ABS deny list reporting
API Behavioral Security (ABS) provides attacklist
REST application programming interface (API) to complete the following two operations:
-
List the various client identifiers (API Key, OAuth token, Username, Cookie, and Internet Protocol (IP) address) which are related to probable attack
-
Delete the client identifiers which may be a cause of false positive
Reporting active and expired client identifiers
API Behavioral Security (ABS ) provides an attacklist
REST API with GET method to list active attacks in the system, expired attacks, and consolidated (active and expired) attacks together.
About this task
The list of detected client identifiers depends on the TTL set for the client identifiers. The attack list reports the detected client identifiers (active or expired) for the queried period. The time-period is part of the API query parameter. URL: /v4/abs/attacklist
Steps
-
To report active detected attacks, use the following REST API URL to report the active client identifiers:
/v4/abs/attacklist?earlier_date=<>&later_date=<>&status=active
The API lists the active client identifiers for a time-period between
earlier_date
andlater_date
. PingIntelligence ASE fetches the active client identifiers list from ABS for blocking the clients. -
To report expired detected attacks, use the following REST API URL to report the expired client identifiers:
/v4/abs/attacklist?earlier_date=<>&later_date=<>&status=expired
The API lists the expired client identifiers for a time-period between
earlier_date
andlater_date
. The expiry of detected attacks in the system depends on the configured TTL. -
To report consolidated (active and expired) detected attacks, use the following REST API URL to report the consolidated client identifiers attacks:
/v4/abs/attacklist?earlier_date=<>&later_date=<>
The API lists all the client identifiers for a time-period between
earlier_date
andlater_date
.
Deleting individual client identifiers
You can delete active client identifiers.
About this task
The API requires only the message body with a client identifier in their respective sections, to delete active client identifiers. The API checks if the client identifier is present in the blocklist or not before deleting. If you provide a client identifier which is not part of the blocklist, the API ignores such client identifiers.
Steps
-
Use the attacklist API with PUT method to delete the client identifiers:
-
URL: /v4/abs/attacklist
-
Method: PUT
You can provide only specific section of a client identifier in the message body. For example, if you only want to delete specific usernames, then provide only the username section in the message body. Make sure that the
JavaScript Object Notation (JSON)
file is well-formed.Example:
The following is a sample message body for the attacklist API to delete client identifiers:
{ "ips": [ "192.168.4.10", "10.10.10.73", "10.1.1.4", "10.9.8.7" ], "cookies": { "PHPSESSIONID": [ "Cookie1", "Cookie2" ], "JSESSIONID": [ "Cookie3", "AnyCookie", "Cookie4" }, "oauth_tokens": [ "Token1", "Token2", "Token3" ], "api_keys": [ "type2_api_key", "api_key_1", "api_key_2", ], "usernames": [ "username1", "username2", "username3", ] }
The following is a sample message body showing the client identifiers that were deleted:
{ "message": "Success: The following attacks have been removed:", "date": "Thu Jun 09 03:39:12 UTC 2019", "attacklist": { "ips": [ "192.168.4.10", "10.10.10.73", "10.1.1.4", "10.9.8.7" ], "cookies": { "PHPSESSIONID": [ "Cookie1", "Cookie2" ], "JSESSIONID": [ "Cookie3", "AnyCookie", "Cookie4" ] }, "oauth_tokens": [ "Token1", "Token2", "Token3" ], "api_keys": [ "type2_api_key", "api_key_1", "api_key_2", ], "usernames": [ "username1", "username2", "username3", ] } }
-
Using the bulk delete option for client identifiers
You can use the bulk delete option to clear large numbers of false positive client identifiers.
About this task
You can also use the bulk delete option to clear the blocklist in case of a reset. |
Steps
-
To bulk delete client identifiers, use the ABS attacklist REST API with the DELETE method:
-
URL: /v4/abs/attacklist
-
Method: DELETE
-
-
To bulk delete all the entries of a client identifier or all client identifiers, configure the body of the attacklist.
Example:
The following is an example of the API request:
{ delete_all: false, delete_all_ips: true, delete_all_cookies: true, delete_all_oauth_tokens: false, delete_all_api_keys: true, delete_all_usernames: false, }
In the sample request body, the attacklist API deletes all entries for IP, cookies, and API keys. If, in the next time interval, the AI engine flags the same client identifiers, the blocklist is populated again.
-
To permanently stop a false positive from being reported, tune the thresholds using the PingIntelligence Web GUI for the specific client identifier.
The following table describes the options.
Option Description delete_all
This option overrides all the other configured options in the message body. If it is set to
true
, all the client identifiers are deleted irrespective of what their individual configuration is. Set it tofalse
, if you want to exercise other options.delete_all_ips
Set it true to delete all the IP addresses across all attack types from the blocklist.
delete_all_cookies
Set it true to delete all the cookies across all attack types from the blocklist.
delete_all_oauth_tokens
Set it true to delete all the OAuth token across all attack types from the blocklist.
delete_all_api_keys
Set it true to delete all the API Keys across all attack types from the blocklist.
delete_all_usernames
Set it true to delete all the usernames across all attack types from the blocklist.