This topic describes how to view and manage risk detection data and security event data on the API Security page. You can perform various operations on the page, such as viewing risk statistics, event types, event details, and API details, searching data based on advanced conditions, changing status, and exporting logs for further analysis.
1. View risk detection data
Risks refer to API security risks or security threats that are caused by development, management, or configuration defects. Security risks are different from security events. Security risks can be detected regardless of whether attacks are initiated. Security events can be detected only when attacks are initiated and alerts are generated. You can view risk detection data on the Risk Detection tab of the API Security page. Alternatively, you can click More in the upper-right corner of the Risky Site Statistics section on the Overview tab to go to the Risk Detection tab.
Modules on the Risk Detection tab
On the Risk Detection tab of the API Security page, you can view the analysis statistics of API risk detection and the supported filter conditions. The Risk Detection tab consists of the following modules: risk statistics, risk types, and API risk details.
Risk statistics
This module supports the Risk Impact Statistics and Risk Status Statistics sections. The default statistical period is the previous year.
The Risk Impact Statistics section displays the following items: Risky Domain Names and Risky APIs, High Risks and New Events Today, Medium Risks and New Events Today, and Low Risks and New Events Today. You can click the number next to an item to view details in the API Risk Details section.
The Risk Status Statistics section displays the following items: To Be Confirmed, To Be Fixed, Confirmed, Fixed, and Ignore. You can click the number below an item to view details in the API Risk Details section.
Risk types
This module displays the types of risks and numbers of risks for each type. You can click a risk type to view details in the API Risk Details section.
API risk details
This module allows you to search for API risks in the API Risk Details section. You can use one of the following methods:
Basic search
Above the list in the API Risk Details section, click the icon to expand the drop-down list. In the drop-down list, select API Operation or Risk Item ID. Then, enter an API name or a risk ID and click Search to search for API risks. Fuzzy search is supported.
Advanced search
Click More to show advanced search conditions, including the time range, risk level, status, purpose, domain name, and type. After you configure the conditions, click Search to search for API risks. The following table describes the search conditions that you can configure.
Search condition | Description |
Display setting | Click the icon in the upper-right corner above the list to specify the fields that you want to display in the list. |
Time range | The default time range is 30 days. If you set the time range to 30 Days, the system searches data that is generated within the previous 30 days, excluding the current day, and the system also searches data that is generated on the current day before the system starts the search. You can also select Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Today, Yesterday, or 7 Days to quickly search data. The custom time range that you can specify supports 10-minute precision. |
Risk level | You can select multiple options. |
Status | You can select multiple options. |
Purpose | You can select multiple options. |
Domain name | You can select only one option. |
Type | You can select only one option. |
For more information about risk types, see What types of API risks can be detected by the API security module?
View and manage an API risk
After you search for an API risk, you can perform the following operations to view and manage the API risk:
Change the status of the API risk
Click the icon in the Status column. In the ModifyRisk Status dialog box, select the status that you want to use and click OK.
View the API details of the API risk
Click the source API of the risk in the API column. In the API Details panel, view the API details. For more information about the API Details panel, see API details.
View risk details of the API risk
Click View Details in the Actions column. In the panel that appears, you can view the following information:
Basic information
You can view basic information, including API, Risk Item ID, First Detected At, Risk Description, Suggestions, Domain Name, and Purpose. You can also view the API risk status.
You can change the API risk status.
You can change the API risk status to To Be Confirmed, Confirmed, To Be Fixed, Fixed, or Ignore. You can also enter remarks in the Remarks field.
Risk verification
On the Risk Verification tab, you can view sample requests. You can perform the following operations:
On the Risk Verification tab, view sample requests.
Click Browser to open a new page in your browser. Then, you can view a GET request.
Click Command Line to convert a sample request to a command line. Click Copy to manually access the request.
Click Copy Code to copy the sample requests.
Operation records
On the Operation Records tab, you can view the handling record of the risk.
Export API risk data
You must use an Alibaba Cloud account to export data.
Click the icon in the upper-right corner above the list in the API Risk Details section. The API security module creates an export task.
Click Export Record in the upper-right corner of the API Security page. Find the file that you want to download and click Download in the Actions column.
If you specify search conditions, the exported file contains only data that meets the conditions. If you do not specify search conditions, the exported file contains all data.
An exported file is temporarily stored in the Web Application Firewall (WAF) console for three days. After three days, you can no longer download the file. We recommend that you download an exported file in a timely manner.
A downloaded file is stored in the default location of your browser. You can view the file in the default location.
2. View security event data
Security events are generated when errors occur during API calls or attacks are initiated. For example, when a brute-force attack is initiated against the logon interface or an SMS flooding attack is initiated by abusing the SMS sending interface, a security event is generated. Built-in events are detected by IP address. If events are of the same CIDR block, API, and type and are generated on the same day, the events are aggregated and one alert is generated for the events. You can view security event data on the Security Events tab of the API Security page. Alternatively, you can click More in the upper-right corner of the Statistics on Attacked Sites section on the Overview tab to go to the Security Events tab.
Modules on the Security Events tab
On the Security Events tab of the API Security page, you can view the analysis statistics of API attack events and the supported filter conditions. The Security Events tab consists of the following modules: attack impact statistics, event types, and API security event details.
Attack impact statistics
This module displays the following items: Attacked Domain Names and Attacked APIs, High-Risk Events and New Events Today, Moderate-Risk Events and New Events Today, and Low-Risk Events and New Events Today. You can click the number next to an item to view details in the Details of API Security Events section. The default statistical period is the previous year.
Event types
This module displays the types of events and numbers of events for each type. You can click an event type to view details in the Details of API Security Events section.
API security event details
This module allows you to search for API security events in the Details of API Security Events section. You can use one of the following methods:
Basic search
Above the list in the Details of API Security Events section, click the icon to expand the drop-down list. In the drop-down list, select API Operation or Event ID. Then, enter an API name or an event ID and click Search to search for API security events. Fuzzy search is supported.
Advanced search
Click More to show advanced search conditions, including the time range, event level, status, purpose, domain name, and type. After you configure the conditions, click Search to search for API security events. The following table describes the search conditions that you can configure.
Search condition | Description |
Display setting | Click the icon in the upper-right corner above the list to specify the fields that you want to display in the list. |
Time range | The default time range is 30 days. If you set the time range to 30 Days, the system searches data that is generated within the previous 30 days, excluding the current day, and the system also searches data that is generated on the current day before the system starts the search. You can also select Last 15 Minutes, Last 30 Minutes, Last 1 Hour, Last 24 Hours, Today, Yesterday, or 7 Days to quickly search data. The custom time range that you can specify supports 10-minute precision. |
Event level | You can select multiple options. |
Status | You can select multiple options. |
Purpose | You can select multiple options. |
Domain name | You can select only one option. |
Type | You can select only one option. |
For more information about the purposes of API calls, see What are the purposes of API calls that are classified by the API security module?
For more information about the security events that can be detected by the API security module, see What types of exception events can be detected by the API security module?
View and manage an API security event
After you search for an API security event, you can perform the following operations to manage the API security event:
Change the status of the API security event
Click the icon in the Status column. In the ModifyEvent Status dialog box, select the status that you want to use and click OK.
View the API details of the API security event
Click the source API of the security event in the API column. In the API Details panel, view the API details. For more information about the API Details panel, see API details.
View details of the API security event
Click View Details in the Actions column. In the panel that appears, you can view the following information:
Basic information
You can view basic information, including API, Event ID, and Domain Name. You can also view the status of the security event.
You can change the status of the security event.
You can change the status of the security event to To Be Confirmed, Confirmed, or Ignore. You can also enter remarks in the Remarks field.
Event details
On the Event Details tab, you can view the following information: Attack Source, Start Time/End Time, Attacks, Event Description, Sample Request Data, Sample Response Data, and Suggestions.
You can click Log Details to view the log details of the security event.
Operation records
On the Operation Records tab, you can view the handling record of the security event.
Export API security event data
You must use an Alibaba Cloud account to export data.
Click the icon in the upper-right corner above the list in the Details of API Security Events section. The API security module creates an export task.
Click Export Record in the upper-right corner of the API Security page. Find the file that you want to download and click Download in the Actions column.
If you specify search conditions, the exported file contains only data that meets the conditions. If you do not specify search conditions, the exported file contains all data.
An exported file is temporarily stored in the WAF console for three days. After three days, you can no longer download the file. We recommend that you download an exported file in a timely manner.
A downloaded file is stored in the default location of your browser. You can view the file in the default location.