Security events
Security events are API attacks and associated malicious activities that AppSentinels API Security detects as violations of the security policy you enforce in your environment. Such events result from threat actors exploiting, or attempting to exploit, known and previously unreported vulnerabilities in your APIs. Security events can also result from API traffic that does not conform to the API schema.
Each security event is assigned a unique event ID, a severity level and a risk level based on its impact, and a category and subcategory based on the type of rule violation that produced it.
Events can be moved through analysis statuses (Open, In Progress, Analyzed, Resolved) and resolution statuses (New, Fixed, False Positive, Inconclusive) to track how and when they are remediated.
Security events are accessible from the Security Events tab in the left navigation menu. Events are displayed in two views: Summary view and Events List view.
Summary view is a collection of widgets showing Client errors, Server errors, Severity, Status, Age, and other statistics. Events List view lists each event with its timestamp, event ID, category, subcategory, threat actor, and other operational data.
In the List view, the events are listed with the following data:
Severity
The AppSentinels-assigned severity level of the security event, based on the risk posed by the event: Critical, Major, Minor, or Info.
Action
The action taken by the current security policy in response to the security event: Blocked or Allowed.
Risk Level
The AppSentinels-assigned level of risk posed by the security event: Critical, High, Medium, Low, Sub low, or None.
Endpoint
The HTTP method and path of the API endpoint involved in the security event. For example, POST /rest/user/login.
Timestamp
The date and time when the security event occurred.
Event ID
The AppSentinels-generated event ID for the security event.
Category
The AppSentinels-assigned category of the security event based on the type of policy violation. For example, Core Rule Set.
Sub Category
The AppSentinels-assigned subcategory of the security event based on the nature of the policy violation. For example, APPLICATION-ATTACK-XSS.
Summary
A summary of the security event. For example, XSS Attack Detected via libinjection.
User
The user (threat actor) relevant to the security event.
Status
The analysis status of the security event:
Open | The impact of the event is yet to be analyzed.
In Progress | The impact of the event is currently being analyzed.
Analyzed | The impact of the event has been analyzed.
Resolved | The impact of the event has been remediated.
The status can be changed only when the events list is displayed in Show Aggregation mode, and a status change applies to all events in the event group.
Resolution
The resolution status of the security event:
New | The event is yet to be resolved.
Fixed | The event has been fixed.
False Positive | The event does not have a negative impact, and remediation is not required.
Inconclusive | The details gathered about the event and its impact are inconclusive, so the event cannot be considered for remediation.
The resolution status can be changed only when the events list is displayed in Show Aggregation mode, and a resolution change applies to all events in the event group.