Excessive resource consumption of third-party APIs


Goal

Applications often rely on third-party services that are billed per request. Attackers can abuse this to drive up operational costs, or to cause a denial of service by exhausting the service quota. For this reason, it is useful to monitor client interactions with, and consumption of, these resources.

This rule aims to detect attempts by an attacker to abuse an endpoint that makes use of a known third-party API.

Strategy

Monitor APM traces of endpoints that call the following third-party APIs and gauge the usual number of requests performed:

  • api.openai.com
  • api.twilio.com
  • api.stripe.com
  • api.sendgrid.com
  • api.paylocity.com
  • api.github.com

If an IP is seen significantly exceeding the normal rate, a Medium-severity signal is generated.

Triage and response

  1. Investigate the expected usage profile of the endpoint under attack.
    • If the endpoint is expecting this kind of traffic or requests are coming from an internal IP, create a suppression query.
  2. Consider blocking the attacking IPs temporarily to prevent them from continuing their attack.
  3. Consider hardening the feature to make abuse more complicated (password/2FA check, rate limiting, captcha, and so on).