---
title: API forensics reporting
description: ABS AI Engine provides in-depth information on the activities performed by a client including accessed URLs, methods, attacks, etc. The forensic report provides detailed information on the activity from an individual Token, IP address, Cookie, API key, or Username.
component: pingintelligence
version: 5.1
page_id: pingintelligence:abs_ai_engine:pingintelligence_api_forensics_reporting
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/abs_ai_engine/pingintelligence_api_forensics_reporting.html
revdate: March 25, 2024
section_ids:
  forensics-on-oauth2-token: Forensics on OAuth2 token
  forensics-on-an-ip-address: Forensics on an IP address
  forensics-on-a-cookie: Forensics on a cookie
  forensics-on-api-key: Forensics on API Key
  username-forensics: Username Forensics
---

# API forensics reporting

ABS AI Engine provides in-depth information on the activities performed by a client, including accessed URLs, methods, and attacks. The forensic report provides detailed information on the activity from an individual token, IP address, cookie, API key, or username.

**Note:** If ASE is deployed in sideband mode, the `server` field in the output shows the IP address as `0.0.0.0`. For ASE deployed in inline mode, the `server` field shows the IP address of the backend API server. For more information on ASE sideband mode, see the ASE Admin Guide.

## Forensics on OAuth2 token

The OAuth2 token forensics report shows all activity associated with the specified token over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.

```json
{
    "company": "ping identity",
    "name": "api_abs_token",
    "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified token across all APIs.",
    "earlier_date": "Tue Feb 13 18:00:00:000 2018",
    "later_date": "Sun Feb 18 18:00:00:000 2018",
    "summary": {
        "total_requests": 6556,
        "total_attacks": 2,
        "total_anomalies": 0
    },
    "details": {
        "metrics": {
            "token": "token1",
            "total_requests": 6556,
            "ip_list": [
                {
                    "ip": "127.0.0.1",
                    "total_requests": 6556,
                    "devices": {
                        "UNKNOWN": 6556
                    },
                    "methods": {
                        "DELETE": 472,
                        "POST": 140,
                        "GET": 1944,
                        "PUT": 4000
                    },
                    "urls": {
                        "/atm_app_oauth/delete200": 218,
                        "/atm_app_oauth/get200": 850,
                        "/atm_app_oauth/post400": 8,
                        "/atm_app_oauth/post200": 62,
                        "/atm_app_oauth/put400": 62,
                        "/atm_app_oauth/get400": 122,
                        "/atm_app_oauth/put200": 1938,
                        "/atm_app_oauth/delete400": 18,
                        "/2_atm_app_oauth/put200": 1938,
                        "/2_atm_app_oauth/post200": 62,
                        "/2_atm_app_oauth/delete200": 218,
                        "/2_atm_app_oauth/delete400": 18,
                        "/2_atm_app_oauth/put400": 62,
                        "/2_atm_app_oauth/post400": 8,
                        "/2_atm_app_oauth/get400": 122,
                        "/2_atm_app_oauth/get200": 850
                    },
                    "apis": {
                        "atm_app_oauth": 3278,
                        "2_atm_app_oauth": 3278
                    }
                }
            ]
        },
        "attack_types": {
            "API Memory Attack Type 1": [
                "atm_app_oauth",
                "2_atm_app_oauth"
            ],
            "Data Poisoning Attack": [
                "atm_app_oauth",
                "2_atm_app_oauth"
            ]
        },
        "anomaly_types": {}
    }
}
```

## Forensics on an IP address

The IP Forensics report shows all activity associated with the specified IP address over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.

```json
{
    "company": "ping identity",
    "name": "api_abs_ip",
    "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified ip across all APIs.",
    "earlier_date": "Tue Feb 13 18:00:00:000 2018",
    "later_date": "Sun Feb 18 18:00:00:000 2018",
    "summary": {
        "total_requests": 8192,
        "total_attacks": 2,
        "total_anomalies": 1
    },
    "details": {
        "metrics": {
            "no_session": [
                {
                    "start_time": "Thu Feb 15 14:04:17:959 2018",
                    "end_time": "Thu Feb 15 14:05:59:263 2018",
                    "total_requests": 4096,
                    "source_ip": "4.1.1.1",
                    "path": "/atm_app_private/get200",
                    "methods": [
                        "GET"
                    ]
                },
                {
                    "start_time": "Thu Feb 15 14:14:00:724 2018",
                    "end_time": "Thu Feb 15 14:14:47:999 2018",
                    "total_requests": 4096,
                    "source_ip": "4.1.1.1",
                    "path": "/2_atm_app_private/get200",
                    "methods": [
                        "GET"
                    ]
                }
            ],
            "session": []
        },
        "attack_types": {
            "Data Exfiltration Attack": [
                "2_atm_app_private",
                "atm_app_private"
            ],
            "Extreme App Activity Attack": [
                "2_atm_app_private",
                "atm_app_private"
            ]
        },
        "anomaly_types": {
            "Extreme Client Activity Anomaly": [
                "2_atm_app_private"
            ]
        }
    }
}
```

## Forensics on a cookie

The Cookie Forensics report includes all activity associated with the specified cookie over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.

```json
{
    "company": "ping identity",
    "name": "api_abs_cookie",
    "description": "This report contains a summary and detailed information on all attacks, metrics, and anomalies for the specified cookie on the defined API.",
    "earlier_date": "Thu Jan 25 18:00:00:000 2018",
    "later_date": "Fri Dec 28 18:00:00:000 2018",
    "api_name": "atm_app_public",
    "summary": {
        "total_anomalies": 0,
        "total_requests": 1,
        "total_ioc": 2
    },
    "details": {
        "ioc_types": [
            "data_poisoning_attack",
            "api_memory_attack_type_1"
        ],
        "metrics": [
            {
                "session_id": "session_datapoisoining",
                "start_time": "Mon Jan 29 15:51:23:408 2018",
                "end_time": "Mon Jan 29 15:51:23:408 2018",
                "total_requests": 1,
                "source_ip": [
                    {
                        "ip": "127.0.0.1",
                        "count": 1,
                        "method": [
                            "PUT"
                        ]
                    }
                ],
                "user_agent": [
                    {
                        "user_agent": "DOWNLOAD",
                        "count": 1
                    }
                ],
                "path_info": [
                    {
                        "path": "/atm_app_public/put200",
                        "count": 1
                    }
                ],
                "device": [
                    {
                        "device": "UNKNOWN",
                        "count": 1
                    }
                ],
                "server": [
                    {
                        "server": "127.0.0.1:3000",
                        "count": 1
                    }
                ]
            }
        ],
        "anomalies": []
    }
}
```

## Forensics on API Key

The API Key Forensics report includes all activity associated with the specified API key over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.

```json
{
    "company": "ping identity",
    "name": "api_abs_api_key",
    "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified api key across all APIs.",
    "earlier_date": "Sat Jan 12 13:30:00:000 2019",
    "later_date": "Tue Dec 31 18:00:00:000 2019",
    "summary": {
        "total_requests": 2621,
        "total_attacks": 1,
        "total_anomalies": 1
    },
    "details": {
        "metrics": {
            "api_key": "finite_api_key",
            "total_requests": 2621,
            "ip_list": [
                {
                    "ip": "192.168.2.2",
                    "total_requests": 457,
                    "devices": {
                        "UNKNOWN": 457
                    },
                    "methods": {
                        "GET": 457
                    },
                    "urls": {
                        "/atm_app/getzipcode": 457
                    },
                    "apis": {
                        "atm_app": 457
                    }
                }
            ]
        },
        "attack_types": {
            "Stolen API Key Attack- Per API Key": [
                "all"
            ]
        },
        "anomaly_types": {
            "Stolen API Key Attack- Per API Key": [
                "all"
            ]
        }
    }
}
```

## Username Forensics

The Username Forensics report includes all activity associated with the specified username over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.

```json
{
    "company": "ping identity",
    "name": "api_abs_username",
    "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified user name across all APIs.",
    "earlier_date": "Sat Jan 12 13:30:00:000 2019",
    "later_date": "Tue Dec 31 18:00:00:000 2019",
    "summary": {
        "total_requests": 109965,
        "total_attacks": 0,
        "total_anomalies": 0
    },
    "details": {
        "metrics": {
            "username": "t4",
            "tokens": [
                "t4MFBkEe",
                "t4GpEkUS",
                "t4ZxUOjb",
                "t4QEvJKT"
            ],
            "total_requests": 109965,
            "ip_list": [
                {
                    "ip": "127.0.0.28",
                    "total_requests": 54983,
                    "devices": {
                        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36": 54983
                    },
                    "methods": {
                        "POST": 54983
                    },
                    "urls": {
                        "/atm_app_oauth": 54983
                    },
                    "apis": {
                        "atm_app_oauth": 54983
                    }
                }
            ]
        },
        "attack_types": {},
        "anomaly_types": {}
    }
}
```
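
A triage helper for the report shapes shown on this page, as an added example that is not part of the product or its documentation: it normalizes the three `metrics` layouts (`ip_list`, `session`/`no_session`, and the cookie report's session list) into per-IP request counts and lists the attack names and targeted APIs. The function names and the trimmed sample are constructed for illustration; the field names and timestamp layout are taken from the sample reports above.

```python
import json
from collections import Counter
from datetime import datetime

# Timestamp layout used in the sample reports, e.g. "Tue Feb 13 18:00:00:000 2018"
TS_FORMAT = "%a %b %d %H:%M:%S:%f %Y"

def requests_by_ip(metrics):
    """Normalize the three `metrics` shapes shown on this page into {ip: requests}."""
    counts = Counter()
    if isinstance(metrics, list):                      # cookie report: list of sessions
        for session in metrics:
            for src in session.get("source_ip", []):
                counts[src["ip"]] += src["count"]
    elif "ip_list" in metrics:                         # token / API key / username report
        for entry in metrics["ip_list"]:
            counts[entry["ip"]] += entry["total_requests"]
    else:                                              # IP report: session / no_session windows
        for window in metrics.get("session", []) + metrics.get("no_session", []):
            counts[window["source_ip"]] += window["total_requests"]
    return dict(counts)

def triage(report):
    """Reduce one report to the fields checked first (cookie reports use ioc_types)."""
    details = report["details"]
    attacks = details.get("attack_types") or {}
    start = datetime.strptime(report["earlier_date"], TS_FORMAT)
    end = datetime.strptime(report["later_date"], TS_FORMAT)
    return {
        "report": report["name"],
        "window_hours": (end - start).total_seconds() / 3600,
        "requests_by_ip": requests_by_ip(details["metrics"]),
        "attacks": sorted(attacks) or sorted(details.get("ioc_types", [])),
        "attacked_apis": sorted({api for apis in attacks.values() for api in apis}),
    }

# Constructed sample: the IP report from this page, trimmed to one request window.
SAMPLE = json.loads("""{
  "name": "api_abs_ip",
  "earlier_date": "Tue Feb 13 18:00:00:000 2018",
  "later_date": "Sun Feb 18 18:00:00:000 2018",
  "details": {
    "metrics": {"no_session": [{"total_requests": 4096, "source_ip": "4.1.1.1"}], "session": []},
    "attack_types": {"Data Exfiltration Attack": ["2_atm_app_private", "atm_app_private"]}
  }
}""")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```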
