Attacks API - GET all attacks
Lists all detected attacks on your applications.
The request produces an application/json
payload.
GET | SaaS | https://{your-environment-id}.live.dynatrace.com/api/v2/attacks |
Environment ActiveGateCluster ActiveGate | https://{your-activegate-domain}:9999/e/{your-environment-id}/api/v2/attacks |
Authentication
To execute this request, you need an access token with attacks.read
scope.
To learn how to obtain and use it, see Tokens and authentication.
Parameters
The cursor for the next page of results. You can find it in the nextPageKey field of the previous response.
The first page is always returned if you don't specify the nextPageKey query parameter.
When the nextPageKey is set to obtain subsequent pages, you must omit all other query parameters.
The amount of attacks in a single response payload.
The maximal allowed page size is 500.
If not set, 100 is used.
Defines the scope of the query. Only attacks matching the specified criteria are included in the response. You can add one or more of the following criteria. Values are not case-sensitive and the EQUALS
operator is used unless otherwise specified.
- State:
state("value")
. The state of the attack. Possible values areEXPLOITED
,BLOCKED
, andALLOWLISTED
. - Attack Type:
attackType("value")
. The type of the attack. Find the possible values in the description of the attackType field of the response. - Country Code:
countryCode("value")
. The country code of the attacker. Supported values include all ISO-3166-1 alpha-2 country codes (2-letter). Supplying empty filter valuecountryCode()
will return attacks, where location is not available. - Request path contains:
requestPathContains("value")
. Filters for a substring in the request path. TheCONTAINS
operator is used. A maximum of 48 characters are allowed. - Process group name contains:
processGroupNameContains("value")
. Filters for a substring in the targeted process group's name. TheCONTAINS
operator is used. - Vulnerability ID:
vulnerabilityId("123456789")
. The exact ID of the vulnerability. - Source IPs:
sourceIps("93.184.216.34", "63.124.6.12")
. The exact IPv4/IPv6 addresses of the attacker. - Management zone ID:
managementZoneIds("mzId-1", "mzId-2")
. - Management zone name:
managementZones("name-1", "name-2")
. Values are case sensitive. - Technology:
technology("technology-1", "technology-2")
. Find the possible values in the description of the technology field of the response. TheEQUALS
operator is used.
To set several criteria, separate them with a comma (,
). Only results matching (all criteria are included in the response.
Specify the value of a criterion as a quoted string. The following special characters must be escaped with a tilde (~
) inside quotes:
- Tilde
~
- Quote
"
Specifies one or more fields for sorting the attack list. Multiple fields can be concatenated using a comma (,
) as a separator (e.g. +state,-timestamp
).
You can sort by the following properties with a sign prefix for the sorting order.
displayId
: The attack's display ID.displayName
: The attack's display name.attackType
: The type of the attack (e.g. SQL_INJECTION, JNDI_INJECTION, etc.).state
: The state of the attack. (+
low severity state first-
high severity state first)sourceIp
: The IP address of the attacker. Sorts by the numerical IP value.requestPath
: The request path where the attack was started.timestamp
: When the attack was executed. (+
old attacks first or-
new attacks first) If no prefix is set,+
is used.
A list of additional attack properties you can add to the response.
The following properties are available (all other properties are always included and you can't remove them from the response):
attackTarget
: The targeted host/database of an attack.request
: The request that was sent from the attacker.entrypoint
: The entry point used by an attacker to start a specific attack.vulnerability
: The vulnerability utilized by the attack.securityProblem
: The related security problem.attacker
: The attacker of an attack.managementZones
: The related management zones.affectedEntities
: The affected entities of an attack.
To add properties, specify them in a comma-separated list and prefix each property with a plus (for example, +attackTarget,+securityProblem
).
The start of the requested timeframe.
You can use one of the following formats:
- Timestamp in UTC milliseconds.
- Human-readable format of
2021-01-25T05:57:01.123+01:00
. If no time zone is specified, UTC is used. You can use a space character instead of theT
. Seconds and fractions of a second are optional. - Relative timeframe, back from now. The format is
now-NU/A
, whereN
is the amount of time,U
is the unit of time, andA
is an alignment. The alignment rounds all the smaller values to the nearest zero in the past. For example,now-1y/w
is one year back, aligned by a week. You can also specify relative timeframe without an alignment:now-NU
. Supported time units for the relative timeframe are:m
: minutesh
: hoursd
: daysw
: weeksM
: monthsy
: years
If not set, the relative timeframe of thirty days is used (now-30d
).
The end of the requested timeframe.
You can use one of the following formats:
- Timestamp in UTC milliseconds.
- Human-readable format of
2021-01-25T05:57:01.123+01:00
. If no time zone is specified, UTC is used. You can use a space character instead of theT
. Seconds and fractions of a second are optional. - Relative timeframe, back from now. The format is
now-NU/A
, whereN
is the amount of time,U
is the unit of time, andA
is an alignment. The alignment rounds all the smaller values to the nearest zero in the past. For example,now-1y/w
is one year back, aligned by a week. You can also specify relative timeframe without an alignment:now-NU
. Supported time units for the relative timeframe are:m
: minutesh
: hoursd
: daysw
: weeksM
: monthsy
: years
If not set, the current timestamp is used.
Response
Response codes
Response body objects
The AttackList
object
A list of attacks.
The cursor for the next page of results. Has the value of null
on the last page.
Use it in the nextPageKey query parameter to obtain subsequent pages of the result.
The number of entries per page.
The total number of entries in the result.
The Attack
object
Describes an attack.
The ID of the attack.
The type of the attack.
COMMAND_INJECTION
JNDI_INJECTION
SQL_INJECTION
SSRF
The display ID of the attack.
The display name of the attack.
Assessment information and the ID of a security problem related to an attack.
The state of the attack.
ALLOWLISTED
BLOCKED
EXPLOITED
The technology of the attack.
DOTNET
GO
JAVA
NODE_JS
The timestamp when the attack occurred.
The AffectedEntities
object
Information about affected entities of an attack.
The AffectedEntity
object
Information about an affected entity.
The monitored entity ID of the affected entity.
The name of the affected entity.
The AttackTarget
object
Information about the targeted host/database of an attack.
The monitored entity ID of the targeted host/database.
The name of the targeted host/database.
The Attacker
object
Attacker of an attack.
The source IP of the attacker.
The AttackerLocation
object
Location of an attacker.
City of the attacker.
The country of the attacker.
The country code of the country of the attacker, according to the ISO 3166-1 Alpha-2 standard.
The AttackEntrypoint
object
Describes the entrypoint used by an attacker to start a specific attack.
A list of values that has possibly been truncated.
The CodeLocation
object
Information about a code location.
The fully qualified class name of the code location.
The column number of the code location.
A human readable string representation of the code location.
The file name of the code location.
The function/method name of the code location.
The line number of the code location.
The return type of the function.
The TruncatableListString
object
A list of values that has possibly been truncated.
Values of the list.
The TruncationInfo
object
Information on a possible truncation.
If the list/value has been truncated.
The FunctionDefinition
object
Information about a function definition.
The fully qualified class name of the class that includes the function.
A human readable string representation of the function definition.
The file name of the function definition.
The function/method name of the function definition.
The return type of the function.
The EntrypointPayload
object
Describes a payload sent to an entrypoint during an attack.
Name of the payload, if applicable.
Type of the payload.
HTTP_BODY
HTTP_COOKIE
HTTP_HEADER_NAME
HTTP_HEADER_VALUE
HTTP_OTHER
HTTP_PARAMETER_NAME
HTTP_PARAMETER_VALUE
HTTP_URL
UNKNOWN
Value of the payload.
The ManagementZone
object
A short representation of a management zone.
The ID of the management zone.
The name of the management zone.
The RequestInformation
object
Describes the complete request information of an attack.
The target host of the request.
The request path.
The requested URL.
The ProtocolDetails
object
Details that are specific to the used protocol.
The HttpProtocolDetails
object
HTTP specific request details.
The HTTP request method.
The TruncatableListAttackRequestHeader
object
A list of values that has possibly been truncated.
The AttackRequestHeader
object
A header element of the attack's request.
The name of the header element.
The value of the header element.
The TruncatableListHttpRequestParameter
object
A list of values that has possibly been truncated.
The HttpRequestParameter
object
An HTTP request parameter.
The name of the parameter.
The value of the parameter.
The AttackSecurityProblem
object
Assessment information and the ID of a security problem related to an attack.
The assessment of a security problem related to an attack.
The security problem ID.
The AttackSecurityProblemAssessmentDto
object
The assessment of a security problem related to an attack.
The reachability of data assets by the attacked target.
NOT_AVAILABLE
NOT_DETECTED
REACHABLE
The level of exposure of the attacked target
NOT_AVAILABLE
NOT_DETECTED
PUBLIC_NETWORK
The number of data assets reachable by the attacked target.
The Vulnerability
object
Describes the exploited vulnerability.
The display name of the vulnerability.
The id of the vulnerability.
Describes what got passed into the code level vulnerability.
The VulnerableFunctionInput
object
Describes what got passed into the code level vulnerability.
The type of the input.
COMMAND
HTTP_CLIENT
JNDI
SQL_STATEMENT
The VulnerableFunctionInputSegment
object
Describes one segment that was passed into a vulnerable function.
The type of the input segment.
MALICIOUS_INPUT
REGULAR_INPUT
TAINTED_INPUT
The value of the input segment.
Response body JSON model
{"attacks": [{"affectedEntities": {"processGroup": {"id": "string","name": "string"},"processGroupInstance": {}},"attackId": "string","attackTarget": {"entityId": "string","name": "string"},"attackType": "COMMAND_INJECTION","attacker": {"location": {"city": "string","country": "string","countryCode": "string"},"sourceIp": "string"},"displayId": "string","displayName": "string","entrypoint": {"codeLocation": {"className": "string","columnNumber": 1,"displayName": "string","fileName": "string","functionName": "string","lineNumber": 1,"parameterTypes": {"truncationInfo": {"truncated": true},"values": ["string"]},"returnType": "string"},"entrypointFunction": {"className": "string","displayName": "string","fileName": "string","functionName": "string","parameterTypes": {},"returnType": "string"},"payload": [{"truncationInfo": {},"values": [{"name": "string","type": "HTTP_BODY","value": "string"}]}]},"managementZones": [{"id": "string","name": "string"}],"request": {"host": "string","path": "string","protocolDetails": {"http": {"headers": {"truncationInfo": {},"values": [{"name": "string","value": "string"}]},"parameters": {"truncationInfo": {},"values": [{"name": "string","value": "string"}]},"requestMethod": "string"}},"url": "string"},"securityProblem": {"assessment": {"dataAssets": "NOT_AVAILABLE","exposure": "NOT_AVAILABLE","numberOfReachableDataAssets": 1},"securityProblemId": "string"},"state": "ALLOWLISTED","technology": "DOTNET","timestamp": 1,"vulnerability": {"codeLocation": {},"displayName": "string","vulnerabilityId": "string","vulnerableFunction": {},"vulnerableFunctionInput": {"inputSegments": [{"type": "MALICIOUS_INPUT","value": "string"}],"type": "COMMAND"}}}],"nextPageKey": "AQAAABQBAAAABQ==","pageSize": 1,"totalCount": 1}