Skill

analyzing-api-gateway-access-logs

From asi

Parses AWS API Gateway, Kong, and Nginx access logs using pandas to detect BOLA/IDOR attacks, rate limit bypasses, credential scanning, and injection attempts. Useful for investigating API abuse and building threat detection rules.

Python

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require analyzing api gateway access logs

SKILL.md

Similar Skills

analyzing-api-gateway-access-logs

5.9k

Parses AWS API Gateway, Kong, and Nginx access logs using pandas to detect BOLA/IDOR attacks, rate limit bypass, credential scanning, and injection attempts.

3 files

cybersecurity-skills

analyzing-api-gateway-access-logs

Parses AWS API Gateway, Kong, and Nginx access logs using pandas to detect BOLA/IDOR attacks, rate limit bypasses, credential scanning, and injection attempts. Useful for investigating API abuse.

3 files

cybersecurity-skills-zh

analyzing-web-server-logs-for-intrusion

Parses Apache and Nginx access logs to detect SQL injection, LFI, directory traversal, web scanners, and brute-force attacks using regex on OWASP signatures, GeoIP enrichment, and request anomaly detection.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing API Gateway Access Logs

When to Use

When investigating security incidents that require analyzing api gateway access logs

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Parse API gateway access logs to identify attack patterns including broken object level authorization (BOLA), excessive data exposure, and injection attempts.

import pandas as pd df = pd.read_json("api_gateway_logs.json", lines=True) # Detect BOLA: same user accessing many different resource IDs bola = df.groupby(["user_id", "endpoint"]).agg( unique_ids=("resource_id", "nunique")).reset_index() suspicious = bola[bola["unique_ids"] > 50]

Key detection patterns:

BOLA/IDOR: sequential resource ID enumeration

Rate limit bypass via header manipulation

Credential scanning (401 surges from single source)

SQL/NoSQL injection in query parameters

Unusual HTTP methods (DELETE, PATCH) on read-only endpoints

Examples

# Detect 401 surges indicating credential scanning auth_failures = df[df["status_code"] == 401] scanner_ips = auth_failures.groupby("source_ip").size() scanners = scanner_ips[scanner_ips > 100]