45. Appendix 4 – Attributes & Tokens

The columns from the tables listed below contain the following data:

● Attribute is the left operand used in Response preconditions. In older Wanguard versions the term used was “Conditional Parameter”

● Token is a placeholder that can be used as parameter or script argument in most Response actions because, at run-time, the software translates it into the requested value. Each token is defined within curly brackets. In older Wanguard versions the term used was “dynamic parameters”

● Data Type shows the returned value type and which comparison operators are accepted by the Attribute:

• String returns a variable-length string. It accepts the comparison operators:

▪ equal to - it implies a perfect match without any differences. E.g. if the Attribute is “apple” and the Value is also “apple”, then equal to is true

▪ not equal to - it implies any difference qualifies for this condition to be true. E.g. if the Attribute is “apple” and the Value is “orange”, then not equal to is true

▪ includes - the “Value” can be a part or a segment of the “Attribute”. E.g. if the Attribute is “apple pie” and the Value is “apple”, then includes is true because “apple pie” contains “apple”

▪ included in - is true if the “Value” contains the “Attribute” as a substring. This is the inverse relationship of includes. E.g. if the Attribute is “apple” and the Value is “apple pie”, then included in is true because “apple” is part of the larger string “apple pie”

▪ excludes - is true if the “Attribute” does not contain the “Value” as a substring. This indicates the absence of the “Value” within the “Attribute”. E.g. if the Attribute is “apple pie” and the Value is “cherry”, then excludes is true because “apple pie” does not contain “cherry”

▪ excluded from - is true if the “Value” does not contain the “Attribute” as a substring. This is the opposite of included in. E.g. if the Attribute is “cherry” and the Value is “apple pie”, then excluded from is true because “cherry” is not part of “apple pie”

▪ regexp - is true when the “Attribute” matches the regular expression from “Value”. E.g. when “Value” is “[A-Z]”, the precondition is true only when the “Attribute” contains an upper-case letter

• Integer returns a 64-bit unsigned integer number. It accepts the comparison operators:

▪ equal to - is true when “Attribute” and “Value” are identical

▪ not equal to - is true when “Attribute” and “Value” are not identical

▪ greater than - is true when “Attribute” is larger than “Value”

▪ less than - is true when “Attribute” is smaller than “Value”

▪ divisible by - is true when “Attribute” can be divided by “Value” without leaving a remainder

• Integer* accepts the same comparison operators as Integer. The values can be returned in multiples of 1,000 by appending “_kilo” to the token name. The same goes for 1,000,000 by appending “_mega” and for 1,000,000,000 by appending “_giga”. To return the value and the biggest multiplier (k, M, G) for the value, append “_prefix”. To also return the decoder before the biggest multiplier (k, M, G) value, append “_decoder_prefix”

• Float returns an unsigned floating point number when the comparison operator is greater than or less than, or an unsigned integer when the comparison operator is equal to, not equal to or divisible by

• Prefix returns a string containing a subnet or IP. It accepts the comparison operators equal to, not equal to, includes, included in, excludes and excluded from. The inclusion/exclusion operators compare prefixes, not strings

● Description provides a short explanation of the parameter

45.1. Anomaly-Related Tokens

#	Attribute	Token	Data Type	Description
1	Anomaly #	{anomaly_id}	Integer	Returns the unique ID number of the anomaly.
2	Prefix	{prefix}	Prefix	Returns the Victim IP/CIDR (inbound anomalies) or Source IP/CIDR (outbound anomalies). CIDR mask is omitted for hosts (/32 for IPv4, /128 for IPv6).
3	IP Address	{ip}	Prefix	Returns the IP of {prefix}, excluding the CIDR mask.
4	IP Version	{ip_version}	Prefix	Returns the IP version of {prefix}, either 4 or 6.
		{ip_dns}	String	Returns the reverse DNS of {ip}. If lookup fails, returns {ip} instead.
5	IP AS Number	{ip_asn}	Integer	Returns the AS Number of {ip}. If no AS is found in GeoIP DB, returns 0.
6	CIDR	{cidr}	Integer	Returns the CIDR mask of {prefix}.
7	IP Group	{ip_group}	String	Returns the IP Group of {prefix}.
8	Anomaly	{anomaly}	String	Returns a description of the anomaly. By default, describes the threshold rule that triggered it.
9	Anomaly Classification	{classification}	String	Returns the classification set by Console users: Unclassified, False Positive, Possible Attack, Trivial Attack, Verified Attack, or Crippling Attack.
10	Anomaly Comment	{comment}	String	Returns a user-submitted comment regarding the anomaly, if any.
11	Direction	{direction}	String	Returns incoming for inbound anomalies, outgoing for outbound.
		{Direction}	String	Same as {direction} but capitalized (Incoming, Outgoing).
		{direction_to_from}	String	Returns to for inbound anomalies, from for outbound.
		{direction_receives_sends}	String	Returns receives for inbound anomalies, sends for outbound.
12	Domain	{domain}	String	Returns the domain used by the threshold: internal IP if a /32 (IPv4) or /128 (IPv6) host, subnet or external IP.
		{Domain}	String	Same as {domain} but capitalized.
13	Anomaly Class	{class}	String	Returns threshold for threshold-based anomalies, profile for profiling-based anomalies.
14	Threshold Type	{threshold_type}	String	Returns the threshold value type, which can be either absolute or percentage.
15	Anomaly Decoder (Protocol)	{decoder}	String	Returns the decoder used to detect the anomaly.
16	Comparison	{operation}	String	Returns over or under, referencing the threshold rule comparison.
		{comparison}	String	Returns > if {operation} = over; < if {operation} = under.
17	Unit	{unit}	String	Returns the measurement unit of the threshold rule: pkts/s or bits/s.
18	Threshold Value	{rule_value}	Integer*	Returns the traffic value specified by the threshold.
19	Computed Threshold	{computed_threshold}	Integer*	Returns the dynamically adjusted threshold for profiling or percentage anomalies.
20	Sensor	{sensor}	String	Returns the name of the Sensor detecting the anomaly, plus [Interface Name] for SNMP Sensor & Flow Sensor.
21	Sensor Name	{sensor_name}	String	Returns the name of the detecting Sensor. For SNMP Sensor & Flow Sensor, it does not return the interface name.
22	Sensor Group	{sensor_group}	String	Returns the Device Group set in the Sensor configuration.
23	Sensor IP	{sensor_ip}	Prefix	Returns the IP address of the server running the Sensor.
24	Sensor Type	{sensor_type}	String	Returns the type of Sensor: Packet Sensor, Flow Sensor, SNMP Sensor, or Sensor Cluster.
25	Sensor ID	{sensor_id}	Integer	Returns the Server ID of the server that hosts the Sensor.
26	Flow Exporter IP	{router_ip}	Prefix	Returns the IP address of the flow exporter if this is a Flow Sensor; otherwise empty.
27	IP Zone	{ipzone}	String	Returns the IP Zone used by the Sensor.
28	IP Zone Prefix	{ipzone_prefix}	Prefix	Returns the most specific IP Zone prefix that includes {prefix}.
29	IP Zone Parent Prefix	{ipzone_parent_prefix}	Prefix	Returns the parent of the most specific IP Zone prefix that includes {prefix}.
30	Response	{response}	String	Returns the Response triggered by the threshold rule.
31	Response Actions	{response_actions}	String	Returns a list with the Response actions executed. Only includes actions where Record Action is checked.
32	Threshold Template	{template}	String	Returns the Threshold Template containing the threshold rule, if any.
33	Expiration Delay	{expiration}	Integer	Returns the number of inactivity seconds before the anomaly expires.
34	Peak Packets/s	{anomaly_pps}	Integer*	Returns the highest packets/s rate observed.
35	Peak Bits/s	{anomaly_bps}	Integer*	Returns the highest bits/s rate observed.
36	Latest Packets/s	{latest_anomaly_pps}	Integer*	Returns the most recent packets/s value.
37	Latest Bits/s	{latest_anomaly_bps}	Integer*	Returns the most recent bits/s value.
38	Peak Value	{value}	Integer*	Returns the peak abnormal traffic value, and also {unit}.
39	Latest Value	{latest_value}	Integer*	Returns the latest abnormal traffic value, and also {unit}.
40	Sum Value	{sum_value}	Integer*	Returns the number of packets counted during the anomaly if {unit} = pkts/s, or number of bits counted if {unit} = bits/s.
41	Peak Rule Severity	{severity}	Float	Returns the ratio between peak abnormal traffic rate and the threshold.
42	Latest Rule Severity	{latest_severity}	Integer	Returns the ratio between latest abnormal traffic rate and the threshold.
43	Peak Link Severity	{link_severity}	Integer	Returns the ratio between peak abnormal traffic rate and the interface’s traffic rate.
44	Latest Link Severity	{latest_link_severity}	Integer	Returns the ratio between latest abnormal traffic rate and the interface’s traffic rate.
45	Latest Link Utilization	{latest_link_utilization}	Integer	Returns the percentage of the interface’s capacity currently in use by the IP decoder. Computed as (latest_traffic / interface_speed) x 100.
46	Captured Packets	{captured_pkts}	Integer	Returns the number of successfully captured packets if the Response includes a packet-capturing action.
47	BGP Log Size	{bgplog_bytes}	Integer	Returns the size of the BGP announcement log, >0 only if a BGP routing update was triggered for the anomaly.
48	Unique Tokens	N/A	String	Used to avoid Response action duplication if another active anomaly matches the same user-defined token list (e.g., “{ip} {decoder}”). Action triggers only if no other anomaly with identical tokens is active. Operator must be set to equal to.
49	Custom Script Return Value	N/A	Integer	Executes only if the user-specified script returns exit status 0. Pass tokens as arguments. Operator must be equal to. The script must finish quickly since it blocks the originating process.
		{anomaly_log_10}, {anomaly_log_50}, {anomaly_log_100}, {anomaly_log_500}, {anomaly_log_1000}	String	Returns the first 10/50/100/500/1000 packets (if packet-capturing is enabled) or flows (if Flow Collector is enabled) with anomalous traffic.
		{attacked_isp}	String	Returns the abuse contact mailbox or email for the victim’s ISP if found in the whois database.
		{software_version}	String	Returns the Wanguard version.
		{json_anomaly_tokens}	String	Returns a JSON string with all anomaly-related tokens + list of filtering rules. If token ends with ‘_brief’, only essential tokens are included. If ‘_pretty’, tokens appear in a multi-line JSON.

45.2. Time-Related Tokens

#	Attribute	Token	Data Type	Description
50	From (ISO 8601)	{from}	String	Returns the start time of the anomaly in ISO 8601 format (YYYY-MM-DD HH:MM:SS).
51	From (unixtime)	{from_unixtime}	Integer	Returns the start time of the anomaly in Unix time (seconds since Jan 1, 1970).
52	From (minute)	{from_minute}	Integer	Returns the start minute of the anomaly.
53	From (hour)	{from_hour}	Integer	Returns the start hour of the anomaly.
54	From (day)	{from_day}	Integer	Returns the start day (1–31) of the anomaly.
55	From (dow)	{from_dow}	Integer	Returns the start day-of-week (0–6, possibly 1–7) of the anomaly, depending on system locale.
56	From (month)	{from_month}	Integer	Returns the start month (1–12) of the anomaly.
57	From (year)	{from_year}	Integer	Returns the start year (four-digit) of the anomaly.
58	Until (ISO 8601)	{until}	String	Returns the stop/expiration time of the anomaly in ISO 8601 format (YYYY-MM-DD HH:MM:SS).
59	Until (unixtime)	{until_unixtime}	Integer	Returns the stop/expiration time of the anomaly in Unix time (seconds since Jan 1, 1970).
60	Until (minute)	{until_minute}	Integer	Returns the stop/expiration minute of the anomaly.
61	Until (hour)	{until_hour}	Integer	Returns the stop/expiration hour of the anomaly.
62	Until (day)	{until_day}	Integer	Returns the stop/expiration day (1–31) of the anomaly.
63	Until (dow)	{until_dow}	Integer	Returns the stop/expiration day-of-week (0–6, or 1–7 depending on system locale) of the anomaly.
64	Until (month)	{until_month}	Integer	Returns the stop/expiration (1-12) month of the anomaly.
65	Until (year)	{until_year}	Integer	Returns the stop/expiration year (four-digit) of the anomaly.
66	Duration	{duration}	Integer	Returns the duration of the anomaly, in seconds.
		{duration_clock}	String	Returns a textual duration, e.g. ‘<5sec’ or ‘5h 4m 3s’.
		{duration_clock_full}	String	Returns a more verbose duration of the anomaly, e.g. ‘<5 seconds’ or ‘5 hours 4 minutes 3 seconds’.
67	Internal Ticks	{tick}	Integer	Returns the internal tick count from the Sensor. Packet Sensor increments tick every 5s (default Granularity). Flow Sensor increments tick every X seconds, where X = Granularity).

45.3. IP Decoder-Related Tokens

#	Attribute	Token	Data Type	Description
68	Peak IP Pkts/s	{total_pps}	Integer*	Returns the peak packets/s for {prefix} and the IP decoder.
69	Peak IP Bits/s	{total_bps}	Integer*	Returns the peak bits/s for {prefix} and the IP decoder.
70	Latest IP Pkts/s	{latest_total_pps}	Integer*	Returns the most recent packets/s for {prefix} and the IP decoder.
71	Latest IP Bits/s	{latest_total_bps}	Integer*	Returns the most recent bits/s for {prefix} and the IP decoder.
72	IP Packets	{sum_total_pkts}	Integer*	Returns the number of packets (for the IP decoder) counted during the anomaly, for {prefix}.
73	IP Bits	{sum_total_bits}	Integer*	Returns the number of bits (for the IP decoder) counted during the anomaly, for {prefix}.

45.4. Filter-Related Tokens

#	Attribute	Token	Data Type	Description
74	Number of Filters	{filters}	Integer	Returns the number of Filter instances activated for this anomaly.
75	Filters Pkts/s	{filters_pps}	Integer*	Returns the most recent packets/s rate recorded by the Filter instance(s).
76	Filters Bits/s	{filters_bps}	Integer*	Returns the most recent bits/s rate recorded by the Filter instance(s).
77	Filters Peak Pkts/s	{filters_max_pps}	Integer*	Returns the peak packets/s rate recorded by the Filter instance(s).
78	Filters Peak Bits/s	{filters_max_bps}	Integer*	Returns the peak bits/s rate recorded by the Filter instance(s).
79	Filtered Packets	{filters_filtered_packets}	Integer*	Returns the number of packets blocked by the Filter instance(s).
80	Filtered Bits	{filters_filtered_bits}	Integer*	Returns the number of bits blocked by the Filter instance(s).
81	Filters CPU Usage	{filters_max_cpu_usage}	Integer	Returns the maximum CPU% used among the Filter instance(s).
82	Filters IPs (Ext.)	{filters_ips}	Integer	Returns the number of external IPs detected by the Filter instance(s) in the last 5 seconds.
83	Number of Filtering Rules	{filtering_rules}	Integer	Returns the number of filtering rules identified by the Filter instance(s).

45.5. Filtering Rule-Related Tokens

#	Attribute	Token	Data Type	Description
84	Filtering Rule #	{filtering_rule_id}	Integer	Returns a unique ID of the filtering rule.
85	Filtering Rule Type	{filtering_rule_type}	String	Returns the type of filtering rule (e.g., IP Address, Src Port, Dst Port, Protocol, etc.) listed in Anomaly Mitigation.
86	Filtering Rule Value	{filtering_rule_value}	String	Returns the specific value for this rule (IP, port number, protocol number, etc.).
		{filtering_rule_ip_dns}	String	Returns the reverse DNS of the IP if {filtering_rule_type} = IP Address.
87	Filtering Rule ISP	{filtering_rule_ip_isp}	String	Returns the Organization/ISP name from a GeoIP database if {filtering_rule_type} = IP Address.
88	Filtering Rule ASN	{filtering_rule_ip_asn}	Integer	Returns the AS number from GeoIP DB if {filtering_rule_type} = IP Address.
		{attacker_isp}	String	Returns the email address of {filtering_rule_ip_isp}, if found in whois database.
89	Filtering Rule Country	{filtering_rule_ip_country}	String	Returns the country of the IP if {filtering_rule_type} = IP Address.
90	Filtering Rule Pkts/s	{filtering_rule_pps}	Integer*	Returns the latest packets/s rate of traffic matched by the filtering rule.
91	Filtering Rule Bits/s	{filtering_rule_bps}	Integer*	Returns the latest bits/s throughput of traffic matched by the filtering rule.
92	Filtering Rule Peak Pkts/s	{filtering_rule_max_pps}	Integer*	Returns the peak packets/s rate of traffic matched by the filtering rule.
93	Filtering Rule Peak Bits/s	{filtering_rule_max_bps}	Integer*	Returns the peak bits/s throughput of traffic matched by the filtering rule.
94	Filtering Rule Unit/s	{filtering_rule_unit}	Integer*	Returns {filtering_rule_pps} for packets/s thresholds, or {filtering_rule_bps} for bits/s thresholds.
95	Filtering Rule Peak Unit/s	{filtering_rule_max_unit}	Integer*	Returns {filtering_rule_max_pps} or {filtering_rule_max_bps}, depending on threshold unit.
96	Filtering Rule Packets	{filtering_rule_packets}	Integer*	Returns the number of packets matched by the filtering rule.
97	Filtering Rule Bits	{filtering_rule_bits}	Integer*	Returns the number of bits matched by the filtering rule.
98	Filtering Rule Time Interval	{filtering_rule_difftime}	Integer	Returns the duration (in seconds) while the filtering rule was detected.
99	Filtering Rule Severity	{filtering_rule_severity}	Integer	Returns the ratio between traffic matched by the rule and the threshold value.
100	Filtering Rule Whitelist	{filtering_rule_whitelisted}	Integer	Returns 1 if the filtering rule is whitelisted, 0 otherwise.
101	Filtering Rule Traffic Sample Size	{filtering_rule_log_size}	Integer*	Returns the size (in bytes) of the packet dump (if a capturing action is in the Response).
102	Filtering Rule Scrubbed %	{firewall_drop_percent}	Integer	Returns the percentage of scrubbed traffic by a firewall.
103	Netfilter Firewalled	{netfilter_firewalled}	Integer	Returns 1 if the rule is applied on Netfilter, 0 otherwise.
104	Flowspec Firewalled	{flowspec_firewalled}	Integer	Returns 1 if the rule is applied via BGP Flowspec, 0 otherwise.
105	Hardware Offloaded	{hardware_firewalled}	Integer	Returns 1 if the rule is enforced on NIC hardware filters, 0 otherwise.
106	Custom Firewalled	{custom_firewalled}	Integer	Returns 1 if the rule is applied to a custom firewall, 0 otherwise.
107	Dataplane Firewalled	{dataplane_firewalled}	Integer	Returns 1 if the rule is enforced on a Dataplane Firewall, 0 otherwise.
108	Filter	{filter}	String	Returns the name of the Filter that identified the rule.
109	Filter Group	{filter_group}	String	Returns the Device Group assigned in the Filter configuration.
110	Filter Type	{filter_type}	String	Returns the type of Filter: Packet Filter, Flow Filter, or Filter Cluster.
111	Filter ID	{filter_id}	Integer	Returns the unique ID of the Filter that detected the filtering rule.
		{filtering_rule_first_time}	String	Returns the first time (ISO 8601) the filtering rule was detected.
		{filtering_rule_first_unixtime}	Integer	Returns the first time (Unix time) the filtering rule was detected.
		{filtering_rule_last_time}	String	Returns the most recent time (ISO 8601) the filtering rule was detected.
		{filtering_rule_last_unixtime}	Integer	Returns the most recent time (Unix time) the filtering rule was detected.
		{filtering_rule_log_10}, {filtering_rule_log_50}, {filtering_rule_log_100}, {filtering_rule_log_500}, {filtering_rule_log_1000}	String	Returns the first 10/50/100/500/1000 packets matched by the filtering rule (if packet capturing is enabled in Response).
		{json_filtering_rule_tokens}	String	Returns a JSON string of all filtering rule-related tokens. Appending ‘_pretty’ includes each token on a new line.

45.6. System-Wide Tokens

Attribute	Token	Data Type	Description
Anomalies (all Sensors, Decoders, Prefixes)	{anomalies}	Integer	Returns the number of active anomalies regardless of Sensor, Decoder, Unit, or Prefix.
Anomalies (same Sensor)	{anomalies_sensor}	Integer	Returns the number of active anomalies from the same Sensor.
Anomalies (same Decoder)	{anomalies_decoder}	Integer	Returns the number of active anomalies using the same Decoder and Unit (pkts/s or bits/s).
Anomalies (same Sensor, Decoder)	{anomalies_sensor_decoder}	Integer	Returns the number of active anomalies from the same Sensor and using the same Decoder and Unit.
Anomalies (same Sensor, Decoder, Prefix/X)	{anomalies_sensor_decoder_cidr_X}	Integer	Returns the number of active anomalies from the same Sensor, same Decoder and Unit, and the same Prefix with a certain CIDR mask (X).