API Discovery

This section describes how to use the API structure built by the API Discovery module.

The built API structure is presented in the API Discovery section. The section is only available to the users of the following roles:

  • Administrator and Analyst can view and manage the data discovered by the API Discovery module.

    Global Administrator and Global Analyst in the accounts with the multitenancy feature have the same rights.

  • API Developer can view and download the data discovered by the API Discovery module. This role allows distinguishing users whose tasks only require using Wallarm to get actual data on company APIs. These users do not have access to any Wallarm Console sections except for API Discovery and Settings → Profile.

To give users a familiar format for API representation, Wallarm presents the list of discovered APIs and their details in a Swagger-like interface.

The API structure includes the following elements:

  • Customer applications with discovered API hosts.

  • Discovered endpoints grouped by API hosts. For each endpoint, the HTTP method is displayed.

Endpoints discovered by API Discovery

Filtering endpoints

Among a wide range of API endpoint filters, you can choose the ones corresponding to your analysis purpose, e.g.:

  • Find the endpoints that have been changed or newly discovered in the last week and that process PII data. This kind of request helps you stay up to date with critical changes in your APIs.

  • Find the endpoints used to upload data to your server via PUT or POST calls. Since such endpoints are a frequent attack target, they should be well secured. With this kind of request you can check that these endpoints are known to the team and are properly protected from attacks.

  • Find the endpoints processing customers' bank card data. With this request, you can check that sensitive data is processed only by secured endpoints.

  • Find the endpoints of a deprecated API version (e.g. by searching /v1) and make sure that they are not used by clients.

All filtered data can be exported in the OpenAPI v3 format for additional analysis.

Viewing endpoint parameters

By clicking the endpoint, you can also find the set of required and optional parameters with the relevant data types:

Request parameters discovered by API Discovery

To sort, click the name of the column. To change the sorting order, click again.

The information on each parameter includes:

  • Parameter name and the part of the request this parameter belongs to

  • Presence and type of sensitive data (PII) transmitted by this parameter, including:

    • Technical data like IP and MAC addresses
    • Login credentials like secret keys and passwords
    • Financial data like bank card numbers
    • Medical data like a medical license number
    • Personally identifiable information (PII) like full name, passport number or SSN
  • Date and time when parameter information was last updated

  • Type/format of data sent in this parameter

Tracking changes in API structure

You can check what changes occurred in the API structure within a specified period of time. To do that, from the Changes since filter, select the appropriate period or date. The following markers will be displayed in the endpoint list:

  • New for the endpoints added to the list within the period.

  • Changed for the endpoints that have new or removed parameters. In the details of the endpoint such parameters will have a corresponding mark.

  • Removed for the endpoints that did not receive any traffic within the period. This period is calculated individually for each endpoint, based on the statistics of how that endpoint is accessed. If a "removed" endpoint is later discovered to receive traffic again, it is marked as "new".

API Discovery - track changes

Using the Changes since filter only highlights the changed endpoints among the others. If you want to see only changes, additionally use the Changes in API structure filter where you can select one or several types of changes:

  • New endpoints

  • Changed endpoints

  • Removed endpoints

Selecting values from this filter will show only the endpoints correspondingly changed within the specified period.

To see attacks and incidents related to an endpoint for the last 7 days, in the endpoint menu select Search for attacks on the endpoint:

API endpoint - open events

The Events section will be displayed with the filter applied:

attacks incidents last 7 days d:<YOUR_API_HOST> u:<YOUR_ENDPOINT>

You can also copy an endpoint URL to the clipboard and use it to search for events. To do this, in the endpoint menu select Copy URL.

API structure and rules

You can quickly create a new custom rule from any endpoint of the API structure:

  1. In the endpoint menu, select Create rule. The create rule window is displayed, with the endpoint address filled in automatically.

  2. In the create rule window, specify rule information and then click Create.

Create rule from endpoint

Download OpenAPI specification (OAS) for your API structure

Click Download OAS to get a swagger.json file with the description of the API structure discovered by Wallarm. The description will be in the OpenAPI v3 format.

Filtered download

When downloading the description of the API structure, applied filters are taken into account. Only filtered data is downloaded.

API host information in downloaded Swagger file

If a discovered API structure contains several API hosts, endpoints from all API hosts will be included in the downloaded Swagger file. Currently, the API host information is not included in the file.

Using the downloaded data, you can discover:

  • The list of endpoints discovered by Wallarm, but absent in your specification (missing endpoints, also known as "Shadow API").

  • The list of endpoints present in your specification but not discovered by Wallarm (endpoints that are not in use, also known as "Zombie API").
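As an added example (not Wallarm's own code), the following Python script compares a swagger.json obtained via Download OAS with the team's own OpenAPI v3 specification and lists Shadow and Zombie endpoints. Both documents below are constructed samples; because the downloaded file carries no API host information, the comparison is by HTTP method and path only, and templated path parameters are normalized so that differing parameter names still match.

```python
import json
import re
from typing import Dict, Set, Tuple

# Constructed sample documents (not real Wallarm output).
# DISCOVERED stands in for the swagger.json downloaded via Download OAS,
# DOCUMENTED for the specification maintained by the API team.
DISCOVERED = json.loads("""{
  "openapi": "3.0.0",
  "paths": {
    "/v2/users/{id}": {"get": {}, "put": {}},
    "/v2/users": {"post": {}},
    "/v1/users": {"get": {}},
    "/internal/debug": {"get": {}}
  }}""")

DOCUMENTED = json.loads("""{
  "openapi": "3.0.0",
  "paths": {
    "/v2/users/{userId}": {"get": {}, "put": {}, "delete": {}},
    "/v2/users": {"post": {}},
    "/v2/orders": {"get": {}}
  }}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def normalize_path(path: str) -> str:
    """Drop a trailing slash and replace every templated segment
    ({id}, {userId}, ...) with {} so the two specs compare equal."""
    return re.sub(r"\{[^/}]*\}", "{}", path.rstrip("/") or "/")

def endpoints(spec: dict) -> Set[Tuple[str, str]]:
    """Collect (METHOD, normalized path) pairs from an OpenAPI v3 document,
    skipping non-operation keys of a path item such as "parameters"."""
    found = set()
    for path, item in spec.get("paths", {}).items():
        for key in item:
            if key.lower() in HTTP_METHODS:
                found.add((key.upper(), normalize_path(path)))
    return found

def compare(discovered: dict, documented: dict) -> Dict[str, Set[Tuple[str, str]]]:
    """Shadow API: seen in traffic but undocumented.
    Zombie API: documented but never observed by API Discovery."""
    seen, spec = endpoints(discovered), endpoints(documented)
    return {"shadow": seen - spec, "zombie": spec - seen}

if __name__ == "__main__":
    result = compare(DISCOVERED, DOCUMENTED)
    for kind in ("shadow", "zombie"):
        for method, path in sorted(result[kind]):
            print(f"{kind:6} {method:6} {path}")
```

To run it against real data, load the downloaded swagger.json and your own specification with json.load in place of the two samples.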