Suspicious activity

API access from suspicious source IP was detected

Risk Level

Informational (4)

Compliance Frameworks
  • GDPR
  • ,
  • ,
  • NIST 800-53

About APIs

An application programming interface (API) is a standard interface that enables two or more computers or applications to communicate. APIs enable companies to share their internal data with trusted third parties or partners. The premise of an API is to mask how the system works internally. This simplifies the way other users or applications interact with a system and secures system internals.

APIs establish a contract that must be followed by all users. Contract violation results in denial of access. For example, an API contract identifies input parameters a client must provide for data retrieval and how the output is to be formatted.

APIs are a staple of cloud architectures. They enable applications to seamlessly communicate with other applications and cloud services; e.g., you can create an AWS Lambda function using the CreateFunction API.

Since APIs can often be publicly invoked, it’s important to track who is invoking them. An API call detected from a suspicious IP address should be rejected and an alert immediately raised. Most cloud platforms provide ways to do this; Azure has its Activity Log, AWS provides CloudTrail, while Google Cloud provides Cloud Audit Logs.

Cloud Risk Description

API access from suspicious source IP addresses is a serious concern. Suspicion can be aroused based on (among other things): location/country of origin, high volume of login attempts from a particular IP, or a high volume of error responses to requests from the same IP.

Suspicious access should be flagged and prevented going forward. If a cybercriminal manages to gain unauthorized API access, they can retrieve sensitive data and potentially cause downtime.

How Orca Can Help

With Orca’s cloud detection and response capabilities, organizations can detect, investigate, and respond to malicious activity. Orca alerts on possible malicious intent versus normal behavior, automatically prioritizing events that endanger the company’s most critical assets. 

In this example, Orca has detected 12 GCP API calls from a malicious IP address, as seen in the screenshot above.


Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.