ClaudeWave
Skill · 15.5k repo stars · updated 11d ago

analyzing-api-gateway-access-logs

This skill provides procedures and Python code to parse API Gateway access logs from AWS, Kong, and Nginx platforms to identify security threats including broken object-level authorization (BOLA), injection attacks, credential scanning, and rate limit bypass attempts. Use it during security incident investigations when analyzing gateway logs or when building threat detection rules for API security monitoring.

Install in Claude Code
git clone --depth 1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills /tmp/analyzing-api-gateway-access-logs && cp -r /tmp/analyzing-api-gateway-access-logs/skills/analyzing-api-gateway-access-logs ~/.claude/skills/analyzing-api-gateway-access-logs
Then start a new Claude Code session; the skill loads automatically.

SKILL.md

# Analyzing API Gateway Access Logs


## When to Use

- When investigating security incidents that require analyzing API gateway access logs
- When building detection rules or threat hunting queries for API gateway traffic
- When SOC analysts need a structured procedure for this type of log analysis
- When validating security monitoring coverage for the attack techniques listed under Key detection patterns

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

Parse API gateway access logs to identify attack patterns including broken object-level
authorization (BOLA), excessive data exposure, and injection attempts.

```python
import pandas as pd

df = pd.read_json("api_gateway_logs.json", lines=True)
# Detect BOLA: same user accessing many different resource IDs
bola = df.groupby(["user_id", "endpoint"]).agg(
    unique_ids=("resource_id", "nunique")).reset_index()
suspicious = bola[bola["unique_ids"] > 50]
```

Key detection patterns:
1. BOLA/IDOR: one caller walking many distinct resource IDs on the same endpoint, typically in sequence
2. Rate limit bypass via header manipulation (e.g. rotating X-Forwarded-For or similar client-identity headers so per-client limits key on a spoofed address)
3. Credential scanning (401 surges from a single source against authentication endpoints)
4. SQL/NoSQL injection payloads in query parameters
5. Unusual HTTP methods (DELETE, PATCH, PUT) on endpoints that should only serve reads

## Examples

```python
import pandas as pd

df = pd.read_json("api_gateway_logs.json", lines=True)
# Detect 401 surges indicating credential scanning: count 401 responses per source IP
auth_failures = df[df["status_code"] == 401]
scanner_ips = auth_failures.groupby("source_ip").size()
scanners = scanner_ips[scanner_ips > 100]  # threshold; tune to the API's normal failure rate
```
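The following script brings the five detection patterns from Instructions and the credential-scanning snippet above together in one runnable, dependency-free program. It is an added example, not the skill's own code. It uses only the standard library (no pandas) so it runs offline. The Nginx combined-format regex, the Kong file-log field names and the AWS JSON key names (ip, httpMethod, path, status, user, xff) are assumptions about each platform's log layout, the READ_ONLY set and all thresholds are illustrative, and the SAMPLE lines are constructed, not captured traffic.

```python
"""Normalize Nginx / Kong / AWS API Gateway access logs, then run the five detections."""
import json
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
NGINX_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: xff="(?P<xff>[^"]*)")?')
# Crude SQL / NoSQL injection markers for query-string values; tune to your API
SQLI_RE = re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=|--\s|\$ne\b|\$gt\b|\$where\b)")
READ_ONLY = {"/api/v1/reports/{id}"}  # illustrative: endpoint templates that should only see GET

def parse_line(line):
    """Return {ip, user, method, path, status, xff} for one Nginx, Kong or AWS log line."""
    line = line.strip()
    if not line.startswith("{"):
        m = NGINX_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["user"] = None if rec["user"] == "-" else rec["user"]
        return rec
    obj = json.loads(line)
    if "request" in obj:  # Kong file-log record (field names assumed from Kong's layout)
        req = obj["request"]
        return {"ip": obj["client_ip"], "method": req["method"], "path": req["uri"],
                "status": obj["response"]["status"],
                "user": (obj.get("authenticated_entity") or {}).get("consumer_id"),
                "xff": req.get("headers", {}).get("x-forwarded-for")}
    # AWS API Gateway JSON access log; key names are an ASSUMED mapping of $context.* variables
    return {"ip": obj["ip"], "method": obj["httpMethod"], "path": obj["path"],
            "status": int(obj["status"]), "user": obj.get("user"), "xff": obj.get("xff")}

def template(path):
    """Split a request path into (endpoint template, [numeric ids], query string)."""
    parts = urlsplit(path)
    segs, ids = [], []
    for seg in parts.path.split("/"):
        if seg.isdigit():
            ids.append(int(seg))
            segs.append("{id}")
        else:
            segs.append(seg)
    return "/".join(segs), ids, parts.query

def detect(lines, bola_min=5, scan_min=5, xff_min=3):
    """Run all five detections over raw log lines; thresholds are lowered for the sample."""
    ids_seen = defaultdict(set)  # (user, endpoint template) -> resource ids touched
    auth_fail = Counter()        # source ip -> number of 401 responses
    xff_vals = defaultdict(set)  # source ip -> distinct X-Forwarded-For values it sent
    findings = {"bola": [], "cred_scan": {}, "injection": [], "rl_bypass": {}, "bad_method": []}
    for r in (parse_line(l) for l in lines):
        ep, ids, query = template(r["path"])
        ids_seen[(r["user"], ep)].update(ids)
        if r["status"] == 401:
            auth_fail[r["ip"]] += 1
        if r.get("xff"):
            xff_vals[r["ip"]].add(r["xff"])
        for k, v in parse_qsl(query, keep_blank_values=True):
            if SQLI_RE.search(v):
                findings["injection"].append((r["ip"], ep, k, v))
        if ep in READ_ONLY and r["method"] != "GET":
            findings["bad_method"].append((r["ip"], r["method"], ep))
    for (user, ep), s in ids_seen.items():
        if len(s) >= bola_min:  # many distinct ids; a contiguous run is classic enumeration
            ordered = sorted(s)
            sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
            findings["bola"].append({"user": user, "endpoint": ep,
                                     "unique_ids": len(s), "sequential": sequential})
    findings["cred_scan"] = {ip: n for ip, n in auth_fail.items() if n >= scan_min}
    findings["rl_bypass"] = {ip: len(v) for ip, v in xff_vals.items() if len(v) >= xff_min}
    return findings

# Constructed sample lines (synthetic, not captured traffic), one scenario per pattern.
SAMPLE = [
    # Nginx: alice walks /api/v1/orders/100..105 -> sequential id enumeration (BOLA)
    *[f'10.0.0.5 - alice [10/Oct/2024:13:55:{i:02d} +0000] "GET /api/v1/orders/{100 + i} '
      f'HTTP/1.1" 200 512 "-" "curl/8.0"' for i in range(6)],
    # Kong: anonymous client sends a SQL injection probe in a query parameter
    json.dumps({"client_ip": "203.0.113.9", "response": {"status": 200},
                "request": {"method": "GET", "uri": "/api/v1/items?q=' OR 1=1--", "headers": {}}}),
    # AWS (assumed layout): five 401s from one ip, each with a fresh X-Forwarded-For value
    *[json.dumps({"ip": "198.51.100.7", "httpMethod": "POST", "path": "/api/v1/login",
                  "status": 401, "xff": f"192.0.2.{n}"}) for n in range(1, 6)],
    # Nginx: DELETE against an endpoint that should be read-only
    '10.0.0.8 - bob [10/Oct/2024:13:56:00 +0000] "DELETE /api/v1/reports/42 HTTP/1.1" 204 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE), indent=2))
```

Two design points worth carrying into a real detection: the BOLA check records whether the distinct IDs form a contiguous run, which separates an enumeration script from a legitimate bulk client that touches many unrelated IDs, and the rate-limit-bypass check keys on the connecting address rather than on X-Forwarded-For, because the spoofed header is exactly what the attacker controls. Production thresholds (the pandas snippets above use 50 distinct IDs and 100 failures) should be set from a baseline of the API's normal traffic, not from the toy values here.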