API Discovery

Overview

API Discovery provides security by visibility to the API passing to the web server.

API Discovery provides, after a learning period, the suggested initial schema for API Schema validation enforcement, and from then on, assists in maintaining that schema across time by suggesting changes to it according to the actual use.

For a full overview of API Discovery's role within API Security, read here:

Setup API Security

API Discovery supports:

  1. REST API

  2. GraphQL API

GraphQL subscription requests, based on Web Sockets, are not supported yet, and will not be detected.

How does API discovery work?

API discovery learns the actual behavior of the traffic to the web server's exposed URI paths.

API discovery inspects:

  1. Requests to the internal web server that are accepted by it. i.e. their HTTP return codes are not 4XX/5XX.

  2. Traffic blocked by API Schema Validation if active and set to Prevent - In order to suggest missing APIs to the existing validated schema.

Once Schema Validation is active and set to "Prevent", API Discovery must look at traffic blocked by Schema Validation in order to detect potential new APIs or modified APIs that were added to the client and server, but not added to the schema used by Schema Validation Security.

For this reason - Once Schema Validation is active, all new API suggested by schema validation must be reviewed and approved by the security administrator and schema owner before being added to the schema.

The API Discovery will not have knowledge which of the requests for an API that does not appear in the schema are requests that would've been accepted by the

API Discovery Learning engine has 2 stages:

  1. API detection using an iterative Machine Learning A.I. engine that detects usage of APIs (a combination of the method and the endpoint used in the request). Several different endpoints may be joined at this stage to a single API using path parameters.

  2. Schema Builder that looks further at query parameters and the request body, to build the exact schema for each API derived from multiple requests to it. At this stage usage of sensitive data is also detected for each API.

Schema Builder does not yet look at HTTP headers as part of building the schema with the exception of "Content-Type".

Similarly to addition learning mechanisms in CloudGuard WAF, learning levels which track progress.

The Learning mechanism may require the user to decide between several options when the learning result is not conclusive enough.

Where can you see API Discovery Results?

For a full explanation of tracking API Discovery results see:

Track API Discovery Learning

In general, there are 3 locations:

  1. Within each asset, the API Discovery engine shows the detected Schema and its progress across versions. Versions will initially change due to iterative learning as more and more traffic passes through the engine, and later, versions will be created by a change in the behavior of the client requests and the API the web server accepts.

  2. Within each asset, the Learn tab shows a summary of the discovered schema and allows for supervised fine tuning.

  3. An API Dashboard shows cross-asset view of all APIs as well as top APIs (most used, least used, sensitive data APIs, etc.)

Last updated