Skill

analyzing-api-gateway-access-logs

Parses API Gateway access logs (AWS, Kong, Nginx) to detect BOLA/IDOR, rate limit bypass, credential scanning, and injection attempts using pandas.

AWS

Nginx

Python

security

npx claudepluginhub costrict-plugins-repo/mukul975-anthropic-cybersecurity-skills-cybersecurity-skills

Popularity

Stars

Forks

Invocation

How this skill is triggered — by the user, by Claude, or both

Slash command

/cybersecurity-skills:analyzing-api-gateway-access-logs

User invocable

Model invocable

Inline context

Default effort

Context Preview

The summary Claude sees in its skill listing — used to decide when to auto-load this skill

- When investigating security incidents that require analyzing api gateway access logs

Supporting Files

LICENSEreferences/api-reference.mdscripts/agent.py

SKILL.md

82 lines · ~581 tokens

Similar Skills

healthcare-eval-harness

209.3k

Runs automated patient safety test suites for healthcare deployments, blocking on CRITICAL failures in CDSS accuracy, PHI exposure, and data integrity.

ecc

Stats

LanguagePython

Stars5

Forks3

MaintenanceGood

Last CommitJun 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Stats

Actions

Help us improve

Share bugs, ideas, or general feedback.

Analyzing API Gateway Access Logs

When to Use

When investigating security incidents that require analyzing api gateway access logs

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Parse API gateway access logs to identify attack patterns including broken object level authorization (BOLA), excessive data exposure, and injection attempts.

import pandas as pd df = pd.read_json("api_gateway_logs.json", lines=True) # Detect BOLA: same user accessing many different resource IDs bola = df.groupby(["user_id", "endpoint"]).agg( unique_ids=("resource_id", "nunique")).reset_index() suspicious = bola[bola["unique_ids"] > 50]

Key detection patterns:

BOLA/IDOR: sequential resource ID enumeration

Rate limit bypass via header manipulation

Credential scanning (401 surges from single source)

SQL/NoSQL injection in query parameters

Unusual HTTP methods (DELETE, PATCH) on read-only endpoints

Examples

# Detect 401 surges indicating credential scanning auth_failures = df[df["status_code"] == 401] scanner_ips = auth_failures.groupby("source_ip").size() scanners = scanner_ips[scanner_ips > 100]