
Web Application Firewall: API security risks and events

Last Updated: Nov 10, 2025

This topic describes how to view and manage risk detection and security event data in Alibaba Cloud API Security. You will learn how to view statistics and details, perform advanced searches, modify statuses, view related API assets, and export data for further analysis.

I. View risk detection data

A security risk is a vulnerability in an interface caused by bugs in development, management, or configuration. A security risk does not mean an attack has occurred, whereas a security event is an alert generated by an attack. You can view details about detected risks by clicking the Risk Detection tab or the View More button in the upper-right corner of the Risk Site Statistics table.

Page features

On the API Security page, go to the Risk Detection tab to view statistical data from API risk analysis and perform conditional searches. This tab has three main modules: Risk Statistics, the risk type list on the left, and API Risk Details.

Risk statistics

The risk statistics section includes Risk Impact Statistics and Risk Status Statistics. The statistical period is set to the last year by default.

  • Risk Impact Statistics: Shows the number of at-risk domain names and APIs. It also displays a count of high-risk, medium-risk, and low-risk items, and the number of new items added today for each risk level. Click a number to view the corresponding API risk details in the API Risk Details section.

  • Risk Status Statistics: Displays the number of risks for each status: To Be Confirmed, To Be Fixed, Confirmed, Fixed, and Ignored. Click a number to view the details of the risks for the corresponding status in the API Risk Details section.

Risk type list on the left

The risk type list on the left shows the types of risks associated with your APIs and their corresponding counts. Click a risk type to view its detailed API data in the API Risk Details section.

API risk details

In the API Risk Details section, you can find target API risks using the following methods:

  • Simple search

    Click the expand icon in the search box above the API risk list. Select API Operation or Risk ID, enter the API name or ID, and click the Search button. Fuzzy search is supported.

  • Advanced search

    Click More Filters to set search conditions such as Time, Risk Level, Status, Business Purpose, Domain Name, and Type. Then, click the Search button. The following table describes the search conditions.

| Condition | Description |
| --- | --- |
| Set Display Items | Click the settings icon in the upper-right corner of the list to select the data fields to display. |
| Time | The default time range is the last 30 days. This includes the full 24 hours for the past 30 days starting from yesterday, plus data recorded today up to the time of the query. Quick query options include the last 15 minutes, 30 minutes, 1 hour, 24 hours, today, yesterday, and 7 days. The minimum granularity for a custom time query is 10 minutes. |
| Risk Level | Multiple selections are supported. |
| Status | Multiple selections are supported. |
| Business Purpose | Multiple selections are supported. |
| Domain Name | Only one selection is supported. |
| Type | Only one selection is supported. |

Note

For more information about risk types, see What API risk types does API Security detect?.

View and manage API risks

After you find a specific API risk, you can view and manage it using the following methods:

  • Modify the API risk status

    Click the icon in the Status column, select a threat status, and click OK.

  • View the API asset involved in the risk

    Click the source API of a specific risk to view the API asset on the API details page. For a detailed description of the API details page, see 3. API details.

  • View API risk details

    In the Actions column for the target risk ID, click View Details. The risk details page displays the following information:

    • Basic Information

      • View information such as API, Risk ID, First Discovered, Risk Description, Recommended Action, Domain Name, Business Purpose, Status, and AI Analysis.

    • Risk Status Description

      • The initial risk status is To Be Confirmed. You can change this status to Confirmed, To Be Fixed, Pending System Verification, Fixed (Manual Verification), or Ignore and add remarks.

      • When you set the risk status to Pending System Verification, the system automatically determines whether the risk is fixed based on the following rules. If the conditions are met, the status changes to Fixed (System Verification). Otherwise, the status changes to Verification Failed:

        • The Unauthenticated Access to Sensitive API risk is resolved when the system detects that the API has implemented authentication or no longer transmits sensitive data.

        • The Unauthorized Access to Internal API risk is resolved when the system detects that the API is no longer internal or that authentication has been added.

        • Other risks are considered fixed if the Last Detection Time was more than 7 days ago and the API was accessed within the last 7 days.

        • Other risks are considered fixed if the Last Detection Time was more than one day ago and the number of visits today is greater than 100.

      • Security and business teams can refer to the following flowchart to establish a standard workflow for handling risk statuses.

        [Figure: flowchart of the risk status handling workflow]
  • Risk Verification

    On the Risk Verification tab, you can perform the following operations:

    • View the request sample.

    • Click Open In Browser to run the GET request in a browser.

    • Click Command Line to convert the sample request to a command-line format. Click Copy to copy the request for manual execution.

    • Click Copy Code to copy the sample request.

  • Operation Record

    On the Operation Record tab, you can view the operation records for the risk event.
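
The system verification rules listed under Risk Status Description can be written as a decision function to predict whether a risk set to Pending System Verification will end in Fixed (System Verification) or Verification Failed. This is an added example, not Alibaba Cloud code: the `RiskSnapshot` fields, the sample records, and the treatment of the two traffic-based rules as alternatives are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Risk type names as written on this page.
UNAUTH_SENSITIVE = "Unauthenticated Access to Sensitive API"
UNAUTH_INTERNAL = "Unauthorized Access to Internal API"
OTHER = "other risk type (placeholder)"

@dataclass
class RiskSnapshot:
    """Hypothetical record; field names are assumptions, not WAF export columns."""
    risk_type: str
    last_detection: datetime                # Last Detection Time of the risk
    last_access: Optional[datetime] = None  # most recent request to the API
    visits_today: int = 0
    has_auth: bool = False
    sends_sensitive_data: bool = True
    is_internal: bool = True

def predict_verification(r: RiskSnapshot, now: datetime) -> str:
    """Status that the documented rules would produce for this snapshot."""
    if r.risk_type == UNAUTH_SENSITIVE:
        fixed = r.has_auth or not r.sends_sensitive_data
    elif r.risk_type == UNAUTH_INTERNAL:
        fixed = r.has_auth or not r.is_internal
    else:
        quiet = now - r.last_detection
        accessed_7d = (r.last_access is not None
                       and now - r.last_access <= timedelta(days=7))
        # Assumption: either traffic rule is sufficient on its own.
        fixed = ((quiet > timedelta(days=7) and accessed_7d)
                 or (quiet > timedelta(days=1) and r.visits_today > 100))
    return "Fixed (System Verification)" if fixed else "Verification Failed"

# Constructed sample data, not real console output.
NOW = datetime(2025, 11, 10, 12, 0)
SAMPLES = {
    "quiet-8d-with-traffic": RiskSnapshot(OTHER, NOW - timedelta(days=8), NOW - timedelta(days=2)),
    "quiet-2d-busy-today": RiskSnapshot(OTHER, NOW - timedelta(days=2), NOW - timedelta(hours=1), 250),
    "quiet-30d-no-traffic": RiskSnapshot(OTHER, NOW - timedelta(days=30)),
    "sensitive-auth-added": RiskSnapshot(UNAUTH_SENSITIVE, NOW - timedelta(hours=3), has_auth=True),
    "internal-unchanged": RiskSnapshot(UNAUTH_INTERNAL, NOW - timedelta(days=20)),
}

if __name__ == "__main__":
    for name, snap in SAMPLES.items():
        print(f"{name:24} {predict_verification(snap, NOW)}")
```

In this model, the `quiet-30d-no-traffic` record ends in Verification Failed because both traffic-based rules require recent requests to the API, so an API that receives no traffic cannot pass them regardless of whether it was patched.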

Export API risk data

  1. Click the download icon in the upper-right corner of API Risk Details to create an export task.

  2. In the upper-right corner of the API Security page, click Export History. Find the file that you want to download and click Download in the corresponding Actions column.

Note
  • If you set search conditions, the exported file contains only the queried data. Otherwise, it contains all data.

  • Generated files are temporarily stored in the WAF console and expire after three days. You must download the file before it expires because expired files cannot be downloaded.

  • The downloaded file is saved to your browser's default download location.

II. View security event data

A security event is an abnormal call or an attack on an API, such as a brute-force attack on a logon API or the abuse of a text message API for message flooding. Security events are categorized by dimension into two types: IP Security Events (by IP address) and Account Security Events (by account).

Click the Security Events tab or the View More button in the upper-right corner of the Attacked Site Statistics table to view security event details.

Note

To view Account Security Events, you must configure Account ID Extraction for the protected object. For more information, see Configure Account ID Extraction.

Page feature introduction

IP Security Events

On the Security Events page, go to the IP Security Events tab to view statistics from the analysis of API attack events and perform searches based on specific conditions. This tab contains three main sections: Attack Impact Statistics, the event type list, and API Security Event Details.

Attack Impact Statistics

The Attack Impact Statistics section includes the Number Of Attacked Domain Names, the Number Of Attacked APIs, and the counts of High-risk Events, Medium-risk Events, and Low-risk Events, each with its own New Today count. Click a number to view detailed API security event data for the corresponding metric in the API Security Event Details section. The default statistical period is the last year.

Event type list on the left

The event type list on the left displays the event types for your APIs and their corresponding event counts. Click an event type to view a detailed list of events for that type in the API Security Event Details section.

API Security Event Details

In the API Security Event Details section, you can find specific API security events using the following methods:

  • Simple search

    In the search box above the API security event list, click the expand icon. Select IP, API Operation, or Event ID, enter an IP address, API name, or event ID, and then click the Search button. Fuzzy search is supported.

  • Advanced search

    Click More Filters to specify search conditions such as Time, Event Level, Status, Business Purpose, Domain Name, and Type. Then, click the Search button. The following table describes the search conditions.

| Condition | Description |
| --- | --- |
| Set Display Items | Click the settings icon in the upper-right corner of the list to select the data fields to display. |
| Time | The default time range is the last 30 days. This includes the full 24 hours for the past 30 days starting from yesterday, plus data recorded today up to the time of the query. Quick query options include the last 15 minutes, 30 minutes, 1 hour, 24 hours, today, yesterday, and 7 days. The minimum granularity for a custom time query is 10 minutes. |
| Event Level | Multiple selections are supported. |
| Status | Multiple selections are supported. |
| Business Purpose | Multiple selections are supported. |
| Domain Name | Only one selection is supported. |
| Type | Only one selection is supported. |

Account Security Events

On the Security Events page, go to the Account Security Events tab to view statistics about API attack events and search for events based on specific conditions. This tab contains three main modules: Attack Impact Statistics, the event type list on the left, and API Security Event Details.

Attack Impact Statistics

The Attack Impact Statistics section shows the number of Risky Accounts and the counts of High-risk Events, Medium-risk Events, and Low-risk Events, each with its own New Today count. You can click a number to view the detailed API security event data for the corresponding metric in the API Security Event Details section. The default statistical period is the last year.

Event type list on the left

The event type list on the left shows the event types associated with your APIs and their corresponding counts. Click an event type to view the corresponding event details in the API Security Event Details section.

API Security Event Details

In the API Security Event Details section, you can use the following methods to find target API security events:

  • Simple search

    In the search box above the API security event list, click the expand icon and select Account, API Operation, or Event ID. Then, enter the corresponding account, API name, or ID and click the Search button. Fuzzy search is supported.

  • Advanced search

    Click More Filters to set search conditions such as Time, Event Level, Status, Domain Name, and Type. After you set the conditions, click the Search button. The following table describes the search conditions.

| Condition | Description |
| --- | --- |
| Set Display Items | Click the settings icon in the upper-right corner of the list to select the data fields to display. |
| Time | The default time range is the last 30 days. This includes the full 24 hours for the past 30 days starting from yesterday, plus data recorded today up to the time of the query. Quick query options include the last 15 minutes, 30 minutes, 1 hour, 24 hours, today, yesterday, and 7 days. The minimum granularity for a custom time query is 10 minutes. |
| Event Level | Multiple selections are supported. |
| Status | Multiple selections are supported. |
| Domain Name | Only one selection is supported. |
| Type | Only one selection is supported. |


View and manage API security events

After you find a specific API security event, you can manage it using the following methods:

  • Modify the API security event status

    Find the row with the target security event ID, click the icon in the Status column, select a new status, and click OK.

  • Add an IP address or account to the whitelist

    In the Actions column of the target event, click Add to Whitelist. This action adds the IP address or account that triggered the event to a whitelist. The event status changes to Confirmed, and the policy type of the event is not checked by default.

  • Add an IP address to the blacklist

    In the Actions column for the target event, click Block IP Address. This adds the IP address that triggered the event to the blacklist. By default, the event status changes to Handled.

  • View API security event details

    In the Actions column for the target event, click View Details. On the event details page, you can view the following information:

    • Basic Information

      • View information such as Event ID, Start/End Time, and Status.

      • Modify the security event status.

        When you set a security event's status to Confirmed, Handled, or Ignored, you can add notes.

    • Attack Details: View information such as data samples and event trends.

      • To query logs for IP security events, click Log Query in the Actions column of the Attack Source Analysis section.

      • For account security events, you can query the logs by clicking Log Query in the Actions column of the API Distribution section.

    • Recommended Action: View recommended actions for handling the security event.

    • Operation Record: View the history of operations performed on the security event.

Export API security event data

  1. Click the Download icon in the upper-right corner of API Security Event Details to create an export task.

  2. In the upper-right corner of the API Security page, click Export History. Then, find the file that you want to download and click Download in the Actions column.

Note
  • If you set search conditions, the exported file contains only the queried data. Otherwise, it contains all data.

  • Generated files are temporarily stored in the WAF console and expire after three days. You must download the file before it expires because expired files cannot be downloaded.

  • The downloaded file is saved to your browser's default download location.