Page created: 12 May 2021 |
Page updated: 1 Nov 2021
Attack management provides a consolidated view of Indicators of Attack (IoAs) and enables efficient management of attacks on a per-client basis.
- Make sure you have admin user privileges to view the Attack Management dashboard.
Click on the Attack Management tab on the left pane. By default, the Attack Management page retrieves the Indicators of Attack (IoAs) for all client identifier types: IP address, Cookie, Token, API Key, and Username. However, you can also specify individual client identifier types in CLIENT IDS to get details on specific client IDs.
Note: For on-premise Dashboard deployments, you can configure the number of IoAs that can be fetched for a client identifier using the pi.webgui.ioclisting.fetchsize parameter in the <pi_install_dir>/webgui/config/webgui.properties file. For more information, see Configure WebGUI properties - webgui.properties.
Get the information for desired time periods by selecting the time ranges from the QUICK DATES list. In addition to quick time ranges like last one, seven, or 30 days, you can also specify a custom time
Note: When the Attack Management page loads for the first time, the QUICK DATES list defaults to Last 1 Day.
Apply the following filters on the search results:
- REVIEWED - Specify the IoA review status for a client identifier.
- APIs - Enter the APIs for which the IoA details are to be retrieved.
- IoA TYPE - Specify the IoA type.
Sort the results based on the following:
- Detected Time - The most recent IoA for each client identifier.
- IoA Count - The count of IoAs for each client identifier.
To get more information on the Indicators of Attack for a client identifier, click the Expand icon. You can see details like the attack detection time, the number of IoAs for the client identifier, the impacted APIs, and whether the client identifier is on the active blacklist.
Click the icon to remove the client identifier from blacklists and unblock it. The operation deletes the client identifier from the PingIntelligence API Security Enforcer (ASE) and ABS (API Behavioral Security) AI engine blacklists.
Note: If ASE is not configured to synchronize its blacklist with ABS's blacklist, then the following warning message appears while unblocking the client identifier:
ASE warning :- <client identifier> <client identifier value> does not exist in blacklist
For example: warning :- ip 100.100.13.6 does not exist in blacklist
You can modify the enable_abs_attack parameter in the ase.conf file to synchronize the ASE and AI engine blacklists. For more information, see Sideband ASE configuration - ase.conf and Attack management in ASE. You can alternatively use the CLI commands to set the parameters. For more information, see CLI for ASE.
- Click the icon to open the client activity report, and to change the review status of an Indicator of Attack, click the Reviewed/Not Reviewed toggle.
When you click the number of IoAs, you get the list of Indicators of Attack detected for the client. Click the Expand icon to find more insights on the IoAs. For client identifiers incorrectly flagged for IoAs, you can click Tune IoA Detection to adjust the IoA threshold limits in the ABS AI engine for the particular client and all future clients exhibiting similar access behavior.
Note: For more information, see Tune thresholds for false positives.