Retrieve a Daily Report on Detected Malware Types

Overview

You can use the REST API to retrieve a daily report of detected malware types.

Prerequisites

  • Fraud Protection Service (FPS) logging nodes must be configured on the BIG-IQ.

Query the BIG-IQ API

The size value in the query is the number of alert types (or alerts) you want returned in the response; set it to the total number of alert types to return all of them. If size is omitted, the default is 10. The precision_threshold value sets the count below which the distinct-alert count is expected to be close to accurate.

To query for a report, you can send a POST request to the BIG-IQ API.

POST /mgmt/cm/shared/es/logiq/websafe/alert/_search/?size=0 HTTP/1.1
Host: [host_IP]
Authorization: Basic [basic_authorization]
Cache-Control: no-cache

The JSON in the body of the request can look similar to the following.

{
    "aggs": {
        "alerts_over_time": {
            "date_histogram": {
                "field": "eventConversionDateTime",
                "interval": "day",
                "format": "MMM, dd yyyy"
            },
            "aggs": {
                "group_by_alert": {
                    "terms": {
                        "field": "fpmAlertComponentCategory",
                        "size": 117
                    }
                },
                "distinct_alerts": {
                    "cardinality": {
                        "field": "fpmAlertComponentCategory",
                        "precision_threshold": 100
                    }
                }
            }
        }
    }
}

The JSON returned in the body of a successful response may look similar to the following example. The value of distinct_alerts is the number of distinct alert types found in each day's bucket, and doc_count is the number of alerts for that day.

{
    "took": 858,
    "timed_out": false,
    "_shards": {
        "total": 5,
        "successful": 5,
        "failed": 0
    },
    "hits": {
        "total": 128,
        "max_score": 0,
        "hits": []
    },
    "aggregations": {
        "alerts_over_time": {
            "buckets": [
                {
                    "key_as_string": "Jun, 20 2017",
                    "key": 1497916800000,
                    "doc_count": 109,
                    "distinct_alerts": {
                        "value": 32
                    },
                    "group_by_alert": {
                        "doc_count_error_upper_bound": 0,
                        "sum_other_doc_count": 33,
                        "buckets": [
                            {
                                "key": "man in the middle",
                                "doc_count": 17
                            },
                            {
                                "key": "device/app security",
                                "doc_count": 14
                            },
                            {
                                "key": "custom",
                                "doc_count": 10
                            },
                            {
                                "key": "malformed json alert",
                                "doc_count": 8
                            },
                            {
                                "key": "malware",
                                "doc_count": 8
                            },
                            {
                                "key": "browser automation",
                                "doc_count": 5
                            },
                            {
                                "key": "external sources",
                                "doc_count": 4
                            },
                            {
                                "key": "phishing user",
                                "doc_count": 4
                            },
                            {
                                "key": "forbidden words found",
                                "doc_count": 3
                            },
                            {
                                "key": "identify stolen",
                                "doc_count": 3
                            }
                        ]
                    }
                },
                {
                    "key_as_string": "Jun, 21 2017",
                    "key": 1498003200000,
                    "doc_count": 12,
                    "distinct_alerts": {
                        "value": 2
                    },
                    "group_by_alert": {
                        "doc_count_error_upper_bound": 0,
                        "sum_other_doc_count": 0,
                        "buckets": [
                            {
                                "key": "init symmetric key failed",
                                "doc_count": 11
                            },
                            {
                                "key": "validation error",
                                "doc_count": 1
                            }
                        ]
                    }
                }
            ]
        }
    }
}
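The following script is an added example, not part of the original page or F5's own code. It builds the request body shown above as a Python dictionary, posts it to the BIG-IQ endpoint with HTTP Basic authentication (the fetch_report function is an assumption about how the page's request would be sent from a script and is not exercised offline), and flattens the aggregation response into one record per day. The sample response embedded below is a constructed copy of the page's example, used so the parsing and consistency check run without a BIG-IQ.

```python
import json
import base64
import urllib.request
from typing import Any, Dict, List

# Endpoint used on this page; the host is supplied by the caller.
SEARCH_PATH = "/mgmt/cm/shared/es/logiq/websafe/alert/_search/?size=0"


def build_report_query(interval: str = "day", top_n: int = 117,
                       precision_threshold: int = 100) -> dict:
    """Return the aggregation body from the page as a dict.

    top_n is the terms 'size' (alert categories per day bucket);
    precision_threshold controls the accuracy of the distinct count.
    """
    return {
        "aggs": {
            "alerts_over_time": {
                "date_histogram": {
                    "field": "eventConversionDateTime",
                    "interval": interval,
                    "format": "MMM, dd yyyy",
                },
                "aggs": {
                    "group_by_alert": {
                        "terms": {"field": "fpmAlertComponentCategory", "size": top_n}
                    },
                    "distinct_alerts": {
                        "cardinality": {
                            "field": "fpmAlertComponentCategory",
                            "precision_threshold": precision_threshold,
                        }
                    },
                },
            }
        }
    }


def fetch_report(host: str, username: str, password: str, timeout: int = 30) -> dict:
    """POST the query to BIG-IQ with Basic auth (assumed transport; not run offline)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{SEARCH_PATH}",
        data=json.dumps(build_report_query()).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Cache-Control": "no-cache"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize_report(response: dict) -> List[Dict[str, Any]]:
    """Flatten the alerts_over_time buckets into one record per day."""
    days = []
    buckets = response.get("aggregations", {}).get("alerts_over_time", {}).get("buckets", [])
    for day in buckets:
        grouped = day.get("group_by_alert", {})
        days.append({
            "day": day["key_as_string"],
            "total_alerts": day["doc_count"],
            "distinct_types": day["distinct_alerts"]["value"],
            "by_type": {b["key"]: b["doc_count"] for b in grouped.get("buckets", [])},
            # alerts whose category fell outside the returned terms buckets
            "other": grouped.get("sum_other_doc_count", 0),
            # nonzero means per-type counts may be off by up to this much
            "count_error_upper_bound": grouped.get("doc_count_error_upper_bound", 0),
        })
    return days


def bucket_totals_consistent(summary: List[Dict[str, Any]]) -> bool:
    """True when, for every day, listed types plus 'other' equal the day's total."""
    return all(sum(d["by_type"].values()) + d["other"] == d["total_alerts"] for d in summary)


def _bucket(key_as_string, key, doc_count, distinct, other, counts):
    # Helper to assemble a day bucket in the shape the page shows.
    return {"key_as_string": key_as_string, "key": key, "doc_count": doc_count,
            "distinct_alerts": {"value": distinct},
            "group_by_alert": {"doc_count_error_upper_bound": 0,
                               "sum_other_doc_count": other,
                               "buckets": [{"key": k, "doc_count": v} for k, v in counts]}}


# Constructed sample: the two-day response from this page.
SAMPLE_RESPONSE = {
    "took": 858, "timed_out": False,
    "hits": {"total": 128, "max_score": 0, "hits": []},
    "aggregations": {"alerts_over_time": {"buckets": [
        _bucket("Jun, 20 2017", 1497916800000, 109, 32, 33, [
            ("man in the middle", 17), ("device/app security", 14), ("custom", 10),
            ("malformed json alert", 8), ("malware", 8), ("browser automation", 5),
            ("external sources", 4), ("phishing user", 4),
            ("forbidden words found", 3), ("identify stolen", 3)]),
        _bucket("Jun, 21 2017", 1498003200000, 12, 2, 0, [
            ("init symmetric key failed", 11), ("validation error", 1)]),
    ]}},
}

if __name__ == "__main__":
    report = summarize_report(SAMPLE_RESPONSE)
    print(json.dumps(report, indent=2))
    print("totals consistent:", bucket_totals_consistent(report))
```

The consistency check is worth keeping in a real pipeline: when sum_other_doc_count is large relative to the listed types, the terms size was too small for that day and the report is hiding categories, and a nonzero doc_count_error_upper_bound means the per-type counts from a multi-shard index are approximate.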