Web Application Firewall: API asset management

Last Updated: Nov 04, 2025

This topic describes the API asset management feature of Alibaba Cloud API Security, including how to view API asset details, manage API assets, view API details, and export and download data.

Page features

You can view API asset details in one of the following ways:

  1. On the API Security page, click the Asset Management tab.

  2. On the Overview tab, click View More in the Request Sensitive Data Type Statistics table, or the View More button in the upper-right corner of the Response Sensitive Data Type Statistics table.

The Asset Management tab on the API Security page displays API asset statistics and provides search filters. The tab consists of three main sections: an API asset overview, the site list, and the API asset list.

API asset overview

The overview displays statistics for Total API assets, New Events Today, Active APIs, Inactive APIs, Sites With Sensitive Data In Responses, APIs With Sensitive Data In Responses, Cross-border Data Transmission APIs, and APIs With Machine-generated Requests.

You can click the values for New Events Today, Inactive APIs, Sites With Sensitive Data In Responses, and APIs With Sensitive Data In Responses to view the corresponding details in the API Asset List. The default statistical period is 30 days.

Site list on the left

The site list on the left displays your site names and the number of APIs for each site. Click a site to view its details in the API Asset List.

API asset list

In the API Asset List, you can search for API assets in one of the following ways:

  • Simple search

    In the search box above the API asset list, click the expand icon. Select API Operation or Remarks and enter the API operation address or remarks.

  • Advanced search

    Click More Filters to specify search conditions. After you specify the conditions, click Search to perform the query. The following table describes the available search conditions.

| Condition Name | Description |
| --- | --- |
| Display Items | Click the settings icon in the upper-right corner of the list and select the data fields to display. |
| Time | The last active time of the API asset. The default time range is the last 30 days. This includes the 30 full days before today and any data from today up to the query time. You can also select quick search options: Last 15 minutes, Last 30 minutes, Last 1 hour, Last 24 hours, Today, Yesterday, or Last 7 days. The minimum granularity for a custom time query is 10 minutes. |
| Request Sensitive Data Type | Multiple selections are supported. |
| Response Sensitive Data Type | Multiple selections are supported. |
| Service Object | Multiple selections are supported. |
| Business Purpose | Multiple selections are supported. |
| Request Method | Multiple selections are supported. |
| Activity Status | Only one selection is supported. |
| Follow Status | Only one selection is supported. |
| Authentication | Only one selection is supported. |
| API Sensitivity Level | Multiple selections are supported. |

Manage target APIs

After you find an API asset using the specified conditions, you can manage the asset using the features in the list. The following table describes the fields in the list.

| List Field | Field Description |
| --- | --- |
| API | This field displays the API name, API status, and request method. Different request methods for the same API are displayed as separate API operations in the list. API Security has built-in logic to detect New and Inactive statuses. You can also modify the rule for the Inactive label by navigating to Policy Configuration > Lifecycle Management. For more information, see Lifecycle management. |
| AI Analysis | Use the AI security assistant to analyze assets and provide information such as business purposes, call trends, and security suggestions. Analysis of objects accessed through hybrid clouds is not currently supported. |
| Domain Name/IP | The domain name or IP address to which the API operation belongs. |
| Call Volume | The number of times the API operation was accessed in the last 30 days. |
| API Sensitivity Level | Rated based on the type and volume of sensitive data in the response. The levels are High, Medium, Low, and Non-sensitive. |
| Request Sensitive Data Type | The types of sensitive data contained in the request. |
| Response Sensitive Data Type | The types of sensitive data contained in the response. |
| Bot Request Count | The number of requests initiated by bots. The system analyzes Layer 4 and Layer 7 traffic fingerprints to count requests from source IPs identified as bots. |
| Cross-border Request Count | The number of requests from source IPs outside the Chinese mainland. |
| Business Purpose | Identifies the function of the API operation. The purpose is determined by matching the API path and parameter names with built-in and custom business purpose fields. Customize these settings based on your business needs by navigating to Policy Configuration > Business Purpose Configuration. For more information, see Business purpose configuration. |
| Service Object | The caller or user of the API operation. It is determined based on API naming conventions and the clustering of access sources. The categories are Internal Office, Third-party Cooperation, and Public Service. |
| Authentication | The authentication field for the API operation. The system has built-in logic to identify authentication credentials. Customize these settings based on your business needs by navigating to Policy Configuration > Authentication Credential Configuration. For more information, see Authentication credential configuration. |
| Threats/IP Events/Account Events | Click the number in the Threats/IP Events/Account Events column to view threat or event details in the API threat details list. For more information about threats and events, see Threats and events. |
| First Discovered | The time when the API operation was first discovered. |
| Last Active | The time when the API operation was last accessed. |
| Follow | You can change your follow status for the API operation by clicking the icon in the Follow column. |
| Remarks | You can add remarks for the API operation as needed by clicking the icon in the Remarks column, entering the remarks, and then clicking the icon. |

Note

API details

Click an API link in the API Asset List to open the API details drawer. In the upper-right corner of the drawer, you can also click the icon to open the full API details page.

The API details page contains detailed information about the API asset on the following tabs: Request Sample, Network Traffic Analysis, Threats And Events, and Protection Suggestions.

Request sample

  • The request sample contains up to five random request samples. You can switch between Split View and Merged View.

    • The split view divides samples into the General, Request Header, Response Header, Request Body, and Response Body sections, which you can view and copy individually.

    • The merged view divides samples into Request Samples and Response Samples, which you can view and copy separately to facilitate traffic replay.

  • Click Open In Browser for quick validation. Click Command Line to obtain the command for manual access validation.

  • The Request Parameter Types and Response Parameter Types sections show the Parameter Name, Value Feature, and Parameter Location for the request and response parameters of the current sample. API Security obtains this information by identifying and marking parameters in the sample based on the traffic baseline.

Network traffic analysis

This section shows the access trend for the API operation over the last 30 days. It provides statistics for the Total Call Volume, Bot Request Volume, and Cross-border Request Volume. The TOP 20 Access Sources list shows the top 20 access sources in the last 30 days, categorized by total traffic, bot traffic, and cross-border traffic. The Client Source Statistics section provides statistics on client sources over the last 30 days based on four dimensions: Referer, client, geographic location, and account.

Threats and events

This section displays the threat events, IP security events, and account security events that are related to the API. You can quickly navigate to the event details from this section.

Protection suggestions

This section provides protection suggestions based on the API call baseline.

Export and download

  1. Click the download icon in the upper-right corner of the API list. API Security then creates an export task.

  2. In the upper-right corner of the API Security page, click Export Records. Find the file that you want to download and click Download in the Actions column.
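The following added example, which is not part of the product or its documentation, shows one way to triage a downloaded asset list offline so that review effort goes to the riskiest API operations first. It assumes the export is a CSV whose column names mirror the list fields described above and that an empty Authentication cell means no credential was identified; the sample rows, hostnames, and the `triage` function are constructed for illustration.

```python
import csv
import io

# Constructed sample export. The column names mirror the list fields described
# on this page; the real export layout may differ (assumption).
SAMPLE_EXPORT = """API,Request Method,Domain Name/IP,Call Volume,API Sensitivity Level,Response Sensitive Data Type,Bot Request Count,Cross-border Request Count,Service Object,Authentication,Activity Status
/api/v1/user/profile,GET,app.example.com,12000,High,ID card;Phone number,300,40,Public Service,,Active
/api/v1/orders,POST,app.example.com,8000,Medium,Phone number,6400,10,Public Service,token,Active
/internal/report,GET,office.example.com,0,High,Bank card,0,0,Internal Office,cookie,Inactive
/api/v1/health,GET,app.example.com,50000,Non-sensitive,,100,5,Public Service,,Active
"""

SENSITIVE = {"High", "Medium", "Low"}  # every level except Non-sensitive


def triage(export_text, bot_ratio=0.5):
    """Return (api, method, reasons) for rows that need review, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        calls = int(row["Call Volume"] or 0)
        bots = int(row["Bot Request Count"] or 0)
        cross = int(row["Cross-border Request Count"] or 0)
        sensitive = row["API Sensitivity Level"] in SENSITIVE
        reasons = []
        # Assumption: an empty Authentication cell means no credential was identified.
        if sensitive and not row["Authentication"].strip():
            reasons.append("sensitive response without authentication")
        if sensitive and row["Activity Status"] == "Inactive":
            reasons.append("inactive API that returns sensitive data")
        if calls and bots / calls >= bot_ratio:
            reasons.append(f"bot share {bots / calls:.0%}")
        if sensitive and cross:
            reasons.append("sensitive data in cross-border traffic")
        if reasons:
            findings.append((row["API"], row["Request Method"], reasons))
    # More reasons first; ties keep export order because the sort is stable.
    findings.sort(key=lambda f: len(f[2]), reverse=True)
    return findings


if __name__ == "__main__":
    for api, method, reasons in triage(SAMPLE_EXPORT):
        print(f"{method} {api}: " + "; ".join(reasons))
```

Adjust the column names and the `bot_ratio` threshold to match the file you actually download and your own traffic baseline.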