
API Details

1. ApiTrafficController

The ApiTrafficController class contains REST endpoints that perform operations such as filtering, listing, masking, log management, and security assessment of API traffic in the system. It supports both SOAP and REST traffic and interacts with traffic data stored in Redis.


[GET] /api/apitraffic/{id}

Retrieves a unique traffic record for the given ID. The data is read from the system's in-memory traffic set, enabling fast access. The returned content includes request and response details and security information.

  • Authentication: Required (Bearer Token)
  • Parameters:
Parameter | Type | Description
id | String | ID of the traffic record to get

[GET] /api/apitraffic

Lists all traffic records in a paginated format. This endpoint is currently inactive.

  • Authentication: Required (Bearer Token)
  • Parameters:
Parameter | Type | Description
page | Integer | Page number (default: 0)
size | Integer | Number of results per page (default: 20)
sort | String | Sort criteria (e.g. timestamp,desc)

[POST] /api/apitraffic

Searches and lists traffic records matching the given filter criteria. SOAP and non-SOAP traffic are evaluated separately: SOAP traffic is grouped by the method, sensitiveUrl and apiCatalogId fields, and for each group the most recent record is returned together with the collected hit count. Non-SOAP traffic is added to the list directly. The results are then sorted and paginated.

  • Authentication: Required (Bearer Token)
  • Sample Request Body:
JSON
{
  "methods": ["GET", "POST"],
  "url": "/api/user",
  "minRiskScore": 3,
  "maxRiskScore": 8,
  "sourceIp": "192.168.1.10",
  "applicationId": "7c2c5c62-4a9b-40ad-9796-dfd0bb5d1ccf",
  "apiCatalogId": "6c7087aa-f6db-4f6c-b44e-2647c1e2485d",
  "minHit": 10,
  "maxHit": 1000,
  "statusCodes": ["200", "404"],
  "httpType": "REST",
  "updateStartDate": "2025-07-01T00:00:00",
  "updateEndDate": "2025-07-15T23:59:59",
  "isApi": true,
  "isSecure": true
}

[GET] /api/apitraffic/byCatalog/{id}

Retrieves traffic records with the specified ApiCatalog ID. Results are returned in descending order by date created and are paginated.

  • Authentication: Required (Bearer Token)
  • Path Parameters:
Parameter | Type | Description
id | String | ApiCatalog ID to filter by
  • Query Parameters:
Parameter | Type | Description
page | Integer | Page number (default: 0)
size | Integer | Number of results per page (default: 20)
sort | String | Sort criteria (e.g. timestamp,desc)

[GET] /api/apitraffic/byApplication/{id}

Retrieves traffic data for all ApiCatalog records belonging to the specified Application ID. For each ApiCatalog, the associated traffic records are collected and returned paginated in descending order by date created.

  • Authentication: Required (Bearer Token)
  • Path Parameters:
Parameter | Type | Description
id | String | Application ID to filter by
  • Query Parameters:
Parameter | Type | Description
page | Integer | Page number (default: 0)
size | Integer | Number of results per page (default: 20)
sort | String | Sort criteria (e.g. timestamp,desc)

[POST] /api/apitraffic/setLimit

Adds limit-based brute-force protection to a specified API traffic (ApiTraffic) record. If a limit has already been assigned with the same ID, the operation is canceled and a 409 Conflict error is returned. Otherwise, the limit setting is updated or added for the first time.

  • Authentication: Required (Bearer Token)
  • Sample Request Body:
JSON
{
  "apiTrafficId": "6c7087aa-f6db-4f6c-b44e-2647c1e2485d",
  "capacity": 100,
  "durationInMinutes": 15,
  "ipBased": true,
  "userLimit": false,
  "type": "BRUTE_FORCE"
}
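The rule a setLimit body describes (capacity requests within durationInMinutes, counted per source IP and/or per user) can be modelled with a small fixed-window limiter. The following is an added Python example, not the product's code: the fixed-window algorithm, the 404 returned when removing a rule that does not exist, and the FakeClock are assumptions made for the example; the page does not state the product's real counting algorithm.

```python
import time
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class LimitRule:
    """Fields taken from the setLimit request body."""
    apiTrafficId: str
    capacity: int
    durationInMinutes: int
    ipBased: bool = True
    userLimit: bool = False
    type: str = "BRUTE_FORCE"


class FakeClock:
    """Controllable clock (constructed for the example) so the window rollover
    can be demonstrated offline."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class BruteForceLimiter:
    """Fixed-window counter keyed by (apiTrafficId, type, subject).

    Assumption: a window of durationInMinutes admitting `capacity` requests is
    one straightforward reading of the rule; the real algorithm is not documented here.
    """
    def __init__(self, clock=time.time):
        self.clock = clock
        self.rules: Dict[Tuple[str, str], LimitRule] = {}
        self.windows: Dict[tuple, Tuple[float, int]] = {}   # key -> (window_start, count)

    def set_limit(self, rule: LimitRule) -> int:
        key = (rule.apiTrafficId, rule.type)
        if key in self.rules:
            return 409            # same traffic id + type already has a rule
        self.rules[key] = rule
        return 200

    def remove_limit(self, api_traffic_id: str, type_: str = "BRUTE_FORCE") -> int:
        if self.rules.pop((api_traffic_id, type_), None) is None:
            return 404            # assumption: unknown rule -> not found
        # drop the counters that belonged to the removed rule
        for k in [k for k in self.windows if k[0] == api_traffic_id and k[1] == type_]:
            del self.windows[k]
        return 200

    def _subject(self, rule: LimitRule, source_ip: str, user) -> tuple:
        parts = []
        if rule.ipBased:
            parts.append(source_ip)
        if rule.userLimit:
            parts.append(user)
        return tuple(parts)

    def allow(self, api_traffic_id: str, source_ip: str, user=None, type_: str = "BRUTE_FORCE") -> bool:
        """True if the request may proceed, False if the limit for this subject is exhausted."""
        rule = self.rules.get((api_traffic_id, type_))
        if rule is None:
            return True           # no rule on this traffic record
        key = (api_traffic_id, type_, self._subject(rule, source_ip, user))
        now = self.clock()
        start, count = self.windows.get(key, (now, 0))
        if now - start >= rule.durationInMinutes * 60:
            start, count = now, 0   # window expired, start a fresh one
        if count >= rule.capacity:
            self.windows[key] = (start, count)
            return False
        self.windows[key] = (start, count + 1)
        return True


if __name__ == "__main__":
    clock = FakeClock()
    limiter = BruteForceLimiter(clock=clock)
    rule = LimitRule("6c7087aa-f6db-4f6c-b44e-2647c1e2485d", 100, 15)
    print("set:", limiter.set_limit(rule), "again:", limiter.set_limit(rule))
    verdicts = [limiter.allow(rule.apiTrafficId, "192.168.1.10") for _ in range(101)]
    print("allowed:", verdicts.count(True), "blocked:", verdicts.count(False))
```

The subject key is what makes the ipBased and userLimit flags meaningful: with both set, the counter is per (IP, user) pair, so one user spread over many addresses is not throttled by this rule alone.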

[POST] /api/apitraffic/removeLimit

Deletes a specific limit rule that was previously assigned to the specified ApiTraffic record. The target rule is detected and removed via the apiTrafficId and type fields.

  • Authentication: Required (Bearer Token)
  • Sample Request Body:
JSON
{
  "apiTrafficId": "6c7087aa-f6db-4f6c-b44e-2647c1e2485d",
  "type": "BRUTE_FORCE"
}

[POST] /api/apitraffic/setMask

Updates the existing masking rules (Mask) for a specified ApiTraffic record. The existing mask list is completely replaced by the newly given list. This is used to hide fields of interest, especially in sensitive data analysis.

  • Authentication: Required (Bearer Token)
  • Request Parameters:
Parameter | Type | Description
apiTrafficId | UUID | ID of the traffic record to add masking rules to
  • Sample Request Body:
JSON
[
  {
    "name": "authorization",
    "value": "Bearer .*",
    "valueRegex": true,
    "allApplications": true
  },
  {
    "name": "ssn",
    "value": "\\d{3}-\\d{2}-\\d{4}",
    "valueRegex": true,
    "allApplications": false
  }
]
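To make the mask semantics concrete, here is an added Python example (not the project's code) that parses the sample rule list above and applies it to a constructed traffic record. It assumes that a rule's name is matched case-insensitively against header names and JSON keys, that a regex rule masks only the matching part of the value with ***, and that a rule with allApplications set to false applies only to traffic of the application the rule was set on; none of these details are stated on the page.

```python
import json
import re
from typing import Any, Dict, List

MASK = "***"

# The page's own sample body embedded as a JSON string, so the escaping of the
# SSN regex (\\d in JSON becomes \d in the compiled pattern) is exercised.
SAMPLE_RULES_JSON = r'''
[
  {"name": "authorization", "value": "Bearer .*", "valueRegex": true, "allApplications": true},
  {"name": "ssn", "value": "\\d{3}-\\d{2}-\\d{4}", "valueRegex": true, "allApplications": false}
]
'''


def compile_rules(rules_json: str, owner_application_id: str) -> List[Dict[str, Any]]:
    """Parse the mask list and pre-compile regex values.

    Assumption: a rule with allApplications=false applies only to traffic of
    the application the rule was set on (owner_application_id)."""
    compiled = []
    for rule in json.loads(rules_json):
        is_regex = bool(rule.get("valueRegex"))
        compiled.append({
            "name": rule["name"].lower(),
            "pattern": re.compile(rule["value"]) if is_regex else None,
            "literal": None if is_regex else rule["value"],
            "allApplications": bool(rule.get("allApplications")),
            "applicationId": owner_application_id,
        })
    return compiled


def _applies(rule: Dict[str, Any], application_id) -> bool:
    return rule["allApplications"] or rule["applicationId"] == application_id


def _mask_value(rule: Dict[str, Any], value: str) -> str:
    if rule["pattern"] is not None:
        return rule["pattern"].sub(MASK, value)   # only the matching part is hidden
    return MASK if value == rule["literal"] else value


def _walk(node: Any, rules: List[Dict[str, Any]]) -> Any:
    """Rebuild headers/body recursively, masking string values whose key matches a rule."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            matched = [r for r in rules if r["name"] == str(key).lower()]
            if matched and isinstance(value, str):
                for r in matched:
                    value = _mask_value(r, value)
                out[key] = value
            else:
                out[key] = _walk(value, rules)
        return out
    if isinstance(node, list):
        return [_walk(item, rules) for item in node]
    return node


def mask_record(record: Dict[str, Any], rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Return a masked copy of the record; the input is left untouched."""
    active = [r for r in rules if _applies(r, record.get("applicationId"))]
    masked = dict(record)
    masked["headers"] = _walk(record.get("headers", {}), active)
    masked["body"] = _walk(record.get("body"), active)
    return masked


# Constructed traffic record (not captured data)
SAMPLE_RECORD = {
    "applicationId": "7c2c5c62-4a9b-40ad-9796-dfd0bb5d1ccf",
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.example", "Content-Type": "application/json"},
    "body": {"user": {"name": "alice", "ssn": "123-45-6789"}, "dependents": [{"ssn": "987-65-4321"}]},
}

if __name__ == "__main__":
    rules = compile_rules(SAMPLE_RULES_JSON, SAMPLE_RECORD["applicationId"])
    print(json.dumps(mask_record(SAMPLE_RECORD, rules), indent=2))
```

Because the record is rebuilt rather than edited in place, the raw copy stays available for the getRawModel style of analysis while the masked copy is what gets logged or displayed.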

[PUT] /api/apitraffic/logUpdate

Optionally updates the request and/or response logging settings of the specified ApiTraffic record. This feature is used to control the logging level for a given API traffic.

  • Authentication: Required (Bearer Token)
  • Request Parameters:
Parameter | Type | Description
apiTrafficId | UUID | ID of the traffic record
requestLog | Boolean | If true, request logging is activated
responseLog | Boolean | If true, response logging is activated

[POST] /api/apitraffic/getByIds

Retrieves ApiTraffic records that match multiple given UUID values from an in-memory repository. This endpoint is used for bulk querying of specific traffic records.

  • Authentication: Required (Bearer Token)
  • Sample Request Body:
JSON
[
  "6c7087aa-f6db-4f6c-b44e-2647c1e2485d",
  "7b96aafc-82e9-422c-8d58-7a35b2a2ce77"
]

[DELETE] /api/apitraffic/{id}

Deletes the specified ApiTraffic record from the system. This operation performs a thorough cleanup, not only of the in-memory data, but also of the index, composite key and detail records held on Redis. Intelligence insight data associated with the record is also deleted.

  • Authentication: Required (Bearer Token)
  • Path Parameters:
Parameter | Type | Description
id | UUID | ID of the traffic record to delete

[GET] /api/apitraffic/{id}/detail

Returns detailed information about the specified ApiTraffic record. These details include both the traffic record and the ApiCatalog object it is associated with.

  • Authentication: Required (Bearer Token)
  • Path Parameters:
Parameter | Type | Description
id | UUID | ID of the ApiTraffic record for which detail information is requested

[POST] /api/apitraffic/rescanProtected/start

Starts an asynchronous rescan process that re-runs the isSecure() analysis on all ApiTraffic records. It scans the records on Redis with the SCAN command, re-evaluates the security of ApiTraffic objects and updates them if necessary. To enable working with large data sets, the process is divided into batches.

  • Authentication: Required (Bearer Token)
  • Query Parameters:
Parameter | Type | Description
batchSize | Integer | Determines how many records are processed in each scan batch

[GET] /api/apitraffic/rescanProtected/status

Returns the status and progress of the rescan process that is currently running in the background or was last run: whether the batch process that recalculates the isSecure field has completed, the last cursor value, the total number of records processed and the time of the last batch.

  • Authentication: Required (Bearer Token)
  • Sample Response Body:
JSON
{
  "lastCursor": "0",
  "totalProcessed": 127842,
  "lastBatchTime": "2025-07-16T14:25:48.234",
  "completed": true
}
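The batch rescan and its status fields can be modelled as below. This is an added Python example, not the product's code: FakeRedis stands in for the Redis SCAN cursor protocol, is_secure() is a hypothetical placeholder for the real analysis, the run is synchronous (the product runs it asynchronously), and the updated counter is an extra field that is not part of the status response shown above. The record keys and contents are constructed.

```python
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


class FakeRedis:
    """Minimal stand-in for Redis SCAN: returns (next_cursor, keys) and signals the
    end of the keyspace with cursor 0. Constructed for the example; real Redis
    returns roughly, not exactly, `count` keys per call."""
    def __init__(self, keys: List[str]):
        self._keys = list(keys)

    def scan(self, cursor: int = 0, count: int = 10) -> Tuple[int, List[str]]:
        end = min(cursor + count, len(self._keys))
        next_cursor = 0 if end >= len(self._keys) else end
        return next_cursor, self._keys[cursor:end]


def is_secure(record: Dict) -> bool:
    """Hypothetical stand-in for the product's isSecure() analysis: a record is
    treated as secure when the request used HTTPS and carried an Authorization
    header. The page does not specify the real rule."""
    header_names = {h.lower() for h in record.get("headers", [])}
    return record.get("scheme") == "https" and "authorization" in header_names


def rescan_protected(store: FakeRedis, records: Dict[str, Dict], batch_size: int, status: Dict,
                     clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> Dict:
    """Synchronous model of the batch rescan. `status` mirrors the fields of
    GET /api/apitraffic/rescanProtected/status plus an `updated` counter."""
    if batch_size <= 0:
        raise ValueError("batchSize must be positive")
    status.update({"lastCursor": "0", "totalProcessed": 0, "completed": False, "updated": 0})
    cursor = 0
    while True:
        cursor, keys = store.scan(cursor, count=batch_size)
        for key in keys:
            rec = records[key]
            verdict = is_secure(rec)
            if rec.get("isSecure") != verdict:      # write back only when the verdict changed
                rec["isSecure"] = verdict
                status["updated"] += 1
        status["totalProcessed"] += len(keys)
        status["lastCursor"] = str(cursor)
        status["lastBatchTime"] = clock().isoformat(timespec="milliseconds")
        if cursor == 0:             # SCAN reports completion with cursor 0
            break
    status["completed"] = True
    return status


# Constructed records with a stale isSecure verdict; keys imitate Redis entries.
RECORDS = {
    f"apitraffic:{i}": {
        "scheme": "https" if i % 2 == 0 else "http",
        "headers": ["Authorization"] if i % 3 else [],
        "isSecure": True,
    }
    for i in range(7)
}

if __name__ == "__main__":
    result = rescan_protected(FakeRedis(sorted(RECORDS)), RECORDS, batch_size=3, status={})
    print(result)
```

With seven records and batchSize 3 the loop makes three SCAN calls (3, 3 and 1 keys); the status after the last call carries lastCursor "0" and completed true, which is exactly what the status endpoint reports when a run has finished.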

[POST] /api/apitraffic/soap-operations

Groups SOAP traffic records by the combination of method, sensitiveUrl and apiCatalogId. For each group the most recent record is taken and converted to a SoapTrafficOperationDto object. The results can be sorted and paged by fields such as hit and statusCode, so that all SOAP operations and their details can be monitored centrally.

  • Authentication: Required (Bearer Token)
  • Sample Request Body:
JSON
{
  "applicationId": "c3b94...",
  "apiCatalogId": "f5c1a...",
  "methods": ["POST"],
  "updateStartDate": "2025-06-01T00:00:00",
  "updateEndDate": "2025-07-01T00:00:00",
  "isSecure": true,
  "pagingAndSorting": {
    "page": 0,
    "size": 10,
    "sortBy": "hit",
    "sortDir": {
      "descending": true
    }
  }
}
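The grouping that both [POST] /api/apitraffic and [POST] /api/apitraffic/soap-operations describe, worked through as an added Python example (not code from the project). The TrafficRecord fields, the page shape (content/totalElements) and the summing of hits within a group are assumptions; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Sequence


@dataclass
class TrafficRecord:
    """Constructed shape of a traffic record; the product's real model may differ."""
    id: str
    httpType: str          # "SOAP" or "REST"
    method: str
    sensitiveUrl: str
    apiCatalogId: str
    hit: int
    statusCode: int
    updated: datetime


def _row(r: TrafficRecord) -> Dict:
    return {"method": r.method, "url": r.sensitiveUrl, "apiCatalogId": r.apiCatalogId,
            "httpType": r.httpType, "latestId": r.id, "hit": r.hit,
            "statusCode": r.statusCode, "updated": r.updated}


def group_soap_operations(records: Sequence[TrafficRecord]) -> List[Dict]:
    """Group SOAP traffic by (method, sensitiveUrl, apiCatalogId).

    Each group is represented by its most recently updated member; the hit
    counts of all members are summed (summing is an assumption, the page only
    says the hit count is collected)."""
    groups: Dict[tuple, Dict] = {}
    for r in records:
        if r.httpType != "SOAP":
            continue
        key = (r.method, r.sensitiveUrl, r.apiCatalogId)
        g = groups.get(key)
        if g is None:
            groups[key] = _row(r)
        else:
            g["hit"] += r.hit
            if r.updated > g["updated"]:   # newer member becomes the representative
                g.update(latestId=r.id, statusCode=r.statusCode, updated=r.updated)
    return list(groups.values())


def paginate(rows: List[Dict], sort_by: str, descending: bool, page: int, size: int) -> Dict:
    if page < 0 or size <= 0:
        raise ValueError("page must be >= 0 and size > 0")
    ordered = sorted(rows, key=lambda row: row[sort_by], reverse=descending)
    start = page * size
    return {"content": ordered[start:start + size], "totalElements": len(ordered),
            "page": page, "size": size}


def list_traffic(records, methods=None, start=None, end=None,
                 sort_by="hit", descending=True, page=0, size=20) -> Dict:
    """Model of POST /api/apitraffic: SOAP rows come from the grouping, non-SOAP
    rows are added directly, then everything is sorted and paged."""
    selected = [r for r in records
                if (methods is None or r.method in methods)
                and (start is None or r.updated >= start)
                and (end is None or r.updated <= end)]
    rows = group_soap_operations(selected)
    rows += [_row(r) for r in selected if r.httpType != "SOAP"]
    return paginate(rows, sort_by, descending, page, size)


def soap_operations(records, methods=None, sort_by="hit", descending=True, page=0, size=10) -> Dict:
    """Model of POST /api/apitraffic/soap-operations: only the SOAP groups."""
    selected = [r for r in records if methods is None or r.method in methods]
    return paginate(group_soap_operations(selected), sort_by, descending, page, size)


# Constructed sample: two calls to the same SOAP operation, one other SOAP
# operation and one REST call.
SAMPLE = [
    TrafficRecord("a1", "SOAP", "POST", "/ws/orders#GetOrder", "cat-1", 10, 200, datetime(2025, 7, 1, 10, 0)),
    TrafficRecord("a2", "SOAP", "POST", "/ws/orders#GetOrder", "cat-1", 5, 500, datetime(2025, 7, 1, 11, 0)),
    TrafficRecord("b1", "SOAP", "POST", "/ws/orders#CancelOrder", "cat-1", 3, 200, datetime(2025, 7, 1, 9, 0)),
    TrafficRecord("c1", "REST", "GET", "/api/user", "cat-2", 12, 200, datetime(2025, 7, 2, 8, 0)),
]

if __name__ == "__main__":
    for row in list_traffic(SAMPLE, size=2)["content"]:
        print(row["httpType"], row["method"], row["url"], row["hit"], row["latestId"], row["statusCode"])
```

Note what the representative rule implies for monitoring: the GetOrder group reports the status code of its newest call (500) even though the older, larger share of its hits succeeded, so a group's statusCode is a "latest state" signal, not a summary of the whole group.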

2. AttackController

The AttackController class provides REST endpoints to manage the details of attacks (Attack and AttackGroup) detected in the system. It supports operations such as filtering, sending alarms, false-positive updates and displaying the raw attack model. It also includes advanced security functions such as analyzing vulnerabilities derived from SOAP/REST traffic and showing attack locations on a map.

[POST] /api/attack/filter

Lists the attack groups (AttackGroup) in the system according to the specified filter criteria. This endpoint lets the authorized user query only the attack data of the applications they have access to. Filtering is done on the AttackGroup object, and each returned group carries an empty attack list.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
  "methods": ["GET", "POST"],
  "url": "/api/user",
  "vulnerabilityCategories": ["Injection", "Auth"],
  "vulnerabilityIds": ["AUTH-001", "INJ-002"],
  "severities": ["HIGH", "MEDIUM"],
  "sourceIp": "192.168.1.10",
  "minHits": 5,
  "maxHits": 200,
  "apiCatalogIds": ["6c7087aa-f6db-4f6c-b44e-2647c1e2485d"],
  "applicationNames": ["petstore-dev"],
  "fingerPrint": "xxx-yyy-zzz",
  "api": true,
  "successful": false,
  "pagingAndSorting": {
    "page": 0,
    "size": 10,
    "sortBy": "hit",
    "sortDir": {
      "descending": true
    }
  }
}


[POST] /api/attack/filterByGroupId

Lists all Attack records belonging to the specified attackGroupId value. Optionally, it can be narrowed with source IP (sourceIp) and time range (startDate, endDate) filters. The results are sorted in descending order by creation time (created) and returned paginated. This endpoint is especially used to examine the activities of an attack group in detail.

Authentication: Required (Bearer Token)
Request Parameters:

Parameter | Type | Description
groupId | UUID | Unique ID of the attack group (AttackGroup ID)
sourceIp | String | (Optional) Filtering by IP address
startDate | Instant | (Optional) Start time (in ISO-8601 format)
endDate | Instant | (Optional) End time (in ISO-8601 format)
page | Integer | Page number (default: 0)
size | Integer | Number of results per page (default: 20)
sort | String | Sort criteria (e.g. timestamp,desc)
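An added Python example (not the project's code) of the optional narrowing and ordering that filterByGroupId describes, including the parsing of ISO-8601 Instant values with a trailing Z. The attack field names and the sample attacks are constructed, and the response shape is an assumption.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional


def parse_instant(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 instant such as 2025-07-01T00:00:00Z.

    datetime.fromisoformat() on Python versions before 3.11 rejects the trailing
    'Z', so it is mapped to +00:00; a value without any offset is treated as UTC."""
    if value is None:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def filter_by_group_id(attacks: List[Dict], group_id: str, source_ip: Optional[str] = None,
                       start_date: Optional[str] = None, end_date: Optional[str] = None,
                       page: int = 0, size: int = 20) -> Dict:
    """Model of POST /api/attack/filterByGroupId: attacks of one group, optionally
    narrowed by source IP and time range, newest first, paged."""
    start, end = parse_instant(start_date), parse_instant(end_date)
    if start and end and start > end:
        raise ValueError("startDate is after endDate")
    rows = [a for a in attacks
            if a["attackGroupId"] == group_id
            and (source_ip is None or a["sourceIp"] == source_ip)
            and (start is None or a["created"] >= start)
            and (end is None or a["created"] <= end)]
    rows.sort(key=lambda a: a["created"], reverse=True)     # descending by creation time
    offset = page * size
    return {"content": rows[offset:offset + size], "totalElements": len(rows),
            "page": page, "size": size}


def _utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed attack records (ids and group ids are placeholders, not real UUIDs)
ATTACKS = [
    {"id": "a1", "attackGroupId": "g1", "sourceIp": "192.168.1.10", "created": _utc(2025, 7, 1, 10)},
    {"id": "a2", "attackGroupId": "g1", "sourceIp": "192.168.1.10", "created": _utc(2025, 7, 2, 10)},
    {"id": "a3", "attackGroupId": "g1", "sourceIp": "10.0.0.5", "created": _utc(2025, 7, 3, 10)},
    {"id": "b1", "attackGroupId": "g2", "sourceIp": "10.0.0.5", "created": _utc(2025, 7, 3, 12)},
]

if __name__ == "__main__":
    result = filter_by_group_id(ATTACKS, "g1", start_date="2025-07-02T00:00:00Z")
    print([a["id"] for a in result["content"]], result["totalElements"])
```

Comparing a naive (offset-less) datetime with a timezone-aware one raises a TypeError in Python, which is why parse_instant normalizes every value to an aware UTC datetime before the comparisons in the filter.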

[POST] /api/attack/vulnerabilityDetails

Returns the vulnerability rule corresponding to the specified vulnerabilityId. Among all the security rules in the system, the one with the requested ID is returned. It is usually used in the detail screen or rule analysis of an attack.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
    "vulnerabilityId": "AUTH-001"
}


[GET] /api/attack/knownVulnerabilities

Returns all vulnerabilities and related rules (Rule) defined in the system in a key-value (Map) structure. Each key represents a unique vulnerabilityId and its value is the detailed rule information.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
    "vulnerabilityId": "AUTH-001"
}


[GET] /api/attack/vulnerabilityIds

Returns all vulnerability IDs defined in the system. This endpoint returns only the list of vulnerabilityId values.

Authentication: Required (Bearer Token)


[POST] /api/attack/sendEvent/{attackId}

Sends an event (for example notification/alarm with Jira integration) to the attack group (AttackGroup) with the specified attackId value. Triggering is done according to the default integrations defined in the system settings.

Authentication: Required (Bearer Token)
Request Parameters:

Parameter | Type | Description
attackId | UUID | Attack group ID to send the event to

[PUT] /api/attack/update-falsePositive

Marks the specified attack group (AttackGroup) as false positive or updates the existing false positive information. Related fields (user, description, date, etc.) are updated. Also, when marked as false positive, all associated attack records (Attack) are deleted in bulk.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
  "id": "7d9c0cd8-8b62-4eeb-9f1f-d2f64a81b709",
  "falsePositive": true,
  "falsePositiveUser": "securityadmin",
  "falsePositiveDescription": "Yanlış pozitif: test endpoint",
  "note": "Gözden geçirildi ve yanlış alarm olarak kaydedildi."
}


[DELETE] /api/attack/remove-batch-exclude-list

Collectively removes the specified attack group ID list (attackGroupIdList) from the exclude list. If the list is empty or the relevant record is not found, a 404 NOT_FOUND error is returned. If the operation is successful, it completes with 200 OK.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
    "attackGroupIdList": [
    "7d9c0cd8-8b62-4eeb-9f1f-d2f64a81b709",
    "2b9b1782-bf3a-4d0d-bada-80cbe537bc5f"
  ]
}


[GET] /api/attack/getFalsePositive

Returns all AttackGroup records that are linked to the given Application ID and marked as false positive. The system finds all ApiCatalog records of the given application and collects all AttackGroups that are connected to them and marked as false positive.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
applicationId | UUID | ID of the application whose false-positive attack groups are queried

[GET] /api/attack/getRawModel

Returns the raw HTTP request of the specified attack record (attackId) as a string. If the system stores the original traffic model of the attack in JSON format, that model is returned. If parsing into the expected model fails, only the original request data is returned as a fallback. This endpoint is intended for security teams who want to examine the actual HTTP traffic and payload of an attack.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
attackId | UUID | ID of the attack record to query

[GET] /api/attack/getCurl

Returns the automatically generated cURL command, as a string, corresponding to the raw HTTP request of the specified attack record (attackId). The cURL command includes the attack's method, endpoint, headers and body information where available. If the cmd parameter is true, a fully terminal-compatible cURL command that includes the Host header is generated.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
attackId | UUID | ID of the attack record to query
cmd | Boolean | (Optional) If true, returns the full cURL command to be executed directly on the terminal (default: false)

[GET] /api/attack/getRawResponseModel

Returns the raw response model of the specified Attack record as JSON, parsed if possible. If the response model cannot be parsed, it falls back to the original response string. The data returned is the masked or raw version of the actual HTTP response content recorded during the attack.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
attackId | UUID | ID of the attack record whose response model is requested

[POST] /api/attack/vulnerabilityDetailsByAttackId

Returns the vulnerability detail of the attack group to which the specified attack record (attackId) belongs. Returns the Rule (vulnerability rule) object corresponding to the vulnerabilityId value of the relevant attack group among all vulnerabilities registered in the system.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
attackId | UUID | ID of the attack log for which vulnerability detail is requested

[POST] /api/attack/sendAlert

Triggers an alert for the specified attack group (attackGroupId) via the selected integration (integrationId). With this endpoint, for example, the relevant attack can be communicated as a notification to an external service such as Slack, Jira, Email or similar.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
attackGroupId | UUID | ID of the attack group to send an alert to
integrationId | String | ID of the integration to send notifications to

[PUT] /api/attack/update-attackGroup

Updates the description (note) field of the selected attack group (attackGroupId). This endpoint allows an administrator or user to add a description to an attack group or modify an existing one.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
attackGroupId | UUID | Attack group ID whose description will be updated
description | String | New description text

[DELETE] /api/attack/deleteByFilter

Deletes attack (Attack) and attack group (AttackGroup) records that match the given filter criteria. The deletion runs asynchronously in the background and the endpoint returns immediately. Only the filtered records are deleted, which makes this suitable for bulk cleanup operations.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
  "methods": ["GET", "POST"],
  "url": "/api/user",
  "vulnerabilityCategories": ["Injection"],
  "vulnerabilityIds": ["AUTH-001"],
  "severities": ["HIGH"],
  "sourceIp": "192.168.1.10",
  "minHits": 5,
  "maxHits": 100,
  "apiCatalogIds": ["6c7087aa-f6db-4f6c-b44e-2647c1e2485d"],
  "applicationNames": ["petstore-dev"],
  "fingerPrint": "xxx-yyy-zzz",
  "api": true,
  "successful": false
}


[GET] /api/attack/locations

Returns the geographical locations of all attacks detected in the system, aggregated and summarized by country. For each country code, the total number of attacks and the country's latitude and longitude are provided. The results are suitable for map visualizations and statistical analysis, and are read from cache for performance.

Authentication: Required (Bearer Token)

Sample Response Body:

JSON
[
  {
    "countryCode": "TR",
    "attackCount": 2051,
    "latitude": 39.0,
    "longitude": 35.0
  },
  {
    "countryCode": "DE",
    "attackCount": 413,
    "latitude": 51.0,
    "longitude": 9.0
  }
]


[GET] /api/attack/getDetails

Returns summary and detail information of the Attack record corresponding to the specified attackId value. The return object contains critical fields such as payload, header and status related to the attack request and response. Direct access to the raw request and response data of the attack is also provided.

Authentication: Required (Bearer Token)

Request Parameters:

Parameter | Type | Description
attackId | UUID | ID of the attack record to query

[POST] /api/attack/findAll

Lists all Attack records in the system according to the given filter criteria. The results are paginated (Page) and detailed. For each record, fields such as attack summary, request/response contents, headers and status code are provided.

Authentication: Required (Bearer Token)

Request Body Example:

JSON
{
  "methods": ["GET", "POST"],
  "url": "/api/user/login",
  "vulnerabilityCategories": ["Injection", "Auth"],
  "vulnerabilityIds": ["AUTH-001", "INJ-002"],
  "severities": ["HIGH", "MEDIUM"],
  "sourceIp": "192.168.1.15",
  "minHits": 3,
  "maxHits": 100,
  "apiCatalogIds": ["c2b5f7ec-cf6d-4b8e-99f6-67b2c9b7ae9f"],
  "applicationNames": ["petstore-dev"],
  "fingerPrint": "xxx-yyy-zzz",
  "api": true,
  "successful": false,
  "pagingAndSorting": {
    "page": 0,
    "size": 10,
    "sortBy": "created",
    "sortDir": {
      "descending": true
    }
  }
}

3. ApiCatalogController

ApiCatalogController is a RESTful controller that handles listing, creating, updating, deleting, and searching API catalogs in the system, with all operations restricted by user permissions.


[GET] /api/catalogs

Retrieves the list of all API catalogs visible to the authorized user.

  • If the user has global application view permission, all catalogs are listed.
  • Otherwise, only the catalogs that the user is authorized for are returned.

Authentication: Required (Bearer Token)


[PUT] /api/catalogs

Creates a new API catalog or updates an existing one.

  • If the id field in the request body matches an existing catalog, it updates that catalog.
  • Otherwise, it creates a new catalog entry.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
  "id": "6c7087aa-f6db-4f6c-b44e-2647c1e2485d",
  "name": "Petstore API",
  "applicationId": "d2b3a4ec-7a3e-441e-8d1d-82ed5f04e1ee",
  "description": "Petstore microservice API catalog",
  "contextPath": "/petstore",
  "autoClassification": false,
  "trafficStatus": true,
  "lastUpDate": "2025-07-21T08:15:00Z"
}

[DELETE] /api/catalogs/{id}

Deletes the API catalog with the specified ID. This operation also removes the catalog from all organization groups. Deletes all associated API traffic records. This action is irreversible.

Authentication: Required (Bearer Token)

Path Parameters

Parameter | Type | Description
id | UUID | Unique identifier of the catalog to delete

[GET] /api/catalogs/{applicationId}

Retrieves all API catalogs associated with the specified application ID, visible to the authorized user.

  • If the user has global application view permission, all catalogs for the given application are listed.
  • Otherwise, only the catalogs authorized for the user are returned.
  • Each returned catalog includes the total endpoint count.

Authentication: Required (Bearer Token)

Path Parameters

Parameter | Type | Description
applicationId | UUID | The unique ID of the application

[POST] /api/catalogs/applicationIds

Returns all API catalogs for the list of application IDs provided in the request body.

  • Each catalog is only included if the user has the appropriate permissions to view it.
  • For each application ID, all visible catalogs are collected and returned as a single list.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
  "applicationIds": [
    "d2b3a4ec-7a3e-441e-8d1d-82ed5f04e1ee",
    "a8b1e98c-42e5-4b9d-9d14-7d8432ad5abf"
  ]
}

[GET] /api/catalogs/byId/{catalogId}

Retrieves the API catalog object with the specified catalog ID.

  • If no catalog exists with the given ID, null is returned or a 404 response may be sent depending on implementation.

Authentication: Required (Bearer Token)

Path Parameters

Parameter | Type | Description
catalogId | UUID | The unique ID of the catalog

[GET] /api/catalogs/search

Performs a paginated search for API catalogs.

  • If a searchKey is provided, only catalogs whose name contains the key (case-insensitive) are returned.
  • Otherwise, all catalogs are listed with pagination.

Authentication: Required (Bearer Token)

Query Parameters

Parameter | Type | Description
searchKey | String | Catalog name (or part of it) to search for (case-insensitive match)
page | Integer | Page number (default: 0)
size | Integer | Number of records per page (default: 20)
sort | String | Sorting criteria, e.g. name,asc
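The permission gating shared by the listing and search endpoints of ApiCatalogController, as an added Python example (not the project's code). The permission name APPLICATION_VIEW_ALL, the user and catalog field names and the endpoint-count lookup are assumptions; the sample catalogs and users are constructed. The point it shows is that the visibility filter runs before the search, so a search key cannot reveal a catalog the user is not authorized for.

```python
from typing import Dict, List, Optional

GLOBAL_VIEW = "APPLICATION_VIEW_ALL"   # hypothetical name of the global view permission


def visible_catalogs(user: Dict, catalogs: List[Dict]) -> List[Dict]:
    """Server-side visibility filter applied before any listing or search."""
    if GLOBAL_VIEW in user.get("permissions", ()):
        return list(catalogs)
    allowed = set(user.get("authorizedCatalogIds", ()))
    return [c for c in catalogs if c["id"] in allowed]


def catalogs_by_application(user: Dict, catalogs: List[Dict], application_id: str,
                            endpoint_counts: Dict[str, int]) -> List[Dict]:
    """GET /api/catalogs/{applicationId}: visible catalogs of one application, each
    annotated with its endpoint count (endpoint_counts is a constructed lookup)."""
    return [dict(c, endpointCount=endpoint_counts.get(c["id"], 0))
            for c in visible_catalogs(user, catalogs)
            if c["applicationId"] == application_id]


def search_catalogs(user: Dict, catalogs: List[Dict], search_key: Optional[str] = None,
                    page: int = 0, size: int = 20, sort: str = "name,asc") -> Dict:
    """GET /api/catalogs/search: case-insensitive substring match on name, then sort and page."""
    rows = visible_catalogs(user, catalogs)          # gate first, search second
    if search_key:
        needle = search_key.lower()
        rows = [c for c in rows if needle in c["name"].lower()]
    field, _, direction = sort.partition(",")
    if field not in {"name", "id"}:
        raise ValueError(f"unsupported sort field: {field}")
    rows.sort(key=lambda c: c[field].lower(), reverse=(direction.lower() == "desc"))
    offset = page * size
    return {"content": rows[offset:offset + size], "totalElements": len(rows),
            "page": page, "size": size}


# Constructed catalogs, endpoint counts and users
CATALOGS = [
    {"id": "cat-1", "name": "Petstore API", "applicationId": "app-a"},
    {"id": "cat-2", "name": "Petstore Admin API", "applicationId": "app-a"},
    {"id": "cat-3", "name": "Billing API", "applicationId": "app-b"},
]
COUNTS = {"cat-1": 12, "cat-2": 4, "cat-3": 9}
ADMIN = {"name": "securityadmin", "permissions": {GLOBAL_VIEW}, "authorizedCatalogIds": set()}
ANALYST = {"name": "analyst", "permissions": set(), "authorizedCatalogIds": {"cat-1"}}

if __name__ == "__main__":
    for user in (ADMIN, ANALYST):
        names = [c["name"] for c in search_catalogs(user, CATALOGS, "petstore")["content"]]
        print(user["name"], "sees", names)
```

Rejecting unknown sort fields matters as much as the visibility filter: a sort parameter passed straight into a query is a classic place for an attribute the user should not be able to order by, or to probe for, to slip through.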

4. ApplicationController

ApplicationController is a REST controller responsible for listing, creating, updating, deleting, searching, and exporting application records in the system, with all actions restricted by user permissions.


[PUT] /api/application

Creates a new application or updates an existing one.

  • If the id field in the request body is null or not provided, a new application is created.
  • If an id is provided, the corresponding application is updated.

Authentication: Required (Bearer Token)

Sample Request Body:

JSON
{
  "id": "f4b3c4e2-7a3e-411e-8d1d-82ed5f04e1ee",
  "name": "Petstore App",
  "autoClassification": false,
  "urlParsePart": "/api/v1",
  "urlParseFlag": "ENABLE",
  "headerKey": "X-App-Key",
  "trafficCleaner": true,
  "applicationBaseClassification": false,
  "parentId": "e4f3d1a0-8a7e-4c9c-89d2-81e6e7d33456"
}

[GET] /api/application

Lists all applications visible to the authorized user.

  • If the user has global view permission, all applications are listed.
  • Otherwise, only applications linked to the user's authorized API catalogs are returned.
  • The results can be filtered by trafficType.

Authentication: Required (Bearer Token)

Query Parameters

Parameter | Type | Description
trafficType | Integer | Filter applications by traffic type (default: 0)

[DELETE] /api/application/{id}

Deletes the application with the specified ID. This operation also removes all related catalogs, organization group links, discovery rules, dashboard statistics, summary attack data, C-level report data, and all masks associated with the application. All in-memory and persistent references to the application are cleaned up. This operation is irreversible.

Authentication: Required (Bearer Token)

Path Parameters

Parameter | Type | Description
id | UUID | Unique identifier of the application

[GET] /api/application/search

Performs a paginated search for applications.

  • If a searchKey is provided, only applications whose name contains the search key (case-insensitive) are returned.
  • Otherwise, all applications are listed with pagination.

Authentication: Required (Bearer Token)

Query Parameters

Parameter | Type | Description
searchKey | String | Name (or partial name) to search for (case-insensitive match)
page | Integer | Page number (default: 0)
size | Integer | Number of records per page (default: 20)
sort | String | Sorting criteria, e.g. name,asc

[GET] /api/application/export

Exports the list of applications as an Excel file (applications_report.xlsx). The returned file contains all application records the user is authorized to view. The response is a downloadable binary in Excel (XLSX) format.

Authentication: Required (Bearer Token)