
Exploring API Sessions

Once Wallarm's API Sessions has identified user sessions related to your applications, you can explore them in the API Sessions section of Wallarm Console. This article describes how to work through the discovered data.

Full context of threat actor activities

Once a malicious request is detected by Wallarm and displayed in the Attacks or Incidents section as part of an attack, you can see the full context of this request: which user session it belongs to and the full sequence of requests in that session. This lets you investigate all activity of the threat actor to understand the attack vectors and which resources can be compromised.

To perform this analysis, in Wallarm Console → Attacks or Incidents, open the attack and then the details of a specific request. In the request details, click Explore in API Sessions. Wallarm opens the API Sessions section with a filter applied: only the session that the initial request belongs to is displayed, and only the initial request is displayed within this session.

Remove the filter by request ID to see all other requests in the session: now you have the full picture of what was going on within the session the malicious request belongs to.

Activities within specific time

You can investigate what happened within a specified time interval. To do so, set the date/time filter. Only sessions with requests that took place in the specified interval are displayed, and within each session only requests from that interval are displayed.


Hint: open the link to your session in your own browser and then set the time interval to see only requests from the selected session within the selected time.

Specific activities within session

A session may contain many requests of different types (POST, GET, etc.), with different response codes, from different IPs, both legitimate and malicious, with different attack types.

In the session details, you can see comprehensive statistics on how the session's requests are distributed by different criteria. You can apply one or several in-session filters to see only specific requests.


Note that in-session filters interact with the general filters of the API Sessions section:

  • Any session opened after general filters are applied will share these filters (inside the session, you can click Show all requests to cancel that).

  • Use the Apply filters button to apply general filters within your current session.

Inspecting affected endpoints

Use the API Discovery insights in the session request details to inspect the affected endpoints. You can immediately see whether the endpoint is at risk, whether this risk is caused by the endpoint being rogue (specifically, a shadow or zombie API), and how well and by what measures it is protected.


Click Explore in API Discovery to switch to the endpoint information in the API Discovery section.

Identifying performance issues

Use the Time, ms and Size, bytes columns in the session request details to compare the presented data with the average expected values. Values that significantly exceed them signal possible performance issues and bottlenecks, and an opportunity to optimize the user experience.

Verifying API abuse detection accuracy

Once malicious bot activity is detected by Wallarm's API Abuse Prevention and displayed in the Attacks section, you can see the full context of this attack's requests: which user session they belong to and the full sequence of requests in that session. This lets you investigate all activity of the actor to verify whether the decision to mark this actor as a malicious bot was correct.

To perform this analysis, in Wallarm Console → Attacks, open the bot attack details, then click Explore in API Sessions. Wallarm opens the API Sessions section with a filter applied: the session(s) related to this bot's activities are displayed.


Sharing session information

If you find suspicious behavior in a session and would like to share insights with colleagues and store the session for further analysis, use Copy link or Download CSV in the session details.
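
For offline triage of a session saved with Download CSV, the request distribution and the Time, ms / Size, bytes comparison described above can be reproduced in a short script. This is an added example, not Wallarm code: the CSV header names and the sample rows are constructed assumptions, so rename the fields to match your actual export.

```python
import csv
import io
from collections import Counter
from statistics import median

# Constructed sample export. Header names are assumptions modelled on the
# columns this page mentions; adjust them to the real CSV you downloaded.
SAMPLE_CSV = """request_id,method,status,ip,time_ms,size_bytes
r1,GET,200,203.0.113.10,42,1800
r2,GET,200,203.0.113.10,39,1750
r3,POST,200,203.0.113.10,51,2100
r4,GET,200,203.0.113.10,45,1900
r5,GET,200,198.51.100.7,47,250000
r6,POST,500,198.51.100.7,2300,640
r7,GET,200,203.0.113.10,40,1820
"""

def load_requests(text):
    """Parse the export into dicts with numeric time and size fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time_ms"] = float(row["time_ms"])
        row["size_bytes"] = float(row["size_bytes"])
        rows.append(row)
    return rows

def distribution(rows, field):
    """Count requests per value of a field (method, status, ip)."""
    return Counter(r[field] for r in rows)

def outliers(rows, field, threshold=3.5):
    """Return request IDs whose value is far above the session median.

    Uses the modified z-score (median absolute deviation), which is not
    skewed by the very outliers it is looking for.
    """
    values = [r[field] for r in rows]
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # typical values are identical: anything larger stands out
        return [r["request_id"] for r in rows if r[field] > med]
    return [r["request_id"] for r in rows
            if 0.6745 * (r[field] - med) / mad > threshold]

if __name__ == "__main__":
    rows = load_requests(SAMPLE_CSV)
    for field in ("method", "status", "ip"):
        print(field, dict(distribution(rows, field)))
    print("slow requests:", outliers(rows, "time_ms"))
    print("large responses:", outliers(rows, "size_bytes"))
```

The median-based score only flags values above the session's own baseline, so compare the result against the expected values for the endpoint before treating a flagged request as a problem.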
