API observations

WAAS can automatically learn the API endpoints in your app, show an endpoint usage report, and let you export all discovered endpoints as an OpenAPI 3.0 spec file.

Enable API discovery

When API discovery is enabled, Defender inspects API traffic routed to the protected app. Defenders learn the endpoints in your API by analyzing incoming requests and generating a tree of API paths. Every 30 minutes, Defender sends Console a diff of what it has learned since its last update. Console merges the update with what it already knows about the API.
The API discovery subsystem attempts to ignore all HTTP traffic that doesn’t resemble an API call. Defender uses some criteria for identifying which requests to inspect:
  • Requests must have non-error response codes.
  • Requests must not have an extension (.css, .html, etc).
  • Requests content type must be textual (text/), application (application/), or empty.
API discovery is enabled by default. Learning is either on or off. (Compare this to container runtime protection, where there’s a learning period, and after the learning period has elapsed, the model of "known good activity" is locked.)
To enable API discovery for a protected app:
  1. Log into Console, and go to
    Defend > WAAS > {Container | Host | App-Embedded}
    .
  2. If you’re setting up WAAS to protect an app, then follow these substeps. Otherwise, if you’ve already defined an app, expand the rule, click on the app from the apps list, and proceed to the next step.
    1. Click
      Add rule
      .
    2. Specify a rule name and a scope.
    3. Click
      Add new app
      .
  3. Click the
    App definition
    tab.
  4. In the
    Endpoint setup
    tab, set
    API discovery
    to
    On
    .

Inspect discovered endpoints

The endpoint report enumerates discovered APIs on a per-app basis. It shows information such as HTTP method, path (including path parameters), request content-type, query parameters, hit count, and last seen date. To view the report, go to
Monitor > WAAS > API Observations
.
Click the
Refresh
button to force Console to poll Defenders for the latest data, analyze it, and present the results in the table.
You can export the discovered endpoints for an app as an OpenAPI spec file. Alternatively, you can delete everything that WAAS has learned about the API for an app so far.
If a rule with an app is deleted from the WAAS policy, its learned endpoints are also deleted.

Recommended For You