API Abuse Prevention profile management¶
In the API Abuse Prevention section of Wallarm Console you can manage API abuse profiles that are required for configuration of the API Abuse Prevention module.
The section is only available to the users of the following roles:
-
Administrator or Analyst for the regular accounts.
-
Global Administrator or Global Analyst for the accounts with the multitenancy feature.
Creating API abuse profile¶
To create an API abuse profile:
-
In Wallarm Console → API Abuse Prevention, click Create profile.
-
Select applications to protect.
-
Select accuracy of protection.
-
Select to add bots in denylist or graylist.
-
Set name and optionally description.
Once the API abuse profile is configured, the module will start the traffic analysis and blocking supported automated threats.
Disabling API abuse profile¶
Disabled profiles are the ones that the API Abuse Prevention module does not use during traffic analysis but that are still displayed in the profile list. You can re-enable disabled profiles at any moment. If there are no enabled profiles, the module does not block malicious bots.
You can disable the profile by using the corresponding Disable option.
Deleting API abuse profile¶
Deleted profiles are the ones that cannot be restored and that the API Abuse Prevention module does not use during traffic analysis.
You can delete the profile by using the corresponding Delete option.
Exploring blocked malicious bots and their attacks¶
The API Abuse Prevention module blocks bots by adding them to the denylist or graylist for 1 hour.
You can explore blocked bot's IPs in Wallarm Console → IP lists → Denylist or Graylist. Explore IPs added with the Bot Reason.
If denylisted or graylisted IP actually does not belong to a malicious bot, you can either delete the IP from the list or allowlist it. Wallarm does not block any requests originating from allowlisted IPs including malicious ones.
You can also explore bot API abuse attacks performed by bots in Wallarm Console → Events section. Use api_abuse search key or select API Abuse from the Type filter.
The API Abuse Prevention module compiles client traffic into URL patterns. The URL pattern may have the following segments:
| Segment | Contains | Example |
|---|---|---|
| SENSITIVE | Sensitive data that refers to the internals of the web application. | wp-admin |
| IDENTIFIER | Various identifiers like numeric identifiers, UUIDs, etc. | - |
| STATIC | Static data. | images, js |
| FILE | Non-interactive files. | image.png |
| QUERY | Query parameters. | - |
| AUTH | Content related to the authentication/authorization endpoints. | - |
| LANGUAGE | Language-related segments. | en, fr |
| HEALTHCHECK | Content related to the health check endpoints. | - |
| VARY | Other data not important for analysis. | - |