Query security events through the API
Use the NGINX One Console API to query F5 WAF for NGINX security events programmatically. The API exposes the same security event store the security monitoring dashboard reads from, so any view you can build in the dashboard can also be reproduced through the API. Use the API to integrate WAF activity into your own dashboards, automated reports, Security Information and Event Management (SIEM) enrichment pipelines, or alerting workflows.
For the full request and response schema of each operation, including the supported filter fields and group-by dimensions, see the API reference guide.
| Category | Operation | Purpose |
|---|---|---|
| Events | List security events | Returns a paginated list of F5 WAF for NGINX security events. Accepts filter_fields, a time range, and standard pagination parameters. |
| Events | Get security event details | Returns the full detail for a single security event by ID, including all triggered violations, signatures, threat campaign matches, and the raw matched request when available. |
| Attack analytics | Query attack analytics | Returns event counts grouped by an event-level dimension (request_status, ip, country, policy, url, hostname, and others). Supports filter fields, time range, group-by, and limit. |
| Attack analytics | Query attack analytics time series | Returns the same counts bucketed over time. Use this to drive time-series widgets and trend reports. |
| Signature analytics | Query signature analytics | Returns event counts grouped by a signature-level dimension (signature, accuracy, risk, cve, request_status). Filtering on signature-level fields narrows results to events whose matching signatures pass the filter. |
| Signature analytics | Query signature analytics time series | Returns the same counts bucketed over time. |
| Violation analytics | Query violation analytics | Returns event counts grouped by a violation-level dimension (violation, sub_violation, context, context_key, context_value). |
For more information, see: