How to identify the Top IPs generating attack traffic using GraphQL API

You can use information from the httpEvents dataset to monitor traffic patterns, detect anomalies, and analyze potential threats. This guide explains how to filter the 5 IPs that generated the most requests identified by the WAF as attacks.

Querying data

To query the Top 5 IPs generating attack traffic, according to the WAF, proceed as follows:

Access the GraphiQL Playground at this link: https://api.azion.com/v4/metrics/graphql.
- You must be logged in to your Azion account. Otherwise, you’ll receive an error message.
Send a query following this format:

query TOP5IPsWAFRequests {
  httpEvents(
    limit: 5
    filter: {
      tsRange: {
        begin:"2025-01-15T00:00:00"
        end:"2025-01-15T20:00:00"
      },
      wafMatchNe: "-"
      wafAttackFamilyNe: "-"
    }
    aggregate: {
      count: rows
    }
    groupBy:[remoteAddress, wafAttackFamily]
    orderBy:[count_DESC]
  )
  {
    remoteAddress
    wafAttackFamily
    count
  }
}

Where:

Field	Description
`limit`	Specifies the maximum number of results to return. In this case, `5`
`filter`	Defines the criteria used to filter the data returned by the query
`tsRange`	A subfield of `filter`. Specifies a time range for filtering data. It includes `begin` and `end` fields to define the start and end date and times. Format: `"YYYY-MM-DDTHH:mm:ss"`; example: `"2024-04-11T00:00:00"`
`wafMatchNe`	Filters out entries where the `wafMatch` field is equal to ”-”, meaning it only includes events with valid WAF matches
`wafAttackFamilyNe`	Filters out entries where the `wafAttackFamily` field is equal to ”-”, ensuring only events with identified WAF attack families are included
`count: rows`	As a subfield of `aggregate`, counts the number of events matching the query’s filters and groups
`orderBy`	Specifies the order in which the results should be returned. Examples: `[count_DESC]`, for descending order, and `[count_ASC]`, for ascending order
`groupBy`	Specifies the fields by which the query results should be grouped. In the example: `[remoteAddress, wafAttackFamily]` to group by IP and the family of attacks detected by the WAF

You’ll receive a response similar to this:

{
  "data": {
    "httpEvents": [
      {
        "remoteAddress": "123.456.789.123",
        "wafAttackFamily": "$SQL, $XSS",
       "count": 1384
      },
       {
        "remoteAddress": "987.654.321.123",
        "wafAttackFamily": "$TRAVERSAL",
       "count": 1224
      },
      {
        "remoteAddress": "12.123.1.123",
        "wafAttackFamily": "$SQL, $XSS",
       "count": 1194
      },
       {
        "remoteAddress": "123.321.123.321",
        "wafAttackFamily": "$OTHERS",
       "count": 690
      },
      {
        "remoteAddress": "123.456.456.000",
        "wafAttackFamily": "$RFI",
       "count": 363
      }
    ]
  }
}

Where:

Field	Description
`remoteAddress`	IP address of the origin that generated the requests. Example: 127.0.0.1
`wafAttackFamily`	Category or type of attack detected by the Web Application Firewall (WAF), based on their characteristics. Example: `$SQL`, `$RFI`, `$SQL`, `$XSS`, `$OTHERS`
`count`	Requests identified by the WAF as attacks. Example: `1194`