System (API calls)

4.9 Interpret common artifact elements from an event to identify an alert

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


1. What is an API Call?

  • API stands for Application Programming Interface.
  • An API call is a request made by a program or system to another system to ask it to do something or provide data.
  • Think of it as a message between software that says:
    “Hey system, give me this data” or “Do this action for me”.

Example in IT context:

  • A security monitoring tool asks a cloud service via an API:
    “Show me all failed login attempts in the last 24 hours”.
    The cloud service responds with a list of events. This is an API call in action.

2. Why API Calls Are Important for Cybersecurity

In cybersecurity, API calls are useful because:

  1. Monitoring Systems:
    • Security tools like SIEMs (Security Information and Event Management) use API calls to pull logs and alerts from other systems.
  2. Automating Alerts:
    • APIs can trigger alerts automatically. For example, if an endpoint agent detects malware, it can use an API call to report the detection to your monitoring tool.
  3. Incident Response:
    • API calls can be used to block IP addresses, disable compromised accounts, or isolate infected machines automatically.
  4. Integration Across Systems:
    • Security systems often need data from multiple sources (firewalls, endpoints, cloud apps). APIs allow them to share that data efficiently.

3. Types of API Calls Relevant in Security Monitoring

Most security-tool and cloud APIs are REST APIs carried over HTTPS, so the “type” of a call is the HTTP method in the request:

  1. GET Request
    • Retrieves information from another system; it should not change anything on the receiving side.
    • Example: Get a list of all users who failed login more than 5 times today.
  2. POST Request
    • Sends data to another system or triggers an action.
    • Example: Send a command to block an IP address on the firewall.
  3. PUT/PATCH
    • Updates existing information on a system. PUT replaces the whole record; PATCH changes only the fields you send.
    • Example: Update the status of a ticket in a threat management system.
  4. DELETE
    • Removes information.
    • Example: Delete a temporary user account that was flagged as suspicious.

4. Common Artifacts from API Calls

When analyzing events, you may see artifacts that indicate an API call happened. These include:

  1. Source and Destination
    • Which system made the API call and which system received it, usually recorded as IP addresses or host names. Where the log records it, the identity that authenticated (user, service account, API key or token ID) is the most useful “who”.
    • Example: Security tool → Cloud storage API.
  2. Endpoint
    • The specific function or URL the API is requesting.
    • Example: https://cloudservice.com/api/v1/logs
  3. Method
    • Type of API call (GET, POST, PUT/PATCH, DELETE). A GET should only read; the other methods change something, so an unexpected POST or DELETE deserves more attention than an unexpected GET.
  4. Timestamp
    • When the API call occurred. Important for tracking the sequence of events (e.g., many failures followed by one success) and for correlating with logs from other systems, so check the time zone.
  5. Status Codes
    • The HTTP status code in the response shows whether the call succeeded or failed, and why. Common codes:
      • 200 OK → Success
      • 401 Unauthorized → Authentication failed (no credentials, or an invalid or expired token/API key)
      • 403 Forbidden → Authentication succeeded but the caller is not allowed to perform this action (authorization failed)
      • 429 Too Many Requests → The caller is being rate-limited; often seen during brute-force or scraping activity
      • 500 Internal Server Error → Error on the receiving system
  6. Payload / Parameters
    • The data sent or received in the API call, carried in the URL query string or in the request/response body.
    • Example: Sending { "username": "john_doe" } to fetch user logs.

5. How Cybersecurity Analysts Use API Call Data

  • Alert Detection:
    • If an unusual API call happens (e.g., an account that normally reads a few records suddenly exporting the entire user directory, or a burst of 401 responses from one source), it can trigger an alert.
  • Threat Hunting:
    • Analysts look at API calls to detect abnormal behavior or suspicious patterns, such as a method, endpoint or calling identity that has never been seen before.
  • Incident Response Automation:
    • Automated scripts use API calls to quickly isolate compromised systems without manual intervention.
  • Audit and Compliance:
    • Logging API calls provides a record of who accessed or changed what, and when, across the systems involved.

6. Things to Remember for the Exam

  1. API calls are system-to-system communications.
  2. Look for artifacts: endpoint, method, timestamp, source/destination, payload, and status code.
  3. Abnormal API calls can indicate malicious activity, like:
    • Repeated failed logins via API (many 401 responses from one source, especially if a 200 follows).
    • Unusual data extraction (large data downloads, or far more requests to a data endpoint than normal).
    • Unauthorized commands being sent (403 responses to POST, PUT/PATCH or DELETE requests).
  4. Security tools rely heavily on API calls to detect, respond, and report threats.
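As an added example (not part of the original notes or any Cisco material), the following Python script parses constructed API access-log lines into the artifacts listed in section 4 (source, destination, method, endpoint, timestamp, status code, bytes returned) and then applies the three abnormal-call patterns from section 6. The log format, host name, IP addresses (taken from documentation ranges) and the alert thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample API access-log lines (not taken from any real system).
# Assumed line format:
#   <UTC timestamp> <source IP> <destination host> "<METHOD> <endpoint>" <status> <bytes returned>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 api.example.com "GET /api/v1/logs" 200 4096
2024-05-01T10:00:02Z 203.0.113.7 api.example.com "POST /api/v1/auth/token" 401 0
2024-05-01T10:00:03Z 203.0.113.7 api.example.com "POST /api/v1/auth/token" 401 0
2024-05-01T10:00:04Z 203.0.113.7 api.example.com "POST /api/v1/auth/token" 401 0
2024-05-01T10:00:05Z 203.0.113.7 api.example.com "POST /api/v1/auth/token" 401 0
2024-05-01T10:00:06Z 203.0.113.7 api.example.com "POST /api/v1/auth/token" 401 0
2024-05-01T10:00:07Z 203.0.113.7 api.example.com "POST /api/v1/auth/token" 200 512
2024-05-01T10:00:10Z 10.0.0.5 api.example.com "PATCH /api/v1/tickets/42" 200 128
2024-05-01T10:01:00Z 198.51.100.9 api.example.com "GET /api/v1/users/export" 200 52428800
2024-05-01T10:01:30Z 198.51.100.9 api.example.com "GET /api/v1/users/export" 200 52428800
2024-05-01T10:02:00Z 10.0.0.22 api.example.com "DELETE /api/v1/users/jdoe" 403 0
2024-05-01T10:02:05Z 10.0.0.22 api.example.com "GET /api/v1/users/jdoe" 403 0
"""

LINE_RE = re.compile(
    r'^(?P<timestamp>\S+) (?P<src>\S+) (?P<dst>\S+) '
    r'"(?P<method>[A-Z]+) (?P<endpoint>\S+)" (?P<status>\d{3}) (?P<bytes>\d+)$'
)


@dataclass
class ApiEvent:
    """The artifact elements of one API call: who, where, what, when, result."""
    timestamp: str
    src: str
    dst: str
    method: str
    endpoint: str
    status: int
    bytes_out: int


def parse_log(text):
    """Turn raw log lines into ApiEvent records; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # in production, count these: a parser gap hides events
        events.append(ApiEvent(m["timestamp"], m["src"], m["dst"], m["method"],
                               m["endpoint"], int(m["status"]), int(m["bytes"])))
    return events


# Methods that change state on the receiving system (a "command", not a read).
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def detect_alerts(events, failed_auth_threshold=5, extraction_threshold=50 * 1024 * 1024):
    """Apply the three abnormal-API-call patterns. Thresholds are illustrative
    assumptions; tune them per environment. Returns a list of alert dicts."""
    events = sorted(events, key=lambda e: e.timestamp)  # order matters for "then success"
    alerts = []
    failed_auth = defaultdict(int)      # src -> number of 401 responses
    success_after_failures = set()      # srcs that got a 200 after reaching the threshold
    bytes_by_src = defaultdict(int)     # src -> bytes returned on successful GETs

    for e in events:
        if e.status == 401:
            failed_auth[e.src] += 1
        elif e.status == 200 and failed_auth[e.src] >= failed_auth_threshold:
            success_after_failures.add(e.src)
        if e.method == "GET" and e.status == 200:
            bytes_by_src[e.src] += e.bytes_out
        if e.status == 403 and e.method in WRITE_METHODS:
            # Authenticated caller tried a state-changing action it is not allowed to do.
            alerts.append({"rule": "rejected_command", "src": e.src,
                           "detail": f"{e.method} {e.endpoint} -> 403 at {e.timestamp}"})

    for src, n in failed_auth.items():
        if n >= failed_auth_threshold:
            detail = f"{n} x 401 from one source"
            if src in success_after_failures:
                detail += ", then a 200 (possible successful credential guessing)"
            alerts.append({"rule": "repeated_failed_auth", "src": src, "detail": detail})

    for src, total in bytes_by_src.items():
        if total > extraction_threshold:
            alerts.append({"rule": "large_extraction", "src": src,
                           "detail": f"{total} bytes returned over GET requests"})
    return alerts


if __name__ == "__main__":
    for a in detect_alerts(parse_log(SAMPLE_LOG)):
        print(f"[{a['rule']}] src={a['src']}: {a['detail']}")
```

Two design points worth noticing: the large-extraction rule sums bytes per source rather than checking each call, because one export under the threshold followed by another is the pattern an attacker who knows the limit will use; and a 403 only raises the rejected-command alert on a state-changing method, since a 403 on a GET is usually just a permission boundary doing its job.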

7. Easy Way to Remember

Term          Simple IT Explanation
------------  ----------------------------------------------------
API Call      A message between systems asking for data or action
GET           “Give me this info”
POST          “Do this action / send data”
PUT/PATCH     “Update this data”
DELETE        “Remove this data”
Endpoint      The exact address or function being accessed
Payload       The actual data sent or received
Status Code   Result of the API call (success, fail, etc.)

Tip for the Exam: When you see a question about system artifacts or API calls, think:
“What system requested it, what system responded, what type of request, and did it succeed or fail?”
