API Discovery and Sensitive Data

After onboarding an application, it is important to review the discovered APIs and sensitive data to validate security classifications and ensure proper handling of personally identifiable information (PII).

🔍 API Discovery Review

Unauthenticated APIs:
Review all APIs marked as UnAuth in the API Catalogue to confirm whether they are truly intended to be publicly accessible.
If the application uses a custom authentication attribute, verify it under Settings → Session & User Attribution.
Privileged APIs:
APIs with elevated access (e.g., admin-only operations) are automatically tagged using system-learned privilege tags.
Review and update these tags to ensure accurate access levels and policy enforcement.

🔁 Reviewing and Merging Parameterized APIs

The AppSentinels Platform auto-identifies and merges parameterized API URIs to reduce noise in the API catalogue.

🔹 Auto-Parameterization Behavior

Dynamic path segments like /user/123/profile are normalized to /user/{id}/profile.
If the parameter is the last segment and a string (e.g., /product/abc123), it may not be auto-parameterized.

🔹 Manual Merging

Go to API Catalogue → API Tree
Review URIs that need merging
Use the interface to merge and parameterize endpoints appropriately

✅ Regularly reviewing and merging API paths improves catalogue clarity, reduces redundant analysis, and enhances threat detection accuracy.

🔐 PII & Sensitive Data Review

The platform detects common PII fields (e.g., Aadhaar, email, phone).
Review identified fields to assess if data exposure can be minimized.
If custom PII types exist, define them in the platform to ensure detection, anonymization, and hashing both at the Controller and in storage.

✅ Regular review of discovered APIs and sensitive data ensures stronger threat detection and compliance with privacy policies.

⚙️ Configuring Governance Alerts

Governance alerts allow proactive monitoring of API changes and risks, supporting better API hygiene.

🔹 Types of Governance Alerts

Newly Discovered APIs
Inactive APIs
Unauthenticated APIs
Modified APIs

These alerts help identify unauthorized changes, unused or exposed endpoints, and enforce proper authentication.

🔹 Configuration Location

Navigate to Settings → Vulnerability Configuration → Governance Controls.
Toggle and customize alert rules to receive notifications.

✅ Enabling governance alerts ensures continuous monitoring and internal API policy enforcement.

⯇ Onboarding an Application Passive Scanning Vulnerabilities ⯈