Enabling or disabling attack IDs
You can enable or disable one or more attack types using the API Behavioral Security (ABS) attackstatus REST application programming interface (API) with the PUT method.
About this task
The AI engine keeps updating the thresholds in the background even when you disable an attack ID. Calculating the thresholds in the background allows ABS to report attacks if you enable the attack ID again in the future.
If you disable an attack while the AI engine is processing the log data, ABS may still report that attack for a few minutes. The attack ID is disabled when the next batch of access log files is processed. When you enable an attack from the disabled state, ABS takes a few minutes to start reporting the attack.
URL: /v4/abs/attackstatus
Method: PUT
The following attack IDs cannot be disabled from ABS, as these are real-time attacks reported by ASE:
- Attack ID 13: API DDoS Attack Type 2
- Attack ID 100: Decoy Attack. This attack ID can be disabled from ASE.
- Attack ID 101: Invalid API Activity. This attack ID can be disabled from ASE.
To enable or disable an attack ID:
Steps
- Run the attackstatus REST API with the GET method to fetch the current status of an attack ID. The output is divided into two sections, enabled and disabled, along with the time when each attack ID was enabled or disabled.
Result:
The following is a snippet of the response:
"attack_status": {
  "enabled": [
    { "attack_id": 1, "attack_name": "Data Exfiltration Attack Type 1", "enabled_time": "Thu Aug 22 12:56:39:158 2019" },
    { "attack_id": 2, "attack_name": "Single Client Login Attack Type 1", "enabled_time": "Thu Aug 22 12:56:39:158 2019" },
    { "attack_id": 4, "attack_name": "Stolen Token Attack Type 1", "enabled_time": "Thu Aug 22 12:56:39:158 2019" }
  ],
  "disabled": [
    { "attack_id": 3, "attack_name": "Data Exfiltration Attack Type 1", "disabled_time": "Thu Aug 22 12:56:39:158 2019" },
    { "attack_id": 5, "attack_name": "Single Client Login Attack Type 1", "disabled_time": "Thu Aug 22 12:56:39:158 2019" }
  ]
}
Attack IDs 13, 100, and 101 are always displayed as enabled in the response.
- Use the attackstatus REST API with the PUT method to enable or disable the attack IDs.
- Enter the attack_id and action.
Result:
The following is a sample body of the PUT request:
{
  "attacks": [
    { "attack_id": "1", "action": "disable" },
    { "attack_id": "2", "action": "enable" },
    { "attack_id": "13", "action": "disable" },
    { "attack_id": "100", "action": "disable" },
    { "attack_id": "101", "action": "disable" }
  ]
}
The following is a sample response:
{
  "attack_status": [
    { "attack_id": "1", "attack_name": "Data Exfiltration Attack Type 1", "status": "Attack ID disabled successfully" },
    { "attack_id": "2", "attack_name": "Single Client Login Attack Type 1", "status": "Attack ID is already enabled" },
    { "attack_id": "13", "attack_name": "API DDoS Attack Type 2", "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation." },
    { "attack_id": "100", "attack_name": "Decoy Attack", "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation." },
    { "attack_id": "101", "attack_name": "Invalid API Activity", "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation." }
  ]
}
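The following Python helpers are an added example, not PingIntelligence code. They tie the steps above together on the client side: parse the GET attackstatus response into enabled and disabled sets, drop requests that would be no-ops (an ID that is already in the desired state) or that ABS would reject (a disable request for the ASE-reported IDs 13, 100 and 101), build the PUT body in the documented shape, and group the PUT response by outcome. The sample GET and PUT responses are constructed from the snippets on this page. The send_attackstatus function is the only part that talks to the network; the base URL and any authentication headers ABS requires are deployment-specific assumptions that the page does not describe.

```python
"""Added example (not PingIntelligence code): client helpers for PUT/GET /v4/abs/attackstatus."""
import json
import urllib.request

ATTACKSTATUS_PATH = "/v4/abs/attackstatus"

# Real-time attacks reported by ASE; the page states ABS will not disable these
# and always lists them as enabled.
ASE_ONLY_ATTACK_IDS = {13, 100, 101}


def parse_attack_status(response_text):
    """Parse a GET attackstatus response into (enabled, disabled) dicts keyed by attack_id."""
    status = json.loads(response_text)["attack_status"]
    enabled = {int(e["attack_id"]): e["attack_name"] for e in status.get("enabled", [])}
    disabled = {int(e["attack_id"]): e["attack_name"] for e in status.get("disabled", [])}
    return enabled, disabled


def plan_changes(enabled, disabled, desired):
    """Return (changes, skipped): desired maps attack_id -> "enable" | "disable".

    Requests that would not change state, and disable requests for ASE-only IDs,
    are moved to skipped with the reason, so the PUT only carries real changes.
    """
    changes, skipped = {}, {}
    for attack_id, action in desired.items():
        if action not in ("enable", "disable"):
            raise ValueError(f"unknown action {action!r} for attack ID {attack_id}")
        if action == "disable" and attack_id in ASE_ONLY_ATTACK_IDS:
            skipped[attack_id] = "real-time attack reported by ASE; cannot be disabled from ABS"
        elif action == "enable" and (attack_id in enabled or attack_id in ASE_ONLY_ATTACK_IDS):
            skipped[attack_id] = "already enabled"
        elif action == "disable" and attack_id in disabled:
            skipped[attack_id] = "already disabled"
        else:
            changes[attack_id] = action
    return changes, skipped


def build_put_body(changes):
    """Build the PUT body in the documented shape; attack_id is sent as a string."""
    return {"attacks": [{"attack_id": str(i), "action": a} for i, a in sorted(changes.items())]}


def summarize_put_response(response_text):
    """Group the PUT response by outcome using the status text ABS returns."""
    outcome = {"changed": [], "unchanged": [], "rejected": []}
    for entry in json.loads(response_text)["attack_status"]:
        attack_id, text = int(entry["attack_id"]), entry["status"]
        if "successfully" in text:
            outcome["changed"].append(attack_id)
        elif "already" in text:
            outcome["unchanged"].append(attack_id)
        else:  # "Attack ID cannot be disabled ..." and any other refusal
            outcome["rejected"].append(attack_id)
    return outcome


def send_attackstatus(base_url, method, headers, body=None):
    """Issue GET or PUT to /v4/abs/attackstatus. base_url and headers (such as ABS
    credentials) are assumptions: the page does not show how ABS authenticates callers."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + ATTACKSTATUS_PATH, data=data, method=method, headers=headers)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


# Constructed sample data, built from the response snippets on this page.
SAMPLE_GET_RESPONSE = json.dumps({"attack_status": {
    "enabled": [{"attack_id": 1, "attack_name": "Data Exfiltration Attack Type 1"},
                {"attack_id": 2, "attack_name": "Single Client Login Attack Type 1"},
                {"attack_id": 4, "attack_name": "Stolen Token Attack Type 1"}],
    "disabled": [{"attack_id": 3, "attack_name": "Data Exfiltration Attack Type 1"},
                 {"attack_id": 5, "attack_name": "Single Client Login Attack Type 1"}]}})

SAMPLE_PUT_RESPONSE = json.dumps({"attack_status": [
    {"attack_id": "1", "status": "Attack ID disabled successfully"},
    {"attack_id": "2", "status": "Attack ID is already enabled"},
    {"attack_id": "13", "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."},
    {"attack_id": "100", "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."},
    {"attack_id": "101", "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."}]})

if __name__ == "__main__":
    enabled, disabled = parse_attack_status(SAMPLE_GET_RESPONSE)
    changes, skipped = plan_changes(enabled, disabled, {1: "disable", 2: "enable", 3: "enable", 13: "disable"})
    print("PUT body:", json.dumps(build_put_body(changes)))
    print("skipped:", skipped)
    print("outcome:", summarize_put_response(SAMPLE_PUT_RESPONSE))
```

Because thresholds keep being computed while an ID is disabled and reporting lags the next batch of access logs, a client that re-runs the GET immediately after the PUT may still see the old state for a few minutes; plan_changes only removes requests that the current GET already shows as no-ops.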