Getting Started Guide

ThreatX’s Attack Dashboard offers comprehensive visibility into how the platform secures APIs and web applications from security threats. Within the dashboard, security teams and application owners can view vital data collected about each protected API endpoint, web application, or website. ThreatX analytics automatically correlates vast amounts of data related to the suspicious and malicious traffic the platform has identified, tracked, and blocked, providing teams with real-time situational awareness essential for safeguarding their Internet-facing assets.

The Attack Dashboard consists of three main views: Threat Entities, Top Targets, and Threat Map. Each view offers a unique perspective on an organization’s attack surface.

The data in the dashboard is live and reflects active site traffic. By default, it updates every few seconds with real-time dynamic data. Users can opt for a historical data view at specified times using the time picker. An interactive graph and high-level details, such as request statistics and maximum entity risk, are displayed across the three main views. Hovering over a point on the graph allows users to see the total numbers of matched and blocked requests at specific times, encouraging further investigation into the attack state of an entity.

As ThreatX analyzes HTTP traffic, the platform extracts identifying metadata, including IP addresses, user agents, TLS fingerprints, and other characteristics to formulate profiles and identifiers for each attacker. The Threat Entities view equips security teams with the necessary visibility to swiftly assess Entities prioritized by risk and explore a fully correlated view of the suspicious and malicious behaviors observed. Users can delve further by searching, sorting, and filtering based on specific attack states and classifications to better comprehend the implied risk.

The information is presented clearly below, with special emphasis on key attributes that assist in identifying trends and patterns.

Remembering specific IP addresses can be difficult, and it’s common for attackers to use multiple IP addresses in a single attack. Therefore, ThreatX uses a human-readable name format consisting of a “negative” adjective (such as Smelly) and a pirate name (such as Blackbeard) to identify each unique attacker. ThreatX users will see lists of entities containing names such as SmellyBlackbeard, AnnoyingSpider, and MoodyMorris.

By clicking on a specific Entity name in the Threat Entities view, users will be taken to the Entity Details page where they can view more specific event metadata and request and response information.

The Top Targets view features API and web hostnames that have been targeted during the time selected. Administrators can easily see the assets that are most frequently or aggressively targeted,  [line-through]## gaining insight and understanding of their risk profile, and the protection they are receiving from ThreatX. The Top Targets view makes it easy for the user to drill into each hostname to view the details for each path.

Threat Map is another key view in the Attack Dashboard. It provides visibility into the location of each unique entity and its associated risk. The interactive map allows the user to identify how many unique attackers are acting from each country. Users can hover over a country on the Threat Map, and a pop-up will display the number of attacking entities originating in that country.

The API Defender dashboard provides visibility into the APIs and their endpoints discovered and protected by the ThreatX platform. API traffic analytics, error code summaries, and a visualization of API schema conformance are displayed in API Defender, as shown below in Figure 5, providing the ability to compare what API traffic is expected vs. variances against your organization’s API specifications. The API Defender dashboard brings together API discovery, observability, and the context needed to understand your organization’s entire attack surface and what is being seen in the wild.

ThreatX’s API Defender makes it easier than ever for organizations to drill into the finer points of API attacks. With a comprehensive set of data available, customers can quickly take responsive actions, such as enabling automatic blocking, establishing geo-fencing to block traffic from parts of the globe where there shouldn’t be clients, or tarpitting attacks to prevent overconsumption of backend resources.

ThreatX’s API Discovery capabilities analyze and profile legitimate, suspicious, and malicious API use to discover and enumerate endpoints. While monitoring API interactions in real-time, ThreatX can accurately detect real API endpoints and determine their active tech stacks or markup encodings for JSON, XML, GraphQL, and URL-encoded endpoints. The ThreatX platform is actively expanding its support for additional API tech stacks such as gRPC and SOAP.

The API Defender dashboard gives users the ability to upload, manage, and cross-compare which API traffic is expected according to your organization’s schema vs. what is being seen in the wild. Manage your organization’s API schemas within the API Defender page to gain risk visibility and simplify schema enforcement. API traffic analytics will display and highlight the anomalies seen based on your organization’s API specifications, as seen in Figure 7.

In addition, ThreatX’s real-time discovery capabilities pinpoint API endpoints that may be out of the view of security and development teams, such as zombie and rogue APIs. Overall, these capabilities give an organization a holistic and clear picture of their API attack surface, along with an understanding of when and where APIs are being managed appropriately. Build more confidence in your API specifications with the ability to customize or create API-centered protection rules.