API forensics reporting
API Behavioral Security (ABS) AI Engine provides in-depth information on the activities performed by a client, including accessed Uniform Resource Locators (URLs), methods, attacks, and so on.
The forensic report provides detailed information on the activity from an individual token, Internet Protocol (IP) address, cookie, API key, or username.
If API Security Enforcer (ASE) is deployed in sideband mode, then the server field in the output shows the IP address as |
Forensics on an OAuth2 token
The OAuth2 token forensics report shows all activity associated with the specified token over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.
{
  "company": "ping identity",
  "name": "api_abs_token",
  "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified token across all APIs.",
  "earlier_date": "Tue Feb 13 18:00:00:000 2018",
  "later_date": "Sun Feb 18 18:00:00:000 2018",
  "summary": {
    "total_requests": 6556,
    "total_attacks": 2,
    "total_anomalies": 0
  },
  "details": {
    "metrics": {
      "token": "token1",
      "total_requests": 6556,
      "ip_list": [
        {
          "ip": "127.0.0.1",
          "total_requests": 6556,
          "devices": {
            "UNKNOWN": 6556
          },
          "methods": {
            "DELETE": 472,
            "POST": 140,
            "GET": 1944,
            "PUT": 4000
          },
          "urls": {
            "/atm_app_oauth/delete200": 218,
            "/atm_app_oauth/get200": 850,
            "/atm_app_oauth/post400": 8,
            "/atm_app_oauth/post200": 62,
            "/atm_app_oauth/put400": 62,
            "/atm_app_oauth/get400": 122,
            "/atm_app_oauth/put200": 1938,
            "/atm_app_oauth/delete400": 18,
            "/2_atm_app_oauth/put200": 1938,
            "/2_atm_app_oauth/post200": 62,
            "/2_atm_app_oauth/delete200": 218,
            "/2_atm_app_oauth/delete400": 18,
            "/2_atm_app_oauth/put400": 62,
            "/2_atm_app_oauth/post400": 8,
            "/2_atm_app_oauth/get400": 122,
            "/2_atm_app_oauth/get200": 850
          },
          "apis": {
            "atm_app_oauth": 3278,
            "2_atm_app_oauth": 3278
          }
        }
      ]
    },
    "attack_types": {
      "API Memory Attack Type 1": [
        "atm_app_oauth",
        "2_atm_app_oauth"
      ],
      "Data Poisoning Attack": [
        "atm_app_oauth",
        "2_atm_app_oauth"
      ]
    },
    "anomaly_types": {}
  }
}
Forensics on an IP address
The IP forensics report shows all activity associated with the specified IP address over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.
{
  "company": "ping identity",
  "name": "api_abs_ip",
  "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified ip across all APIs.",
  "earlier_date": "Tue Feb 13 18:00:00:000 2018",
  "later_date": "Sun Feb 18 18:00:00:000 2018",
  "summary": {
    "total_requests": 8192,
    "total_attacks": 2,
    "total_anomalies": 1
  },
  "details": {
    "metrics": {
      "no_session": [
        {
          "start_time": "Thu Feb 15 14:04:17:959 2018",
          "end_time": "Thu Feb 15 14:05:59:263 2018",
          "total_requests": 4096,
          "source_ip": "4.1.1.1",
          "path": "/atm_app_private/get200",
          "methods": [
            "GET"
          ]
        },
        {
          "start_time": "Thu Feb 15 14:14:00:724 2018",
          "end_time": "Thu Feb 15 14:14:47:999 2018",
          "total_requests": 4096,
          "source_ip": "4.1.1.1",
          "path": "/2_atm_app_private/get200",
          "methods": [
            "GET"
          ]
        }
      ],
      "session": []
    },
    "attack_types": {
      "Data Exfiltration Attack": [
        "2_atm_app_private",
        "atm_app_private"
      ],
      "Extreme App Activity Attack": [
        "2_atm_app_private",
        "atm_app_private"
      ]
    },
    "anomaly_types": {
      "Extreme Client Activity Anomaly": [
        "2_atm_app_private"
      ]
    }
  }
}
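The token and IP reports above share three pieces an analyst reads first: whether the summary totals agree with the per-IP detail, how fast a sessionless burst arrived, and which APIs each attack or anomaly name applies to. The following triage helpers are an added example, not Ping Identity code; they work on the JSON layouts shown above, and the two sample reports embedded in the block are constructed stand-ins (made-up token, IPs and counts) with the same field names, not reports taken from the page.

```python
"""Triage helpers for ABS forensic reports.

Added example (not Ping Identity's code). It consumes the JSON layout shown in
the token and IP forensic reports above; the sample reports embedded below are
constructed, trimmed-down stand-ins for those outputs.
"""
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_abs_time(text):
    """Parse 'Thu Feb 15 14:04:17:959 2018'. The fourth clock field is
    milliseconds, which strptime's %f (microseconds) would misread, so the
    pieces are split by hand."""
    _weekday, mon, day, clock, year = text.split()
    hh, mm, ss, ms = (int(p) for p in clock.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), hh, mm, ss, ms * 1000)


def check_ip_list_totals(report):
    """Cross-check summary.total_requests against the per-IP detail.
    Returns (summary_total, sum_of_ip_totals, inconsistent (ip, field) pairs)."""
    summary_total = report["summary"]["total_requests"]
    ip_sum, bad = 0, []
    for entry in report["details"]["metrics"]["ip_list"]:
        ip_sum += entry["total_requests"]
        # within one IP entry every breakdown must add up to that IP's total
        for field in ("devices", "methods", "urls", "apis"):
            if sum(entry[field].values()) != entry["total_requests"]:
                bad.append((entry["ip"], field))
    return summary_total, ip_sum, bad


def burst_rates(report):
    """Request rate of each no_session burst in an IP report, as
    (path, requests, seconds, requests_per_second)."""
    out = []
    for burst in report["details"]["metrics"]["no_session"]:
        seconds = (parse_abs_time(burst["end_time"])
                   - parse_abs_time(burst["start_time"])).total_seconds()
        seconds = max(seconds, 0.001)  # a single-request burst has start == end
        out.append((burst["path"], burst["total_requests"], seconds,
                    burst["total_requests"] / seconds))
    return out


def findings_by_api(report):
    """Merge attack_types and anomaly_types into {api: sorted finding names}."""
    by_api = {}
    for kind in ("attack_types", "anomaly_types"):
        for finding, apis in report["details"].get(kind, {}).items():
            for api in apis:
                by_api.setdefault(api, set()).add(finding)
    return {api: sorted(names) for api, names in by_api.items()}


# Constructed sample in the token-report layout (token, IP and counts made up).
SAMPLE_TOKEN_REPORT = {
    "summary": {"total_requests": 100},
    "details": {
        "metrics": {"token": "token_sample", "total_requests": 100, "ip_list": [{
            "ip": "198.51.100.7", "total_requests": 100,
            "devices": {"UNKNOWN": 100}, "methods": {"GET": 60, "PUT": 40},
            "urls": {"/atm_app_oauth/get200": 60, "/atm_app_oauth/put200": 40},
            "apis": {"atm_app_oauth": 100}}]},
        "attack_types": {"Data Poisoning Attack": ["atm_app_oauth"]},
        "anomaly_types": {}}}

# Constructed sample in the IP-report layout: one sessionless GET burst.
SAMPLE_IP_REPORT = {
    "summary": {"total_requests": 4096},
    "details": {
        "metrics": {"no_session": [{
            "start_time": "Thu Feb 15 14:04:17:959 2018",
            "end_time": "Thu Feb 15 14:05:59:263 2018",
            "total_requests": 4096, "source_ip": "203.0.113.9",
            "path": "/atm_app_private/get200", "methods": ["GET"]}],
            "session": []},
        "attack_types": {"Data Exfiltration Attack": ["atm_app_private"],
                         "Extreme App Activity Attack": ["atm_app_private"]},
        "anomaly_types": {"Extreme Client Activity Anomaly": ["atm_app_private"]}}}

if __name__ == "__main__":
    print(check_ip_list_totals(SAMPLE_TOKEN_REPORT))
    for path, n, secs, rate in burst_rates(SAMPLE_IP_REPORT):
        print(f"{path}: {n} requests in {secs:.3f}s = {rate:.1f} req/s")
    print(findings_by_api(SAMPLE_IP_REPORT))
```

The totals check is worth running before anything else: a report whose per-IP breakdown does not add up to its summary has usually been truncated or filtered, and the burst rate turns the no_session start and end timestamps into a number that can be compared against what the API is expected to serve from one client.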
Forensics on a cookie
The Cookie forensics report includes all activity associated with the specified cookie over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.
{
  "company": "ping identity",
  "name": "api_abs_cookie",
  "description": "This report contains a summary and detailed information on all attacks, metrics, and anomalies for the specified cookie on the defined API.",
  "earlier_date": "Thu Jan 25 18:00:00:000 2018",
  "later_date": "Fri Dec 28 18:00:00:000 2018",
  "api_name": "atm_app_public",
  "summary": {
    "total_anomalies": 0,
    "total_requests": 1,
    "total_ioc": 2
  },
  "details": {
    "ioc_types": [
      "data_poisoning_attack",
      "api_memory_attack_type_1"
    ],
    "metrics": [
      {
        "session_id": "session_datapoisoining",
        "start_time": "Mon Jan 29 15:51:23:408 2018",
        "end_time": "Mon Jan 29 15:51:23:408 2018",
        "total_requests": 1,
        "source_ip": [
          {
            "ip": "127.0.0.1",
            "count": 1,
            "method": [
              "PUT"
            ]
          }
        ],
        "user_agent": [
          {
            "user_agent": "DOWNLOAD",
            "count": 1
          }
        ],
        "path_info": [
          {
            "path": "/atm_app_public/put200",
            "count": 1
          }
        ],
        "device": [
          {
            "device": "UNKNOWN",
            "count": 1
          }
        ],
        "server": [
          {
            "server": "127.0.0.1:3000",
            "count": 1
          }
        ]
      }
    ],
    "anomalies": []
  }
}
Forensics on an API key
The API Key forensics report includes all activity associated with the specified API Key over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.
{
  "company": "ping identity",
  "name": "api_abs_api_key",
  "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified api key across all APIs.",
  "earlier_date": "Sat Jan 12 13:30:00:000 2019",
  "later_date": "Tue Dec 31 18:00:00:000 2019",
  "summary": {
    "total_requests": 2621,
    "total_attacks": 1,
    "total_anomalies": 1
  },
  "details": {
    "metrics": {
      "api_key": "finite_api_key",
      "total_requests": 2621,
      "ip_list": [
        {
          "ip": "192.168.2.2",
          "total_requests": 457,
          "devices": {
            "UNKNOWN": 457
          },
          "methods": {
            "GET": 457
          },
          "urls": {
            "/atm_app/getzipcode": 457
          },
          "apis": {
            "atm_app": 457
          }
        }
      ]
    },
    "attack_types": {
      "Stolen API Key Attack- Per API Key": [
        "all"
      ]
    },
    "anomaly_types": {
      "Stolen API Key Attack- Per API Key": [
        "all"
      ]
    }
  }
}
Forensics on a username
The Username forensics report includes all activity associated with the specified username over a time period. Report information includes a detailed activity trail of accessed URLs, methods, and attacks.
{
  "company": "ping identity",
  "name": "api_abs_username",
  "description": "This report contains a summary and detailed information on metrics, attacks and anomalies for the specified user name across all APIs.",
  "earlier_date": "Sat Jan 12 13:30:00:000 2019",
  "later_date": "Tue Dec 31 18:00:00:000 2019",
  "summary": {
    "total_requests": 109965,
    "total_attacks": 0,
    "total_anomalies": 0
  },
  "details": {
    "metrics": {
      "username": "t4",
      "tokens": [
        "t4MFBkEe",
        "t4GpEkUS",
        "t4ZxUOjb",
        "t4QEvJKT"
      ],
      "total_requests": 109965,
      "ip_list": [
        {
          "ip": "127.0.0.28",
          "total_requests": 54983,
          "devices": {
            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36": 54983
          },
          "methods": {
            "POST": 54983
          },
          "urls": {
            "/atm_app_oauth": 54983
          },
          "apis": {
            "atm_app_oauth": 54983
          }
        }
      ]
    },
    "attack_types": {},
    "anomaly_types": {}
  }
}
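The cookie report above has a different detail layout from the API key and username reports: its metrics are a list of sessions, each broken down by source IP and by path separately, while the API key and username reports (like the token report) carry a per-IP ip_list whose urls map is already per IP. The username report additionally lists the OAuth2 tokens the user presented, which is the identifier an analyst pivots to next. The following normaliser is an added example, not Ping Identity code; it flattens both layouts into one row shape so reports keyed on different identifiers can be joined on IP or path, and the three sample reports inside it are constructed (made-up key, username, tokens, IPs and counts) with the page's field names.

```python
"""Flatten ABS forensic reports of both detail layouts into one row table.

Added example (not Ping Identity's code). Two layouts appear in the reports on
this page:
  * token / API key / username reports: details.metrics.ip_list[] with a
    per-IP 'urls' count map;
  * cookie report: details.metrics[] is a list of sessions, each with separate
    'source_ip' and 'path_info' count lists.
Every row is (entity_type, entity, ip, path, count); ip or path is None when
the report only provides that one breakdown. Sample reports are constructed.
"""

ENTITY_FIELDS = {"api_abs_token": "token", "api_abs_api_key": "api_key",
                 "api_abs_username": "username"}


def flatten(report):
    """Return [(entity_type, entity, ip, path, count), ...] for one report."""
    name = report["name"]
    metrics = report["details"]["metrics"]
    rows = []
    if name == "api_abs_cookie":
        for session in metrics:
            sid = session["session_id"]
            # the cookie report breaks a session down by IP and by path
            # separately, so each breakdown becomes its own rows rather than
            # pretending to know which IP hit which path
            for s in session["source_ip"]:
                rows.append(("cookie", sid, s["ip"], None, s["count"]))
            for p in session["path_info"]:
                rows.append(("cookie", sid, None, p["path"], p["count"]))
    elif name in ENTITY_FIELDS:
        field = ENTITY_FIELDS[name]
        for entry in metrics["ip_list"]:
            for path, count in entry["urls"].items():
                rows.append((field, metrics[field], entry["ip"], path, count))
    else:
        raise ValueError(f"unsupported report type: {name}")
    return rows


def requests_by_ip(rows):
    """Total requests per source IP across any mix of flattened reports."""
    totals = {}
    for _etype, _entity, ip, _path, count in rows:
        if ip is not None:
            totals[ip] = totals.get(ip, 0) + count
    return totals


def entities_on_path(rows, path):
    """Which (entity_type, entity) pairs touched a given path."""
    return sorted({(etype, ent) for etype, ent, _ip, p, _c in rows if p == path})


def tokens_for_user(username_report):
    """OAuth2 tokens listed for the user: the identifiers to pull token
    forensics reports for next."""
    return list(username_report["details"]["metrics"]["tokens"])


# Constructed samples (session id, key, user, tokens, IPs and counts made up).
SAMPLE_COOKIE_REPORT = {
    "name": "api_abs_cookie", "api_name": "atm_app_public",
    "details": {"ioc_types": ["data_poisoning_attack"], "metrics": [{
        "session_id": "session_sample", "total_requests": 3,
        "source_ip": [{"ip": "192.0.2.10", "count": 2, "method": ["PUT"]},
                      {"ip": "192.0.2.11", "count": 1, "method": ["PUT"]}],
        "path_info": [{"path": "/atm_app_public/put200", "count": 3}],
        "server": [{"server": "127.0.0.1:3000", "count": 3}]}],
        "anomalies": []}}

SAMPLE_USERNAME_REPORT = {
    "name": "api_abs_username",
    "details": {"metrics": {
        "username": "user_sample", "tokens": ["tok_A", "tok_B"], "total_requests": 12,
        "ip_list": [{"ip": "192.0.2.10", "total_requests": 12,
                     "devices": {"UNKNOWN": 12}, "methods": {"POST": 12},
                     "urls": {"/atm_app_oauth": 12}, "apis": {"atm_app_oauth": 12}}]},
        "attack_types": {}, "anomaly_types": {}}}

SAMPLE_API_KEY_REPORT = {
    "name": "api_abs_api_key",
    "details": {"metrics": {
        "api_key": "key_sample", "total_requests": 5,
        "ip_list": [{"ip": "192.0.2.11", "total_requests": 5,
                     "devices": {"UNKNOWN": 5}, "methods": {"PUT": 5},
                     "urls": {"/atm_app_public/put200": 5}, "apis": {"atm_app_public": 5}}]},
        "attack_types": {}, "anomaly_types": {}}}

if __name__ == "__main__":
    rows = [r for rep in (SAMPLE_COOKIE_REPORT, SAMPLE_USERNAME_REPORT,
                          SAMPLE_API_KEY_REPORT) for r in flatten(rep)]
    print(requests_by_ip(rows))
    print(entities_on_path(rows, "/atm_app_public/put200"))
    print(tokens_for_user(SAMPLE_USERNAME_REPORT))
```

Keeping the IP and path breakdowns of a cookie session as separate rows is deliberate: the report does not say which IP requested which path, and a flattening that guessed would produce confident but wrong joins later in an investigation.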