Feature returning private information abused by IP


Goal

In normal operation, your application may return personally identifiable information (PII) to users.
Even where this is intended, an attacker may abuse the feature to leak that PII.

This rule aims to detect when an attacker is trying to leak PII from your application based on the volume of requests coming from a single IP.

Strategy

Correlate traces from routes known to return PII and gauge the usual number of requests performed by public IPs.

If an IP is seen significantly exceeding that normal rate, a Low signal is generated.
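As an added illustration of the strategy above (not Datadog's own detection code), the following Python baselines per-IP request volume to PII-returning routes over constructed trace records and emits a Low signal for the outlier; the record field names, the multiplier and the minimum-request floor are assumptions.

```python
from collections import Counter
from statistics import median

# Constructed sample traces: one record per request, with the PII field names
# tagged on the response (empty when the route returned no PII), loosely
# mirroring @api.security.fields.pii.res. IPs come from RFC 5737 documentation
# ranges; every value here is made up.
SAMPLE_TRACES = (
    [{"ip": f"198.51.100.{i}", "route": "GET /api/users/{id}", "pii_res": ["email"]}
     for i in range(1, 11) for _ in range(3)]          # 10 ordinary clients, 3 lookups each
    + [{"ip": f"198.51.100.{i}", "route": "GET /health", "pii_res": []}
       for i in range(1, 11)]                          # non-PII traffic is ignored
    + [{"ip": "203.0.113.7", "route": "GET /api/users/{id}", "pii_res": ["email", "phone"]}
       for _ in range(60)]                             # one client enumerating user records
)


def pii_requests_per_ip(traces):
    """Count requests per client IP, keeping only traces whose response carried PII."""
    return Counter(t["ip"] for t in traces if t["pii_res"])


def detect_pii_volume_anomalies(traces, multiplier=5.0, min_requests=20):
    """Flag IPs whose PII-route request volume far exceeds the typical client.

    The baseline is the median per-IP count, which the outlier itself barely
    moves. An IP is flagged only when it exceeds both `multiplier` x baseline and
    an absolute floor (`min_requests`), so a tiny baseline does not cause noise.
    Returns Low-severity signals, highest volume first.
    """
    counts = pii_requests_per_ip(traces)
    if not counts:
        return []
    baseline = median(counts.values())
    threshold = max(min_requests, multiplier * baseline)
    signals = [
        {"ip": ip, "requests": n, "baseline": baseline,
         "threshold": threshold, "severity": "Low"}
        for ip, n in counts.items() if n > threshold
    ]
    return sorted(signals, key=lambda s: s["requests"], reverse=True)


if __name__ == "__main__":
    for s in detect_pii_volume_anomalies(SAMPLE_TRACES):
        print(f"{s['ip']}: {s['requests']} PII requests (baseline {s['baseline']}, "
              f"threshold {s['threshold']}) -> {s['severity']} signal")
```

In production the baseline would be computed over a rolling window and per route, since a route returning PII to many legitimate clients has a different normal rate from a rarely used one.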

Triage and response

  1. Investigate the activity and validate that it is legitimate. You can review the PII identified by ASM in the trace field @api.security.fields.pii.res.
  2. Consider blocking the IP if the activity is suspicious.
  3. Consider hardening the feature to make abuse more complicated (password/2FA check, rate limiting, captcha, and so on).
  4. Depending on the severity of the leak, you may have to report the leak to the authorities or to the impacted users.