Retrieve Alerts for a User and Session ID

Overview

You can use the REST API to retrieve alerts for a specified user and session.

Prerequisites

  • Fraud Protection Service (FPS) logging nodes must be configured on the BIG-IQ.

Query the BIG-IQ

To query for alerts, send a POST request to the BIG-IQ search endpoint, as shown below. The request is authenticated with HTTP Basic authentication, which transmits the credentials (base64-encoded, not encrypted) with every request; send it only over HTTPS, and use an account that has no more privilege than is needed to read alert data.

POST /mgmt/cm/shared/es/logiq/websafe/alert/_search/?size=10 HTTP/1.1
Host: [host_IP]
Authorization: Basic [basic_authorization]
Cache-Control: no-cache

The JSON in the body of the request can look similar to the following. The `query` value uses Elasticsearch `query_string` syntax, so operators such as `AND` and wildcards in it are interpreted rather than matched literally; if the username or `fpmGuid` values come from an untrusted source, validate or escape them instead of concatenating them directly into the query string.

{
  "query": {
        "query_string": {
            "query": "username: Unknown AND fpmGuid: 948L26tGR406"
        }
    }
}

The JSON returned in the body of a successful response may look similar to the following example. Each alert record includes the end user's client IP address and User-Agent string, so the response should be handled as sensitive data.

{
    "took": 17,
    "timed_out": false,
    "_shards": {
        "total": 5,
        "successful": 5,
        "failed": 0
    },
    "hits": {
        "total": 1,
        "max_score": 4.5445056,
        "hits": [
            {
                "_index": "websafe_2017-06-20t00-00-00-0700",
                "_type": "alert",
                "_id": "646aa9c3-8b8b-4d89-9df4-c093381efb1d",
                "_score": 4.5445056,
                "_source": {
                    "feed": "20",
                    "eventValue": "13",
                    "host": "vAlert",
                    "connection": "Keep-Alive",
                    "userAgent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36",
                    "acceptEncoding": "identity",
                    "fpsLicense": "7ea0adaf",
                    "query": "client_request_uri=http://192.0.2.242/login.aspx&fpm_additional_info=&fpm_alert_component=1&fpm_alert_details=63&fpm_alert_id=d4&fpm_alert_type=4&fpm_guid=948L26tGR406&fpm_score=0&fpm_transaction_data=&fpm_url_name=/login.aspx&http_referrer=/login.aspx&fpm_defined_value=&fpm_resolved_value=",
                    "fpmGuid": "948L26tGR406",
                    "fpmAlertTypeCount": "4",
                    "fpmAlertTypeCategory": "missing components",
                    "fpmAlertComponentCount": "1",
                    "fpmAlertComponentCategory": "components validation: missing cookie",
                    "fpmAlertId": "d4",
                    "fpmAlertDetails": "Secure Channel Cookie;Rules Cookie;Username Cookie;Malware Guid Cookie;Encryption Disabled Cookie;Components State Cookie",
                    "clientRequestUri": "http://192.0.2.242/login.aspx",
                    "fpmTransactionData": "",
                    "httpReferrer": "http://192.0.2.242/login.aspx",
                    "fpmAdditionalInfo": "",
                    "id": "646aa9c3-8b8b-4d89-9df4-c093381efb1d",
                    "fpmScoreCount": "50",
                    "alertStatus": "New",
                    "domain": "192.0.2.242",
                    "fpmUrlName": "/login.aspx",
                    "fpmDefinedValue": "",
                    "fpmResolvedValue": "",
                    "clientIp": "192.168.101.165",
                    "eventConversionDateTime": "2017-06-20T13:22:30.673Z",
                    "alertUrl": "http://192.0.2.242/login.aspx",
                    "hasUsername": false,
                    "hasGuid": true,
                    "username": "Unknown",
                    "locationLong": 0,
                    "locationLat": 0,
                    "additionalJson": {}
                }
            }
        ]
    }
}