Enable or disable attack IDs
You can enable or disable one or more attack types using the ABS attackstatus REST API with the PUT method. The AI engine keeps updating the thresholds in the background, even when you disable an attack ID. Calculating the thresholds in the background allows ABS to report attacks if you enable an attack ID in the future.
If you disable an attack ID while the AI engine is processing the log data, ABS may still report attacks for a few minutes. The attack IDs are disabled when the next batch of access log files is processed. When you enable an attack ID from the disabled state, ABS takes a few minutes to report the API attacks.
URL: /v4/abs/attackstatus
Method: PUT
The following attack IDs cannot be disabled from ABS as these are real-time attacks reported by ASE:
- Attack ID 13: API DDoS Attack Type 2
- Attack ID 100: Decoy Attack. This attack ID can be disabled from ASE.
- Attack ID 101: Invalid API Activity. This attack ID can be disabled from ASE.
To enable or disable an attack ID, you should:
- Use the attackstatus REST API with the GET method to fetch the current status of an attack ID.
- Use the attackstatus REST API with the PUT method to enable or disable the attack IDs.
Fetch the attack ID status: Run the attackstatus REST API with the GET method to fetch the current state of all the attack IDs. The output is divided into two sections, enabled and disabled, along with the time when an attack ID was enabled or disabled. The following is a snippet of the response:
"attack_status": {
  "enabled": [
    {
      "attack_id": 1,
      "attack_name": "Data Exfiltration Attack Type 1",
      "enabled_time": "Thu Aug 22 12:56:39:158 2019"
    },
    {
      "attack_id": 2,
      "attack_name": "Single Client Login Attack Type 1",
      "enabled_time": "Thu Aug 22 12:56:39:158 2019"
    },
    {
      "attack_id": 4,
      "attack_name": "Stolen Token Attack Type 1",
      "enabled_time": "Thu Aug 22 12:56:39:158 2019"
    }
  ],
  "disabled": [
    {
      "attack_id": 3,
      "attack_name": "Data Exfiltration Attack Type 1",
      "disabled_time": "Thu Aug 22 12:56:39:158 2019"
    },
    {
      "attack_id": 5,
      "attack_name": "Single Client Login Attack Type 1",
      "disabled_time": "Thu Aug 22 12:56:39:158 2019"
    }
  ]
}
Attack IDs 13, 100, and 101 are always displayed as enabled in the response.
Disable or enable attack IDs: To disable or enable an attack ID, use the PUT method with the attackstatus REST API and provide the attack_id and action. The action can be enable or disable. The following is a sample body of the PUT request:
{
  "attacks": [
    {
      "attack_id": "1",
      "action": "disable"
    },
    {
      "attack_id": "2",
      "action": "enable"
    },
    {
      "attack_id": "13",
      "action": "disable"
    },
    {
      "attack_id": "100",
      "action": "disable"
    },
    {
      "attack_id": "101",
      "action": "disable"
    }
  ]
}
The following is a sample response:
{
  "attack_status": [
    {
      "attack_id": "1",
      "attack_name": "Data Exfiltration Attack Type 1",
      "status": "Attack ID disabled successfully"
    },
    {
      "attack_id": "2",
      "attack_name": "Single Client Login Attack Type 1",
      "status": "Attack ID is already enabled"
    },
    {
      "attack_id": "13",
      "attack_name": "API DDoS Attack Type 2",
      "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
    },
    {
      "attack_id": "100",
      "attack_name": "Decoy Attack",
      "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
    },
    {
      "attack_id": "101",
      "attack_name": "Invalid API Activity",
      "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
    }
  ]
}
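The two-step procedure above (GET the current status, then PUT the changes), as an added Python example that is not code from the PingIntelligence documentation: it drops no-op changes and disable requests for attack IDs 13, 100 and 101 before building the PUT body, and picks out refused changes from the PUT response. The function names, the outer braces around the GET snippet and the sample data are assumptions; no HTTP call is made.

```python
import json

# IDs the page lists as real-time attacks reported by ASE; ABS will not disable them.
ASE_ONLY_IDS = {13, 100, 101}

def plan_put_body(get_response, desired):
    """Build the PUT body from the GET output and a {attack_id: action} map.

    Skips no-op changes and disable requests for ASE-only IDs.
    Returns (body, skipped), where skipped maps attack_id -> reason.
    """
    status = get_response["attack_status"]
    enabled = {int(a["attack_id"]) for a in status["enabled"]}
    disabled = {int(a["attack_id"]) for a in status["disabled"]}
    attacks, skipped = [], {}
    for attack_id, action in sorted(desired.items()):
        if action not in ("enable", "disable"):
            raise ValueError(f"unknown action {action!r} for attack ID {attack_id}")
        if action == "disable" and attack_id in ASE_ONLY_IDS:
            skipped[attack_id] = "cannot be disabled from ABS"
        elif attack_id in (enabled if action == "enable" else disabled):
            skipped[attack_id] = f"already {action}d"
        else:
            attacks.append({"attack_id": str(attack_id), "action": action})
    return {"attacks": attacks}, skipped

def refused(put_response):
    """Return attack IDs whose PUT status says the change was refused."""
    return [int(a["attack_id"]) for a in put_response["attack_status"]
            if "cannot be" in a["status"]]

# Constructed sample data, shaped like the GET and PUT responses on this page.
SAMPLE_GET = json.loads("""{"attack_status": {
  "enabled": [{"attack_id": 1, "attack_name": "Data Exfiltration Attack Type 1"},
              {"attack_id": 2, "attack_name": "Single Client Login Attack Type 1"},
              {"attack_id": 13, "attack_name": "API DDoS Attack Type 2"}],
  "disabled": [{"attack_id": 3, "attack_name": "Data Exfiltration Attack Type 1"}]}}""")
SAMPLE_PUT = {"attack_status": [
    {"attack_id": "1", "status": "Attack ID disabled successfully"},
    {"attack_id": "13", "status": "Attack ID cannot be disabled. For more information, "
                                  "refer to PingIntelligence documentation."}]}

if __name__ == "__main__":
    wanted = {1: "disable", 2: "enable", 3: "enable", 13: "disable"}
    body, skipped = plan_put_body(SAMPLE_GET, wanted)
    print(json.dumps(body, indent=2))
    print("skipped:", skipped)
    print("refused by ABS:", refused(SAMPLE_PUT))
```

Because the GET response always shows attack IDs 13, 100 and 101 as enabled, the planner relies on the fixed list rather than on the fetched status for those IDs.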