This topic describes the API asset management features of the API security module. The features include viewing API asset data details, managing APIs, viewing API details, and exporting and downloading API lists.
1. Functional sections on the Asset Management tab
To open the Asset Management tab, use one of the following methods:
On the API Security page, click the Asset Management tab.
On the Overview tab, click More in the Statistics on Request Sensitive Data Types section or click More in the upper-right corner of the Statistics on Response Sensitive Data Types section.
On the Asset Management tab of the API Security page, you can view the statistics on API asset management and search for API assets based on specific conditions. The Asset Management tab contains three functional sections: API Asset Overview, left sidebar, and API Assets.
API Asset Overview
This section displays the following statistics: the total number of API assets, the number of assets discovered today, the number of active APIs, the number of deactivated APIs, the number of sites whose responses contain sensitive data, the number of APIs whose responses contain sensitive data, the number of APIs that transmit data across borders, and the number of APIs requested by bots.
In the API Asset Overview section, you can click a number to view the corresponding APIs in the API Assets list. The default statistical period is the previous 30 days.
Left sidebar
The left sidebar displays your site names and the number of APIs of the sites. You can click the site names to view the details in the API Assets section.
API Assets
In the API Assets section, you can use the following methods to search for specific API assets:
Basic search
In the upper part of the API Assets section, click the search icon, select API Operation or Remarks, and then enter the API endpoint or the remarks text to match.
Advanced search
Click More and specify more search conditions. Then, click Search to search for APIs.
| Condition | Description |
| --- | --- |
| Data fields to display | Click the icon in the upper-right corner of the API Assets section and select the data fields that you want to display in the API assets list. This option controls which columns are shown; it does not filter the results. |
| Time | The most recent active time of API assets. By default, data within the previous 30 days is queried: the 30 full days before today plus today up to the query time. Quick queries are also supported for the previous 15 minutes, 30 minutes, 1 hour, 24 hours, today, yesterday, and the previous 7 days. The minimum time range that you can query is 10 minutes. |
| Request Sensitive Data Type | The types of sensitive data contained in requests. You can select multiple types. |
| Response Sensitive Data Type | The types of sensitive data contained in responses. You can select multiple types. |
| Service Object | The service recipients of the API. You can select multiple recipients. |
| Purpose | The business purposes of the API. You can select multiple purposes. |
| Request Method | The HTTP request methods. You can select multiple methods. |
| Status | Whether the API is active. You can select only one option. |
| Track | Whether the API is followed. You can select only one option. |
| Authentication | Whether authentication is required to call the API. You can select only one option. |
| API Sensitivity Level | The sensitivity levels of the API. You can select multiple levels. |
2. API management
You can manage API assets in the API assets list.
| Field | Description |
| --- | --- |
| API | The API name, API status, and request method. |
| Domain Name/IP Address | The domain name or IP address of the API endpoint. |
| Calls Within Last 30 Days | The number of calls to the API in the previous 30 days. |
| API Sensitivity Level | The sensitivity level of the API, assessed based on the types and amounts of sensitive data contained in responses. APIs are classified into four levels: high sensitivity, moderate sensitivity, low sensitivity, and non-sensitive. |
| Request Sensitive Data Type | The types of sensitive data contained in requests. |
| Response Sensitive Data Type | The types of sensitive data contained in responses. |
| Bot Requests | The number of requests initiated by bots. Requests are attributed to bot IP addresses by analyzing Layer 4 and Layer 7 traffic fingerprints. |
| Cross-border Requests | The number of requests that originate from IP addresses outside the Chinese mainland. |
| Purpose | The business purpose of the API. The characteristics of the API endpoint path and parameter names are matched against built-in and custom business purpose fields. To configure custom business purposes, choose Policy Configurations > Business Purpose. For more information, see security policy configuration. |
| Service Object | The callers or users of the API, categorized based on the naming characteristics of the API and the aggregation of its access sources. Callers are classified into three groups: internal office use, cooperation with third-party partners, and public services. |
| Authentication | The fields that carry authentication credentials. The system has built-in logic for recognizing authentication credentials. To configure custom recognition logic for your business, choose Policy Configurations > Authentication Credential Configurations. For more information, see security policy configuration. |
| Risk Items/Events | Click a number in the Risk Items/Events column to view the risk or event details. For more information, see Risks and events. |
| First Detected At | The time when the API was first detected. |
| Last Active Time | The most recent time at which the API was accessed. |
| Follow | Indicates whether the API is followed. Click the icon in the Follow column to follow or unfollow the API. |
| Remarks | Remarks that you add to the API based on your business requirements. Click the edit icon in the Remarks column, enter the remarks, and then click the confirm icon to save them. |
For more information about sensitive data types, see What types of sensitive data can be detected by the API security module?
For more information about service recipients, see What are the objects for which the API is called to provide services?
For more information about business purposes, see What are the purposes of API calls that are classified by the API security module?
For more information about API sensitivity levels, see How does the API security module divide the API sensitivity levels?
3. API details
To view the details of an API, click the link in the API column. The API Details panel displays the API details. You can also click the icon in the API Details panel to view the information on the API Details page.
The API Details page contains the details of the API on four tabs: Sample Request, Traffic Analysis, Risks and Events, and Protection Suggestions.
Sample Request
This tab includes up to five randomly sampled API request examples and allows you to switch between split display and merge display modes.
In split display mode, each sample is divided into the standard segment, request header, response header, request body, and response body, so that you can view and copy each segment individually.
In merge display mode, each sample is divided into a request sample and a response sample, so that you can view and copy the complete request or response. This facilitates traffic replay.
You can click Browser to quickly verify the sample request in a browser, or click Command Line to obtain a command that you can run to verify the request manually.
The Request Parameter Type and Response Parameter Type sections display parameter names, value characteristics, and parameter positions that are obtained by the API security module based on baseline traffic identification and sample request marking.
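The following Python script is an added example, not code from the API security module, that mirrors what the Sample Request tab and the Authentication field do on a captured sample: it splits a raw request and response into the split-display segments, applies a simple (assumed, not the module's built-in) heuristic for spotting authentication credentials in headers, cookies, query parameters, and JSON bodies, and emits a curl command for manual verification or replay. The sample traffic, the host `shop.example.com`, and the credential name patterns are all constructed for illustration; the page's "standard" segment is represented here by the request line.

```python
import json
import re
import shlex
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in merge display form: one raw request and one raw response.
SAMPLE_REQUEST = (
    "POST /api/v1/orders?uid=10023 HTTP/1.1\r\n"
    "Host: shop.example.com\r\n"
    "Content-Type: application/json\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc\r\n"
    "Cookie: session_id=9f8e7d; theme=dark\r\n"
    "\r\n"
    '{"sku": "A-1001", "qty": 2}'
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"order_id": 555, "phone": "13800000000"}'
)

# Assumed heuristic (hypothetical, not the module's built-in logic):
# header names and parameter/cookie name fragments that commonly carry credentials.
AUTH_HEADER_NAMES = {"authorization", "x-api-key", "x-auth-token"}
AUTH_NAME_PATTERN = re.compile(r"(token|session|sess|auth|apikey|api_key|sid)", re.IGNORECASE)


def split_message(raw: str) -> dict:
    """Split a raw HTTP message into its start line, lower-cased headers, and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def split_sample(raw_request: str, raw_response: str) -> dict:
    """Produce the split-display segments for one sampled request/response pair."""
    req, resp = split_message(raw_request), split_message(raw_response)
    return {
        "request_line": req["start_line"],
        "request_headers": req["headers"],
        "request_body": req["body"],
        "response_headers": resp["headers"],
        "response_body": resp["body"],
    }


def find_auth_fields(segments: dict) -> list:
    """Return (location, name) pairs that the heuristic treats as authentication fields."""
    found = []
    headers = segments["request_headers"]
    for name in headers:
        if name in AUTH_HEADER_NAMES:
            found.append(("header", name))
    for cookie in headers.get("cookie", "").split(";"):
        cname = cookie.split("=", 1)[0].strip()
        if cname and AUTH_NAME_PATTERN.search(cname):
            found.append(("cookie", cname))
    _, target, _ = segments["request_line"].split(" ", 2)
    for pname, _ in parse_qsl(urlsplit(target).query):
        if AUTH_NAME_PATTERN.search(pname):
            found.append(("query", pname))
    if headers.get("content-type", "").startswith("application/json") and segments["request_body"]:
        try:
            for pname in json.loads(segments["request_body"]):
                if AUTH_NAME_PATTERN.search(pname):
                    found.append(("body", pname))
        except (ValueError, TypeError):
            pass  # body is not a JSON object; nothing to inspect
    return found


def to_curl(segments: dict, scheme: str = "https") -> str:
    """Build a curl command equivalent to the sampled request, for manual verification or replay."""
    method, target, _ = segments["request_line"].split(" ", 2)
    headers = segments["request_headers"]
    parts = ["curl", "-X", method, shlex.quote(f"{scheme}://{headers.get('host', '')}{target}")]
    for name, value in headers.items():
        if name != "host":
            parts += ["-H", shlex.quote(f"{name}: {value}")]
    if segments["request_body"]:
        parts += ["--data-raw", shlex.quote(segments["request_body"])]
    return " ".join(parts)


if __name__ == "__main__":
    segs = split_sample(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print("authentication fields:", find_auth_fields(segs))
    print(to_curl(segs))
```

Run the script against a sample copied from the merge display to see which fields a credential check would flag (here the `Authorization` header and the `session_id` cookie, while `uid` is not treated as a credential) and to get a replayable command; the real module's recognition rules are the built-in and custom ones configured under Policy Configurations, not this heuristic.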
Traffic Analysis
This tab displays the access trends of the API over the previous 30 days, together with the total number of calls, the number of bot requests, and the number of cross-border requests. The Top 20 Access Sources section lists the top 20 access sources within the previous 30 days by total traffic, bot traffic, and cross-border traffic. The Client Source Statistics section provides statistics on client sources over the previous 30 days from three dimensions: Referer, client type, and geographical location.
Risks and Events
This tab lists the risks and security events detected for the API. Click View Details in the Actions column to view the details of a risk or event.
Protection Suggestions
This tab provides protection suggestions based on the baseline of the API calls.
4. Export and download API assets
This feature is available only to Alibaba Cloud accounts.
In the upper-right corner of the API assets list, click the export icon. An export task is created.
In the upper-right corner of the API Security page, click Export Record. Find the exported file that you want to download and click Download in the Actions column.