integer

Byte tally of write requests (POST, PUT, etc)

host.agent_cpu
float

Gauge of CPU usage by agent

host.architecture
string

Processor architecture

host.clock_skew
float

Median host clock skew (in seconds) over the past 5 minutes

host.cpu
float

Gauge of CPU usage

host.cpu_mhz
integer

CPU clock speed

host.instance_type
string

Instance type

host.num_cpu
integer

Number of CPUs

host.os
string

OS

host.remote_addr
string

Host's IP address

module.server
string

Module server version

module.version
string

Module version

runtime.gc_pause_millis
float

Counter of garbage collection time

runtime.mem_size
integer

Gauge of bytes allocated for agent

runtime.num_gc
integer

Counter of garbage collections

runtime.num_goroutines
integer

Gauge of current number of goroutines

required
Response Example
{
                                  "data": [
                                    {
                                      "agent.active": true,
                                      "agent.addr": "unix:/var/run/sigsci.sock",
                                      "agent.args": "/opt/sigsci/sbin/sigsci-agent ",
                                      "agent.build_id": "6c105c9719172e5257255f996a8b9475b33b57ff",
                                      "agent.connections_dropped": 0,
                                      "agent.connections_open": 0,
                                      "agent.connections_total": 419038,
                                      "agent.current_requests": 50,
                                      "agent.decision_time_50th": 0.8043622142857145,
                                      "agent.decision_time_95th": 6.895777,
                                      "agent.decision_time_99th": 9.037322,
                                      "agent.enabled": true,
                                      "agent.last_rule_update": "2016-01-25T15:40:59Z",
                                      "agent.last_seen": "2016-01-25T14:42:30Z",
                                      "agent.max_procs": 1,
                                      "agent.name": "testAgent",
                                      "agent.read_bytes": 308250973,
                                      "agent.rpc_postrequest": 8582,
                                      "agent.rpc_prerequest": 409140,
                                      "agent.rpc_updaterequest": 1315,
                                      "agent.rule_updates": 158,
                                      "agent.status": "online",
                                      "agent.timestamp": 1453736459,
                                      "agent.timezone": "UTC",
                                      "agent.timezone_offset": 0,
                                      "agent.upload_metadata_failures": 0,
                                      "agent.upload_size": 2524,
                                      "agent.uptime": 491731,
                                      "agent.version": "1.8.5758",
                                      "agent.write_bytes": 8492498,
                                      "host.agent_cpu": 0.23333318319915222,
                                      "host.architecture": "amd64",
                                      "host.clock_skew": 15,
                                      "host.cpu": 0,
                                      "host.cpu_mhz": 2500,
                                      "host.instance_type": "c3.large",
                                      "host.num_cpu": 1,
                                      "host.os": "Ubuntu 14.04.3 LTS",
                                      "host.remote_addr": "123.123.97.219",
                                      "module.server": "go1.5.3",
                                      "module.version": "1.0",
                                      "runtime.gc_pause_millis": 2505.317246,
                                      "runtime.mem_size": 8837480,
                                      "runtime.num_gc": 6540,
                                      "runtime.num_goroutines": 12
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Agent Details

get /corps/{corpName}/sites/{siteName}/agents/{agentName}

Request

URI Parameters
Name
Type
Description
agentName
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
agent.active
bool

Whether agent was seen in past 5 minutes

agent.addr
string

RPC Address

agent.args
string

Command line arguments

agent.build_id
string

Commit SHA of current build

agent.connections_dropped
integer

Counter of connections dropped by agent

agent.connections_open
integer

Gauge of simultaneous connections

agent.connections_total
integer

Counter of total connections

agent.current_requests
integer

Number of requests in last interval

agent.decision_time_50th
float

Decision time in ms, 50th percentile

agent.decision_time_95th
float

Decision time in ms, 95th percentile

agent.decision_time_99th
float

Decision time in ms, 99th percentile

agent.enabled
boolean

Configuration flag for on/off

agent.last_rule_update
date

Timestamp of last rules update in RFC3339

agent.last_seen
date

Timestamp of last heartbeat in RFC3339

agent.max_procs
integer

GOMAXPROCS setting

agent.name
string

Name

agent.read_bytes
integer

Byte tally of read requests (GET)

agent.rpc_postrequest
integer

Counter of total RPC PostRequests

agent.rpc_prerequest
integer

Counter of total RPC PreRequests

agent.rpc_updaterequest
integer

Counter of total RPC UpdateRequests

agent.rule_updates
integer

Counter of rule updates

agent.status
string

Agent status (online/offline)

agent.timestamp
date

Agent's UTC Time

agent.timezone
string

Agent's timezone

agent.timezone_offset
string

Agent's timezone offset

agent.upload_metadata_failures
integer

Number of failures trying to send data since last successful send

agent.upload_size
integer

Byte size of last message uploaded to Signal Sciences platform

agent.uptime
integer

Counter of uptime in seconds

agent.version
string

Current version

agent.write_bytes
integer

Byte tally of write requests (POST, PUT, etc)

host.agent_cpu
float

Gauge of CPU usage by agent

host.architecture
string

Processor architecture

host.clock_skew
float

Median host clock skew (in seconds) over the past 5 minutes

host.cpu
float

Gauge of CPU usage

host.cpu_mhz
integer

CPU clock speed

host.instance_type
string

Instance type

host.num_cpu
integer

Number of CPUs

host.os
string

OS

host.remote_addr
string

Host's IP address

module.server
string

Module server version

module.version
string

Module version

runtime.gc_pause_millis
float

Counter of garbage collection time

runtime.mem_size
integer

Gauge of bytes allocated for agent

runtime.num_gc
integer

Counter of garbage collections

runtime.num_goroutines
integer

Gauge of current number of goroutines

Response Example
{
                                      "agent.active": true,
                                      "agent.addr": "unix:/var/run/sigsci.sock",
                                      "agent.args": "/opt/sigsci/sbin/sigsci-agent ",
                                      "agent.build_id": "6c105c9719172e5257255f996a8b9475b33b57ff",
                                      "agent.connections_dropped": 0,
                                      "agent.connections_open": 0,
                                      "agent.connections_total": 419038,
                                      "agent.current_requests": 50,
                                      "agent.decision_time_50th": 0.8043622142857145,
                                      "agent.decision_time_95th": 6.895777,
                                      "agent.decision_time_99th": 9.037322,
                                      "agent.enabled": true,
                                      "agent.last_rule_update": "2016-01-25T15:40:59Z",
                                      "agent.last_seen": "2016-01-25T14:42:30Z",
                                      "agent.max_procs": 1,
                                      "agent.name": "testAgent",
                                      "agent.read_bytes": 308250973,
                                      "agent.rpc_postrequest": 8582,
                                      "agent.rpc_prerequest": 409140,
                                      "agent.rpc_updaterequest": 1315,
                                      "agent.rule_updates": 158,
                                      "agent.status": "online",
                                      "agent.timestamp": 1453736459,
                                      "agent.timezone": "UTC",
                                      "agent.timezone_offset": 0,
                                      "agent.upload_metadata_failures": 0,
                                      "agent.upload_size": 2524,
                                      "agent.uptime": 491731,
                                      "agent.version": "1.8.5758",
                                      "agent.write_bytes": 8492498,
                                      "host.agent_cpu": 0.23333318319915222,
                                      "host.architecture": "amd64",
                                      "host.clock_skew": 15,
                                      "host.cpu": 0,
                                      "host.cpu_mhz": 2500,
                                      "host.instance_type": "c3.large",
                                      "host.num_cpu": 1,
                                      "host.os": "Ubuntu 14.04.3 LTS",
                                      "host.remote_addr": "123.123.97.219",
                                      "module.server": "go1.5.3",
                                      "module.version": "1.0",
                                      "runtime.gc_pause_millis": 2505.317246,
                                      "runtime.mem_size": 8837480,
                                      "runtime.num_gc": 6540,
                                      "runtime.num_goroutines": 12
                                    }
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    

Get agent logs by agent name

get /corps/{corpName}/sites/{siteName}/agents/{agentName}/logs

Request

URI Parameters
Name
Type
Description
agentName
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
corp
string

the agent's parent Corp

site
string

the agent's parent Site

logs
hostName
string

host name

logLevel
string

level of severity

message
string

description of event

createdAt
date

RFC3339 formatted timestamp of event

Response Example
{
                                      "corp": "sigsci",
                                      "site": "dashboard",
                                      "logs": [
                                        {
                                          "hostName": "localhost",
                                          "logLevel": "INFO",
                                          "message": "1 rules updated",
                                          "createdAt": "2016-01-29T20:00:30Z"
                                        }
                                      ]
                                    }
                                    

List agent keys

get /corps/{corpName}/sites/{siteName}/agentKeys

Fetches a list of all Agent Keys for a site. A site should only have one set of agent keys, and is limited to a maximum of two. The second set is used to ensure agent key rotation can be rolled back if needed, but the old agent keys should be deleted upon successful rotation and deployment of updated agents.

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

isPrimary
boolean

Filters based on if the agent keys are the Site's primary agent keys

Responses

HTTP 200
Name
Type
Description
data
object array
required: true
accessKey
string
required: true

Agent configuration accesskeyid value

secretKey
string
required: true

Agent configuration secretaccesskey value

isPrimary
boolean
required: true

The primary agent keys for the Site in the cloud-hosted collection and analysis system. The primary agent keys should be used to configure the agent.

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

updated
string
format: date-time
read only: true
required: true

Updated RFC3339 date time

Response Example
{
                                    "data": [
                                        {
                                            "accessKey": "d217f023-616e-4389-a230-1665c7c44010",
                                            "secretKey": "rNs7ti7dvbt0k2Ob4qCCL-Prob5QIRSNOyyp3cj79vs",
                                            "isPrimary": true,
                                            "created": "2020-01-26T17:10:29.771Z",
                                            "updated": "2020-01-26T17:10:29.772Z"
                                        }
                                    ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Site not found"}
                                
HTTP 500
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"internal error"}
                                

Create Agent Keys

post /corps/{corpName}/sites/{siteName}/agentKeys

Creates new, non-primary agent keys for a site. A site should only have one set of agent keys, and is limited to a maximum of two.

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
accessKey
string
required: true

Agent configuration accesskeyid value

secretKey
string
required: true

Agent configuration secretaccesskey value

isPrimary
boolean
required: true

The primary agent keys for the Site in the cloud-hosted collection and analysis system. The primary agent keys should be used to configure the agent.

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

updated
string
format: date-time
read only: true
required: true

Updated RFC3339 date time

Response Example
{
                                    "accessKey": "d217f023-616e-4389-a230-1665c7c44010",
                                    "secretKey": "rNs7ti7dvbt0k2Ob4qCCL-Prob5QIRSNOyyp3cj79vs",
                                    "isPrimary": true,
                                    "created": "2020-01-26T17:10:29.771Z",
                                    "updated": "2020-01-26T17:10:29.772Z"
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"agent keys max count of 2 reached"}
                                
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"not found"}
                                
HTTP 500
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"internal error"}
                                

Get Agent Keys by accessKey

get /corps/{corpName}/sites/{siteName}/agentKeys/{accessKey}

Fetches agent keys by the accessKey.

Request

URI Parameters
Name
Type
Description
accessKey
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
accessKey
string
required: true

Agent configuration accesskeyid value

secretKey
string
required: true

Agent configuration secretaccesskey value

isPrimary
boolean
required: true

The primary agent keys for the Site in the cloud-hosted collection and analysis system. The primary agent keys should be used to configure the agent.

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

updated
string
format: date-time
read only: true
required: true

Updated RFC3339 date time

Response Example
{
                                        "accessKey": "d217f023-616e-4389-a230-1665c7c44010",
                                        "secretKey": "rNs7ti7dvbt0k2Ob4qCCL-Prob5QIRSNOyyp3cj79vs",
                                        "isPrimary": true,
                                        "created": "2020-01-26T17:10:29.771Z",
                                        "updated": "2020-01-26T17:10:29.772Z"
                                    }
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Site not found"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"not found"}
                                    
HTTP 500
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"internal error"}
                                    

Delete agent keys

delete /corps/{corpName}/sites/{siteName}/agentKeys/{accessKey}

Deletes the agent keys with the given accessKey. Will fail if the agent keys are the site's primary agent keys.

Request

URI Parameters
Name
Type
Description
accessKey
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Successful deletion of the agent keys

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"cannot delete site's primary agent key"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"not found"}
                                    
HTTP 500
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"internal error"}
                                    

Make agent keys primary

post /corps/{corpName}/sites/{siteName}/agentKeys/{accessKey}/makePrimary

RPC call that updates a site's primary agent keys. Agents will stop receiving configuration updates after a new set of agent keys are made primary, and will begin receiving them again when the site's agents are properly configured and started with the new agent keys.

Request

Responses

HTTP 204

Successfully set agent keys as site's primary agent keys

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Site not found"}
                                        
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"not found"}
                                        
HTTP 500
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"internal error"}
                                        

Get site's primary agent keys

get /corps/{corpName}/sites/{siteName}/keys

Fetches the site's primary agent keys.

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
name
string

site name

accessKey
string

access key

secretKey
string

secret key

Response Example
{
                                  "name": "www.example.com",
                                  "accessKey": "b7e03c6e-09db-4306-a69d-06a88d4b1d1e",
                                  "secretKey": "dzXOIhudazcfIQFpVu5069bMHO7I4vavDKIRV3Xsx8B",
                                }
                                

List site integrations

get /corps/{corpName}/sites/{siteName}/integrations

Request

Responses

HTTP 200
Name
Type
Description
data
integration array
id
string
read only: true
required: true

Unique id of the integration

name
string
required: true

Integration name

type
string
required: true

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

url
string
required: true

Integration URL

fields
object,null
required: true
events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

active
boolean
read only: true
required: true
note
string

Integration note

createdBy
string
read only: true
required: true

Email address of the user that created the item

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

lastStatusCode
number
read only: true
required: true
required
Response Example
{
                                  "data": [
                                    {
                                      "id": "556a8abb3dfaa4ff28000002",
                                      "name": "Slack message",
                                      "type": "slack",
                                      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                      "events": [
                                        "webhookEvents"
                                      ],
                                      "active": true,
                                      "note": "Sample",
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Create site integration

post /corps/{corpName}/sites/{siteName}/integrations

Request

Body (application/json)
Name
Type
Description
url
string
required: true

Integration URL

type
string
required: true

Corp integration types (mailingList, slack, microsoftTeams). Site integration types (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

note
string

Integration note

Request Example
{
                                  "url":"https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                  "type":"generic",
                                  "events": [
                                    "webhookEvents"
                                  ],
                                  "note": ""
                                }
                                

Responses

HTTP 200
Name
Type
Description
data
newIntegration array
required: true
url
string
required: true

Integration URL

type
string
required: true

Corp integration types (mailingList, slack, microsoftTeams). Site integration types (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

note
string

Integration note

Response Example
{
                                    "data": [
                                        {
                                            "id": "5e2f5d8cf13d66152d396959",
                                            "name": "Generic webhook",
                                            "type": "generic",
                                            "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                            "fields": null,
                                            "events": [
                                                "webhookEvents"
                                            ],
                                            "active": true,
                                            "note": "",
                                            "createdBy": "user@example.com",
                                            "created": "2020-01-27T22:00:44Z",
                                            "lastStatusCode": 0
                                        }
                                    ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Get site integration by id

get /corps/{corpName}/sites/{siteName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
id
string
read only: true
required: true

Unique id of the integration

name
string
required: true

Integration name

type
string
required: true

Corp integration types: (mailingList, slack, microsoftTeams). Site integration types: (mailingList, slack, datadog, generic, pagerduty, microsoftTeams, jira, opsgenie, victorops, pivotaltracker)

url
string
required: true

Integration URL

fields
object,null
required: true
events
string array
required: true

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

active
boolean
read only: true
required: true
note
string

Integration note

createdBy
string
read only: true
required: true

Email address of the user that created the item

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

lastStatusCode
number
read only: true
required: true
Response Example
{
                                      "id": "556a8abb3dfaa4ff28000003",
                                      "type": "generic",
                                      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                      "events": [
                                        "webhookEvents"
                                      ],
                                      "active": true,
                                      "note": "Sample",
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                    
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    

Update site integration by id

patch /corps/{corpName}/sites/{siteName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
url
string

Integration URL

events
string array

Array of event types. Visit our integrations documentation to find out which events the service you are connecting allows.

Request Example
{
                                      "url": "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX",
                                      "events": ["flag", "loggingModeChanged"]
                                    }
                                    

Responses

HTTP 204

Successful update

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Delete site integration

delete /corps/{corpName}/sites/{siteName}/integrations/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 204

Successful removal from the list

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"No integration with given id exists"}
                                    

Test site integration by id

post /corps/{corpName}/sites/{siteName}/integrations/{id}/test

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 200

Test successful

HTTP 500

Test failed

Add to header links

post /corps/{corpName}/sites/{siteName}/headerLinks

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
type
string
min len: 1
required: true

The type of header, either 'request' or 'response'

link
string
min len: 1
required: true

External link

linkName
string
min len: 1
required: true

Name of header link for display purposes

name
string
min len: 1
required: true

Name of header

Request Example
{
                                  "type": "response",
                                  "name": "X-SplunkRequest-Id",
                                  "linkName": "Splunk",
                                  "link": "https://splunk.example.com/?q={{value}}"
                                }
                                

Responses

HTTP 200
Name
Type
Description
data
headerLink array
id
string

Unique ID of the header link

type
string
min len: 1
required: true

The type of header, either 'request' or 'response'

link
string
min len: 1
required: true

External link

linkName
string
min len: 1
required: true

Name of header link for display purposes

name
string
min len: 1
required: true

Name of header

createdBy
string
read only: true

Email address of the user that created the item

created
string
format: date-time
read only: true

Created RFC3339 date time

required
Response Example
{
                                  "data": [
                                    {
                                      "id": "558cf75c3dfaa4b9c2000001",
                                      "type": "response",
                                      "name": "X-Request-Id",
                                      "linkName": "Kibana",
                                      "link": "https://kibana.example.com/?q={{value}}",
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z"
                                    },
                                    {
                                      "id": "558cf75c3dfaa4b9c2000002",
                                      "type": "request",
                                      "name": "X-SplunkRequest-Id",
                                      "linkName": "Splunk",
                                      "link": "https://splunk.example.com/?q={{value}}",
                                      "createdBy": "user@example.com",
                                      "created": "2015-02-14T21:17:16Z"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Get site monitors

get /corps/{corpName}/sites/{siteName}/monitors

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Responses

HTTP 200
Name
Type
Description
data
monitor array
required: true
id
string
required: true

Unique ID of the site monitor

url
string
min len: 1
required: true

URL for site monitor

share
boolean
min len: 1
required: true

Whether this site monitor is enabled or not

createdBy
string
read only: true
required: true

Email address of the user that created the item

created
string
format: date-time
read only: true
required: true

Created RFC3339 date time

Response Example
{
                                  "data": [
                                    {
                                      "id": "b7e03c6e-09db-4306-a69d-06a88d4b1d1e",
                                      "url": "https://dashboard.signalsciences.net/corp/site/monitor/b7e03c6e-09db-4306-a69d-06a88d4b1d1e",
                                      "share": true,
                                      "createdBy": "user@example.com",
                                      "created": "2014-12-09T10:43:54-08:00"
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Site not found"}
                                

Generate site monitor URL

post /corps/{corpName}/sites/{siteName}/monitors

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

dashboardId
string
required: true

The ID of the dashboard

Responses

HTTP 200
Name
Type
Description
data
siteMember array
required: true
role
string

Role of the user (owner, admin, user, observer)

user
apiUser
boolean

API user

authStatus
string

Auth status of the user

corpAuthType
string

Auth type of the corp

email
string

Email of the user

name
string

Name of the user

status
string

Status of the user

Response Example
{
                                  "id": "bd0dee5e-0313-40c2-9396-21881b07a7db",
                                  "url": "https://dashboard.signalsciences.net/corp/site/monitor/bd0dee5e-0313-40c2-9396-21881b07a7db",
                                  "share": true,
                                  "createdBy": "user@example.com",
                                  "created": "2014-12-09T10:43:54-08:00"
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Site monitor not found"}
                                

Update site monitor

put /corps/{corpName}/sites/{siteName}/monitors/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true
Body (application/json)
Name
Type
Description
id
string
min len: 1
required: true

The ID of the monitor

share
boolean
required: true

Shareable link enabled

Request Example
{
                                      "id": "be9072f8-50d3-48f0-acaf-c270502aa834",
                                      "share": true
                                    }
                                    

Responses

HTTP 204

Site monitor updated

HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Site monitor not found"}
                                    
HTTP 404
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"No monitor URL for site exists"}
                                    

Delete site monitor

delete /corps/{corpName}/sites/{siteName}/monitors/{id}

Request

URI Parameters
Name
Type
Description
id
string
required: true

Responses

HTTP 204

Delete successful

List top attacks

get /corps/{corpName}/sites/{siteName}/top/attacks

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

pretty
boolean

Pretty print the json output

field
one of (remoteAddr,remoteCountryCode,serverNameAndPath,path)
default: remoteAddr
enum: remoteAddr,remoteCountryCode,serverNameAndPath,path

Field to group by

limit
integer
default: 5
min: 1
max: 100

The number of results to be returned

Responses

HTTP 200
Name
Type
Description
totalRequests
integer

Total number of matching requests

data
topAttack array
required: true
value
string
read only: true

Value

label
string
read only: true

Label (more information about value)

count
integer
read only: true

Count of attacks seen from this country, IP, etc.

Response Example
{
                                  "totalRequests": 1402,
                                  "data": [
                                      {
                                        {
                                           "value": "US",
                                           "label": "United States",
                                           "count": 306
                                         },
                                         {
                                           "value": "JP",
                                           "label": "Japan",
                                           "count": 159
                                         },
                                         {
                                           "value": "CZ",
                                           "label": "Czech Republic",
                                           "count": 150
                                         }
                                      ]
                                    }
                                  ]
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Invalid site"}
                                

Send simulation

post /corps/{corpName}/sites/{siteName}/simulator

Request

Query Parameters
Name
Type
Description
pretty
boolean

Pretty print the json output

Body (application/json)
Name
Type
Description
sample_request
string
min len: 1
required: true

Sample request to be sent to the simulator. Each HTTP header should be separated by a literal newline (\n) character

sample_response
string
required: true

Sample response to be sent to the simulator. Each HTTP header should be separated by a literal newline (\n) character

Request Example
{
                                    "sample_request": "POST /foobar?key1=value1 HTTP/1.1\nHost: sample.foo\nAccept-Encoding: gzip, deflate\nAccept-Language: en-us\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nConnection: keep-alive\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 10000\nCookie:\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15\nCache-Control: max-age=0\nX-Forwarded-For: 127.0.0.1\nX-Forwarded-Proto: https\n\npostkey1=value1&post2=value2",
                                    "sample_response": "HTTP/1.1 200 OK\nServer: nginx\nDate: Fri, 21 Aug 2015 21:30:50 GMT\nContent-Type: text/html; charset=utf-8\nConnection: keep-alive\nContent-Length: 0\nx-xss-protection: 1; mode=block\nx-content-type-options: nosniff\npragma: no-cache\nx-frame-options: SAMEORIGIN\nStrict-Transport-Security: max-age=15552000; includeSubDomains\nX-Request-ID: 123456789"
                                }
                                

Responses

HTTP 200
Name
Type
Description
data
simulatorData array
required: true
waf_response
integer
required: true

Response code returned from the WAF

response_code
integer
required: true

Response code that would be returned to client

response_size
integer
required: true

Size of response returned to client

signals
simulatorSignals array
type
string
read only: true

Signal type

location
string
read only: true

Location that caused the signal to be added

name
string
read only: true

Name of the signal

value
string
read only: true

Value that caused the signal to be added

detector
string
read only: true

Detection mechanism that added the signal

redaction
integer
read only: true

Whether the value was redacted or not

Response Example
{
                                  "data": {
                                      "waf_response": 406,
                                      "response_code": 406,
                                      "response_size": 20,
                                      "signals": [
                                          {
                                              "type": "BLOCKED",
                                              "location": "",
                                              "name": "",
                                              "value": "406",
                                              "detector": "6529987e8332b901d40cfd14",
                                              "redaction": 0
                                          }
                                      ]
                                  }
                                }
                                
HTTP 400
Name
Type
Description
message
string
read only: true

Error message

Response Example
{"message":"Test error: unexpected EOF"}
                                

Timeseries

Get timeseries request info

get /corps/{corpName}/sites/{siteName}/timeseries/requests

Request

Query Parameters
Name
Type
Description
from
integer

The POSIX Unix time to start

until
integer

The POSIX Unix time to end

pretty
boolean

Pretty print the json output

tag
string
min len: 3
matching: [a-zA-Z0-9_-]+
required: true

Filter based on N request tags

rollup
integer
default: 60
min: 60
max: 86400

Rollup interval in seconds e.g. 60 = 1 minute interval

format
one of (charts)
default: charts
enum: charts

Desired output format

Responses

HTTP 200
Name
Type
Description
data
object array
required: true
type
string

Type

from
int32

The POSIX Unix time to start

until
int32

The POSIX Unix time to end

inc
int32

Increment (in seconds) of each point

data

Array of points

summaryCount
int32

Sum of all the points

totalPoints
int32

Count of all the points

Response Example
[
                              {
                                "type": "SQLI",
                                "from": 1429835400,
                                "until": 1429836300,
                                "inc": 300,
                                "data": [3,2,0,6],
                                "summaryCount": 11,
                                "totalPoints": 4,
                              },
                              {
                                "type": "XSS",
                                "from": 1429835400,
                                "until": 1429836300,
                                "inc": 300,
                                "data": [1,7,1,0],
                                "summaryCount": 9,
                                "totalPoints": 4,
                              }
                            ]