--- title: ABS deny list reporting description: API Behavioral Security (ABS) provides attacklist REST application programming interface (API) to complete the following two operations: component: pingintelligence version: 5.2 page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_abs_blacklist_reporting canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_abs_blacklist_reporting.html revdate: April 3, 2024 section_ids: reporting-active-and-expired-client-identifiers: Reporting active and expired client identifiers about-this-task: About this task steps: Steps deleting-individual-client-identifiers: Deleting individual client identifiers about-this-task-2: About this task steps-2: Steps example: Example: using-the-bulk-delete-option-for-client-identifiers: Using the bulk delete option for client identifiers about-this-task-3: About this task steps-3: Steps example-2: Example: --- # ABS deny list reporting API Behavioral Security (ABS) provides `attacklist` REST application programming interface (API) *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)* to complete the following two operations: * List the various client identifiers (API Key, OAuth token, Username, Cookie, and Internet Protocol (IP) *(tooltip: \
\

The method by which data is sent across the internet from the source host to the destination host.\

\
)* address) which are related to probable attack * Delete the client identifiers which may be a cause of false positive ## Reporting active and expired client identifiers API Behavioral Security (ABS ) provides an `attacklist` REST API with GET method to list active attacks in the system, expired attacks, and consolidated (active and expired) attacks together. ### About this task The list of detected client identifiers depends on the [TTL set for the client identifiers](pingintelligence_ttl_client_identifiers_in_abs.html). The attack list reports the detected client identifiers (active or expired) for the queried period. The time-period is part of the API query parameter. `URL: /v4/abs/attacklist` ### Steps * To report active detected attacks, use the following REST API URL to report the active client identifiers: `/v4/abs/attacklist?earlier_date=<>&later_date=<>&status=active` The API lists the active client identifiers for a time-period between `earlier_date` and `later_date`. PingIntelligence ASE fetches the active client identifiers list from ABS for blocking the clients. * To report expired detected attacks, use the following REST API URL to report the expired client identifiers: `/v4/abs/attacklist?earlier_date=<>&later_date=<>&status=expired` The API lists the expired client identifiers for a time-period between `earlier_date` and `later_date`. The expiry of detected attacks in the system depends on the configured TTL. * To report consolidated (active and expired) detected attacks, use the following REST API URL to report the consolidated client identifiers attacks: `/v4/abs/attacklist?earlier_date=<>&later_date=<>` The API lists all the client identifiers for a time-period between `earlier_date` and `later_date`. ## Deleting individual client identifiers You can delete active client identifiers. ### About this task The API *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)* requires only the message body with a client identifier in their respective sections, to delete active client identifiers. The API checks if the client identifier is present in the blocklist or not before deleting. If you provide a client identifier which is not part of the blocklist, the API ignores such client identifiers. ### Steps * Use the attacklist API with PUT method to delete the client identifiers: * `URL: /v4/abs/attacklist` * `Method: PUT` | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can provide only specific section of a client identifier in the message body. For example, if you only want to delete specific usernames, then provide only the username section in the message body. Make sure that the `JavaScript Object Notation (JSON)` file is well-formed. | #### Example: The following is a sample message body for the attacklist API to delete client identifiers: ```json { "ips": [ "192.168.4.10", "10.10.10.73", "10.1.1.4", "10.9.8.7" ], "cookies": { "PHPSESSIONID": [ "Cookie1", "Cookie2" ], "JSESSIONID": [ "Cookie3", "AnyCookie", "Cookie4" }, "oauth_tokens": [ "Token1", "Token2", "Token3" ], "api_keys": [ "type2_api_key", "api_key_1", "api_key_2", ], "usernames": [ "username1", "username2", "username3", ] } ``` The following is a sample message body showing the client identifiers that were deleted: ```json { "message": "Success: The following attacks have been removed:", "date": "Thu Jun 09 03:39:12 UTC 2019", "attacklist": { "ips": [ "192.168.4.10", "10.10.10.73", "10.1.1.4", "10.9.8.7" ], "cookies": { "PHPSESSIONID": [ "Cookie1", "Cookie2" ], "JSESSIONID": [ "Cookie3", "AnyCookie", "Cookie4" ] }, "oauth_tokens": [ "Token1", "Token2", "Token3" ], "api_keys": [ "type2_api_key", "api_key_1", "api_key_2", ], "usernames": [ "username1", "username2", "username3", ] } } ``` ## Using the bulk delete option for client identifiers You can use the bulk delete option to clear large numbers of false positive client identifiers. ### About this task | | | | - | ---------------------------------------------------------------------------------- | | | You can also use the bulk delete option to clear the blocklist in case of a reset. | ### Steps 1. To bulk delete client identifiers, use the ABS attacklist REST API with the DELETE method: * `URL: /v4/abs/attacklist` * `Method: DELETE` 2. To bulk delete all the entries of a client identifier or all client identifiers, configure the body of the attacklist. #### Example: The following is an example of the API *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)* request: ```json { delete_all: false, delete_all_ips: true, delete_all_cookies: true, delete_all_oauth_tokens: false, delete_all_api_keys: true, delete_all_usernames: false, } ``` | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | In the sample request body, the attacklist API deletes all entries for IP *(tooltip: \
\

The method by which data is sent across the internet from the source host to the destination host.\

\
)*, cookies, and API keys. If, in the next time interval, the AI engine flags the same client identifiers, the blocklist is populated again. | 3. To permanently stop a false positive from being reported, tune the thresholds using the PingIntelligence Web GUI for the specific client identifier. The following table describes the options. | Option | Description | | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `delete_all` | This option overrides all the other configured options in the message body. If it is set to `true`, all the client identifiers are deleted irrespective of what their individual configuration is. Set it to `false`, if you want to exercise other options. | | `delete_all_ips` | Set it true to delete all the IP addresses across all attack types from the blocklist. | | `delete_all_cookies` | Set it true to delete all the cookies across all attack types from the blocklist. | | `delete_all_oauth_tokens` | Set it true to delete all the OAuth token across all attack types from the blocklist. | | `delete_all_api_keys` | Set it true to delete all the API Keys across all attack types from the blocklist. | | `delete_all_usernames` | Set it true to delete all the usernames across all attack types from the blocklist. |