API discovery process
The API Behavioral Security (ABS) discovery process starts when the API Security Enforcer (ASE) sends the access log files to ABS.
The discovery process and reporting interval are defined by the variables configured using the Global configuration update REST API.
1. ABS processes the ASE log files and looks for new APIs. During the discovery period, ABS monitors the traffic on the API JSON (root API) and requires only one valid request to report an API. ABS considers only valid (200-OK response) requests for discovering APIs. At the end of the discovery period, ABS publishes the discovered APIs. ABS specifically looks for the following four values in the incoming traffic on the root API:
   - Hostname
   - Pathinfo
   - Scheme or protocol
   - Backend server. If ASE is deployed in sideband mode, the backend server is not reported.
2. At the end of the initial discovery period, ABS does one of the following:
   - If the API definition was learned, ABS outputs the discovered APIs with the parameters detailed in the table below.
   - If the API definition is incomplete, ABS repeats the discovery process (Step 1) for a discovery_update_interval (default is 1 hour).

The following illustration shows an example of the API discovery process:
The illustration shows three APIs: API 1, API 2, and API 3, which are the undiscovered APIs in your environment. The traffic for these APIs comes through the root API configured in ASE. The following points explain the discovery process:
- API 1 receives a request in the initial training period with a 200-OK response. This API is discovered at the end of discovery_initial_period T1.
- API 2 receives one invalid request (404 response) during the initial discovery period. This API is not reported at T1.
- API 3 did not receive any request in the initial discovery period. Hence it was not reported at T1. However, API 3 got one valid request (200-OK response) in the time period T1-T2, hence it was reported at time T2. The time period T1-T2 is discovery_update_interval.

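The timeline above as a small simulation, added here as an illustration; it is not PingIntelligence code and does not read the real ASE access-log format. The record layout, host names, backend addresses, the 3600-second initial period, and treating the first path segment as the API's base path are all assumptions.

```python
import math
from typing import NamedTuple, Optional

class Hit(NamedTuple):           # constructed record, not the ASE access-log format
    t: int                       # seconds since discovery started
    scheme: str
    host: str
    path: str
    status: int
    backend: Optional[str]

def report_time(t, initial_period, update_interval):
    """End of the discovery period that contains time t (T1, T2, ...)."""
    if t <= initial_period:
        return initial_period
    periods = math.ceil((t - initial_period) / update_interval)
    return initial_period + periods * update_interval

def discover(hits, initial_period, update_interval, sideband=False):
    """Map each discovered API to its report time and the four reported values."""
    found = {}
    for h in sorted(hits, key=lambda r: r.t):
        if h.status != 200:                  # only valid (200-OK) requests count
            continue
        base = "/" + h.path.strip("/").split("/")[0]   # assumption: first segment
        key = (h.scheme, h.host, base)
        if key in found:                     # one valid request is enough
            continue
        found[key] = {
            "reported_at": report_time(h.t, initial_period, update_interval),
            "hostname": h.host, "pathinfo": base, "scheme": h.scheme,
            "backend": None if sideband else h.backend,  # omitted in sideband mode
        }
    return found

T1, INTERVAL = 3600, 3600        # constructed initial period; 1-hour update interval
SAMPLE = [                       # constructed traffic matching API 1, API 2, API 3
    Hit(120, "https", "shop.example.com", "/api1/items", 200, "10.0.0.5:8080"),
    Hit(900, "https", "shop.example.com", "/api2/cart", 404, "10.0.0.6:8080"),
    Hit(5000, "https", "shop.example.com", "/api3/pay", 200, "10.0.0.7:8080"),
]

if __name__ == "__main__":
    for key, info in discover(SAMPLE, T1, INTERVAL).items():
        print(key, info)
```

API 2 never appears in the result because its only request returned 404, so an API that has not yet served a 200-OK response stays out of the discovery report and needs to be inventoried by other means.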
The initial discovery period applies only to a fresh installation of PingIntelligence components. If you are upgrading an existing deployment, the
ABS API definition reports include the following information for each discovered API:
| Information | Description |
|---|---|
| | Hostname or IP address that is serving the API. |
| | The base path on which the API is served. The base path is relative to the host. The value starts with a leading / (slash). |
| | API protocol - value must be HTTP, HTTPS, WS, or WSS. |
| | A list of MIME types that the APIs can consume. |
| | A list of MIME types that the APIs can produce. |
| | Relative paths to the individual endpoints. |
| | Placeholder to hold responses. |
| | Backend servers for the API. |
| | Value is |

You can add the discovered APIs automatically to ASE using Discovered APIs in the PingIntelligence for APIs Dashboard. Note that when the root API is configured with the token, cookie, or API key parameter, PingIntelligence expects all discovered APIs to use the defined identifiers for authentication. If this is not the case, add the discovered APIs manually in ASE.