--- title: Attack reporting description: Attack reports provide information about the suspected attacks on each application programming interface (API). component: pingintelligence version: 5.2 page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_attack_reporting canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_attack_reporting.html revdate: April 3, 2024 section_ids: understanding-the-api-report-parameters: Understanding the API report parameters --- # Attack reporting Attack reports provide information about the suspected attacks on each application programming interface (API) *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)*. The API Behavioral Security (ABS) Attack API provides reports by specifying the `type_id` (see descriptions in [Attack Types REST and WebSocket APIs](pingintelligence_attack_types_rest_websocket_apis.html)) and receiving attack details including time frame, client identifier, and an attack code (see[Changing Attack Thresholds](../managing_pingintelligence_for_apis/pingintelligence_tune_thresholds_false_positives.html) for an explanation of attack codes). The format of the ABS `attack` API is: https\://*\*:*\*/v4/abs/later\_date<>\&earlier\_date<>\&api=*\*type=type\_id The hostname and port correspond to the host ABS machine. ## Understanding the API report parameters Here is a brief description of the information available in the attack reports. Not all items are included in each of the reports. Please refer to[ABS external REST APIs](pingintelligence_abs_external_rest_api.html) for detailed information in each report. * `attack_type:`Name of the attack type (for example, data exfiltration, stolen cookie) * `description:`Description of the attack. * `earlier_date:`A date which is past in time. For example, if the query range is between March 12 and March 14, then the earlier date would be March 12. * `later_date:`A date which is more recent in time. For example, if the query range is between March 12 and March 14, then the later date would be March 14. * `api_name:`The name of the API for which report is displayed. * `access_time:`The time that the hacker accessed the API * `attack_code:`Code for the variables and thresholds used to detect attacks. For example, attack\_code": "varA(Tx, 25) signifies that the attack was triggered because variable A with a value of 25 exceeded the Tx threshold. Current threshold values can be checked using the [Threshold API](pingintelligence_get_threshold.html). * `ddos_info:`The `ddos_info` field provides a pointer to detailed information in the MongoDB system – for example, a list of IPs that were active during a DDoS attack (note: only included in DDoS reports). The data is accessible in the `login_dos` collection in `abs_data` database. To access the data, enter the following in your MongoDB command line: ``` >use abs_data >db.login_dos.find({end_time:'Tue Mar 21 22:25:36:144 2017'},{'ips':1}).pretty() ``` Use the `end_time` in the query to see the participating IPs. The following pages provide examples of API JavaScript Object Notation (JSON) *(tooltip: \
\

An open, lightweight data-interchange format that uses human-readable text to store and transmit data.\

\
)* attack reports for Data Exfiltration, Stolen Cookie, and Multi-Client Login Attack. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can use the [Admin user or the restricted user](pingintelligence_abs_users_api_reports.html) to access the API reports. For the Admin user, the cookie, token or the API key is not obfuscated. |