The Cequence Unified API Protection (UAP) platform offers deep customization tools for data export integrations.
When you configure a new data export integration, you can specify a transformation script for each of the following event types:
- Risk events
- Bot detection events
- Bot mitigation events
- Audit Log events
The transformation scripts that you can specify for these events all use the JEXL scripting language.
Transformation script examples
These examples cover several different use cases.
Condensed logs
The following sample transformation script replaces the `extracted_data` of each log entry with a `filteredData` object that contains only the following fields.
- Next
- interactionLineNumber
- x-cq
- x-host
- authorization
The resulting version of the logs is briefer and confined to pertinent information. If the `authorization` field carries the request's Authorization header value, it is a credential, so confirm that the export destination is approved to store it.
```
// 'data' is the variable containing the full log export
var logList = data;
for (var d : logList) {
    var extractedData = d.get("extracted_data");
    // Check that extractedData exists, then keep only the selected fields.
    // get() returns null for a field that is absent from the entry.
    if (extractedData != null) {
        var filteredData = {
            "Next": extractedData.get("Next"),
            "interactionLineNumber": extractedData.get("interactionLineNumber"),
            "x-cq": extractedData.get("x-cq"),
            "x-host": extractedData.get("x-host"),
            "authorization": extractedData.get("authorization")
        };
        d.put("extracted_data", filteredData);
    }
}
// Return the modified log list
return logList;
```
Confidence segmentation
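The following transformation script segments log entries into High and Low risk categories based on an event's confidence score. Entries with a score of 60 or higher are labeled High; all other entries are labeled Low.
```
// 'data' is the variable containing the full log export
var logList = data;
for (var d : logList) {
    var confidence = d.get("confidence");
    // Entries without a confidence score fall into the Low category
    if (confidence != null && confidence >= 60) {
        d.put("Risk", "High");
    } else {
        d.put("Risk", "Low");
    }
}
// Return the labeled log list
return logList;
```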
IP address extraction for blocklisting
The following transformation script finds entries in the log where the Cequence IP block rule recommends the block action, extracts the IP addresses of those entries, and assembles the IP addresses into a list that can be provided to an external WAF for blocking.
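```
var result = {:};
result['action'] = 'block';
result['description'] = 'Cequence IP Block Rule';
var expressionstart = '(ip.src in {';
var expressionend = '})';
var iplist = '';
// Map used as a set of addresses already added. An exact lookup avoids the
// false matches of a substring or regex test, where 1.2.3.4 would be treated
// as already present once 11.2.3.45 is in the list.
var seen = {:};
if (data.size() > 0) {
    for (var d : data) {
        var ip = d['client_ip'];
        // Skip entries without a client IP and addresses already listed
        if (ip != null && seen[ip] == null) {
            seen[ip] = true;
            iplist = iplist + ' ' + ip;
        }
    }
}
result['expression'] = expressionstart + iplist + expressionend;
return result;
```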
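A check that the receiving side can run on the exported rule object before it is pushed to the WAF, as an added example that is not part of the Cequence documentation: it confirms the expression is a single `ip.src in {...}` clause, keeps only valid and unique IP literals, and drops addresses that must never be blocked. The function name, the `protected` parameter and the sample rule are assumptions made for illustration.

```python
import ipaddress
import re

# Shape emitted by the blocklisting script: "(ip.src in { a b c})"
EXPRESSION_RE = re.compile(r"\(ip\.src in \{(?P<body>[^{}]*)\}\)")

# Constructed sample: a duplicate, an address in a protected range, a bad token.
SAMPLE_RULE = {
    "action": "block",
    "description": "Cequence IP Block Rule",
    "expression": "(ip.src in { 203.0.113.7 203.0.113.77 203.0.113.7"
                  " 198.51.100.10 not-an-ip})",
}


def validate_block_rule(rule, protected=()):
    """Return (clean_rule, rejected); clean_rule is None if nothing is left.

    `protected` is a hypothetical list of CIDR ranges that must never be blocked.
    """
    if rule.get("action") != "block":
        raise ValueError("unexpected action: %r" % (rule.get("action"),))
    match = EXPRESSION_RE.fullmatch(rule.get("expression") or "")
    if match is None:
        raise ValueError("expression is not a single 'ip.src in {...}' clause")

    networks = [ipaddress.ip_network(cidr) for cidr in protected]
    accepted, rejected, seen = [], [], set()
    for token in match.group("body").split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            rejected.append((token, "not an IP address"))
            continue
        if addr in seen:  # exact comparison, so 203.0.113.77 is kept
            continue
        seen.add(addr)
        if any(addr in net for net in networks):
            rejected.append((token, "protected range"))
        else:
            accepted.append(str(addr))
    if not accepted:
        return None, rejected
    expression = "(ip.src in {" + " ".join(accepted) + "})"
    return dict(rule, expression=expression), rejected


if __name__ == "__main__":
    print(validate_block_rule(SAMPLE_RULE, protected=["198.51.100.0/24"]))
```

Rejected tokens are returned with a reason so they can be logged for review instead of being silently dropped.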