How to identify the top attacks using the GraphQL API

You can use information from the httpMetrics dataset to monitor traffic patterns, detect anomalies, and analyze potential threats. This guide explains how to filter the top attack types, ranked by occurrence, as identified by the WAF.


Querying data

To query the Top 5 attacks, identified by the WAF and ranked by occurrence, proceed as follows:

  1. Access the GraphiQL Playground at this link: https://manager.azion.com/metrics/graphql.
    • You must be logged in to your Azion account. Otherwise, you’ll receive an error message.
  2. Send a query following this format:
    query Top5Attacks {
      httpMetrics(
        limit: 5
        filter: {
          tsRange: {
            begin: "2025-01-15T00:00:00"
            end: "2025-01-15T20:00:00"
          }
        }
        groupBy: [wafAttackFamily]
        orderBy: [wafRequestsThreat_DESC]
      )
      {
        wafAttackFamily
        wafRequestsThreat
      }
    }

Where:

| Field | Description |
|---|---|
| limit | Specifies the maximum number of results to return. In this case, 5 |
| filter | Defines the criteria used to filter the data returned by the query |
| tsRange | A subfield of filter. Specifies a time range for filtering data. It includes begin and end fields to define the start and end date and times. Format: "YYYY-MM-DDTHH:mm:ss"; example: "2024-04-11T00:00:00" |
| orderBy | Specifies the order in which the results should be returned. Examples: [wafRequestsThreat_DESC], for descending order, and [wafRequestsThreat_ASC], for ascending order |
| groupBy | Specifies the fields by which the query results should be grouped. In the example: [wafAttackFamily] to group by attack families detected by the WAF |
  3. You’ll receive a response similar to this:

    {
      "data": {
        "httpMetrics": [
          {
            "wafAttackFamily": "$OTHERS",
            "wafRequestsThreat": 1449942
          },
          {
            "wafAttackFamily": "$SQL, $XSS",
            "wafRequestsThreat": 1171825
          },
          {
            "wafAttackFamily": "$RFI",
            "wafRequestsThreat": 370811
          },
          {
            "wafAttackFamily": "$SQL, $XSS, $TRAVERSAL",
            "wafRequestsThreat": 216747
          },
          {
            "wafAttackFamily": "$SQL",
            "wafRequestsThreat": 191808
          }
        ]
      }
    }

Where:

| Field | Description |
|---|---|
| wafAttackFamily | Category or type of attack detected by the Web Application Firewall (WAF), based on their characteristics. Example: $SQL, $RFI, $SQL, $XSS, $OTHERS |
| wafRequestsThreat | Total number of requests flagged as threats by the WAF, ranked by the most frequent attack types. Example: 216747 |
