
Web Application Firewall:Compliance check and tracing and auditing of API security

Last Updated:Aug 29, 2024

This topic describes the compliance check and tracing and auditing features of the API security module. You can use the features to monitor the cross-border transfer of sensitive data and trace sensitive data leaks.

1. Compliance check

The compliance check feature monitors and collects statistics on API-based cross-border data transfer to check whether risks exist. This helps you understand the cross-border transfer of sensitive data in your business. You can complete the security assessment and filing of cross-border data transfer based on the statistics. On the Compliance Check tab of the API Security page, you can view the compliance check data of the protected objects for which the feature is enabled within the period from January 1, 2023 to the current time.

Important
  • The feature is supported only for subscription Web Application Firewall (WAF) instances that are deployed in regions in the Chinese mainland and support the API security module.

  • By default, the compliance check feature is disabled. To enable the feature, go to the Policy Configurations > Applicable Object Configurations tab on the API Security page, find the protected object that you want to manage, and then turn on the switch in the Compliance Check column. For more information, see Policy configurations.

Configure protected objects

After you enable the compliance check feature for protected objects, the feature analyzes the traffic of the protected objects. If you no longer want to analyze the traffic of the protected objects, you can disable the feature for the protected objects. For more information, see Policy configurations.

View compliance check results and details

The Compliance Check tab contains the following sections.

Note
  • Deduplication is performed on the check results.

  • By default, the check data in the period from January 1, 2023 to the current time is displayed. You can select Last 1 Month, Last 3 Months, Last 6 Months, or Last 12 Months to change the period. The selected period applies to all sections on the Compliance Check tab except the Detection Results and Detection Items sections.

Detection Results

Displays the overall check result for the Personal Information Data Type and Personal Sensitive Data Type parameters within a specific period of time. The result is one of the following:

  • No risks exist in cross-border data transfer.

  • Risks exist in cross-border data transfer and an application for security assessment is required.

Detection Items

Lists each detection item together with its Required Compliance, Detection Item, and Evaluation Result columns.

Outbound Transferred Data Trend

Displays a chart with three trends within a specific period of time: the total number of personal information entries, the number of personal information entries transferred across borders, and the number of sensitive personal information entries transferred across borders.

Top Distribution for Outbound Transferred Personal Information

Displays, in the left-side list, the top 10 destination countries ranked by the amount of data transferred across borders, together with the number of personal information entries transferred to each country. The world map in this section shows the distribution of the data that is transferred across borders. A darker color indicates that more data is transferred to the country. You can adjust the high-low slider to highlight specific countries on the map; the country rankings do not change when you adjust the slider.

  • You can move the pointer over the world map to view the locations to which the data is transferred and the numbers of entries of personal information and sensitive personal information that are transferred across borders.

  • You can zoom in or zoom out on the world map.

Statistics on Types of Outbound Transferred Personal Information

Displays the personal information and sensitive personal information that are transferred across borders at different data volume levels as well as the evaluation results within a specific period of time. The data is displayed in a list. You can filter statistics by using different attributes such as data types and sensitivity levels. For more information, see What are the standards for the security assessment and filing of cross-border data transfer?

Statistics on Domain Names in Personal Information and API Names

Displays the numbers of entries of personal information and sensitive personal information that are transferred across borders through each domain name and each API within a specific period of time. The data is displayed in a list.

2. Tracing and auditing

You can use the tracing and auditing feature to monitor sensitive data traffic within the previous 30 days and trace and query sensitive data. If a sensitive data leak occurs, you can use the feature to identify the possible point of time at which the data leak occurs and trace how the data is leaked. This helps you handle the leak at the earliest opportunity and reduce business loss. On the Tracing and Auditing tab of the API Security page, you can obtain information about tracing and auditing.

Important
  • The feature is supported only for subscription WAF instances that are deployed in regions in the Chinese mainland and support the API security module.

  • By default, the tracing and auditing feature is disabled. To enable the feature, go to the Policy Configurations > Applicable Object Configurations tab on the API Security page, find the protected object that you want to manage, and then turn on the switch in the Tracing and Auditing column. For more information, see Policy configurations.

The Tracing and Auditing tab contains the following subtabs.

Log Query

Allows you to obtain the IP addresses, APIs, domain names, and details of sensitive data leaks.

  • IP Address Statistics: displays the IP addresses that are used to obtain sensitive data. The IP addresses are sorted in descending order based on the number of leaked sensitive data entries.

  • Domain Name Statistics: displays the domain names whose sensitive data is leaked. The domain names are sorted in descending order based on the number of leaked sensitive data entries.

  • Sensitive Data Type Statistics: displays the types of leaked sensitive data. The sensitive data types are sorted in descending order based on the number of leaked sensitive data entries.

  • API Statistics: displays the APIs over which sensitive data is leaked and the domain names whose sensitive data is leaked. The APIs and domain names are sorted in descending order based on the number of leaked sensitive data entries.

  • Details: displays the logs of sensitive data leaks. You can specify conditions such as the domain name, API, sensitive data type, and IP address to search for specific logs.

Note

For more information about the types of sensitive data, see What types of sensitive data can be detected by the API security module?

For more information about API sensitivity levels, see What are the sensitivity levels of the API security module?

Data Traceability

Allows you to enter sample sensitive data that you want to query and obtain tracing results.

  1. On the Policy Configurations > Applicable Object Configurations tab, find the protected object that you want to manage and turn on the switch in the Tracing and Auditing column.

  2. Select the type of sensitive data that you want to trace and enter sample data.

    Note

    Tracing results are cross-validated against all the samples that you enter, so the accuracy of the results increases with the number of samples. You can enter up to five sample data entries. Separate multiple sample data entries with commas (,).

  3. In the tracing results, find the result that you want to inspect and click View Details in the Actions column. The Log Query tab opens and shows the tracing information for that result.
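The following script is an added example that is not part of this topic and is not code from the WAF console or its API. It reproduces offline what the Log Query statistics and the Data Traceability procedure above describe: given up to five comma-separated sample values, it finds the log records in which the API security module detected those values, ranks each client IP, domain name, and API by how many distinct samples it returned (the cross-validation step, where several corroborating samples outrank a single hit), and builds the descending IP, domain name, sensitive data type, and API counters. The log records, their field names, and the sample values are constructed for the example and are not the WAF log schema.

```python
"""Offline illustration of sample-based sensitive-data tracing.

Added example, not code from the WAF console or its API. Log records and
field names below are constructed for this example and are not the WAF
log schema.
"""
from collections import Counter, defaultdict

MAX_SAMPLES = 5  # the console accepts up to five comma-separated samples

# Constructed records: one per response in which sensitive data was detected.
# "values" holds the detected values in the clear so the matching is visible;
# a real product would store them masked.
LOG_RECORDS = [
    {"time": "2024-08-20T08:01:02Z", "client_ip": "203.0.113.7", "host": "api.example.com",
     "api": "/v1/users/export", "sensitive_type": "phone", "values": ["13800000001", "13800000002"]},
    {"time": "2024-08-20T08:01:09Z", "client_ip": "203.0.113.7", "host": "api.example.com",
     "api": "/v1/users/export", "sensitive_type": "id_card", "values": ["110101199001011234"]},
    {"time": "2024-08-20T09:12:44Z", "client_ip": "198.51.100.9", "host": "shop.example.com",
     "api": "/order/detail", "sensitive_type": "phone", "values": ["13800000001"]},
    {"time": "2024-08-20T10:30:00Z", "client_ip": "192.0.2.33", "host": "shop.example.com",
     "api": "/order/list", "sensitive_type": "phone", "values": ["13900000009"]},
]


def parse_samples(text):
    """Split console-style input ("a, b,c") into at most five non-empty samples."""
    samples = [s.strip() for s in text.split(",") if s.strip()]
    if not samples:
        raise ValueError("at least one sample value is required")
    if len(samples) > MAX_SAMPLES:
        raise ValueError(f"at most {MAX_SAMPLES} sample values are accepted")
    return samples


def trace_samples(samples, records=LOG_RECORDS):
    """Return (client_ip, host, api, matched_sample_count, entry_count) rows.

    A record matches when any detected value equals a sample. Rows are ranked
    by the number of distinct samples seen at the same IP/domain/API (several
    samples corroborating one endpoint is the cross-validation step), then by
    the number of matching log entries.
    """
    wanted = set(samples)
    matched = defaultdict(set)   # (ip, host, api) -> distinct samples seen there
    entries = Counter()          # (ip, host, api) -> number of matching records
    for rec in records:
        hits = wanted.intersection(rec["values"])
        if not hits:
            continue
        key = (rec["client_ip"], rec["host"], rec["api"])
        matched[key].update(hits)
        entries[key] += 1
    rows = [(ip, host, api, len(matched[(ip, host, api)]), entries[(ip, host, api)])
            for (ip, host, api) in matched]
    rows.sort(key=lambda r: (-r[3], -r[4], r[0], r[1], r[2]))
    return rows


def leak_statistics(samples, records=LOG_RECORDS):
    """Log Query style counters, each sorted in descending order.

    An "entry" here is one detected value that equals a sample. Returns a dict
    with "ip", "domain", "type" and "api" lists of (name, entry_count) pairs;
    "api" is keyed by (host, api) so the same path on two domains stays apart.
    """
    wanted = set(samples)
    by_ip, by_domain, by_type, by_api = Counter(), Counter(), Counter(), Counter()
    for rec in records:
        n = len(wanted.intersection(rec["values"]))
        if n == 0:
            continue
        by_ip[rec["client_ip"]] += n
        by_domain[rec["host"]] += n
        by_type[rec["sensitive_type"]] += n
        by_api[(rec["host"], rec["api"])] += n
    return {"ip": by_ip.most_common(), "domain": by_domain.most_common(),
            "type": by_type.most_common(), "api": by_api.most_common()}


if __name__ == "__main__":
    samples = parse_samples("13800000001, 13800000002,110101199001011234")
    for row in trace_samples(samples):
        print(row)
    print(leak_statistics(samples))
```

With the three constructed samples, the export API on api.example.com called from 203.0.113.7 returned all three values across two records and ranks first, while the order-detail API on shop.example.com returned only one sample; a single sample would have produced two equally weighted rows, which is why the console note recommends entering more than one sample.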