Attack Types Detected
Metlo identifies several categories of API attacks and anomalies:

- BOLA: Broken Object Level Authorization - users accessing objects they shouldn’t
- High Error Rate: Unusual spike in 4xx/5xx errors indicating scanning or exploitation attempts
- Sensitive Endpoint Abuse: Excessive requests to endpoints handling sensitive data
- Unauthenticated Access: Attempts to access protected resources without authentication
How Detection Works
Passive Traffic Analysis
Metlo analyzes API traffic in real time without requiring inline deployment:

- Traffic Collection: Receives mirrored or logged API requests
- Pattern Analysis: Compares against known attack signatures
- Behavioral Modeling: Builds a baseline of normal API usage
- Anomaly Detection: Flags deviations from expected patterns
Metlo’s passive approach means zero latency impact on your production API traffic. Detection happens asynchronously after requests are processed.
Attack Models
Metlo uses multiple detection strategies:

Signature-Based Detection
Identifies known malicious patterns:

- SQL injection attempts
- XSS payloads
- Path traversal sequences
- Authentication bypass attempts
Behavioral Analysis
Detects anomalies in API usage:

- Unusual request rates from a single source
- Access patterns that don’t match legitimate use cases
- Sequential object enumeration (BOLA detection)
- Time-based anomalies (off-hours access)
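The sequential object enumeration heuristic listed above (and described again under BOLA in the attack-specific section) can be illustrated with a small detector over constructed request records. This is an added example, not Metlo's own code: the record layout, the thresholds, the object-ID regex and the output field names are assumptions modelled on the Attack Details and Affected Resources fields in this document.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic, not Metlo data: (timestamp, source_ip, session_key, path, status).
# Session A walks user IDs 1001..1005 in order; session B only reads its own record.
SAMPLE_REQUESTS = [
    ("2024-05-01T10:00:00", "203.0.113.7", "sess-A", "/api/users/1001/orders", 200),
    ("2024-05-01T10:00:01", "203.0.113.7", "sess-A", "/api/users/1002/orders", 200),
    ("2024-05-01T10:00:02", "203.0.113.7", "sess-A", "/api/users/1003/orders", 403),
    ("2024-05-01T10:00:03", "203.0.113.7", "sess-A", "/api/users/1004/orders", 200),
    ("2024-05-01T10:00:04", "203.0.113.7", "sess-A", "/api/users/1005/orders", 200),
    ("2024-05-01T10:00:06", "198.51.100.4", "sess-B", "/api/users/2050/orders", 200),
]

ID_RE = re.compile(r"/(\d+)(?=/|$)")  # assumed: object IDs are numeric path segments


def endpoint_template(path):
    """Collapse numeric path segments: /api/users/1001/orders -> /api/users/{id}/orders."""
    return ID_RE.sub("/{id}", path)


def detect_bola(requests, min_objects=5, max_gap=3):
    """Flag sessions that read at least min_objects distinct IDs on one endpoint,
    where sorted IDs never jump by more than max_gap (sequential walking)."""
    by_session = defaultdict(list)
    for ts, ip, session, path, _status in requests:
        match = ID_RE.search(path)
        if match:
            by_session[(ip, session, endpoint_template(path))].append((ts, int(match.group(1)), path))

    attacks = []
    for (ip, session, endpoint), hits in by_session.items():
        ids = sorted({obj_id for _, obj_id, _ in hits})
        sequential = all(b - a <= max_gap for a, b in zip(ids, ids[1:]))
        if len(ids) < min_objects or not sequential:
            continue
        hits.sort()  # chronological, so start time and samples come from the first requests
        duration = datetime.fromisoformat(hits[-1][0]) - datetime.fromisoformat(hits[0][0])
        attacks.append({
            "attack_type": "BOLA",
            "risk_score": "High" if len(ids) >= 2 * min_objects else "Medium",
            "start_time": hits[0][0],
            "duration_seconds": duration.total_seconds(),
            "source_ip": ip,
            "session_key": session,
            "endpoint": endpoint,
            "request_count": len(hits),
            "sample_requests": [path for _, _, path in hits[:3]],
        })
    return attacks
```

A 403 in the middle of the walk does not stop the detection: the heuristic keys on how many distinct objects a session touches, not on whether each request succeeded.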
Statistical Models
Tracks metrics per endpoint:

- Error rate baselines
- Typical request volumes
- Common parameter values
- Expected authentication patterns
Attack Context
When an attack is detected, Metlo provides rich context:

Attack Details
- Attack Type: Category of the detected attack
- Risk Score: Severity assessment (Low, Medium, High)
- Start Time: When the attack began
- Duration: How long the attack persisted
- Source IP: Originating IP address
- Session Key: Unique identifier for tracking related requests
Affected Resources
- Endpoint: Which API endpoint was targeted
- Host: Affected service or host
- Request Count: Number of malicious requests
- Sample Requests: Example attack payloads
Viewing Attacks in the Dashboard
Attacks List
The main attacks page shows:

- Active Attacks: Ongoing attack activity
- Attack Timeline: Chronological view of all detected attacks
- Filter Options: By type, risk score, endpoint, or IP address
- Status Management: Mark attacks as resolved or snoozed
Attack Detail View
Click any attack to see:

- Full attack metadata and timeline
- Affected endpoint information
- Sample malicious requests with full context
- Remediation recommendations
- Option to block the attacker
Attack-Specific Detection
BOLA (Broken Object Level Authorization)
Detects when users access resources they shouldn’t.

Example scenario:

High Error Rate
Triggers when an endpoint experiences abnormal error rates.

Detection criteria:

- Error rate exceeds baseline by significant margin
- Multiple 4xx errors from same source (scanning)
- Sustained 5xx errors suggesting exploitation attempt

- Automated vulnerability scanning
- Brute force authentication attempts
- Exploitation of a vulnerability causing crashes
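The two error-rate criteria above (rate far above the endpoint's baseline, and many 4xx responses from a single source) can be checked with the per-endpoint statistics the Statistical Models section describes. This is an added example, not Metlo's own code: the baseline window values, the current-window records, the sigma and margin thresholds and the output fields are constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline (not Metlo data): error rate of one endpoint in eight past windows.
BASELINE_ERROR_RATES = [0.02, 0.03, 0.01, 0.02, 0.04, 0.02, 0.03, 0.02]

# Constructed current window for POST /api/login as (source_ip, status) pairs.
CURRENT_WINDOW = (
    [("203.0.113.9", 401)] * 40      # one source repeatedly failing authentication
    + [("198.51.100.4", 200)] * 50
    + [("198.51.100.5", 200)] * 8
    + [("198.51.100.6", 500)] * 2
)


def evaluate_error_rate(endpoint, baseline_rates, window, sigma=3.0, min_margin=0.05, per_source_4xx=20):
    """Compare one window against the endpoint's error-rate baseline.

    Flags when the window's error rate exceeds mean + sigma * stdev by at least
    min_margin (guards against tiny baselines), or when a single source alone
    produces per_source_4xx client errors. Returns None when nothing is abnormal.
    """
    total = len(window)
    errors = sum(1 for _, status in window if status >= 400)
    rate = errors / total if total else 0.0
    threshold = mean(baseline_rates) + sigma * pstdev(baseline_rates)
    client_errors = Counter(ip for ip, status in window if 400 <= status < 500)
    server_errors = sum(1 for _, status in window if status >= 500)
    noisy = [ip for ip, n in client_errors.items() if n >= per_source_4xx]

    reasons = []
    if rate > threshold and rate - mean(baseline_rates) >= min_margin:
        reasons.append(f"error rate {rate:.2f} exceeds baseline threshold {threshold:.2f}")
    if noisy:
        reasons.append(f"{max(client_errors.values())} 4xx responses from a single source")
    if not reasons:
        return None
    return {
        "attack_type": "High Error Rate",
        "endpoint": endpoint,
        "request_count": errors,
        "error_rate": round(rate, 3),
        "source_ip": noisy[0] if noisy else None,
        "risk_score": "High" if noisy or server_errors else "Medium",
        "reasons": reasons,
    }
```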
High Usage on Sensitive Endpoint
Flags excessive requests to endpoints handling PII.

Risk factors:

- Endpoint has High risk score (contains sensitive data)
- Request volume from single IP exceeds threshold
- Unusual access patterns for the time of day

- Data exfiltration attempts
- Credential stuffing
- Account takeover campaigns
Unauthenticated Access
Detects access attempts without proper authentication.

Triggers when:

- Endpoint typically requires auth but receives unauthenticated requests
- Missing or invalid authentication headers
- Expired or revoked tokens being reused
Managing Detected Attacks
Resolution Workflow
Snoozing Attacks
For attacks that require time to investigate:

- Snooze for a specified number of hours
- Attack is hidden from active list
- Automatically resurfaces after snooze period
- Can un-snooze at any time
Snoozing is useful for tracking attacks that are actively being investigated or waiting for a deployment window to fix.
Integration with Attack Blocking
Detected attacks can automatically feed into blocking:

- Manual Blocking: Review attack and manually add IP to block list
- Automated Blocking (Enterprise): Configure rules to auto-block based on attack patterns
Best Practices
Daily Review
Check for new attacks daily, especially high-risk detections
Tune Thresholds
Adjust detection sensitivity based on your traffic patterns to reduce false positives
Document Patterns
Track common attack patterns targeting your APIs to improve defenses
Correlate with Logs
Cross-reference Metlo attacks with application logs for full context
Ignored Detections
Reduce noise by configuring ignored detection rules.

Use cases:

- Internal security scanning tools
- Known partner integrations with high request rates
- Testing/staging environments
- Specific endpoints where high error rates are expected

- Define match criteria (IP, endpoint, attack type)
- Set ignore conditions
- Matching attacks won’t create alerts
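The match criteria above (IP, endpoint, attack type) are easy to get too broad: a rule that silences every detection from a scanner's address range will also hide a real BOLA coming from a compromised host in that range. The added example below (not Metlo's rule format; the rule shape, field names, addresses and hostnames are assumptions) evaluates narrow rules against attack records shaped like the Attack Details fields.

```python
import ipaddress

# Constructed ignore rules; the shape is assumed for this example, not Metlo's own format.
# Each rule may match on source CIDR, host, endpoint prefix and/or attack type.
# A field left out matches anything, so keep each rule as narrow as the noise it silences.
IGNORE_RULES = [
    {"name": "internal scanner", "cidr": "10.20.0.0/24", "attack_types": ["High Error Rate"]},
    {"name": "partner bulk sync", "cidr": "192.0.2.0/24", "endpoint_prefix": "/api/partner/",
     "attack_types": ["High Usage on Sensitive Endpoint"]},
    {"name": "staging", "host": "staging.example.com"},
]


def matching_rule(attack, rules=IGNORE_RULES):
    """Return the name of the first rule whose specified fields all match the attack, or None."""
    source = ipaddress.ip_address(attack["source_ip"])
    for rule in rules:
        if "cidr" in rule and source not in ipaddress.ip_network(rule["cidr"]):
            continue
        if "host" in rule and attack.get("host") != rule["host"]:
            continue
        if "endpoint_prefix" in rule and not attack["endpoint"].startswith(rule["endpoint_prefix"]):
            continue
        if "attack_types" in rule and attack["attack_type"] not in rule["attack_types"]:
            continue
        return rule["name"]
    return None


def should_alert(attack, rules=IGNORE_RULES):
    """An attack creates an alert unless an ignore rule matches it."""
    return matching_rule(attack, rules) is None
```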
Webhook Alerts
Get notified immediately when attacks are detected:

- Configure webhook endpoints for attack alerts
- Receive real-time notifications in Slack, PagerDuty, or custom systems
- Filter which attack types trigger webhooks
- Include full attack context in webhook payloads