Discover Known and Unknown APIs
Objective
This document provides instructions on how to discover and monitor both known and unknown APIs using API Discovery on the F5® Distributed Cloud platform. It focuses on viewing and analyzing API Discovery results, including insights into API endpoints, detected vulnerabilities, and sensitive data.
Prerequisites
- An active F5 Distributed Cloud Services account. If you do not have an account, see Getting Started with Console.
- One or more applications deployed on a Distributed Cloud Customer Edge (CE) Site, with services configured. See App Management and Site Management for more details.
- An active HTTP load balancer configured for your application within the Distributed Cloud platform. If you do not have an HTTP load balancer, see Create HTTP Load Balancer.
Configuration
The following table provides the configuration sequence for this procedure:
Activity | Sequence |
---|---|
Open load balancer monitoring | Access load balancer monitoring from the Console to view API endpoints. |
View API endpoints and details | Inspect the discovered API endpoints, including detailed information for each endpoint. |
Enable columns for additional insights | Customize the view by enabling specific columns, like API attributes. |
Enable API Definition | Configure API Definition for inventory management through either the API Endpoints table or load balancer configuration. |
Identify Shadow APIs | Use filters to view endpoints categorized as Shadow APIs in the API Endpoints tab. |
Move Shadow APIs to inventory | Select shadow API endpoints and move them to your inventory for better management and protection. |
Analyze API traffic and sensitive data | Review API traffic distribution, sensitive data detection, and activity metrics. |
Procedure
Step 1: Open load balancer monitoring view.
- In the Multi-Cloud App Connect service, navigate to the desired namespace.
- Select Overview > Applications and scroll down to the Load Balancers section.

Figure: View All Load Balancers
- Select your load balancer to view the monitoring options.
- Alternatively, access via Web Apps & API Protection service by navigating to Overview > Security.
Step 2: View API endpoints and details.
- Select the API Endpoints tab to view a list of all discovered APIs.

Figure: API Endpoints Tab
- Click on an endpoint to open the Endpoint Details slide-out page. Review the following tabs:
  - Overview: View error rates, latency data, and request/response information.
  - Discovered: See sensitive data detected, authentication types, and OpenAPI schema data.

Figure: Slide-Out Page
Step 3: Enable columns for additional insights.
- To customize your view, select the gear icon to manage columns.
- Enable or disable columns, such as API Attributes, to gain more detailed insights.

Figure: Select More Columns for Display
Step 4: Enable Shadow API detection.
To enable shadow detection, you must first enable API Definition for the inventory. This can be done using two methods: (1) via the API Endpoints table, or (2) via the load balancer configuration.
Method 1
- Select the API Endpoints tab.
- Click Enable next to the API Definition field.

Figure: Enable
- Enter a new name, or use an existing definition.

Figure: Enable Confirmation
- Click Enable API Definition.
Method 2
- Navigate to Manage > Load Balancers.
- Select your load balancer and then click Actions > Manage Configuration.
- Click Edit Configuration.
- From the API Definition drop-down menu, select Enable.

Figure: Select Option for API Definition
- Select an existing definition or create a new one (you can also upload an OpenAPI specification file to a new definition).
- Optionally, select whether to validate the definition against the API inventory (requires API Protection subscription).
- Click Save and Exit.
Step 5: Identify Shadow APIs.
After you enable API Definition, the next discovery cycle automatically checks whether the discovered endpoints exist in the definition.
Endpoints not found in your API definition will be flagged under the API Category column as Shadow.

Figure: Shadow APIs Displayed
To view all Shadow API endpoints discovered in the load balancer, click Filter > API Category > In > Shadow.
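
The comparison that Step 5 describes, sketched as an added example (not F5's code or the platform's matching logic): discovered method and path pairs are checked against the templated paths of an OpenAPI definition, and anything without a match is labelled Shadow. The `SPEC` and `OBSERVED` values are constructed, and treating a defined path with an undefined method as Shadow is an assumption of this example.

```python
import re

# Constructed OpenAPI fragment standing in for the uploaded API definition.
SPEC = {
    "paths": {
        "/api/v1/users": {"get": {}, "post": {}},
        "/api/v1/users/{id}": {"get": {}, "delete": {}},
        "/api/v1/orders/{order_id}/items": {"get": {}},
    }
}

# Constructed (method, path) pairs standing in for discovered traffic.
OBSERVED = [
    ("GET", "/api/v1/users"),
    ("GET", "/api/v1/users/42"),
    ("PUT", "/api/v1/users/42"),        # path is defined, method is not
    ("GET", "/api/v1/orders/7/items"),
    ("GET", "/api/v1/debug/heapdump"),  # not in the definition at all
    ("GET", "/api/v1/users/42/"),       # trailing slash is normalised away
]

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def compile_inventory(spec):
    """Turn each templated path into (anchored regex, allowed methods)."""
    inventory = []
    for template, item in spec.get("paths", {}).items():
        # Split out {param} segments; each one matches a single path segment.
        parts = re.split(r"(\{[^/{}]+\})", template)
        pattern = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
        methods = {m.upper() for m in item if m.lower() in HTTP_METHODS}
        inventory.append((re.compile(f"^{pattern}$"), methods))
    return inventory


def classify(method, path, inventory):
    """Assumption of this example: an endpoint is a method+path pair."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    for regex, methods in inventory:
        if regex.match(path) and method.upper() in methods:
            return "Inventory"
    return "Shadow"


def shadow_endpoints(observed, spec):
    """Return the observed endpoints that the definition does not cover."""
    inventory = compile_inventory(spec)
    return [(m, p) for m, p in observed if classify(m, p, inventory) == "Shadow"]
```
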
Step 6: Move Shadow APIs to inventory.
- Select the checkbox next to the shadow API endpoint you want to manage.
- Click Move to Inventory. A confirmation dialog appears.

Figure: Move to Inventory
- Click Move to Inventory in the confirmation dialog to complete the process. The API endpoints will be categorized as part of your API Inventory.

Figure: Confirmation Dialog
Features
- API Discovery: The process of identifying both known (Inventory) and unknown (Discovered) APIs within your application. This includes detecting new endpoints and classifying them as Inventory or Shadow APIs based on traffic analysis.
- Security Monitoring: A tool within the F5 Distributed Cloud Services platform that allows you to monitor API endpoints, view detected vulnerabilities, and analyze traffic patterns and sensitive data.
- Sensitive Data Detection: The process of identifying sensitive data such as Personally Identifiable Information (PII) within API traffic. This is crucial for maintaining compliance and securing data.
- API Protection: A set of features designed to safeguard your API endpoints from security threats. This includes configuring protection rules, rate limiting, and enforcing schema validation.