API Sessions
The API Sessions module depicts the interaction of individual actors with the business logic of APIs or applications. API Sessions allow you to identify various behavioral and business-logic flaws and facilitate investigations of security incidents. This article gives an overview of API Sessions: it describes how the module works, how it is enabled and configured, and which limitations it currently has.
How API Sessions work
API Sessions group all requests (legitimate and attacks) within a session according to predetermined rules. Only certain metadata is saved for requests, which eliminates the transfer and processing of sensitive information in the Wallarm Cloud. The identified sequence of requests allows you to analyze the context around a certain event and understand what the attacker did before the recorded incident and what happened after. API Sessions give the security team a convenient tool for conducting investigations and allow you to easily validate identified malicious behavioral patterns detected using Abuse Prevention.
Use the API Sessions section of the Wallarm Console to analyze session content. When working with data, consider existing limitations.
Enabling and configuring
API Sessions operate in beta mode and are enabled and configured through Wallarm support. This functionality requires node version 4.10.2 or later.
To make the API Sessions functionality more precise, it is recommended to enable JA3 fingerprinting for better identification of unauthenticated traffic.
Limitations
Currently API Sessions have some limitations. In the API Sessions section:
- Only sessions for the last 7 days are stored and displayed. Older sessions are automatically deleted.
- The credential stuffing, brute force, forced browsing, and BOLA attack types are not marked.
- The denylisted events are not presented.