How to identify the Top IPs generating attack traffic using GraphQL API

You can use information from the httpEvents dataset to monitor traffic patterns, detect anomalies, and analyze potential threats. This guide explains how to query the 5 IPs that sent the most requests the WAF identified as attacks.


Querying data

To query the Top 5 IPs generating attack traffic, according to the WAF, proceed as follows:

  1. Access the GraphiQL Playground at this link: https://manager.azion.com/metrics/graphql.
    • You must be logged in to your Azion account. Otherwise, you’ll receive an error message.
  2. Send a query following this format:
     query TOP5IPsWAFRequests {
       httpEvents(
         limit: 5
         filter: {
           tsRange: {
             begin: "2025-01-15T00:00:00"
             end: "2025-01-15T20:00:00"
           },
           wafMatchNe: "-"
           wafAttackFamilyNe: "-"
         }
         aggregate: {
           count: rows
         }
         groupBy: [remoteAddress, wafAttackFamily]
         orderBy: [count_DESC]
       )
       {
         remoteAddress
         wafAttackFamily
         count
       }
     }

Where:

Field               Description
limit               Maximum number of rows to return. In this example, 5.
filter              Criteria used to select the events the query returns.
tsRange             Subfield of filter. Time window for the events, with begin and end fields for the start and end date and time. Format: "YYYY-MM-DDTHH:mm:ss"; example: "2024-04-11T00:00:00".
wafMatchNe          Excludes events whose wafMatch field equals "-" (the Ne suffix means "not equal"), so only events with a WAF match are included.
wafAttackFamilyNe   Excludes events whose wafAttackFamily field equals "-", so only events with an identified WAF attack family are included.
count: rows         Subfield of aggregate. Counts the events that match the query's filters, per group.
groupBy             Fields the results are grouped by. Here [remoteAddress, wafAttackFamily], so each row is one combination of IP and attack family; an IP that triggered more than one family appears in more than one row, and limit: 5 caps those rows, not distinct IPs. To rank by IP alone, group by remoteAddress only.
orderBy             Sort order of the results. Examples: [count_DESC] for descending order, [count_ASC] for ascending order.
  3. You'll receive a response similar to this:
     {
       "data": {
         "httpEvents": [
           {
             "remoteAddress": "123.456.789.123",
             "wafAttackFamily": "$SQL, $XSS",
             "count": 1384
           },
           {
             "remoteAddress": "987.654.321.123",
             "wafAttackFamily": "$TRAVERSAL",
             "count": 1224
           },
           {
             "remoteAddress": "12.123.1.123",
             "wafAttackFamily": "$SQL, $XSS",
             "count": 1194
           },
           {
             "remoteAddress": "123.321.123.321",
             "wafAttackFamily": "$OTHERS",
             "count": 690
           },
           {
             "remoteAddress": "123.456.456.000",
             "wafAttackFamily": "$RFI",
             "count": 363
           }
         ]
       }
     }

Where:

Field             Description
remoteAddress     IP address of the client that sent the requests. Example: 127.0.0.1
wafAttackFamily   Attack family the Web Application Firewall (WAF) assigned to the request, based on the request's characteristics. A single row can list more than one family, separated by commas. Examples: $SQL, $RFI, $XSS, $OTHERS
count             Number of requests the WAF identified as attacks for that IP and attack family. Example: 1194
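The following script is an added example, not Azion's own code or part of this page. It builds the query above with a caller-supplied time window (validated against the "YYYY-MM-DDTHH:mm:ss" format before being spliced into the query text), sends it to the GraphQL endpoint, and then collapses the (remoteAddress, wafAttackFamily) rows into per-IP totals, because the API's limit caps IP-and-family rows rather than distinct IPs. Assumptions not taken from the page: the endpoint accepts a POST with a JSON body of the form {"query": ...}, and a personal token is sent as an "Authorization: Token <token>" header; check both against Azion's API documentation before use. The sample rows are constructed (RFC 5737 documentation addresses) in the shape of the page's response, with one IP deliberately split across two families.

```python
"""Added example (not Azion's code): top attacking IPs from httpEvents."""
import json
import re
import urllib.request
from collections import defaultdict

ENDPOINT = "https://manager.azion.com/metrics/graphql"
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")


def build_query(begin, end, limit=5):
    """Return the page's query with a caller-supplied window and row limit.

    Values are interpolated into the query text, so they are validated
    first: timestamps must match "YYYY-MM-DDTHH:mm:ss" exactly and limit must
    be a positive int. Anything else is rejected rather than spliced in.
    """
    for name, value in (("begin", begin), ("end", end)):
        if not isinstance(value, str) or not _TS_RE.match(value):
            raise ValueError(f"{name} must look like 2025-01-15T00:00:00, got {value!r}")
    if not isinstance(limit, int) or isinstance(limit, bool) or limit < 1:
        raise ValueError("limit must be a positive integer")
    if begin >= end:  # fixed-width format, so string order is time order
        raise ValueError("begin must be earlier than end")
    return f"""query TopIPsWAFRequests {{
  httpEvents(
    limit: {limit}
    filter: {{
      tsRange: {{ begin: "{begin}", end: "{end}" }}
      wafMatchNe: "-"
      wafAttackFamilyNe: "-"
    }}
    aggregate: {{ count: rows }}
    groupBy: [remoteAddress, wafAttackFamily]
    orderBy: [count_DESC]
  ) {{
    remoteAddress
    wafAttackFamily
    count
  }}
}}"""


def top_ips(rows, n=5):
    """Collapse (remoteAddress, wafAttackFamily) rows into per-IP totals.

    The API groups by both fields, so an IP that triggered several families
    is spread over several rows. Returns [(ip, total, sorted families)],
    highest total first; ties are broken by IP string for a stable order.
    """
    totals = defaultdict(int)
    families = defaultdict(set)
    for row in rows:
        ip = row["remoteAddress"]
        fam = row.get("wafAttackFamily", "-")
        if ip == "-" or fam == "-":
            continue  # "-" is the API's "no value" sentinel; skip defensively
        totals[ip] += int(row["count"])
        # One row may carry several families joined by ", " (e.g. "$SQL, $XSS").
        families[ip].update(f.strip() for f in fam.split(","))
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, total, sorted(families[ip])) for ip, total in ranked[:n]]


def fetch_top_ips(token, begin, end, n=5, row_limit=50):
    """Live call (not exercised offline). Requests more rows than n because
    the server-side limit caps (IP, family) pairs, not distinct IPs."""
    body = json.dumps({"query": build_query(begin, end, row_limit)}).encode()
    req = urllib.request.Request(
        ENDPOINT,
        data=body,
        headers={
            "Content-Type": "application/json",
            # Assumed header form; confirm against Azion's API documentation.
            "Authorization": f"Token {token}",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(payload["errors"])
    return top_ips(payload["data"]["httpEvents"], n)


# Constructed sample in the shape of the page's response (RFC 5737 addresses).
# 198.51.100.7 appears twice, once per family, as the real API would return it.
SAMPLE_ROWS = [
    {"remoteAddress": "203.0.113.10", "wafAttackFamily": "$SQL, $XSS", "count": 1384},
    {"remoteAddress": "198.51.100.7", "wafAttackFamily": "$TRAVERSAL", "count": 1224},
    {"remoteAddress": "192.0.2.44", "wafAttackFamily": "$SQL, $XSS", "count": 1194},
    {"remoteAddress": "198.51.100.7", "wafAttackFamily": "$XSS", "count": 200},
    {"remoteAddress": "203.0.113.99", "wafAttackFamily": "$OTHERS", "count": 690},
    {"remoteAddress": "192.0.2.8", "wafAttackFamily": "$RFI", "count": 363},
]

if __name__ == "__main__":
    for ip, total, fams in top_ips(SAMPLE_ROWS):
        print(f"{ip:15} {total:6d}  {', '.join(fams)}")
```

Run offline as-is, or call fetch_top_ips(token, "2025-01-15T00:00:00", "2025-01-15T20:00:00") with a valid token to query live data. Note how the split IP (198.51.100.7) ranks first once its families are summed, even though no single row of it is the largest; a query limited to 5 grouped rows would not necessarily surface that.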
