---
title: Real-time Detected attacks for inline ASE
description: API Security Enforcer (ASE) supports real time attack detection and blocking for:
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_detected_attacks_inline_ase
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_detected_attacks_inline_ase.html
revdate: April 3, 2024
section_ids:
  enabling-ase-detected-attacks: Enabling ASE detected attacks
  steps: Steps
  disabling-ase-detected-attacks: Disabling ASE detected attacks
  steps-2: Steps
---

# Real-time Detected attacks for inline ASE

API Security Enforcer (ASE) supports real-time attack detection and blocking for:

* API Pattern Enforcement – validates traffic to ensure it is consistent with the application programming interface (API) definition

* API Deception – blocks hackers probing a Decoy API

In real time, ASE blocks hackers who violate pattern enforcement or probe decoy APIs. Hacker information is reported to API Behavioral Security (ABS), which generates ASE detected attack reports (type ID 101). Use the following ABS REST API to view the report:

<https://192.168.11.138:8080/v4/abs/attack?later_date=2018-07-16&earlier_date=2018-07-16&api=atmapp&type=101>

Real-time ASE detected attack based on OAuth2 token activity

```json
{
  "company": "ping identity",
  "attack_type": "Invalid API Activity",
  "name": "api_attack_type",
  "description": "Clients using invalid method/protocol/content-type",
  "earlier_date": "Thu Jan 25 18:00:00:000 2018",
  "later_date": "Fri Dec 28 18:00:00:000 2018",
  "api_name": "atm_app_oauth",
  "ips": [],
  "cookies": [],
  "access_tokens": [
    {
      "access_token": "token_protocol",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:770 2018",
          "attack_code": "protocol"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:851 2018",
          "attack_code": "protocol"
        }
      ]
    },
    {
      "access_token": "token_method",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:819 2018",
          "attack_code": "method"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:903 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "access_token": "token_contenttype",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:819 2018",
          "attack_code": "content_type"
        },
        {
          "access_time": "Fri Jan 26 21:16:17:903 2018",
          "attack_code": "content_type"
        }
      ]
    }
  ]
}
```

Real-time ASE detected attack based on pattern enforcement violation

```json
{
  "company": "ping identity",
  "attack_type": "Invalid API Activity",
  "cookie": "JSESSIONID",
  "name": "api_attack_type",
  "description": "Clients using invalid method/protocol/content-type",
  "earlier_date": "Thu Jan 25 18:00:00:000 2018",
  "later_date": "Fri Dec 28 18:00:00:000 2018",
  "api_name": "atm_app_public",
  "ips": [],
  "cookies": [
    {
      "cookie": "session_contenttype1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "content_type"
        }
      ]
    },
    {
      "cookie": "session_method",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:06:656 2018",
          "attack_code": "method"
        },
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "cookie": "session_contenttype",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:06:656 2018",
          "attack_code": "content_type"
        },
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "content_type"
        }
      ]
    },
    {
      "cookie": "session_protocol",
      "details": [
        {
          "access_time": "Fri Jan 26 20:58:04:873 2018",
          "attack_code": "protocol"
        },
        {
          "access_time": "Fri Jan 26 21:16:47:314 2018",
          "attack_code": "protocol"
        }
      ]
    },
    {
      "cookie": "session_method1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:17:10:662 2018",
          "attack_code": "method"
        }
      ]
    },
    {
      "cookie": "session_protocol1",
      "details": [
        {
          "access_time": "Fri Jan 26 21:16:47:314 2018",
          "attack_code": "protocol"
        }
      ]
    }
  ],
  "access_tokens": []
}
```
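
For triage, a type 101 report like the two above can be flattened into one row per blocked cookie or token, with violation counts and first and last access times. The following Python is an added example, not part of the Ping Identity documentation; `summarize`, `parse_access_time` and the sample values are assumptions, and entries under `ips` are skipped because the page shows that list only empty.

```python
import json
from collections import Counter
from datetime import datetime

# Entry lists whose shape the page shows, mapped to the key naming the client.
# "ips" is empty in both reports on the page, so its entry shape is not assumed.
ID_KEYS = {"cookies": "cookie", "access_tokens": "access_token"}

def parse_access_time(value):
    # e.g. "Fri Jan 26 20:58:04:770 2018": milliseconds follow a third colon
    return datetime.strptime(value, "%a %b %d %H:%M:%S:%f %Y")

def summarize(report):
    """One row per blocked client: violation counts and first/last seen."""
    rows = []
    for list_name, id_key in ID_KEYS.items():
        for entry in report.get(list_name, []):
            details = entry.get("details", [])
            if not details:
                continue  # identifier reported without any violation records
            times = [parse_access_time(d["access_time"]) for d in details]
            rows.append({
                "api": report.get("api_name"),
                "kind": id_key,
                "client": entry[id_key],
                "codes": dict(Counter(d["attack_code"] for d in details)),
                "first_seen": min(times),
                "last_seen": max(times),
            })
    return sorted(rows, key=lambda r: r["first_seen"])

# Constructed sample in the shape of the reports above (not real ABS output).
SAMPLE = json.loads("""
{"api_name": "example_api", "ips": [], "access_tokens": [
   {"access_token": "token_a", "details": [
     {"access_time": "Fri Jan 26 21:16:17:903 2018", "attack_code": "method"},
     {"access_time": "Fri Jan 26 20:58:04:819 2018", "attack_code": "method"}]}],
 "cookies": [
   {"cookie": "session_b", "details": [
     {"access_time": "Fri Jan 26 20:58:04:770 2018", "attack_code": "protocol"}]},
   {"cookie": "session_c", "details": []}]}
""")

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["first_seen"].isoformat(timespec="milliseconds"), row["kind"],
              row["client"], row["codes"],
              "last:", row["last_seen"].isoformat(timespec="milliseconds"))
```
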

## Enabling ASE detected attacks

### Steps

* To enable real-time ASE detected attacks, run the following command on the ASE command line:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin enable_ase_detected_attack
  ASE Detected Attack is now enabled
  ```

## Disabling ASE detected attacks

### Steps

* To disable real-time ASE detected attacks, run the following command on the ASE command line:

  ```
  /opt/pingidentity/ase/bin/cli.sh -u admin -p admin disable_ase_detected_attack
  ASE Detected Attack is now disabled
  ```

  When you disable ASE detected attacks, the attacks are deleted from the deny list.
