Attack reporting - PingIntelligence for APIs

Attack reporting - PingIntelligence for APIs - 4.4

PingIntelligence

bundle

pingintelligence-44

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 4.4

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-44

pingintelligence

private

ContentType_ce

Page created: 6 Nov 2020 |

Page updated: 12 May 2021

| 2 min read

4.4 Capability API Security Advanced API Cybersecurity Linux On-Premises Operating System Hosting Environment PingIntelligence for APIs Product

Attack reports provide information about the suspected attacks on each API. The ABS Attack API provides reports by specifying the type_id (see descriptions in Attack Types ) and receiving attack details including time frame, client identifier, and an attack code (see Changing Attack Thresholds for an explanation of attack codes). The format of the ABS attack API is:

https://<hostname>:<port>/v4/abs/later_date<>&earlier_date<>&api=<api_name>type=type_id

The hostname and port correspond to the host ABS machine.

Understanding the API report parameters

Here is a brief description of the information available in the attack reports. Not all items are included in each of the reports. Please refer to ABS external REST APIs for detailed information in each report.

attack_type:Name of the attack type (for example, data exfiltration, stolen cookie)
description:Description of the attack.
earlier_date:A date which is past in time. For example, if the query range is between March 12 and March 14, then the earlier date would be March 12.
later_date:A date which is more recent in time. For example, if the query range is between March 12 and March 14, then the later date would be March 14.
api_name:The name of the API for which report is displayed.
access_time:The time that the hacker accessed the API
attack_code:Code for the variables and thresholds used to detect attacks. For example, attack_code": "varA(Tx, 25) signifies that the attack was triggered because variable A with a value of 25 exceeded the Tx threshold. Current threshold values can be checked using the Threshold API .
ddos_info:The ddos_info field provides a pointer to detailed information in the MongoDB system – for example, a list of IPs that were active during a DDoS attack (note: only included in DDoS reports). The data is accessible in the login_dos collection in abs_data database. To access the data, enter the following in your MongoDB command line:

>use abs_data
>db.login_dos.find({end_time:'Tue Mar 21 22:25:36:144 2017'},{'ips':1}).pretty()

Use the end_time in the query to see the participating IPs.

The following pages provide examples of API JSON attack reports for Data Exfiltration, Stolen Cookie, and Multi-Client Login Attack.

Note: You can use the Admin user or the restricted user to access the API reports. For the Admin user, the cookie, token or the API key is not obfuscated.