Tune thresholds and unblock clients - PingIntelligence for APIs

Tune thresholds and unblock clients - PingIntelligence for APIs - 4.4

PingIntelligence

bundle

pingintelligence-44

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 4.4

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-44

pingintelligence

private

ContentType_ce

Page created: 6 Nov 2020 |

Page updated: 12 May 2021

| 3 min read

4.4 Capability API Security Advanced API Cybersecurity Linux On-Premises Operating System Hosting Environment PingIntelligence for APIs Product Monitoring and Management User task Administration

The attack management feature of PingIntelligence for APIs Dashboard supports unblocking of clients and tuning thresholds values for attacks. Click on the Attack Management tab on the left pane and click Tune/Unblock to access it.

Note: You need to have Admin user privileges to perform Unblock and Tune operations on a client identifier.

The following screenshot illustrates the Attack Management UI.

Interactive blacklists

The PingIntelligence for APIs Dashboard provides the capability of unblocking or tuning a blacklist directly from the Dashboard. The user can select the client identifier and the Attack management action from the Dashboard. For more information, see Interactive blacklists. The following screen shot shows the client identifier blacklists across APIs in the Dashboard.

Note: When the user initiates Attack management from the Dashboard, the values for the client identifiers are auto-populated except the API key key-name.

Unblock a client identifier

Complete the following steps to unblock a client identifier:

Select the type of client identifier from the Client Identifier Type list.
Enter the value of the client identifier.
Note: For API Key and Cookie, enter the name and the value.
Select the Unblock Client check box.
Click Run.

The following screenshot shows the unblock client operation.

The unblock operation deletes the client identifier from the PingIntelligence ASE and ABS AI engine blacklist. To verify that the client identifier has been deleted from ASE, run the view_blacklist CLI command or blacklist REST API in ASE. To verify that the client identifier has been deleted from ABS, use the attacklist REST API. For more information on ABS blacklist, see ABS blacklist reporting.

Note: The API keys will not be deleted from the blacklist immediately in ASE if the API Key key-name is not entered. The deletion is delayed until ASE retrieves the blacklist data from ABS.

Tune threshold

To address false positives, the Attack Management feature supports automatic threshold tuning. When tuning thresholds for a specific client identifier, the Attack management functionality does the following:

It fetches all the attacks flagged for the client identifier from ABS AI Engine.
After it has identified all the attacks, it increases the threshold values for those attacks. At this point, the threshold has moved from system defined to user defined. For more information on thresholds, see Tune thresholds for false positives.

Complete the following steps to tune thresholds:

Select the type of client identifier from the Client Identifier Type list.
Enter the value of the client identifier.
Select the Tune Threshold check box.
Provide the approximate number of days since the client was blocked. The maximum value is 30-days.
Note: The value for How many days ago client was blocked? gets auto-populated when Attack Management is initiated from the Dashboard interactive blacklist. The value is calculated as follows,
```
How many days ago client was blocked? = Current date - Attack detection date + 1 
```
When auto-populating, if the calculated value is more than 30 days, it is trimmed down to 30.You can use the same formula when populating the value manually. The Attack detection date for a client identifier is available in the interactive blacklists.
Click Run.

The following screenshot shows tuning threshold for a client identifier.