analyzing-api-gateway-access-logs

Solid

Parses API Gateway access logs (AWS API Gateway, Kong, Nginx) to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts. Uses pandas for statistical analysis of request patterns and anomaly detection. Use when investigating API abuse or building API-specific threat detection rules.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
79
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Analyzing API Gateway Access Logs ## When to Use - When investigating security incidents that require analyzing api gateway access logs - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions Parse API gateway access logs to identify attack patterns including broken object level authorization (BOLA), excessive data exposure, and injection attempts. ```python import pandas as pd df = pd.read_json("api_gateway_logs.json", lines=True) # Detect BOLA: same user accessing many different resource IDs bola = df.groupby(["user_id", "endpoint"]).agg( unique_ids=("resource_id", "nunique")).reset_index() suspicious = bola[bola["unique_ids"] > 50] ``` Key detection patterns: 1. BOLA/IDOR: sequential resource ID enumeration 2. Rate limit bypass via header manipulation 3. Credential scanning (401 surges from single source) 4. SQL/NoSQL injection in query parameters 5. Unusual HTTP methods (DELETE, PATCH) on read-only endpoints ## Examples ```python # Detect 401 surges indicating credential scanning auth_failures = df[df["status_code"] == 401] scanner_ips = auth_...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

API & Backend Listed

analyzing-api-gateway-access-logs

解析 API 网关访问日志(AWS API Gateway、Kong、Nginx),检测 BOLA/IDOR 攻击、速率限制绕过、凭据扫描和注入尝试。使用 pandas 进行请求模式的统计分析和异常检测。适用于调查 API 滥用或构建 API 专项威胁检测规则。

16 Updated 1 months ago
killvxk
AI & Automation Featured

detecting-api-enumeration-attacks

Detect and prevent API enumeration attacks including BOLA and IDOR exploitation by monitoring sequential identifier access patterns and authorization failures.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-aws-cloudtrail-anomalies

Detect unusual API call patterns in AWS CloudTrail logs using boto3, statistical baselining, and behavioral analysis to identify credential compromise, privilege escalation, and unauthorized resource access.

12,642 Updated today
mukul975
AI & Automation Solid

analyzing-cloud-storage-access-patterns

Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS audit logs, and Azure Storage Analytics. Identifies after-hours bulk downloads, access from new IP addresses, unusual API calls (GetObject spikes), and potential data exfiltration using statistical baselines and time-series anomaly detection.

12,642 Updated today
mukul975
DevOps & Infrastructure Solid

analyzing-web-server-logs-for-intrusion

Parse Apache and Nginx access logs to detect SQL injection attempts, local file inclusion, directory traversal, web scanner fingerprints, and brute-force patterns. Uses regex-based pattern matching against OWASP attack signatures, GeoIP enrichment for source attribution, and statistical anomaly detection for request frequency and response size outliers.

12,642 Updated today
mukul975