API observations

WAAS can automatically learn the API endpoints in your app, show an endpoint usage report, and let you export all discovered endpoints as an OpenAPI 3.0 spec file.

Enable API discovery

When API discovery is enabled, Defender inspects API traffic routed to the protected app. Defenders learn the endpoints in your API by analyzing incoming requests and generating a tree of API paths. Every 30 minutes, Defender sends Console a diff of what it has learned since its last update. Console merges the update with what it already knows about the API.
The API discovery subsystem attempts to ignore all HTTP traffic that doesn’t resemble an API call. Defender uses some criteria for identifying which requests to inspect:
  • Requests must have non-error response codes.
  • Requests must not have an extension (.css, .html, etc).
  • Requests content type must be textual (text/), application (application/), or empty.
API discovery is enabled by default. Learning is either on or off. (Compare this to container runtime protection, where there’s a learning period, and after the learning period has elapsed, the model of "known good activity" is locked.)
To enable API discovery for a protected app:
  1. Log in to the Console, and go to
    Defend > WAAS > {Container | Host | Out-of-band }
    .
  2. Click
    Add rule
    .
  3. Select
    API endpoint discovery
    .
  4. Save
    the rule.
    If you have not enabled
    API endpoint discovery
    while creating a rule, you can also enable it after the rule creation.

Inspect discovered endpoints

The endpoint report enumerates discovered APIs on a per-app basis. It shows information such as HTTP method, path (including path parameters), request content-type, query parameters, message JSON structure, hit count, and last seen date. To view the report, go to
Monitor
>
WAAS
>
API Observations
>
Discovered endpoints
.
To view the report for Out-of-band WAAS rules, go to
Monitor
>
WAAS
>
API Observations
>
Out-of-band observations
.
Select
Refresh
to force Console to poll Defenders for the latest data, analyze it, and present the results in the table.
Clicking on a line will present the recoded message body (currently, only JSON learning is supported)
You can export the discovered endpoints for an app as an OpenAPI spec file. Alternatively, you can select the 3 dots …​ and Delete, to delete everything that WAAS has learned about the API for an app so far.
If a rule with an app is deleted from the WAAS policy, its learned endpoints are also deleted.

Recommended For You