Page created: 23 Mar 2021 | Page updated: 12 May 2021
Attack Management provides a consolidated view of Indicators of Attack (IoAs) and lets you manage attacks on a per-client basis. This feature is available in PingIntelligence for APIs 4.4.1.
To access the feature, click the Attack Management tab in the left pane and then click Attack List. You need Admin user privileges to access the Attack List feature.
By default, the Attack List retrieves the Indicators of Attack (IoAs) for all client identifier types: IP address, cookie, token, API key, and username. However, you can select individual client identifier types under CLIENT IDS to get details for specific client IDs only.
Note: You can configure the number of client identifiers for which IoA details are fetched using the pi.webgui.ioclisting.fetchsize parameter in the <pi_install_dir>/webgui/config/webgui.properties file. For more information, see Configure WebGUI properties - webgui.properties.
You can retrieve the information for a desired time period by selecting a time range from the QUICK DATES list. You can use quick ranges such as the last one, seven, or 30 days, or you can specify a custom time period. Note: When the Attack List loads for the first time, the QUICK DATES list defaults to Last 1 Day.
Search and sort
Multiple search and sort options are available. The following fields can be used to filter and sort the results:
- REVIEWED - The IoA review status for a client identifier.
- APIs - The APIs for which IoA details are to be retrieved.
- IoA TYPE - The IoA type.
- Detected Time - The time of the most recent Indicator of Attack for each client identifier.
- IoA Count - The number of Indicators of Attack for each client identifier.
Attack details
To get more information on the Indicators of Attack for a client identifier, click the Expand icon as shown in the following screenshot.
You can see details such as the attack detection time, the number of IoAs for the client identifier, the impacted APIs, and whether the client identifier is on the active blacklist.
You can click the unblock icon to remove the client identifier from the blacklists and unblock it. The operation deletes the client identifier from both the PingIntelligence API Security Enforcer (ASE) blacklist and the ABS (API Behavioral Security) AI engine blacklist.
Note: If ASE is not configured to synchronize its blacklist with the ABS blacklist, the following warning appears when you unblock the client identifier:
ASE warning :- <client identifier> <client identifier value> does not exist in blacklist
For example:
warning :- ip 100.100.13.6 does not exist in blacklist
To synchronize the ASE and ABS blacklists, set the enable_abs_attack parameter in the ase.conf file. For more information, see ASE configuration - ase.conf and Attack management in ASE. Alternatively, you can use the ASE CLI commands to set the parameter. For more information, see CLI for ASE.
You can click the report icon to open the client activity report. To change the review status of an Indicator of Attack, click the Reviewed/Not Reviewed toggle.
When you click the number of IoAs, you get the list of Indicators of Attack detected for the client. Click the Expand icon to find more insights on the IoAs. For client identifiers that were incorrectly flagged for IoAs, click Tune IoA Detection to adjust the IoA threshold limits in the ABS AI engine for that client and for all future clients exhibiting similar access behavior.
Note: For more information, see Tune thresholds for false positives.
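The unblock warning above is the symptom of an ASE blacklist that is not synchronized with ABS. The following Python script is an added example, not part of the PingIntelligence documentation or product code: it checks an ase.conf-style file for the enable_abs_attack setting and parses the "does not exist in blacklist" warning so the two can be correlated in an unblock audit. Only the parameter name enable_abs_attack and the warning format come from this page; the key=value file layout, the true/false value format, and all sample config and output lines are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ase.conf excerpts (not real files): the only key taken from the
# documentation is enable_abs_attack; the true/false value format is an assumption.
ASE_CONF_UNSYNCED = """\
; ASE configuration - constructed sample, ABS attack sync off
enable_abs_attack=false
"""

ASE_CONF_SYNCED = """\
; ASE configuration - constructed sample, ABS attack sync on
enable_abs_attack=true
"""

# Warning format as shown on the page:
#   warning :- <client identifier> <client identifier value> does not exist in blacklist
WARNING_RE = re.compile(
    r"^\s*(?:ASE\s+)?warning\s*:-\s*(?P<id_type>\S+)\s+(?P<value>\S+)"
    r"\s+does not exist in blacklist\s*$"
)


def parse_ase_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; ';' and '#' start comments, blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def abs_attack_sync_enabled(conf_text: str) -> bool:
    """True when enable_abs_attack is set to true (assumed value format)."""
    return parse_ase_conf(conf_text).get("enable_abs_attack", "").lower() == "true"


def parse_blacklist_warning(line: str) -> Optional[Tuple[str, str]]:
    """Return (identifier type, identifier value) for a 'does not exist' warning, else None."""
    m = WARNING_RE.match(line)
    if not m:
        return None
    return m.group("id_type"), m.group("value")


def triage_unblock_output(conf_text: str, output_lines: List[str]) -> List[Dict[str, object]]:
    """Pair each 'does not exist in blacklist' warning with the sync state in ase.conf.

    With sync disabled the warning is the expected symptom described on the page:
    ABS blacklisted the identifier but ASE never imported it.  With sync enabled
    the identifier really was absent from ASE's blacklist and deserves a closer look.
    """
    synced = abs_attack_sync_enabled(conf_text)
    findings: List[Dict[str, object]] = []
    for line in output_lines:
        parsed = parse_blacklist_warning(line)
        if parsed is None:
            continue
        id_type, value = parsed
        findings.append({
            "id_type": id_type,
            "value": value,
            "abs_sync_enabled": synced,
            "likely_cause": (
                "enable_abs_attack is not true; ASE never imported the ABS blacklist entry"
                if not synced
                else "identifier was never on the ASE blacklist; verify it was actually blocked"
            ),
        })
    return findings


# Constructed sample output: the warning from the page plus one unrelated line.
SAMPLE_OUTPUT = [
    "warning :- ip 100.100.13.6 does not exist in blacklist",
    "info :- unblock request completed",
]

if __name__ == "__main__":
    for finding in triage_unblock_output(ASE_CONF_UNSYNCED, SAMPLE_OUTPUT):
        print(finding)
```

Run it against your own ase.conf and the warning text copied from the WebGUI; a finding with abs_sync_enabled set to False points at the enable_abs_attack setting rather than at a stale blacklist entry.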