API Event Management

Last updated: 2024-09-05 11:30:07

    Overview

    The event management feature currently supports viewing, analyzing, and handling discovered API risk events. It combines expert recommendations to classify and categorize the risks that need to be converged, and continuously operates defense strategies so that the handling of API risk events forms a closed loop. Currently, it detects 17 types of API risk events in 6 major categories:
    Permission Exception
    Account Exception
    Resource Abuse
    Business Exception
    Sensitive Data Exception
    Web Attack
    Permission Exception
    Event Type | Event Description
    Miss user value | The request lacks the necessary user information, such as user ID and username. This may indicate that an attacker is probing the business, for example by fuzzing.
    Miss user parameters | The request lacks the necessary parameters, such as user ID and username. This may indicate that an attacker is probing the business, for example by fuzzing.
    Miss username and password | The request lacks the necessary username and password information. This may indicate that an attacker is probing the business, for example by fuzzing.
    Miss log-in action | The request lacks the necessary log-in action; for example, a log-in request is missing the log-in action parameter. This may indicate that an attacker is probing the business, for example by fuzzing.
    Vertical privilege escalation | Users or attackers obtain data outside their permission scope by modifying parameters, URLs, etc. This can lead to sensitive data leaks and undermine internal information security.
    Unauthorized access to sensitive information | Users or attackers access sensitive data in the system without authorization, causing sensitive data leaks and undermining internal information security.
    Account Exception
    Event Type | Event Description
    Brute force cracking | Attackers use automation tools to brute-force the target system's passwords. They typically use dictionary attacks or brute-force tools to try many password combinations until the correct password is found.
    Credential stuffing attack | Attackers use known username and password combinations, usually obtained from leaked user data, to attempt to log in to the target system. They try leaked credential pairs against other websites or systems to see whether they grant access to the target system.
    Malicious registration | Attackers use false or misappropriated user information to register accounts, usually in order to carry out other malicious behaviors such as sending spam.
    Resource Abuse
    Event Type | Event Description
    SMS API flooding | Attackers use automation tools to request the SMS API at high frequency, usually to carry out SMS bombing, deplete SMS resources, or perform other malicious behaviors.
    Captcha API flooding | Attackers use automation tools to request the CAPTCHA API at high frequency, usually to attempt CAPTCHA bypass, consume CAPTCHA resources, or perform other malicious behaviors.
    API Abuse | Users or attackers request the API so frequently that normal usage limits are exceeded, which may burden the system or pose security risks. Attackers typically use automation tools to send a large number of requests in an attempt to consume system resources or conduct other malicious activities.
    Business Exception
    Event Type | Event Description
    API invocation from unusual regions | Requests to this API are usually concentrated in one region. A large number of requests from other regions has been detected and is suspected to be abnormal.
    API invocation from unusual source IP | The IPs accessing this API usually fall within a certain IP range. A large number of requests from unusual IP ranges has been detected and is suspected to be abnormal.
    API invocation from unusual terminals | The clients accessing this API are usually of a certain type. A large number of requests from other client types has been detected and is suspected to be abnormal.
    Sensitive Data Exception
    Event Type | Event Description
    Excessive sensitive data retrieval | Users or attackers retrieve a large amount of sensitive data through this API, potentially causing sensitive data leaks and undermining internal information security.
    Unauthorized access to sensitive information | Users or attackers access sensitive data in the system without authorization, causing sensitive data leaks and undermining internal information security.
    Web Attack
    Event Type | Event Description
    Web attack | The API frequently suffers more than ten types of web attack, such as SQL injection, XSS, command injection, illegal access to core files, file upload attacks, malicious scanning, Trojan backdoors, XML injection, web application vulnerability exploitation, LDAP injection, server-side request forgery, server-side template injection, unauthorized access vulnerabilities, and non-compliant protocols.
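    As an added illustration (not Tencent Cloud WAF code), the toy detectors below show the kind of rule that sits behind three of the event types above: Miss user parameters, SMS API flooding, and API invocation from unusual regions. The log format, API paths, required-parameter mapping, and thresholds are constructed assumptions, not the product's.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic): (timestamp, source IP, geo region, API path, params).
LOGS = [
    ("2024-09-05T10:00:00", "203.0.113.5", "CN", "/api/user/profile", {"user_id": "1001"}),
    ("2024-09-05T10:00:02", "203.0.113.5", "CN", "/api/user/profile", {}),  # no user identifier
] + [  # seven SMS requests from one IP within 18 seconds
    (f"2024-09-05T10:01:{s:02d}", "198.51.100.7", "CN", "/api/sms/send", {"phone": "13800000000"})
    for s in range(0, 20, 3)
] + [  # traffic to /api/order/list normally concentrated in one region ...
    ("2024-09-05T10:02:00", "192.0.2.9", "CN", "/api/order/list", {"user_id": "7"}),
] * 10 + [  # ... followed by a burst from a region not seen before
    (f"2024-09-05T10:03:00", f"192.0.2.{i}", "BR", "/api/order/list", {"user_id": "7"})
    for i in range(10, 16)
]
# Assumed (hypothetical) mapping of user-scoped APIs to the identifiers a request must carry.
REQUIRED_USER_PARAMS = {"/api/user/profile": {"user_id", "username"}}

def detect_missing_user_params(logs, required=REQUIRED_USER_PARAMS):
    """Miss user parameters: a user-scoped API is called without any of its expected user identifiers."""
    return [(ts, ip, path) for ts, ip, _, path, params in logs
            if path in required and not (required[path] & params.keys())]

def detect_sms_flooding(logs, sms_path="/api/sms/send", window_s=60, threshold=5):
    """SMS API flooding: one source IP issues more than `threshold` SMS requests in any `window_s`-second sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _, path, _ in logs:
        if path == sms_path:
            by_ip[ip].append(datetime.fromisoformat(ts))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_s):
                start += 1  # drop requests that have fallen out of the window
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return sorted(flagged)

def detect_unusual_region(logs, path, min_requests=5):
    """API invocation from unusual regions: traffic to `path` is normally concentrated in one dominant region; flag other regions contributing at least `min_requests`."""
    regions = Counter(region for _, _, region, p, _ in logs if p == path)
    if not regions:
        return []
    dominant = regions.most_common(1)[0][0]
    return sorted(r for r, n in regions.items() if r != dominant and n >= min_requests)
```

    In production these baselines (dominant region, request rate, required identifiers) would be learned per API from historical traffic rather than hard-coded.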

    Directions

    1. Log in to the WAF console, and choose Event Management > API security events in the left sidebar.
    2. On the API security events page, click the "All Domains" dropdown in the upper left corner and select the domain name you want to view. The right side shows whether API Security is enabled for the current domain name.
    If the API security switch is enabled, you can start using the related features.
    If the API security switch is not enabled, go to the Access Management page, filter for the domain name under an instance that has purchased API security and needs the API security switch enabled, and click the switch to enable it.
    
    3. On the API security events page, a statistical overview of various events is displayed, including the total number of events, the number of events detected today, the number of detected events, the number of handled events, and the number of API events in progress.
    
    Field Name | Description
    Security events | Total number of API events under the current domain name.
    Detected today | Total number of API events detected today under the current domain name.
    Detected | Total number of detected API events under the current domain name.
    Handled | Total number of handled API events under the current domain name.
    In progress | Total number of API events in progress under the current domain name.
    Ignored | Total number of ignored API events under the current domain name.
    4. On the API event management page, you can retrieve API event data within a specified time range.
    
    5. The event list area provides the API event data list, API event status change, API event detail display, API event search, and API event download features.
    
    API event data list: You can view the API event list for the selected time range under the current domain name.
    Field Name | Description
    Event ID | API event name.
    Event type | API event type.
    Event level | API event risk level.
    Related domain | Name of the API associated with the API event.
    Status | Current status of the API event:
        Detected: the API event has been detected but not yet confirmed.
        In progress: the risk of the API event is being confirmed and the related rules are being configured. This status includes handling suggestions for the event type (CC/access control/BOT, etc.), and the appropriate rules can be added with one click.
        Handled: the risk of the API event has been confirmed and handling rules have been added.
        Ignored: the event has been confirmed as not needing handling and ignored.
        Disabled: access traffic and attack traffic have been observed, and the event has been confirmed as fully closed.
    Detection time | Earliest detection time of the API event.
    Last update | Most recent update time of the API event.
    Operation | Status change and View details.
    Status change: Click Handle event to change the status of the current API event.
    
    Username: Cannot be empty; defaults to the current console account name.
    Remarks: Enter the corresponding remarks.
    Suggestion: Suggestions corresponding to the event type are provided. You can click Add now to add the corresponding handling rules.
    View details: Click View details to see the details of the current API event.
    
    Field Name | Description
    Basic information | Mainly includes Event ID, Event type, Occurred, Update time, Related API, Associated domain name, and Event details.
    Suggestion | Suggestions corresponding to the event type are provided. You can click Add with one click to add the corresponding handling rules.
    Rule added | Status of the added rules.
    Change history | History of event status changes.
    Attacker details | Details of the event's attack source.
    API event search: You can search by "API name and Related domain name".
    API event download: Click the download icon, select the required fields, and click Export to download the data list.
    

    Event Alarm

    On the System Management page, select System Settings > Event alarm to modify the Alert switch or click Settings.
    Alert switch: Click the switch to turn it on. The default state is on. Once it is enabled, newly found risk events detected by the Event Management feature are summarized every day or hour, and notifications are pushed through channels such as the message center. Notifications for known risk events are not sent repeatedly.
    Settings: Supports customizing Alarm Type and Alarm Frequency.
    Alarm type: Supports selecting BOT Events and API security events. It is recommended to select all risk levels for alarm.
    Alarm period: Supports selecting daily or hourly summary alarms. The default is to alarm at 10 AM daily.
    Daily summary: Supports setting the notification time for the daily alarm, summarizing all new event alarms once at the specified time each day.
    Hourly summary: Supports setting the time period for notifications, with alarms pushed at the top of each hour within the specified time range. Notifications are not sent outside the set time points or time range.
    Receiving channel and recipient settings: To modify the message recipient or reception method, go to Message Center and select Product service notifications.
    
    