Viewing and managing Indicators of Attack - PingIntelligence for APIs

Page created: 12 May 2021 |

Page updated: 1 Nov 2021

| 3 min read

5.0 Capability API Security Advanced API Cybersecurity Linux On-Premises Operating System Hosting Environment PingIntelligence for APIs Product

Attack management provides a consolidated view of Indicators of Attack(IoAs) and enables efficient management of attacks on a per client basis.

Make sure you have admin user privileges to view the Attack Management dashboard.

Click on the Attack Management tab on the left pane. By default the Attack Management page retrieves the Indicators of Attack(IoAs) for all client identifier types - IP address, Cookie, Token, API Key, and Username. However, you can also specify individual client identifier types in CLIENT IDS to get details on specific client IDs.

Note: For on-premise Dashboard deployments, you can configure the number of IoAs that can be fetched for a client identifier using the pi.webgui.ioclisting.fetchsize parameter in <pi_install_dir>/webgui/config/webgui.properties file. For more information, see Configure WebGUI properties - webgui.properties.
Get the information for desired time periods by selecting the time ranges from the QUICK DATES list. In addition to quick time ranges like last one, seven, or 30 days, you can also specify a custom time period.

Note: When the Attack Management loads for the first time, the QUICK DATE list defaults to Last 1 Day.
Apply the following filters on the search results:
- REVIEWED- Specify the IoA review status for a client identifier.
- APIs- Enter the APIs for which the IoA details are to be retrieved.
- IoA TYPE- Specify the IoA type.
Sort the results based on the following:
- Detected Time- The most recent IoA for each client identifier.
- IoA Count- The count of IoA for each client identifier.
To get more information on the Indicators of Attack for a client identifier, click the Expand icon. You can see details like the attack detection time, the number of IOAs for the client identifier, the impacted APIs, and whether the client identifier is on the active blacklist.
Click the icon to remove the client identifier from blacklists and unblock it. The operation deletes the client identifier from the PingIntelligence API Security Enforcer (ASE) and ABS (API Behavioral Security) AI engine blacklists.
Note: If ASE is not configured to synchronize its blacklist with ABS's blacklist, then the following warning message appears while unblocking the client identifier.
```
ASE 
warning :- <client identifier> <client identifier value> does not exist in blacklist
For example:
  warning :- ip 100.100.13.6 does not exist in blacklist
```
You can modify the enable_abs_attack parameter in ase.conf file to synchronize ASE and AI engine blacklists. For more information, see Sideband ASE configuration - ase.conf and Attack management in ASE. You can alterrnatively use the CLI commands to set the parameters. For more information, see CLI for ASE.
Click the icon to open the client activity report, and to change the review status of an Indicator of Attack, click the Reviewed/Not Reviewed toggle.
When you click the number of IoAs, you get the list of Indicators of Attack detected for the client. Click Expand icon to find more insights on the IoAs. For the client identifiers incorrectly flagged for IoAs, you can click Tune IoA Detection to adjust the IoA threshold limits in the ABS AI engine for the particular client and all the future clients exhibiting similar access behavior.

Note: For more information, see Tune thresholds for false positives.