
API Event Management
Last updated: 2024-09-05 11:30:07

Overview

The event management feature currently supports viewing, analyzing, and handling discovered API risk events. It combines expert recommendations to classify and categorize risks, and continuously operates defense strategies so that each API risk event is handled in a closed loop. Currently, it supports detection of 17 types of API risk events in 6 major categories:
Permission Exception
Account Exception
Resource Abuse
Business Exception
Sensitive Data Exception
Web Attack
Permission Exception

| Event Type | Event Description |
| --- | --- |
| Miss user value | The request lacks necessary user information, such as the user ID and username. This may indicate that an attacker is probing the business, for example by fuzzing (fuzz testing). |
| Miss user parameters | The request lacks necessary parameters, such as the user ID and username. This may indicate that an attacker is probing the business, for example by fuzzing (fuzz testing). |
| Miss username and password | The request lacks the necessary username and password information. This may indicate that an attacker is probing the business, for example by fuzzing (fuzz testing). |
| Miss log-in action | The request lacks the necessary log-in action; for example, a log-in request is missing the log-in action parameter. This may indicate that an attacker is probing the business, for example by fuzzing (fuzz testing). |
| Vertical privilege escalation | Users or attackers obtain data outside their permission scope by modifying parameters, URLs, etc. This can lead to sensitive data leaks and compromise internal information security. |
| Unauthorized access to sensitive information | Users or attackers access sensitive data in the system without authorization, causing sensitive data leaks and compromising internal information security. |
Account Exception

| Event Type | Event Description |
| --- | --- |
| Brute force cracking | Attackers use automation tools to brute-force the target system's passwords, typically with dictionary attacks or brute-force tools that try many password combinations until the correct one is found. |
| Credential stuffing attack | Attackers attempt to log in to the target system with known username and password combinations, usually obtained from leaked user information, to see whether credentials leaked from other websites or systems also grant access to the target system. |
| Malicious registration | Attackers register accounts with false or misappropriated user information, usually in order to carry out other malicious behavior such as sending spam. |
Resource Abuse

| Event Type | Event Description |
| --- | --- |
| SMS API flooding | Attackers use automation tools to request the SMS API at a high rate, usually to conduct SMS bombing, deplete SMS resources, or perform other malicious behavior. |
| Captcha API flooding | Attackers use automation tools to request the Captcha API at a high rate, usually to bypass CAPTCHAs, consume CAPTCHA resources, or perform other malicious behavior. |
| API Abuse | Users or attackers request the API so frequently that normal usage limits are exceeded, which may burden the system or pose security risks. Attackers typically use automation tools to send a large number of requests in order to consume system resources or conduct other malicious activity. |
Business Exception

| Event Type | Event Description |
| --- | --- |
| API invocation from unusual regions | Requests to this API are usually concentrated in one region. A large number of requests from other regions has been detected, which is suspected to be abnormal. |
| API invocation from unusual source IP | The IPs accessing this API are usually concentrated in a certain IP range. A large number of requests from IP ranges outside it has been detected, which is suspected to be abnormal. |
| API invocation from unusual terminals | The clients accessing this API are usually of a certain type. A large number of requests from other types of clients has been detected, which is suspected to be abnormal. |
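The Resource Abuse and Business Exception tables above describe detections in terms of a per-API norm (usual rate, region, IP range, client type) and a deviation from it. The following Python script is an added illustration of that idea; it is not Tencent Cloud WAF's own detection logic, and the log format, the thresholds (10 calls per minute, a 20% tolerance, a minimum of 20 requests) and the traffic it runs over are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import List

# Constructed log format for this example (not the WAF's log format):
# "<ISO timestamp> <source ip> <region> <client type> <method> <path>"
@dataclass
class Request:
    ts: datetime
    ip: str
    region: str
    client: str
    api: str  # "<method> <path>", the unit the page calls an API

def parse_log(text: str) -> List[Request]:
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, region, client, method, path = line.split()
        reqs.append(Request(datetime.fromisoformat(ts), ip, region, client, f"{method} {path}"))
    return reqs

def ip_range(ip: str) -> str:
    # Coarse source range: the /24 the address belongs to
    return str(ip_network(f"{ip}/24", strict=False))

# Resource Abuse: APIs whose flooding the page lists as an event type (paths assumed)
FLOOD_APIS = {"POST /api/sms/send": "SMS API flooding", "GET /api/captcha": "Captcha API flooding"}

def detect_flooding(reqs, window=timedelta(minutes=1), threshold=10):
    """Sliding-window count per (source ip, api). Raise one event per source the
    first time it exceeds `threshold` calls to a listed API within `window`."""
    events, flagged = [], set()
    recent = defaultdict(list)  # (ip, api) -> timestamps inside the window
    for r in sorted(reqs, key=lambda r: r.ts):
        if r.api not in FLOOD_APIS:
            continue
        key = (r.ip, r.api)
        q = recent[key]
        q.append(r.ts)
        while r.ts - q[0] > window:  # drop timestamps older than the window
            q.pop(0)
        if len(q) > threshold and key not in flagged:
            flagged.add(key)
            events.append({"type": FLOOD_APIS[r.api], "source": r.ip, "api": r.api,
                           "count": len(q), "detected": r.ts})
    return events

# Business Exception: each API usually sees traffic from one region, one IP range
# and one client type; traffic from values outside that baseline is the signal.
DIMENSIONS = {
    "region": ("API invocation from unusual regions", lambda r: r.region),
    "ip_range": ("API invocation from unusual source IP", lambda r: ip_range(r.ip)),
    "client": ("API invocation from unusual terminals", lambda r: r.client),
}

def learn_baseline(reqs, api):
    """Values of each dimension observed for `api` during the baseline period."""
    rows = [r for r in reqs if r.api == api]
    return {dim: {keyfn(r) for r in rows} for dim, (_, keyfn) in DIMENSIONS.items()}

def detect_unusual(baseline, reqs, api, tolerance=0.2, min_requests=20):
    """Flag a dimension when more than `tolerance` of the window's traffic to `api`
    comes from values never seen in the baseline. `min_requests` avoids alerting
    on a handful of calls to a rarely used API."""
    rows = [r for r in reqs if r.api == api]
    if len(rows) < min_requests:
        return []
    events = []
    for dim, (name, keyfn) in DIMENSIONS.items():
        outside = Counter(keyfn(r) for r in rows if keyfn(r) not in baseline[dim])
        share = sum(outside.values()) / len(rows)
        if share > tolerance:
            events.append({"type": name, "api": api, "share": round(share, 2),
                           "top_sources": outside.most_common(3)})
    return events

def build_sample_logs():
    """Constructed traffic. Baseline day: 30 logins from CN web clients in
    203.0.113.0/24. Detection day: the same pattern, plus 25 logins in 25 seconds
    from one US curl client, and one source calling the SMS API 15 times in 30 s."""
    day1, day2 = datetime(2024, 9, 4, 10), datetime(2024, 9, 5, 10)
    def login(ts, ip, region, client):
        return f"{ts.isoformat()} {ip} {region} {client} POST /api/login"
    baseline = [login(day1 + timedelta(minutes=i), f"203.0.113.{10 + i % 5}", "CN", "web") for i in range(30)]
    window = [login(day2 + timedelta(minutes=i), f"203.0.113.{10 + i % 5}", "CN", "web") for i in range(30)]
    window += [login(day2 + timedelta(seconds=i), "198.51.100.7", "US", "curl") for i in range(25)]
    window += [f"{(day2 + timedelta(seconds=2 * i)).isoformat()} 192.0.2.9 CN web POST /api/sms/send" for i in range(15)]
    return "\n".join(baseline), "\n".join(window)

def run_demo():
    baseline_text, window_text = build_sample_logs()
    baseline, window = parse_log(baseline_text), parse_log(window_text)
    return {"flooding": detect_flooding(window),
            "unusual": detect_unusual(learn_baseline(baseline, "POST /api/login"), window, "POST /api/login")}

if __name__ == "__main__":
    result = run_demo()
    for event in result["flooding"] + result["unusual"]:
        print(event)
```

On the constructed traffic the script raises one SMS API flooding event for 192.0.2.9 (flagged at the 11th call inside the one-minute window) and all three Business Exception events for the login API, because 25 of the 55 login calls come from a region, a /24 and a client type absent from the baseline. The baseline period, tolerance and minimum request count are the knobs that decide how noisy such a detector is; a real deployment would learn the baseline over a longer period and per API rather than from a single day.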
Sensitive Data Exception

| Event Type | Event Description |
| --- | --- |
| Excessive sensitive data retrieval | Users or attackers access a large amount of sensitive data through this API, potentially causing sensitive data leaks and compromising internal information security. |
| Unauthorized access to sensitive information | Users or attackers access sensitive data in the system without authorization, causing sensitive data leaks and compromising internal information security. |
Web Attack

| Event Type | Event Description |
| --- | --- |
| Web attack | The API is frequently targeted by more than ten types of Web attacks, such as SQL injection, XSS, command injection, illegal access to core files, file upload attacks, malicious scanning, Trojan backdoor attacks, XML injection, Web application vulnerability attacks, LDAP injection, server-side request forgery, server-side template injection, unauthorized access vulnerabilities, and non-compliant protocols. |

Directions

1. Log in to the WAF console and choose Event Management > API security events in the left sidebar.
2. On the API security events page, click the All Domains drop-down in the upper left corner and select the domain name you want to view. The right side shows whether API Security is enabled for the current domain name.

If the API security switch is enabled, you can start using the related features.
If the API security switch is not enabled, go to the Access Management page, filter for the domain name under an instance that has purchased API security and needs the switch enabled, and click the switch to enable it.

3. On the API security events page, a statistical overview of events is displayed: the total number of events, the number of events detected today, and the numbers of detected, handled, in-progress, and ignored API events.

| Field Name | Description |
| --- | --- |
| Security events | Total number of API events under the current domain name. |
| Detected today | Total number of API events detected today under the current domain name. |
| Detected | Total number of detected API events under the current domain name. |
| Handled | Total number of handled API events under the current domain name. |
| In progress | Total number of API events in progress under the current domain name. |
| Ignored | Total number of ignored API events under the current domain name. |
4. On the API event management page, you can retrieve API event data within a specified time range.

5. The event list area includes the API event data list, API event status changes, API event details, API event search, and API event download.

API event data list: You can view the API event list for the selected time range under the current domain name.

| Field Name | Description |
| --- | --- |
| Event ID | API event name. |
| Event type | API event type. |
| Event level | API event risk level. |
| Related domain | Name of the API associated with the event. |
| Status | Current status of the API event (the status values are listed below). |
| Detection time | Earliest detection time of the API event. |
| Last update | Most recent update time of the API event. |
| Operation | Status changed and View details (described below). |

Status values:
Detected: detected and unconfirmed API event.
In progress: API event whose risk is being confirmed and whose related rules are being configured. This status includes handling suggestions for the event type (CC/access control/BOT, etc.), and the appropriate rules can be added with one click.
Handled: API event whose risk has been confirmed and for which handling rules have been added.
Ignored: confirmed as not needing handling and ignored.
Disabled: access traffic and attack traffic have been observed, and it has been confirmed that the event can be completely closed.

Status changed: Click Handle event to change the status of the current API event and fill in the following:
Username: Cannot be empty; defaults to the current console account name.
Remarks: Enter the corresponding remarks.
Suggestion: Suggestions corresponding to the event type. You can click Add now to add the corresponding handling rules.
View details: Click View details to see the details of the current API event.

| Field Name | Description |
| --- | --- |
| Basic information | Includes Event ID, Event type, Occurred, Update time, Related API, Associated domain name, and Event details. |
| Suggestion | Suggestions corresponding to the event type. You can click Add with one click to add the corresponding handling rules. |
| Rule added | Status of added rules. |
| Change history | History of event status changes. |
| Attacker details | Details of the event's attack source. |

API event search: You can search by API name and Related domain name.

API event download: Click the download icon, select the required fields, and click Export to download the data list.


Event Alarm

On the System Management page, choose System Settings > Event alarm to toggle the Alert switch or click Settings.

Alert switch: Click the switch to turn it on. It is on by default. Once enabled, newly found risk events detected by the Event Management feature are summarized every day or hour, and notifications are pushed through channels such as the message center. Notifications for known risk events are not sent repeatedly.
Settings: Supports customizing Alarm Type and Alarm Frequency.

Alarm type: Supports selecting BOT Events and API security events. It is recommended to select all risk levels for alarms.
Alarm period: Supports selecting daily or hourly summary alarms. The default is a daily alarm at 10 AM.
Daily summary: Supports setting the notification time for the daily alarm, which summarizes all new events once at the specified time each day.
Hourly summary: Supports setting the time period for notifications; alarms are pushed at the top of each hour within the specified time range. Notifications are not sent outside the set time points or time range.
Receiving channel and recipient settings: To change the message recipient or reception method, go to Message Center and select Product service notifications.

