Skip to content

API Abuse Prevention profile management

In the API Abuse Prevention section of Wallarm Console you can manage API abuse profiles that are required for configuration of the API Abuse Prevention module.

The section is only available to the users of the following roles:

  • Administrator or Analyst for the regular accounts.

  • Global Administrator or Global Analyst for the accounts with the multitenancy feature.

Creating API abuse profile

To create an API abuse profile:

  1. In Wallarm Console → API Abuse Prevention, click Create profile.

  2. Select applications to protect.

  3. Select accuracy of protection.

  4. Select to add bots in denylist or graylist.

  5. Set name and optionally description.

    API Abuse prevention profile

    Once the API abuse profile is configured, the module will start the traffic analysis and blocking supported automated threats.

Disabling API abuse profile

Disabled profiles are the ones that the API Abuse Prevention module does not use during traffic analysis but that are still displayed in the profile list. You can re-enable disabled profiles at any moment. If there are no enabled profiles, the module does not block malicious bots.

You can disable the profile by using the corresponding Disable option.

Deleting API abuse profile

Deleted profiles are the ones that cannot be restored and that the API Abuse Prevention module does not use during traffic analysis.

You can delete the profile by using the corresponding Delete option.

Exploring blocked malicious bots and their attacks

The API Abuse Prevention module blocks bots by adding them to the denylist or graylist for 1 hour.

You can explore blocked bot's IPs in Wallarm Console → IP listsDenylist or Graylist. Explore IPs added with the Bot Reason.

Denylisted bot IPs

If denylisted or graylisted IP actually does not belong to a malicious bot, you can either delete the IP from the list or allowlist it. Wallarm does not block any requests originating from allowlisted IPs including malicious ones.

You can also explore bot API abuse attacks performed by bots in Wallarm Console → Events section. Use api_abuse search key or select API Abuse from the Type filter.

API Abuse events

The API Abuse Prevention module compiles client traffic into URL patterns. The URL pattern may have the following segments:

Segment Contains Example
SENSITIVE Sensitive data that refers to the internals of the web application. wp-admin
IDENTIFIER Various identifiers like numeric identifiers, UUIDs, etc. -
STATIC Static data. images, js
FILE Non-interactive files. image.png
QUERY Query parameters. -
AUTH Content related to the authentication/authorization endpoints. -
LANGUAGE Language-related segments. en, fr
HEALTHCHECK Content related to the health check endpoints. -
VARY Other data not important for analysis. -