The Baselining ML model in the Cequence Unified API Protection (UAP) platform enables the automatic detection of risks and threats without additional configuration. The model runs continuously, detecting newly discovered hosts and endpoints. The model automatically creates data extractions, auth expressions, and rules used to detect risks and threats without further involvement.
The Baselining ML model uses the OWASP CRAPI application as the reference implementation. The model detects the various risks and threats demonstrated in the CRAPI sample use cases without requiring any additional configuration.
The baselining period for the model takes between one and seven days for newly onboarded applications.
What the Baselining ML model can do
ML baselining in the Cequence UAP platform automates complex security configurations that would otherwise require extensive manual setup and ongoing maintenance.
Problem: Manual User and Session Tracking Setup
What you face today: You need to manually identify which API headers contain usernames and session IDs, then configure data extraction rules for each one. This is time-consuming and error-prone across different APIs.
How baselining solves it: The ML model automatically scans your API traffic and identifies username and session ID parameters in request and response payloads. It then configures the data extraction rules without any manual intervention.
What this means for you: No more guessing which headers matter or spending hours setting up extraction rules. The system learns your API patterns and configures itself.
Problem: Complex Authentication Expression Setup
What you face today: Setting up authentication expressions requires deep technical knowledge and manual configuration for each API endpoint.
How baselining solves it: The system leverages proven functionality from the CQ Prime team to automatically generate authentication expressions based on your actual API traffic patterns.
What this means for you: Authentication monitoring starts working immediately without requiring specialized configuration expertise.
Problem: Advanced Threat Detection Requires Expert Configuration
What you face today: Creating effective data extractions, aggregates, and pivots for threat detection requires security expertise and deep knowledge of your API structure.
How baselining solves it: The ML model identifies important parameter patterns automatically and configures advanced threat detection features including aggregates and programmable pivots.
What this means for you: You get enterprise-grade threat detection without needing a team of security experts to configure it.
Problem: Enumeration Attack Detection Needs Custom Rules
What you face today: Detecting enumeration attacks (like attackers systematically testing user accounts or API endpoints) requires creating custom detection rules for different attack vectors.
How baselining solves it: The system automatically generates custom rules that detect enumeration attempts based on:
- IP address patterns
- Username testing patterns
- Device fingerprint analysis
- Session behavior analysis
What this means for you: Enumeration attacks get caught automatically without you having to anticipate every possible attack pattern.
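As an added illustration (not Cequence's own rules or code), the Python below sketches one of the enumeration signals listed above: how many distinct usernames a single client IP, device fingerprint, or session tries against a login endpoint within a short time window. The log format, the login path, the sample lines, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (not real traffic), one API request per line:
# timestamp, client IP, device fingerprint, session id, method, path, username tried.
LOG_LINES = """\
2024-05-01T10:00:01Z 203.0.113.7 fp-a1 sess-1 POST /api/auth/login alice
2024-05-01T10:00:02Z 203.0.113.7 fp-a1 sess-1 POST /api/auth/login bob
2024-05-01T10:00:03Z 203.0.113.7 fp-a1 sess-1 POST /api/auth/login carol
2024-05-01T10:00:04Z 203.0.113.7 fp-a1 sess-1 POST /api/auth/login dave
2024-05-01T10:00:05Z 203.0.113.7 fp-a1 sess-1 POST /api/auth/login erin
2024-05-01T10:00:09Z 198.51.100.5 fp-b2 sess-2 POST /api/auth/login alice
2024-05-01T10:01:30Z 198.51.100.5 fp-b2 sess-2 POST /api/auth/login alice
2024-05-01T10:20:00Z 192.0.2.9 fp-c3 sess-3 GET /api/profile frank
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<fp>\S+) (?P<sess>\S+) "
                     r"(?P<method>\S+) (?P<path>\S+) (?P<user>\S+)$")
LOGIN_PATH = "/api/auth/login"  # assumed endpoint name

def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_enumeration(lines, window=timedelta(minutes=5), threshold=4):
    """Return (pivot_kind, pivot_value, distinct_users) alerts.

    For each pivot (client IP, device fingerprint, session id) keep the login
    attempts inside the trailing window and alert once when the number of
    distinct usernames tried reaches `threshold`.
    """
    history = defaultdict(list)  # (kind, value) -> [(ts, username), ...]
    alerted, alerts = set(), []
    for rec in filter(None, map(parse, lines)):
        if rec["path"] != LOGIN_PATH:
            continue
        for kind in ("ip", "fp", "sess"):
            key = (kind, rec[kind])
            hist = history[key]
            hist.append((rec["ts"], rec["user"]))
            while hist and rec["ts"] - hist[0][0] > window:  # expire old attempts
                hist.pop(0)
            distinct = {u for _, u in hist}
            if len(distinct) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((kind, rec[kind], len(distinct)))
    return alerts
```

Running it over the sample flags the first client on all three pivots after its fourth distinct username, while the client retrying a single username and the profile request are left alone.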
Problem: Confidence Score Tuning Is Complex and Host-Specific
What you face today: Each API host (like api.host.com) behaves differently, requiring manual tuning of confidence score thresholds to avoid false positives while catching real threats.
How baselining solves it: The ML model learns normal confidence score ranges for each host individually, similar to how fingerprint learning works, and automatically establishes appropriate baselines.
What this means for you: No more manual threshold tuning or dealing with alert fatigue from poorly configured confidence scores. Each host gets optimized settings automatically.
Performing a Baselining ML run
- Log in to the Cequence UAP platform.
- Navigate to Threat Protection > Machine Learning Models. The list of ML models appears. Models you can manually run are tagged User Executable.
- Click Baselining. A list of former runs of this model appears.
- In the top right corner, click Run. The configuration dialog box appears.
- Type start and end timestamps in the Time Range field. Hover on the chart to see details about the traffic at a given time.
- Choose whether or not to set the Dry Run toggle. Dry runs don't affect production data.
- Click Run. The ML model baselines using the time window you specified.
Advanced settings for runs
To use advanced settings for a Baselining ML model run, click Advanced Settings in the run configuration dialog box.
- When the Pivot Data Extractions toggle is active, the run only creates data extractions that qualify as custom pivot variables.
- When the Parameterized Path Extraction toggle is active, the run creates all parameter paths as pivots.
- The Threshold Breach Rule Limit setting affects Threat Entity and Behavior Analysis (TEBA). Raising this limit increases the granularity of the analysis as well as the performance requirements.
- Specify the names of the fields this run extracts data from in Field Names to Extract.
- The Host Include and Host Exclude fields contain comma-separated lists of hosts to include or exclude from baselining analysis.
- The URI Include and URI Exclude fields contain comma-separated lists of URIs to include or exclude from baselining analysis.
The Baselining ML model also has advanced deletion options.
- When you specify fields in Data Extraction Fields to Delete, the run deletes aggregate pivots, unique value counters, rules, and policies associated with the specified fields.
- When you specify aggregate pivots in Aggregate Pivots to Delete, the run deletes those aggregate pivots.
- When you specify unique value counters in Unique Value Counters to Delete, the run deletes those unique value counters.
- When you specify counter keys in Counter Keys to Delete, the run deletes the unique value counters that use those keys.