We’ve improved the endpoint risk score feature in the Wallarm API Discovery module. Now you can set the rules for calculating the score for yourself. You can include and exclude risk factors from the calculation, change their weights and change the calculation formula.

The Wallarm security research team has created default calculation rules based on our extensive experience in Cyber Security. You can now modify these calculations based on your specific needs. For example, you can add more weight to the presence of sensitive data or open vulnerabilities.

See our documentation for more details.

To make sure that your Wallarm security service works as you expect, you need to be aware of changes in its settings. In addition to the Activity log, it's a good practice to receive notifications of critical changes made by your team to keep everyone in the loop.

Wallarm can send you notifications about important changes in your settings, such as:

• granting user account administrator rights
• removing an important security rule
• changing a BOLA or Brute Force trigger

Notifications are sent to any service convenient for you, for example, Slack, Splunk or Datadog.

See the Wallarm documentation for more details.

Your API inventory may contain thousands of endpoints. Some may handle sensitive data, and others may become targets of attack. In addition, your endpoints may have open vulnerabilities with different threat levels. And of course your API inventory is constantly and rapidly changing - new endpoints are added, existing endpoints are changed or removed. With such large amounts of data to assess, it can be difficult to focus on the endpoints issues that have the most significant impact your security posture. 

To keep your applications safe, the Wallarm API Discovery provides the following data:

Which of your endpoints are attacked the most
The Wallarm API Discovery module displays the number of malicious requests (hits) executed against your endpoints on a per-endpoint basis. You can triage your endpoints by filtering and sorting the list to find those that have been attacked the most.
 
Stay on top of your riskiest endpoints
The Wallarm API Discovery module automatically calculates a risk score from 1 (low risk) to 10 (high risk) for each endpoint in your API inventory. The risk score criteria includes: the presence of sensitive data, the number of parameters passed to the endpoint, etc. This score enables you to understand which endpoints are most likely to be an attack target and therefore should be the focus of your security efforts. For example, an endpoint that handles sensitive data and can be the target of a BOLA attack would have a higher risk score than an endpoint that simply passed an JSON object with several parameters.

You can find more detailed information about these features in our documentation.

Thousands of companies – from startups to Fortune 500 enterprises – use Kong API Gateway. With blazingly fast performance, it comes with a perfect feature set for everyone who manages microservices, APIs or serverless stacks. APIs need protection against modern attacks, like Injections, BOLA and others from the OWASP API Security Top-10.

Wallarm provides a native integration with Kong Ingress Controller 3.0 for both the Kong Open-Source (CE) and Enterprise (EE) editions. Following the instructions in the documentation, you can protect your APIs with Wallarm in just a few minutes.

You can find more detailed information about this integration in our website and documentation.

Wallarm now offers extended integration with Splunk via a native Splunk application! The Wallarm API Security application for Splunk helps to organize the events logged by Wallarm into the ready-to-use dashboard. 

Wallarm makes it a priority to provide native integrations with specialized tools used by DevOps and SecOps teams. This integration with Splunk furthers that prerogative. 

 Integrating Wallarm and Splunk enables you to:

• Get and analyze data on malicious traffic against your applications and APIs
• Analyze vulnerabilities found in applications
• Receive alerts and events generated by the Wallarm triggers
• Receive alerts about Wallarm service events, such as a new account added to Wallarm personal account, changing integration settings with a third-party service, etc.

With the Wallarm API Security application for Splunk application available from the official Splunk applications library, you can make event analyzing seamless.

You can find more detailed information about the Wallarm API Security application for Splunk in our documentation.

Sometimes you may need to combine Wallarm findings with data from other services (e.g., your application logs) for in-depth analysis and investigation of attacks, incidents, and vulnerabilities. Or you may want to get a list of indicators of compromise (IOCs) from detected attacks and incidents, such as attacker IP addresses, detected malicious payloads, and so on. These IOCs are necessary to conduct in-depth security incident investigations.

For these and other similar scenarios, you can get a CSV formatted report with attack, incident, and vulnerability events. Just perform a search query for the events you need and request a report with them in the CSV format. The generated report will be sent to your email address.

See the Wallarm documentation for more details.

Wallarm rules are one of the critical mechanisms by which the Wallarm API Security solution adapts to your applications. Therefore, it is crucial to have a backup copy of your rules in case of unforeseen situations; for example, important rules were deleted by mistake.

To undo the changes and return to the previous version of the ruleset, create backup copies of your Wallarm rules. There are two types of backups available to you:

• Backups that are created automatically on any change in a ruleset.
• Backups that you create manually.

Backups are managed in the Rules section of Wallarm Console. You can create a new backup of the rules anytime or restore the ruleset from a created copy.

You can find more detailed information on this capability in our documentation.

Wallarm now offers native integration with Datadog! Datadog is a SaaS-based dynamic data analytics platform used in many security and operational tech stacks.  

Wallarm has made it a priority to include native integration with specialized tools used by DevOps and SecOps teams. This integration with Datadog furthers that vision. 

This integration allows you to analyze and process Wallarm API Security events along with data from your other services and products in Datadog. Thus you will have a complete picture of what is happening in your infrastructure.

You can find more detailed information on this capability in our documentation.

The new event grouping method enables the grouping of hits originating from the same IP address into one attack that optimizes the view and analysis of attacks generated by bots and third-party scanners.

Generally, a bot or a third-party scanner generates the set of hits with different malicious payloads and sends it from the same IP address. Each such hit is displayed as a separate event in Wallarm Console by default. The number of such hits can reach hundreds or even thousands taking a significant amount of time for its analysis. With the new hit grouping method enabled, hits generated by the bot or third-party scanner can be analyzed as a single entity since they are grouped into one attack.

To enable new grouping of hits, configure the special trigger:

Restriction: Hits of the Brute force, Forced browsing, Resource overlimit, Data bomb and Virtual patch attack types cannot be grouped into attacks using the new method.

Notifications to your Microsoft Teams channel are now available.
Get updates for security and system events:

• Vulnerabilities detected
• Scope changed: updates in hosts, services, and domains
• Exceeded threshold of attack, hit, or incident number
• Newly added users
• Deleted or disabled integration

Read more about setting up the integration with Microsoft Teams on our documentation portal.