Apigee Sense gives you tools to prevent unwanted request activity from reaching your API proxies. However, not all activity that looks unwanted actually is. And the last thing you want to do is keep friendly traffic away from your APIs.
For the best start with Apigee Sense, be sure to follow the steps in this topic. In particular, before you begin blocking clients whose behavior seems unwanted, be sure to whitelist friendly client IP addresses.
Understand your detection results
When you get your first batches of detection results, take some time to look them over in the Apigee Sense console. Understand what you see there before you take action.
When you look at the detection report, ask yourself questions such as the following:
Do any of the IP addresses shown there belong to clients whose requests you welcome, such as partners? It's unlikely you want to block friendly activity, even if it falls into your detection results. A client might be friendly if:
- It belongs to a partner you know to be consuming your APIs in production.
- It belongs to someone who is running tests against your APIs.
For more on responding to friendly requests, see Account for requests from desired clients below.
After accounting for friendly clients, ask yourself the following about the others -- where your answers are true, you might be seeing a coordinated attack.
- Do the requests in a given detection rule pattern originate from a wide variety of geographic locations, but a comparatively small number of autonomous system organizations?
- Are there a large number of requests coming from a small number of user agents?
To see details about clients in the detection report
- In the Apigee Sense console, click Detection, then click Report.
- Starting with the detection rules with the highest bot counts and bot traffic, click the View button for each rule. In the List View, you'll see a list of the IP addresses whose requests fit the detection rule's pattern.
- View information about the client by:
- Examining values in its row in the list -- values such as its geographic location.
- Click the IP address to see more detail about the request, such as its user agent.
Account for requests from desired clients
As you examine detection results, you'll be tempted to block or flag everything that looks suspicious. But even if you see quite a lot of activity in your detection results, some of what's there might be from clients whose requests you want to keep.
- Whitelist the IP addresses of friendly clients. While this won't keep those IP addresses from appearing in your detection rule report, it will help prevent you from accidentally blocking the client.
- Disable a detection rule. You might want to disable a detection rule completely if its results are dominated by friendly clients. Reducing noise this way can help you focus on where the genuine threats are.
To whitelist a client IP address
An essential early step with Apigee Sense is whitelisting your partners and other clients who might make requests that happen to fit detection patterns. That way, when you take action to block a unwanted client, you aren't accidentally blocking a friend. Note that this won't keep those IP addresses from appearing in your detection rule report.
You can whitelist a client IP address by taking the "allow" action for that address.
- In the Apigee Sense console, click the Detection menu, then click Report.
- In the list of IP addresses, locate the address of a client you want to add to the whitelist.
- In that IP address's row, in the ACT column, click the dropdown, then click Allow.
To disable a detection rule
Disabling a detection rule removes it from the set of rules that appears in your detection report. This can be useful when the rule appears to be detecting only (or primarily) friendly clients.
- In the Apigee Sense console, click the Detection menu, then click Rules.
- In the Detection Rules list, locate the rule you want to disable.
Hover your mouse over the rule's row in the list, then click Disabled at the far right end of the row.
After an hour, examine analysis results in the Detection report to evaluate whether your changes have had the result you want.
Monitor Apigee availability
Subscribe to updates about the Apigee Sense system, including disruption to the service.
To get updates about Apigee Sense
- In a web browser, navigate to the Apigee Sense Disruption page.
- Click the Subscribe to Updates button.
To request support about Apigee Sense, open a support case as the Apigee Edge Support Portal.