Retrieve a Daily Report on Detected Malware Types
Overview
You can use the REST API to retrieve a daily report of detected malware types.
Prerequisites
- Fraud Protection Service (FPS) logging nodes must be configured on the BIG-IQ.
Query the BIG-IQ API
The value of size in the query is the number of alert types, or the number of alerts, you want in the response. If size is not used, the default is 10 alerts. The value of precision_threshold specifies the count below which counts are expected to be close to accurate.
To query for a report, you can send a POST request to the BIG-IQ API.
POST /mgmt/cm/shared/es/logiq/websafe/alert/_search/?size=0 HTTP/1.1
Host: [host_IP]
Authorization: Basic [basic_authorization]
Cache-Control: no-cache
The JSON in the body of the request can look similar to the following.
{
  "aggs": {
    "alerts_over_time": {
      "date_histogram": {
        "field": "eventConversionDateTime",
        "interval": "day",
        "format": "MMM, dd yyyy"
      },
      "aggs": {
        "group_by_alert": {
          "terms": {
            "field": "fpmAlertComponentCategory",
            "size": 117
          }
        },
        "distinct_alerts": {
          "cardinality": {
            "field": "fpmAlertComponentCategory",
            "precision_threshold": 100
          }
        }
      }
    }
  }
}
The JSON returned in the body of a successful response may look similar to the following example. The value of distinct_alerts is the number of alerts found.
{
  "took": 858,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "failed": 0
  },
  "hits": {
    "total": 128,
    "max_score": 0,
    "hits": []
  },
  "aggregations": {
    "alerts_over_time": {
      "buckets": [
        {
          "key_as_string": "Jun, 20 2017",
          "key": 1497916800000,
          "doc_count": 109,
          "distinct_alerts": {
            "value": 32
          },
          "group_by_alert": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 33,
            "buckets": [
              {
                "key": "man in the middle",
                "doc_count": 17
              },
              {
                "key": "device/app security",
                "doc_count": 14
              },
              {
                "key": "custom",
                "doc_count": 10
              },
              {
                "key": "malformed json alert",
                "doc_count": 8
              },
              {
                "key": "malware",
                "doc_count": 8
              },
              {
                "key": "browser automation",
                "doc_count": 5
              },
              {
                "key": "external sources",
                "doc_count": 4
              },
              {
                "key": "phishing user",
                "doc_count": 4
              },
              {
                "key": "forbidden words found",
                "doc_count": 3
              },
              {
                "key": "identify stolen",
                "doc_count": 3
              }
            ]
          }
        },
        {
          "key_as_string": "Jun, 21 2017",
          "key": 1498003200000,
          "doc_count": 12,
          "distinct_alerts": {
            "value": 2
          },
          "group_by_alert": {
            "doc_count_error_upper_bound": 0,
            "sum_other_doc_count": 0,
            "buckets": [
              {
                "key": "init symmetric key failed",
                "doc_count": 11
              },
              {
                "key": "validation error",
                "doc_count": 1
              }
            ]
          }
        }
      ]
    }
  }
}
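As an added example that is not part of the BIG-IQ documentation, the following Python script builds the request body shown above with a configurable size and precision_threshold, posts it to the search endpoint with basic authentication over verified TLS, and flattens the per-day buckets of a response into a summary of total alerts, distinct categories and the remainder that fell outside the listed buckets. The host, user, password and ca_file arguments are placeholders supplied by the caller; the embedded sample response is constructed from the two daily buckets shown above.

```python
import base64
import json
import ssl
import urllib.request

def build_query(size=117, precision_threshold=100):
    # Aggregation body from the page: daily histogram, per-category counts, distinct categories.
    hist = {"field": "eventConversionDateTime", "interval": "day", "format": "MMM, dd yyyy"}
    return {"aggs": {"alerts_over_time": {"date_histogram": hist, "aggs": {
        "group_by_alert": {"terms": {"field": "fpmAlertComponentCategory",
                                     "size": size}},
        "distinct_alerts": {"cardinality": {
            "field": "fpmAlertComponentCategory",
            "precision_threshold": precision_threshold}}}}}}

def post_search(host, user, password, body, ca_file=None):
    # Hypothetical host/credentials; ca_file pins the BIG-IQ certificate chain (TLS is verified).
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/mgmt/cm/shared/es/logiq/websafe/alert/_search/?size=0",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)

def summarize(response):
    # One row per day: total alerts, distinct categories, listed categories, and the uncounted rest.
    rows = []
    for b in response["aggregations"]["alerts_over_time"]["buckets"]:
        grp = b["group_by_alert"]
        rows.append({"day": b["key_as_string"], "alerts": b["doc_count"],
                     "distinct": b["distinct_alerts"]["value"],
                     "other": grp["sum_other_doc_count"],
                     "top": [(x["key"], x["doc_count"]) for x in grp["buckets"]]})
    return rows

# Constructed sample response, trimmed from the two daily buckets on the page.
SAMPLE = {"aggregations": {"alerts_over_time": {"buckets": [
    {"key_as_string": "Jun, 20 2017", "doc_count": 109,
     "distinct_alerts": {"value": 32}, "group_by_alert": {
         "sum_other_doc_count": 33, "buckets": [
             {"key": "man in the middle", "doc_count": 17},
             {"key": "device/app security", "doc_count": 14}]}},
    {"key_as_string": "Jun, 21 2017", "doc_count": 12,
     "distinct_alerts": {"value": 2}, "group_by_alert": {
         "sum_other_doc_count": 0, "buckets": [
             {"key": "init symmetric key failed", "doc_count": 11},
             {"key": "validation error", "doc_count": 1}]}}]}}}
```

Because the page's request uses size=0 in the URL, the response carries no raw hits, so summarize reads only the aggregation buckets; a real run is `summarize(post_search(host, user, password, build_query()))`.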