Retrieve Alerts for a User and Session ID
Overview
You can use the REST API to retrieve alerts for a specified user and session.
Prerequisites
- Fraud Protection Service (FPS) logging nodes must be configured on the BIG-IQ.
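Query the BIG-IQ
To query for alerts, send a POST request to the BIG-IQ API. Basic authorization sends the credentials base64-encoded, not encrypted, so send the request only over HTTPS and verify the BIG-IQ certificate.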
POST /mgmt/cm/shared/es/logiq/websafe/alert/_search/?size=10 HTTP/1.1
Host: [host_IP]
Authorization: Basic [basic_authorization]
Cache-Control: no-cache
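The JSON in the body of the request can look similar to the following. This example matches alerts whose username is Unknown and whose fpmGuid (the GUID used here as the session identifier) is 948L26tGR406. If you build the query string from user-supplied values, quote or escape them first, because the query-string syntax treats characters such as ":", "*", and parentheses as operators.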
{
"query": {
"query_string": {
"query": "username: Unknown AND fpmGuid: 948L26tGR406"
}
}
}
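The JSON returned in the body of a successful response may look similar to the following example. The hits.total field reports how many alerts matched, while the size parameter in the request limits how many are returned, so compare the two to confirm that no alerts were left out. Each hit's _source object includes client-identifying data such as clientIp, userAgent, and username, so restrict access to stored responses.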
{
"took": 17,
"timed_out": false,
"_shards": {
"total": 5,
"successful": 5,
"failed": 0
},
"hits": {
"total": 1,
"max_score": 4.5445056,
"hits": [
{
"_index": "websafe_2017-06-20t00-00-00-0700",
"_type": "alert",
"_id": "646aa9c3-8b8b-4d89-9df4-c093381efb1d",
"_score": 4.5445056,
"_source": {
"feed": "20",
"eventValue": "13",
"host": "vAlert",
"connection": "Keep-Alive",
"userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36",
"acceptEncoding": "identity",
"fpsLicense": "7ea0adaf",
"query": "client_request_uri=http://192.0.2.242/login.aspx&fpm_additional_info=&fpm_alert_component=1&fpm_alert_details=63&fpm_alert_id=d4&fpm_alert_type=4&fpm_guid=948L26tGR406&fpm_score=0&fpm_transaction_data=&fpm_url_name=/login.aspx&http_referrer=/login.aspx&fpm_defined_value=&fpm_resolved_value=",
"fpmGuid": "948L26tGR406",
"fpmAlertTypeCount": "4",
"fpmAlertTypeCategory": "missing components",
"fpmAlertComponentCount": "1",
"fpmAlertComponentCategory": "components validation: missing cookie",
"fpmAlertId": "d4",
"fpmAlertDetails": "Secure Channel Cookie;Rules Cookie;Username Cookie;Malware Guid Cookie;Encryption Disabled Cookie;Components State Cookie",
"clientRequestUri": "http://192.0.2.242/login.aspx",
"fpmTransactionData": "",
"httpReferrer": "http://192.0.2.242/login.aspx",
"fpmAdditionalInfo": "",
"id": "646aa9c3-8b8b-4d89-9df4-c093381efb1d",
"fpmScoreCount": "50",
"alertStatus": "New",
"domain": "192.0.2.242",
"fpmUrlName": "/login.aspx",
"fpmDefinedValue": "",
"fpmResolvedValue": "",
"clientIp": "192.168.101.165",
"eventConversionDateTime": "2017-06-20T13:22:30.673Z",
"alertUrl": "http://192.0.2.242/login.aspx",
"hasUsername": false,
"hasGuid": true,
"username": "Unknown",
"locationLong": 0,
"locationLat": 0,
"additionalJson": {}
}
}
]
}
}