Cisco Secure Access Alerts for API Usage Anomalies, Overview

Alerts for API Anomalies

In Secure Access, add Alert Rules and enable alerts and push notifications for API anomalies. Secure Access alerts on the unexpected usage of the Secure Access APIs in the organization.

Use the Secure Access Third-Party Integrations API to add a Webhook and receive the push notifications from Secure Access. For more information, see Third-Party Integrations API.

Secure Access sends alerts formatted using the Secure Access Alerts JSON schema for API anomalies.

Overview

API Anomalies Alerts Schema

{
    "$schema": "https://json-schema.org/draft/2020-12/schema",
    "$id": "https://api.sse.cisco.com/api.anomaly.alerts.schema.json",
    "title": "Cisco Secure Access API Anomaly Alerts",
    "description": "A description of the Secure Access API Anomaly Alerts schema.",
    "type": "object",
    "required": [
        "data"
    ],
    "properties": {
        "data": {
            "type": "object",
            "required": [ "severity", "ruleName", "ruleId", "userAgents", "ruleExpression", "apiKeyId" ],
            "description": "The properties of the data for the alert.",
            "properties": {
                "severity": {
                    "type": "string",
                    "enum": [
                        "Low", "Warning", "High"
                    ],
                    "description": "The label that describes the severity of the alert."
                },
                "ruleName": {
                    "type": "string",
                    "description": "The name of the alert rule."
                },
                "ruleId": {
                    "type": "string",
                    "description": "The ID of the alert rule."
                },
                "userAgents": {
                    "type": "array",
                    "description": "The list of integrated Webhooks configured for the alert.",
                    "items": {
                        "type": "string",
                        "description": "The label for the integrated Webhook."
                    }
                },
                "ruleExpression": {
                    "type": "string",
                    "description": "The description of the alert."
                },
                "apiKeyId": {
                    "type": "string",
                    "description": "The ID of the API key associated with the alert."
                }
            }
        }
    }
}

Example of API Anomalies Alert

{
  "data": {
    "severity": "High",
    "ruleName": "Unusual API Key Usage Pattern",
    "ruleId": "unusual-api-key-usage",
    "userAgents": ["SBG Cloud Security API Anomalies Detector", "Postman/8.10.0"],
    "ruleExpression": "API Key was used from an unusual geographic location or IP address in the last interval.",
    "apiKeyId": "ak_xyz789def012"
  }
}
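A receiver-side check for the payload above, added here as an example (not Cisco's code): it validates an incoming alert against the required fields, string types and severity enum from the schema, then turns a valid alert into a triage record. The priority mapping and the review_key flag are assumptions of this example, and the sample input is the page's example alert embedded as a constructed dict (the webhook body after JSON parsing).

```python
# Constraints transcribed from the API Anomaly Alerts schema above.
SEVERITIES = {"Low", "Warning", "High"}
REQUIRED = ("severity", "ruleName", "ruleId", "userAgents", "ruleExpression", "apiKeyId")
STRING_FIELDS = ("severity", "ruleName", "ruleId", "ruleExpression", "apiKeyId")

def validate_alert(payload):
    """Return the list of schema violations; an empty list means the alert is valid."""
    errors = []
    data = payload.get("data") if isinstance(payload, dict) else None
    if not isinstance(data, dict):
        return ["missing or non-object 'data'"]
    for key in REQUIRED:
        if key not in data:
            errors.append(f"missing required field '{key}'")
    for key in STRING_FIELDS:
        if key in data and not isinstance(data[key], str):
            errors.append(f"'{key}' must be a string")
    if isinstance(data.get("severity"), str) and data["severity"] not in SEVERITIES:
        errors.append(f"severity {data['severity']!r} is not one of {sorted(SEVERITIES)}")
    agents = data.get("userAgents")
    if "userAgents" in data and not (isinstance(agents, list) and all(isinstance(a, str) for a in agents)):
        errors.append("'userAgents' must be an array of strings")
    return errors

def triage(payload):
    """Reject malformed alerts; turn valid ones into a ticket-style record (assumed mapping)."""
    errors = validate_alert(payload)
    if errors:
        return {"accepted": False, "errors": errors}
    d = payload["data"]
    return {
        "accepted": True,
        "priority": {"High": 1, "Warning": 2, "Low": 3}[d["severity"]],
        "api_key_id": d["apiKeyId"],
        "rule_id": d["ruleId"],
        "review_key": d["severity"] == "High",  # High: have the key owner review or rotate it
        "user_agents": list(d["userAgents"]),
    }

# Constructed sample: the page's example alert, as delivered to the webhook.
SAMPLE_ALERT = {"data": {
    "severity": "High", "ruleName": "Unusual API Key Usage Pattern",
    "ruleId": "unusual-api-key-usage",
    "userAgents": ["SBG Cloud Security API Anomalies Detector", "Postman/8.10.0"],
    "ruleExpression": "API Key was used from an unusual geographic location or IP address in the last interval.",
    "apiKeyId": "ak_xyz789def012"}}
```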

Download API Anomalies Alert Schema

The Cisco Secure Access Alerts schema for API anomalies is described in the Cisco Secure Access Alerts for API Anomalies JSON Schema Document.