| name | analyzing-api-gateway-access-logs |
| description | Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.
|
| domain | cybersecurity |
| tags | ["analyzing","api","gateway","access"] |
| subdomain | security-operations |
| version | 1.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | ["DE.CM-01","RS.MA-01","GV.OV-01","DE.AE-02"] |
Analyzing Api Gateway Access Logs
Overview
Cybersecurity skill for analyzing api gateway access logs. Follows industry best practices and security standards.
When to Use
Trigger phrases:
-
"analyzing api gateway access logs"
-
"When investigating security incidents that require analyzing api gateway access"
-
"When building detection rules or threat hunting queries for this domain"
-
"When SOC analysts need structured procedures for this analysis type"
-
When investigating security incidents that require analyzing api gateway access logs
-
When building detection rules or threat hunting queries for this domain
-
When SOC analysts need structured procedures for this analysis type
-
When validating security monitoring coverage for related attack techniques
When NOT to Use
- When you lack proper authorization for testing
- For production systems without change management
- When the task requires legal or compliance expertise beyond technical scope
Prerequisites
- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
Workflow
import re
IOC_PATTERNS = {
"ip": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
"domain": r"\b[a-z0-9-]+\.[a-z]{2,}\b",
"hash_md5": r"\b[a-f0-9]{32}\b",
"hash_sha256": r"\b[a-f0-9]{64}\b",
}
def extract_iocs(text: str) -> dict:
return {k: re.findall(v, text) for k, v in IOC_PATTERNS.items()}
- Scope the Analysis — Define what api gateway access logs artifacts or data sources to examine and the investigation timeline.
- Preserve Evidence — Create forensic copies of relevant data. Maintain chain of custody documentation.
- Extract Key Indicators — Parse and extract relevant api gateway access logs data points from collected artifacts.
- Correlate Findings — Cross-reference extracted data with other sources (threat intel, logs, timelines).
- Build Timeline — Construct a chronological sequence of events related to api gateway access logs.
- Document Analysis — Write findings report with evidence, conclusions, and recommendations.
Tools
- Forensic Toolkit — Evidence collection and analysis
- Timeline Tools — Chronological event reconstruction
- Log Analysis Platform — Centralized log parsing and search
Process
- Design — Define interface, identify patterns, plan implementation
- Implement — Write code following existing conventions, add tests
- Verify — Run tests, check integration, validate behavior
Verification
Anti-Rationalization
| Rationalization | Reality |
|---|
| "We are too small to be targeted" | Automated attacks target everyone. Size does not matter. |
| "Security slows us down" | A breach slows you down 100x more. Build security in from the start. |
| "We will fix it after launch" | Vulnerabilities in production are exploited within hours. Fix before deploy. |