PingIntelligence

Attack reporting

Attack reports provide information about the suspected attacks on each application programming interface (API).

The API Behavioral Security (ABS) Attack API provides reports by specifying the type_id (see the descriptions in Attack Types REST and WebSocket APIs) and returns attack details including the time frame, the client identifier, and an attack code (see Changing Attack Thresholds for an explanation of attack codes). The format of the ABS attack API is:

https://<hostname>:<port>/v4/abs/later_date=<>&earlier_date=<>&api=<api_name>&type=<type_id>

The hostname and port correspond to the host ABS machine.

Understanding the API report parameters

Here is a brief description of the information available in the attack reports. Not all items are included in every report. Refer to ABS external REST APIs for detailed information on each report.

  • attack_type: Name of the attack type (for example, data exfiltration, stolen cookie)

  • description: Description of the attack.

  • earlier_date: A date which is further in the past. For example, if the query range is between March 12 and March 14, then the earlier date would be March 12.

  • later_date: A date which is more recent in time. For example, if the query range is between March 12 and March 14, then the later date would be March 14.

  • api_name: The name of the API for which the report is displayed.

  • access_time: The time that the hacker accessed the API

  • attack_code: Code for the variables and thresholds used to detect attacks. For example, "attack_code": "varA(Tx, 25)" signifies that the attack was triggered because variable A with a value of 25 exceeded the Tx threshold. Current threshold values can be checked using the Threshold API.

  • ddos_info: The ddos_info field provides a pointer to detailed information in the MongoDB system – for example, a list of IPs that were active during a DDoS attack (note: only included in DDoS reports). The data is accessible in the login_dos collection in the abs_data database. To access the data, enter the following in your MongoDB command line:

>use abs_data
>db.login_dos.find({end_time:'Tue Mar 21 22:25:36:144 2017'},{'ips':1}).pretty()

Use the end_time in the query to see the participating IPs.
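As an added illustration, not taken from the PingIntelligence documentation or product code, the following Python assembles an ABS attack query, parses attack_code strings of the form shown above, and summarises a few constructed report entries by variable and threshold. The "/attack" path segment, the yyyy-mm-ddThh:mm date layout and the SAMPLE_ATTACKS entries are assumptions made for this example.

```python
import re
from datetime import datetime
from urllib.parse import urlencode

# Pattern for the attack_code format described above, e.g. "varA(Tx, 25)":
# variable name, the threshold it was compared against, and the observed value.
ATTACK_CODE_RE = re.compile(r"^(?P<variable>\w+)\((?P<threshold>\w+),\s*(?P<value>-?\d+(?:\.\d+)?)\)$")

# Date layout assumed for earlier_date/later_date (the page does not state it).
DATE_FORMAT = "%Y-%m-%dT%H:%M"


def parse_attack_code(code):
    """Return {'variable', 'threshold', 'value'} for an ABS attack_code string."""
    m = ATTACK_CODE_RE.match(code.strip())
    if not m:
        raise ValueError(f"unrecognised attack_code: {code!r}")
    raw = m.group("value")
    value = float(raw) if "." in raw else int(raw)
    return {"variable": m.group("variable"), "threshold": m.group("threshold"), "value": value}


def build_attack_url(host, port, earlier_date, later_date, api_name, type_id):
    """Assemble the ABS attack query URL; the '/attack' path segment is an assumption."""
    # earlier_date must be the older end of the range, as the parameter list explains.
    if datetime.strptime(earlier_date, DATE_FORMAT) > datetime.strptime(later_date, DATE_FORMAT):
        raise ValueError("earlier_date must not be more recent than later_date")
    query = urlencode({"later_date": later_date, "earlier_date": earlier_date,
                       "api": api_name, "type": type_id})
    return f"https://{host}:{port}/v4/abs/attack?{query}"


# Constructed sample entries (not real ABS output); keys follow the parameter list above.
SAMPLE_ATTACKS = [
    {"api_name": "shop", "access_time": "Tue Mar 21 22:25:36:144 2017", "attack_code": "varA(Tx, 25)"},
    {"api_name": "shop", "access_time": "Tue Mar 21 22:26:10:003 2017", "attack_code": "varA(Tx, 40)"},
    {"api_name": "shop", "access_time": "Tue Mar 21 22:27:51:910 2017", "attack_code": "varB(Ty, 3)"},
]


def summarize_attacks(entries):
    """Group entries by (variable, threshold): how many times it fired and the peak value seen."""
    summary = {}
    for entry in entries:
        parsed = parse_attack_code(entry["attack_code"])
        key = (parsed["variable"], parsed["threshold"])
        count, peak = summary.get(key, (0, None))
        peak = parsed["value"] if peak is None else max(peak, parsed["value"])
        summary[key] = (count + 1, peak)
    return summary
```

Comparing the peak value per (variable, threshold) pair against the values returned by the Threshold API shows how far each detection sat above its threshold.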

The following pages provide examples of API JavaScript Object Notation (JSON) attack reports for Data Exfiltration, Stolen Cookie, and Multi-Client Login Attack.

You can use the Admin user or the restricted user to access the API reports. For the Admin user, the cookie, token, or API key is not obfuscated.