Attack management provides a consolidated view of Indicators of Attack (IoAs) and enables efficient management of attacks on a per-client basis. This feature is available in PingIntelligence for APIs 4.4.1.

To access the feature, click the Attack Management tab on the left pane and then click Attack List. You need Admin user privileges to access the Attack List feature.

By default, the Attack List retrieves the Indicators of Attack (IoAs) for all client identifier types: IP address, Cookie, Token, API Key, and Username. However, you can specify individual client identifier types in CLIENT IDS to get details on specific client IDs.
Note: You can configure the number of client identifiers for which the IoA details are fetched by using the pi.webgui.ioclisting.fetchsize parameter in the <pi_install_dir>/webgui/config/webgui.properties file. For more information, see Configure WebGUI properties - webgui.properties.
You can get the information for desired time periods by selecting the time ranges from the QUICK DATES list. You can use quick time ranges like last one, seven, or 30 days, or you can specify a custom time period.

Note: When the Attack List loads for the first time, the QUICK DATES list defaults to Last 1 Day.

Search and sort

Multiple search and sort options are available. You can apply the following filters on the search results:
  • REVIEWED - Specify the IoA review status for a client identifier.
  • APIs - Enter the APIs for which the IoA details are to be retrieved.
  • IoA TYPE - Specify the IoA type.
You can sort the results based on the following:
  • Detected Time - The most recent Indicator of Attack for each client identifier.
  • IoA Count - The count of Indicators of Attack for each client identifier.


Attack details

To get more information on the Indicators of Attack for a client identifier, click the Expand icon.

You can see details like the attack detection time, the number of IoAs for the client identifier, the impacted APIs, and whether the client identifier is on the active blacklist.
You can click the icon to remove the client identifier from blacklists and unblock it. The operation deletes the client identifier from the PingIntelligence API Security Enforcer (ASE) and ABS (API Behavioral Security) AI engine blacklists.
Note: If ASE is not configured to synchronize its blacklist with ABS's blacklist, then the following warning message appears while unblocking the client identifier.
ASE 
warning :- <client identifier> <client identifier value> does not exist in blacklist
For example:
  warning :- ip 100.100.13.6 does not exist in blacklist
You can modify the enable_abs_attack parameter in the ase.conf file to synchronize the ASE and ABS blacklists. For more information, see ASE configuration - ase.conf and Attack management in ASE. Alternatively, you can use the CLI commands to set the parameters. For more information, see CLI for ASE.
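The following check is an added example, not code from PingIntelligence or its documentation: it parses unblock warnings in the format shown above and reads enable_abs_attack from ase.conf text to tell whether each warning is explained by blacklist synchronization being off. The key=value syntax with ; comment lines and the value true are assumptions, and the sample lines other than the page's own warning are constructed.

```python
import re

# Warning shape as given on this page:
#   warning :- <client identifier> <client identifier value> does not exist in blacklist
# Assumption: the identifier type is a single token such as "ip".
WARNING_RE = re.compile(
    r"warning\s*:-\s*(?P<id_type>\S+)\s+(?P<value>.+?)\s+does not exist in blacklist\s*$"
)

# Constructed samples: the first warning is the page's example, the rest is made up.
SAMPLE_WARNINGS = [
    "warning :- ip 100.100.13.6 does not exist in blacklist",
    "ASE warning :- ip 192.0.2.44 does not exist in blacklist",
    "client 192.0.2.45 removed from blacklist",
]
SAMPLE_ASE_CONF = "; constructed ase.conf excerpt\nenable_abs_attack=false\n"

def parse_unblock_warning(line):
    """Return (identifier type, value) for an unblock warning, else None."""
    m = WARNING_RE.search(line)
    return (m.group("id_type"), m.group("value")) if m else None

def read_conf(text):
    """Parse key=value lines; blank lines and ';' or '#' comments are skipped
    (assumed ase.conf syntax)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def abs_sync_enabled(conf_text):
    """True only when enable_abs_attack is explicitly 'true' (assumed value);
    a missing or commented-out key counts as not synchronizing."""
    return read_conf(conf_text).get("enable_abs_attack", "").lower() == "true"

def triage(lines, conf_text):
    """Return (id_type, value, explained) per warning; explained is True when
    blacklist synchronization is off, the cause this page describes."""
    sync_off = not abs_sync_enabled(conf_text)
    return [(*p, sync_off) for p in map(parse_unblock_warning, lines) if p]

if __name__ == "__main__":
    for id_type, value, explained in triage(SAMPLE_WARNINGS, SAMPLE_ASE_CONF):
        print(f"{id_type} {value}: explained by sync being off = {explained}")
```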
You can click the icon to open the client activity report, and to change the review status of an Indicator of Attack, click the Reviewed/Not Reviewed toggle.
When you click the number of IoAs, you get the list of Indicators of Attack detected for the client. Click the Expand icon for more insight into the IoAs. For client identifiers incorrectly flagged for IoAs, you can click Tune IoA Detection to adjust the IoA threshold limits in the ABS AI engine for that particular client and for all future clients exhibiting similar access behavior.

Note: For more information, see Tune thresholds for false positives.