How to investigate requests with Real-Time Events GraphQL API
Constant monitoring can help you identify unusual behaviors in your applications and possible attacks. For this guide, you’ll use an example scenario where there are requests coming from Brazil, a country you don’t want to allow access to, and you want to filter requests from Chile, the country most of your safe requests come from.
See the steps described in this guide to investigate requests and the next steps to resolve the situation if you’re being attacked.
Using GraphQL API playground for investigation
- Make sure you’re logged in on your Azion account, via Real-Time Manager or via Console.
- Access Real-Time Events GraphQL API playground.
- Create a query with the filter and time range you want to use.
Step 1. Investigating countries
Begin your investigation with a query focused on the countries making requests.
- In Real-Time Events GraphQL API playground, add the following query:
query requestsInvestigationCountries { httpEvents( limit: 100, filter: { tsRange: {begin:"2024-03-20T10:10:10", end:"2024-03-27T10:10:10"}
geolocCountryNameNotIn: ["Chile"] hostIn: ["myhost.net", "anotherhost.com"] } aggregate: {count: geolocCountryName} groupBy: [host, geolocCountryName, requestUri, status] orderBy: [count_DESC] ) { geolocCountryName host requestUri status count }}- Run the query in the GraphQL API playground.
- You’ll receive a response similar to:
{ "data": { "httpEvents": [ { "geolocCountryName": "Brazil", "host": "myhost.com", "requestUri": "/directory/file.html", "status": 200, "count": 22041 }, { "geolocCountryName": "United States", "host": "host.com.br", "requestUri": "/directory/file.html", "status": 200, "count": 9596 }, { "geolocCountryName": "Brazil", "host": "anotherhost.org", "requestUri": "/directory/file.html", "status": 200, "count": 29582 }, { "geolocCountryName": "United States", "host": "host.org", "requestUri": "/directory/file.html", "status": 200, "count": 9578 }, { "geolocCountryName": "United States", "host": "host.net", "requestUri": "/directory/file.html", "status": 403, "count": 9564 } ] }}- Analyze the query response and check if there are incoming requests from the countries you don’t want to allow. In this case, from Brazil.
If you’re running a general investigation query, you can check if the same country that doesn’t usually access your application made an abnormal amount of request to you host in a short amount a time, as in the same minute. This is a common indicator your application is under attack.
Creating a network list
As you’ve identified a country you don’t want to allow access to is accessing your application, you can create a network list to block the country.
- Access Azion Console > Network Lists.
- Click + Network List.
- Give your network list a unique and easy-to-remember name.
- In Type, choose Countries.
- In Countries, select the countries you want to add to the list. In this case, Brazil.
To have your network list running, you need to go to Edge Firewall > Rules Engine and create a rule associated with the network list you’ve just created.
Go to associate network list to rule guideAfter the propagation time for the rule, your domain, associated with the edge firewall you added the list to, will block all requests from that country. In this case, Brazil.
Monitoring on playground again
After creating the rule on Rules Engine for Edge Firewall, you need to continue monitoring your application traffic to guarantee the rule has been applied and the application traffic is normalized.
In your query, update the tsRange to match the period after you’ve created the rule. Remember to give the time for it to propagate.
Now, in the query response for the example of this guide, the requests coming from Brazil must have a status indicating blocking, such as 403.
query requestsInvestigationStatus { httpEvents( limit: 100, filter: { tsRange: {begin:"2024-03-20T10:10:10", end:"2024-03-27T10:10:10"}
geolocCountryNameNotIn: ["Chile"] hostIn: ["myhost.net", "anotherhost.com"] statusIn: "403"
} aggregate: {count: geolocCountryName} groupBy: [host, geolocCountryName, requestUri, status] orderBy: [count_DESC] ) { geolocCountryName host requestUri status count }}Step 2. Investigating User-Agent header
Next, you’ll investigate the User-Agent header being used in the requests from the countries you’ve blocked, to create other rules and further improve your security.
- On Real-Time Events GraphQL’s playground, run the following query:
query requestsInvestigationUserAgent { httpEvents( limit: 100, filter: { tsRange: {begin:"2024-03-20T10:10:10", end:"2024-03-27T10:10:10"}
statusIn: [403]
} aggregate: {count: geolocCountryName} groupBy: [geolocCountryName, status, httpUserAgent] orderBy: [count_DESC] ) { geolocCountryName status httpUserAgent count }}You’ll receive a response similar to:
{ "data": { "httpEvents": [ { "geolocCountryName": "Brazil", "status": 403, "httpUserAgent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Mobile Safari/537.36", "count": 70587 }, { "geolocCountryName": "United States", "status": 403, "httpUserAgent": "Java/11.0.19", "count": 35736 }, { "geolocCountryName": "Brazil", "status": 403, "httpUserAgent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Mobile Safari/537.36", "count": 19322 }, { "geolocCountryName": "Brazil", "status": 403, "httpUserAgent": "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/24.0 Chrome/117.0.0.0 Mobile Safari/537.36", "count": 8638 }, { "geolocCountryName": "United States", "status": 403, "httpUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36", "count": 2878 } ] }}- Analyze the query response and find the
User-Agentheader being used by the request you want to block. - Create a rule on Rules Engine for Edge Firewall to block it.
Creating a rule on Rules Engine for Edge Firewall
Attackers can change the country their requests are coming from, so by blocking their User-Agent header, you’ll add another layer of protection against known attacks.
In this example, the Ubuntu User-Agent will be used.
- Access Console > Edge Firewall.
- Select an existing edge firewall or create a new one.
- Select the Rules Engine tab in the selected edge firewall.
- Give your rule a name.
- In Criteria, add the
if Header User Agent matches Ubuntucriteria. - In Behaviors, select Deny (403 Forbidden).
Other secure configuration options
If you don’t want to block all requests from a country through a network list, there are other features of Azion Secure products you can use.
- Create a rule with the Set Rate Limit behavior.
- Use WAF Tuning to monitor and create specific allowed rules.
If you use other configurations, modify your GraphQL API query filters to match the other configurations. For example, using the stacktrace field or adding another status, such as 429 for the Set Rate Limit rule.
Other monitoring queries
Here are some other options of queries you can use to investigate and monitor attacks:
Contributors
