1. Overview

WAAS can automatically learn the API endpoints in your app, show an endpoint usage report, and let you export all discovered endpoints as an OpenAPI 3.0 spec file.

2. Enable API discovery

When API discovery is enabled, Defender inspects API traffic routed to the protected app. Defenders learn the endpoints in your API by analyzing incoming requests and generating a tree of API paths. Every 30 minutes, Defender sends Console a diff of what it has learned since its last update. Console merges the update with what it already knows about the API.

The API discovery subsystem attempts to ignore all HTTP traffic that doesn’t resemble an API call. Defender uses some criteria for identifying which requests to inspect:

  • Requests must have non-error response codes.

  • Requests must not have an extension (.css, .html, etc).

  • Requests content type must be textual (text/), application (application/), or empty.

API discovery is enabled by default. Learning is either on or off. (Compare this to container runtime protection, where there’s a learning period, and after the learning period has elapsed, the model of "known good activity" is locked.)

To enable API discovery for a protected app:

  1. Log into Console, and go to Defend > WAAS > {Container | Host | App-Embedded}.

  2. If you’re setting up WAAS to protect an app, then follow these substeps. Otherwise, if you’ve already defined an app, expand the rule, click on the app from the apps list, and proceed to the next step.

    1. Click Add rule.

    2. Specify a rule name and a scope.

    3. Click Add new app.

  3. Click the App definition tab.

  4. In the Endpoint setup tab, set API discovery to On.

3. Inspect discovered endpoints

The endpoint report enumerates discovered APIs on a per-app basis. It shows information such as HTTP method, path (including path parameters), request content-type, query parameters, hit count, and last seen date. To view the report, go to Monitor > WAAS > API Observations.

Click the Refresh button to force Console to poll Defenders for the latest data, analyze it, and present the results in the table.

waas api observation

You can export the discovered endpoints for an app as an OpenAPI spec file. Alternatively, you can delete everything that WAAS has learned about the API for an app so far.

waas api observation actions
If a rule with an app is deleted from the WAAS policy, its learned endpoints are also deleted.