Attacks API - GET all attacks

  • Reference

Lists all detected attacks on your applications.

The request produces an application/json payload.

GETSaaShttps://{your-environment-id}.live.dynatrace.com/api/v2/attacks
Environment ActiveGateCluster ActiveGatehttps://{your-activegate-domain}:9999/e/{your-environment-id}/api/v2/attacks

Authentication

To execute this request, you need an access token with attacks.read scope.

To learn how to obtain and use it, see Tokens and authentication.

Parameters

ParameterTypeDescriptionInRequired
nextPageKeystring

The cursor for the next page of results. You can find it in the nextPageKey field of the previous response.

The first page is always returned if you don't specify the nextPageKey query parameter.

When the nextPageKey is set to obtain subsequent pages, you must omit all other query parameters.

queryoptional
pageSizeinteger

The amount of attacks in a single response payload.

The maximal allowed page size is 500.

If not set, 100 is used.

queryoptional
attackSelectorstring

Defines the scope of the query. Only attacks matching the specified criteria are included in the response. You can add one or more of the following criteria. Values are not case-sensitive and the EQUALS operator is used unless otherwise specified.

  • State: state("value"). The state of the attack. Possible values are EXPLOITED, BLOCKED, and ALLOWLISTED.
  • Attack Type: attackType("value"). The type of the attack. Find the possible values in the description of the attackType field of the response.
  • Country Code: countryCode("value"). The country code of the attacker. Supported values include all ISO-3166-1 alpha-2 country codes (2-letter). Supplying empty filter value countryCode() will return attacks, where location is not available.
  • Request path contains: requestPathContains("value"). Filters for a substring in the request path. The CONTAINS operator is used. A maximum of 48 characters are allowed.
  • Process group name contains: processGroupNameContains("value"). Filters for a substring in the targeted process group's name. The CONTAINS operator is used.
  • Vulnerability ID: vulnerabilityId("123456789"). The exact ID of the vulnerability.
  • Source IPs: sourceIps("93.184.216.34", "63.124.6.12"). The exact IPv4/IPv6 addresses of the attacker.
  • Management zone ID: managementZoneIds("mzId-1", "mzId-2").
  • Management zone name: managementZones("name-1", "name-2"). Values are case sensitive.
  • Technology: technology("technology-1", "technology-2"). Find the possible values in the description of the technology field of the response. The EQUALS operator is used.

To set several criteria, separate them with a comma (,). Only results matching (all criteria are included in the response.

Specify the value of a criterion as a quoted string. The following special characters must be escaped with a tilde (~) inside quotes:

  • Tilde ~
  • Quote "
queryoptional
sortstring

Specifies one or more fields for sorting the attack list. Multiple fields can be concatenated using a comma (,) as a separator (e.g. +state,-timestamp).

You can sort by the following properties with a sign prefix for the sorting order.

  • displayId: The attack's display ID.
  • displayName: The attack's display name.
  • attackType: The type of the attack (e.g. SQL_INJECTION, JNDI_INJECTION, etc.).
  • state: The state of the attack. (+ low severity state first - high severity state first)
  • sourceIp: The IP address of the attacker. Sorts by the numerical IP value.
  • requestPath: The request path where the attack was started.
  • timestamp: When the attack was executed. (+ old attacks first or - new attacks first) If no prefix is set, + is used.
queryoptional
fieldsstring

A list of additional attack properties you can add to the response.

The following properties are available (all other properties are always included and you can't remove them from the response):

  • attackTarget: The targeted host/database of an attack.
  • request: The request that was sent from the attacker.
  • entrypoint: The entry point used by an attacker to start a specific attack.
  • vulnerability: The vulnerability utilized by the attack.
  • securityProblem: The related security problem.
  • attacker: The attacker of an attack.
  • managementZones: The related management zones.
  • affectedEntities: The affected entities of an attack.

To add properties, specify them in a comma-separated list and prefix each property with a plus (for example, +attackTarget,+securityProblem).

queryoptional
fromstring

The start of the requested timeframe.

You can use one of the following formats:

  • Timestamp in UTC milliseconds.
  • Human-readable format of 2021-01-25T05:57:01.123+01:00. If no time zone is specified, UTC is used. You can use a space character instead of the T. Seconds and fractions of a second are optional.
  • Relative timeframe, back from now. The format is now-NU/A, where N is the amount of time, U is the unit of time, and A is an alignment. The alignment rounds all the smaller values to the nearest zero in the past. For example, now-1y/w is one year back, aligned by a week. You can also specify relative timeframe without an alignment: now-NU. Supported time units for the relative timeframe are:
    • m: minutes
    • h: hours
    • d: days
    • w: weeks
    • M: months
    • y: years

If not set, the relative timeframe of thirty days is used (now-30d).

queryoptional
tostring

The end of the requested timeframe.

You can use one of the following formats:

  • Timestamp in UTC milliseconds.
  • Human-readable format of 2021-01-25T05:57:01.123+01:00. If no time zone is specified, UTC is used. You can use a space character instead of the T. Seconds and fractions of a second are optional.
  • Relative timeframe, back from now. The format is now-NU/A, where N is the amount of time, U is the unit of time, and A is an alignment. The alignment rounds all the smaller values to the nearest zero in the past. For example, now-1y/w is one year back, aligned by a week. You can also specify relative timeframe without an alignment: now-NU. Supported time units for the relative timeframe are:
    • m: minutes
    • h: hours
    • d: days
    • w: weeks
    • M: months
    • y: years

If not set, the current timestamp is used.

queryoptional

Response

Response codes

CodeTypeDescription
200AttackList

Success

4XXErrorEnvelope

Client side error.

5XXErrorEnvelope

Server side error.

Response body objects

The AttackList object

A list of attacks.

ElementTypeDescription
attacksAttack[]

A list of attacks.

nextPageKeystring

The cursor for the next page of results. Has the value of null on the last page.

Use it in the nextPageKey query parameter to obtain subsequent pages of the result.

pageSizeinteger

The number of entries per page.

totalCountinteger

The total number of entries in the result.

The Attack object

Describes an attack.

ElementTypeDescription
affectedEntitiesAffectedEntities

Information about affected entities of an attack.

attackIdstring

The ID of the attack.

attackTargetAttackTarget

Information about the targeted host/database of an attack.

attackTypestring

The type of the attack.

  • COMMAND_INJECTION
  • JNDI_INJECTION
  • SQL_INJECTION
  • SSRF
attackerAttacker

Attacker of an attack.

displayIdstring

The display ID of the attack.

displayNamestring

The display name of the attack.

entrypointAttackEntrypoint

Describes the entrypoint used by an attacker to start a specific attack.

managementZonesManagementZone[]

A list of management zones which the affected entities belong to.

requestRequestInformation

Describes the complete request information of an attack.

securityProblemAttackSecurityProblem

Assessment information and the ID of a security problem related to an attack.

statestring

The state of the attack.

  • ALLOWLISTED
  • BLOCKED
  • EXPLOITED
technologystring

The technology of the attack.

  • DOTNET
  • GO
  • JAVA
  • NODE_JS
timestampinteger

The timestamp when the attack occurred.

vulnerabilityVulnerability

Describes the exploited vulnerability.

The AffectedEntities object

Information about affected entities of an attack.

ElementTypeDescription
processGroupAffectedEntity

Information about an affected entity.

processGroupInstanceAffectedEntity

Information about an affected entity.

The AffectedEntity object

Information about an affected entity.

ElementTypeDescription
idstring

The monitored entity ID of the affected entity.

namestring

The name of the affected entity.

The AttackTarget object

Information about the targeted host/database of an attack.

ElementTypeDescription
entityIdstring

The monitored entity ID of the targeted host/database.

namestring

The name of the targeted host/database.

The Attacker object

Attacker of an attack.

ElementTypeDescription
locationAttackerLocation

Location of an attacker.

sourceIpstring

The source IP of the attacker.

The AttackerLocation object

Location of an attacker.

ElementTypeDescription
citystring

City of the attacker.

countrystring

The country of the attacker.

countryCodestring

The country code of the country of the attacker, according to the ISO 3166-1 Alpha-2 standard.

The AttackEntrypoint object

Describes the entrypoint used by an attacker to start a specific attack.

ElementTypeDescription
codeLocationCodeLocation

Information about a code location.

entrypointFunctionFunctionDefinition

Information about a function definition.

payloadobject[]

A list of values that has possibly been truncated.

The CodeLocation object

Information about a code location.

ElementTypeDescription
classNamestring

The fully qualified class name of the code location.

columnNumberinteger

The column number of the code location.

displayNamestring

A human readable string representation of the code location.

fileNamestring

The file name of the code location.

functionNamestring

The function/method name of the code location.

lineNumberinteger

The line number of the code location.

parameterTypesTruncatableListString

A list of values that has possibly been truncated.

returnTypestring

The return type of the function.

The TruncatableListString object

A list of values that has possibly been truncated.

ElementTypeDescription
truncationInfoTruncationInfo

Information on a possible truncation.

valuesstring[]

Values of the list.

The TruncationInfo object

Information on a possible truncation.

ElementTypeDescription
truncatedboolean

If the list/value has been truncated.

The FunctionDefinition object

Information about a function definition.

ElementTypeDescription
classNamestring

The fully qualified class name of the class that includes the function.

displayNamestring

A human readable string representation of the function definition.

fileNamestring

The file name of the function definition.

functionNamestring

The function/method name of the function definition.

parameterTypesTruncatableListString

A list of values that has possibly been truncated.

returnTypestring

The return type of the function.

The EntrypointPayload object

Describes a payload sent to an entrypoint during an attack.

ElementTypeDescription
namestring

Name of the payload, if applicable.

typestring

Type of the payload.

  • HTTP_BODY
  • HTTP_COOKIE
  • HTTP_HEADER_NAME
  • HTTP_HEADER_VALUE
  • HTTP_OTHER
  • HTTP_PARAMETER_NAME
  • HTTP_PARAMETER_VALUE
  • HTTP_URL
  • UNKNOWN
valuestring

Value of the payload.

The ManagementZone object

A short representation of a management zone.

ElementTypeDescription
idstring

The ID of the management zone.

namestring

The name of the management zone.

The RequestInformation object

Describes the complete request information of an attack.

ElementTypeDescription
hoststring

The target host of the request.

pathstring

The request path.

protocolDetailsProtocolDetails

Details that are specific to the used protocol.

urlstring

The requested URL.

The ProtocolDetails object

Details that are specific to the used protocol.

ElementTypeDescription
httpHttpProtocolDetails

HTTP specific request details.

The HttpProtocolDetails object

HTTP specific request details.

ElementTypeDescription
headersTruncatableListAttackRequestHeader

A list of values that has possibly been truncated.

parametersTruncatableListHttpRequestParameter

A list of values that has possibly been truncated.

requestMethodstring

The HTTP request method.

The TruncatableListAttackRequestHeader object

A list of values that has possibly been truncated.

ElementTypeDescription
truncationInfoTruncationInfo

Information on a possible truncation.

valuesAttackRequestHeader[]

Values of the list.

The AttackRequestHeader object

A header element of the attack's request.

ElementTypeDescription
namestring

The name of the header element.

valuestring

The value of the header element.

The TruncatableListHttpRequestParameter object

A list of values that has possibly been truncated.

ElementTypeDescription
truncationInfoTruncationInfo

Information on a possible truncation.

valuesHttpRequestParameter[]

Values of the list.

The HttpRequestParameter object

An HTTP request parameter.

ElementTypeDescription
namestring

The name of the parameter.

valuestring

The value of the parameter.

The AttackSecurityProblem object

Assessment information and the ID of a security problem related to an attack.

ElementTypeDescription
assessmentAttackSecurityProblemAssessmentDto

The assessment of a security problem related to an attack.

securityProblemIdstring

The security problem ID.

The AttackSecurityProblemAssessmentDto object

The assessment of a security problem related to an attack.

ElementTypeDescription
dataAssetsstring

The reachability of data assets by the attacked target.

  • NOT_AVAILABLE
  • NOT_DETECTED
  • REACHABLE
exposurestring

The level of exposure of the attacked target

  • NOT_AVAILABLE
  • NOT_DETECTED
  • PUBLIC_NETWORK
numberOfReachableDataAssetsinteger

The number of data assets reachable by the attacked target.

The Vulnerability object

Describes the exploited vulnerability.

ElementTypeDescription
codeLocationCodeLocation

Information about a code location.

displayNamestring

The display name of the vulnerability.

vulnerabilityIdstring

The id of the vulnerability.

vulnerableFunctionFunctionDefinition

Information about a function definition.

vulnerableFunctionInputVulnerableFunctionInput

Describes what got passed into the code level vulnerability.

The VulnerableFunctionInput object

Describes what got passed into the code level vulnerability.

ElementTypeDescription
inputSegmentsVulnerableFunctionInputSegment[]

A list of input segments.

typestring

The type of the input.

  • COMMAND
  • HTTP_CLIENT
  • JNDI
  • SQL_STATEMENT

The VulnerableFunctionInputSegment object

Describes one segment that was passed into a vulnerable function.

ElementTypeDescription
typestring

The type of the input segment.

  • MALICIOUS_INPUT
  • REGULAR_INPUT
  • TAINTED_INPUT
valuestring

The value of the input segment.

Response body JSON model

{
  "attacks": [
    {
      "affectedEntities": {
        "processGroup": {
          "id": "string",
          "name": "string"
        },
        "processGroupInstance": {}
      },
      "attackId": "string",
      "attackTarget": {
        "entityId": "string",
        "name": "string"
      },
      "attackType": "COMMAND_INJECTION",
      "attacker": {
        "location": {
          "city": "string",
          "country": "string",
          "countryCode": "string"
        },
        "sourceIp": "string"
      },
      "displayId": "string",
      "displayName": "string",
      "entrypoint": {
        "codeLocation": {
          "className": "string",
          "columnNumber": 1,
          "displayName": "string",
          "fileName": "string",
          "functionName": "string",
          "lineNumber": 1,
          "parameterTypes": {
            "truncationInfo": {
              "truncated": true
            },
            "values": [
              "string"
            ]
          },
          "returnType": "string"
        },
        "entrypointFunction": {
          "className": "string",
          "displayName": "string",
          "fileName": "string",
          "functionName": "string",
          "parameterTypes": {},
          "returnType": "string"
        },
        "payload": [
          {
            "truncationInfo": {},
            "values": [
              {
                "name": "string",
                "type": "HTTP_BODY",
                "value": "string"
              }
            ]
          }
        ]
      },
      "managementZones": [
        {
          "id": "string",
          "name": "string"
        }
      ],
      "request": {
        "host": "string",
        "path": "string",
        "protocolDetails": {
          "http": {
            "headers": {
              "truncationInfo": {},
              "values": [
                {
                  "name": "string",
                  "value": "string"
                }
              ]
            },
            "parameters": {
              "truncationInfo": {},
              "values": [
                {
                  "name": "string",
                  "value": "string"
                }
              ]
            },
            "requestMethod": "string"
          }
        },
        "url": "string"
      },
      "securityProblem": {
        "assessment": {
          "dataAssets": "NOT_AVAILABLE",
          "exposure": "NOT_AVAILABLE",
          "numberOfReachableDataAssets": 1
        },
        "securityProblemId": "string"
      },
      "state": "ALLOWLISTED",
      "technology": "DOTNET",
      "timestamp": 1,
      "vulnerability": {
        "codeLocation": {},
        "displayName": "string",
        "vulnerabilityId": "string",
        "vulnerableFunction": {},
        "vulnerableFunctionInput": {
          "inputSegments": [
            {
              "type": "MALICIOUS_INPUT",
              "value": "string"
            }
          ],
          "type": "COMMAND"
        }
      }
    }
  ],
  "nextPageKey": "AQAAABQBAAAABQ==",
  "pageSize": 1,
  "totalCount": 1
}