Attacks API - GET attack details

  • Reference
  • Published Aug 30, 2023

Lists the details of a specific attack.

The request produces an application/json payload.

GETManagedDynatrace for Governmenthttps://{your-domain}/e/{your-environment-id}/api/v2/attacks/{id}
Environment and Cluster ActiveGate (default port 9999)https://{your-activegate-domain}:9999/e/{your-environment-id}/api/v2/attacks/{id}

Authentication

To execute this request, you need an access token with attacks.read scope.

To learn how to obtain and use it, see Tokens and authentication.

Parameters

ParameterTypeDescriptionInRequired
idstring

The ID of the attack.

pathrequired
fieldsstring

A list of additional attack properties you can add to the response.

The following properties are available (all other properties are always included and you can't remove them from the response):

  • attackTarget: The targeted host/database of an attack.
  • request: The request that was sent from the attacker.
  • entrypoint: The entry point used by an attacker to start a specific attack.
  • vulnerability: The vulnerability utilized by the attack.
  • securityProblem: The related security problem.
  • attacker: The attacker of an attack.
  • managementZones: The related management zones.

To add properties, specify them in a comma-separated list and prefix each property with a plus (for example, +attackTarget,+securityProblem).

queryoptional

Response

Response codes

CodeTypeDescription
200Attack

Success

4XXErrorEnvelope

Client side error.

5XXErrorEnvelope

Server side error.

Response body objects

The Attack object

Describes an attack.

ElementTypeDescription
affectedEntitiesAffectedEntities

Information about affected entities of an attack.

attackIdstring

The ID of the attack.

attackTargetAttackTarget

Information about the targeted host/database of an attack.

attackTypestring

The type of the attack.

  • COMMAND_INJECTION
  • JNDI_INJECTION
  • SQL_INJECTION
  • SSRF
attackerAttacker

Attacker of an attack.

displayIdstring

The display ID of the attack.

displayNamestring

The display name of the attack.

entrypointAttackEntrypoint

Describes the entrypoint used by an attacker to start a specific attack.

managementZonesManagementZone[]

A list of management zones which the affected entities belong to.

requestRequestInformation

Describes the complete request information of an attack.

securityProblemAttackSecurityProblem

Assessment information and the ID of a security problem related to an attack.

statestring

The state of the attack.

  • ALLOWLISTED
  • BLOCKED
  • EXPLOITED
technologystring

The technology of the attack.

  • DOTNET
  • GO
  • JAVA
  • NODE_JS
timestampinteger

The timestamp when the attack occurred.

vulnerabilityVulnerability

Describes the exploited vulnerability.

The AffectedEntities object

Information about affected entities of an attack.

ElementTypeDescription
processGroupAffectedEntity

Information about an affected entity.

processGroupInstanceAffectedEntity

Information about an affected entity.

The AffectedEntity object

Information about an affected entity.

ElementTypeDescription
idstring

The monitored entity ID of the affected entity.

namestring

The name of the affected entity.

The AttackTarget object

Information about the targeted host/database of an attack.

ElementTypeDescription
entityIdstring

The monitored entity ID of the targeted host/database.

namestring

The name of the targeted host/database.

The Attacker object

Attacker of an attack.

ElementTypeDescription
locationAttackerLocation

Location of an attacker.

sourceIpstring

The source IP of the attacker.

The AttackerLocation object

Location of an attacker.

ElementTypeDescription
citystring

City of the attacker.

countrystring

The country of the attacker.

countryCodestring

The country code of the country of the attacker, according to the ISO 3166-1 Alpha-2 standard.

The AttackEntrypoint object

Describes the entrypoint used by an attacker to start a specific attack.

ElementTypeDescription
codeLocationCodeLocation

Information about a code location.

entrypointFunctionFunctionDefinition

Information about a function definition.

payloadobject[]

A list of values that has possibly been truncated.

The CodeLocation object

Information about a code location.

ElementTypeDescription
classNamestring

The fully qualified class name of the code location.

columnNumberinteger

The column number of the code location.

displayNamestring

A human readable string representation of the code location.

fileNamestring

The file name of the code location.

functionNamestring

The function/method name of the code location.

lineNumberinteger

The line number of the code location.

parameterTypesTruncatableListString

A list of values that has possibly been truncated.

returnTypestring

The return type of the function.

The TruncatableListString object

A list of values that has possibly been truncated.

ElementTypeDescription
truncationInfoTruncationInfo

Information on a possible truncation.

valuesstring[]

Values of the list.

The TruncationInfo object

Information on a possible truncation.

ElementTypeDescription
truncatedboolean

If the list/value has been truncated.

The FunctionDefinition object

Information about a function definition.

ElementTypeDescription
classNamestring

The fully qualified class name of the class that includes the function.

displayNamestring

A human readable string representation of the function definition.

fileNamestring

The file name of the function definition.

functionNamestring

The function/method name of the function definition.

parameterTypesTruncatableListString

A list of values that has possibly been truncated.

returnTypestring

The return type of the function.

The EntrypointPayload object

Describes a payload sent to an entrypoint during an attack.

ElementTypeDescription
namestring

Name of the payload, if applicable.

typestring

Type of the payload.

  • HTTP_BODY
  • HTTP_COOKIE
  • HTTP_HEADER_NAME
  • HTTP_HEADER_VALUE
  • HTTP_OTHER
  • HTTP_PARAMETER_NAME
  • HTTP_PARAMETER_VALUE
  • HTTP_URL
  • UNKNOWN
valuestring

Value of the payload.

The ManagementZone object

A short representation of a management zone.

ElementTypeDescription
idstring

The ID of the management zone.

namestring

The name of the management zone.

The RequestInformation object

Describes the complete request information of an attack.

ElementTypeDescription
hoststring

The target host of the request.

pathstring

The request path.

protocolDetailsProtocolDetails

Details that are specific to the used protocol.

urlstring

The requested URL.

The ProtocolDetails object

Details that are specific to the used protocol.

ElementTypeDescription
httpHttpProtocolDetails

HTTP specific request details.

The HttpProtocolDetails object

HTTP specific request details.

ElementTypeDescription
headersTruncatableListAttackRequestHeader

A list of values that has possibly been truncated.

parametersTruncatableListHttpRequestParameter

A list of values that has possibly been truncated.

requestMethodstring

The HTTP request method.

The TruncatableListAttackRequestHeader object

A list of values that has possibly been truncated.

ElementTypeDescription
truncationInfoTruncationInfo

Information on a possible truncation.

valuesAttackRequestHeader[]

Values of the list.

The AttackRequestHeader object

A header element of the attack's request.

ElementTypeDescription
namestring

The name of the header element.

valuestring

The value of the header element.

The TruncatableListHttpRequestParameter object

A list of values that has possibly been truncated.

ElementTypeDescription
truncationInfoTruncationInfo

Information on a possible truncation.

valuesHttpRequestParameter[]

Values of the list.

The HttpRequestParameter object

An HTTP request parameter.

ElementTypeDescription
namestring

The name of the parameter.

valuestring

The value of the parameter.

The AttackSecurityProblem object

Assessment information and the ID of a security problem related to an attack.

ElementTypeDescription
assessmentAttackSecurityProblemAssessmentDto

The assessment of a security problem related to an attack.

securityProblemIdstring

The security problem ID.

The AttackSecurityProblemAssessmentDto object

The assessment of a security problem related to an attack.

ElementTypeDescription
dataAssetsstring

The reachability of data assets by the attacked target.

  • NOT_AVAILABLE
  • NOT_DETECTED
  • REACHABLE
exposurestring

The level of exposure of the attacked target

  • NOT_AVAILABLE
  • NOT_DETECTED
  • PUBLIC_NETWORK
numberOfReachableDataAssetsinteger

The number of data assets reachable by the attacked target.

The Vulnerability object

Describes the exploited vulnerability.

ElementTypeDescription
codeLocationCodeLocation

Information about a code location.

displayNamestring

The display name of the vulnerability.

vulnerabilityIdstring

The id of the vulnerability.

vulnerableFunctionFunctionDefinition

Information about a function definition.

vulnerableFunctionInputVulnerableFunctionInput

Describes what got passed into the code level vulnerability.

The VulnerableFunctionInput object

Describes what got passed into the code level vulnerability.

ElementTypeDescription
inputSegmentsVulnerableFunctionInputSegment[]

A list of input segments.

typestring

The type of the input.

  • COMMAND
  • HTTP_CLIENT
  • JNDI
  • SQL_STATEMENT

The VulnerableFunctionInputSegment object

Describes one segment that was passed into a vulnerable function.

ElementTypeDescription
typestring

The type of the input segment.

  • MALICIOUS_INPUT
  • REGULAR_INPUT
  • TAINTED_INPUT
valuestring

The value of the input segment.

Response body JSON model

{
  "affectedEntities": {
    "processGroup": {
      "id": "string",
      "name": "string"
    },
    "processGroupInstance": {}
  },
  "attackId": "string",
  "attackTarget": {
    "entityId": "string",
    "name": "string"
  },
  "attackType": "COMMAND_INJECTION",
  "attacker": {
    "location": {
      "city": "string",
      "country": "string",
      "countryCode": "string"
    },
    "sourceIp": "string"
  },
  "displayId": "string",
  "displayName": "string",
  "entrypoint": {
    "codeLocation": {
      "className": "string",
      "columnNumber": 1,
      "displayName": "string",
      "fileName": "string",
      "functionName": "string",
      "lineNumber": 1,
      "parameterTypes": {
        "truncationInfo": {
          "truncated": true
        },
        "values": [
          "string"
        ]
      },
      "returnType": "string"
    },
    "entrypointFunction": {
      "className": "string",
      "displayName": "string",
      "fileName": "string",
      "functionName": "string",
      "parameterTypes": {},
      "returnType": "string"
    },
    "payload": [
      {
        "truncationInfo": {},
        "values": [
          {
            "name": "string",
            "type": "HTTP_BODY",
            "value": "string"
          }
        ]
      }
    ]
  },
  "managementZones": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "request": {
    "host": "string",
    "path": "string",
    "protocolDetails": {
      "http": {
        "headers": {
          "truncationInfo": {},
          "values": [
            {
              "name": "string",
              "value": "string"
            }
          ]
        },
        "parameters": {
          "truncationInfo": {},
          "values": [
            {
              "name": "string",
              "value": "string"
            }
          ]
        },
        "requestMethod": "string"
      }
    },
    "url": "string"
  },
  "securityProblem": {
    "assessment": {
      "dataAssets": "NOT_AVAILABLE",
      "exposure": "NOT_AVAILABLE",
      "numberOfReachableDataAssets": 1
    },
    "securityProblemId": "string"
  },
  "state": "ALLOWLISTED",
  "technology": "DOTNET",
  "timestamp": 1,
  "vulnerability": {
    "codeLocation": {},
    "displayName": "string",
    "vulnerabilityId": "string",
    "vulnerableFunction": {},
    "vulnerableFunctionInput": {
      "inputSegments": [
        {
          "type": "MALICIOUS_INPUT",
          "value": "string"
        }
      ],
      "type": "COMMAND"
    }
  }
}