The attack management feature of PingIntelligence for APIs Dashboard supports unblocking of clients and tuning thresholds values for attacks. Click on the Attack Management tab on the left pane and click Tune/Unblock to access it.
Interactive blacklists
The PingIntelligence for APIs Dashboard provides the capability of unblocking or tuning a blacklist directly from the Dashboard. The user can select the client identifier and the Attack management action from the Dashboard. For more information, see Interactive blacklists. The following screen shot shows the client identifier blacklists across APIs in the Dashboard.
Unblock a client identifier
- Select the type of client identifier from the Client Identifier Type list.
- Enter the value of the client identifier. Note: For API Key and Cookie, enter the name and the value.
- Select the Unblock Client check box.
- Click Run.
The unblock operation deletes the client identifier from the PingIntelligence ASE and ABS AI
engine blacklist. To verify that the client identifier has been deleted from ASE, run
the view_blacklist CLI command or blacklist REST API in ASE. To
verify that the client identifier has been deleted from ABS, use the
attacklist
REST API. For more information on ABS blacklist, see
ABS blacklist reporting.
Tune threshold
- It fetches all the attacks flagged for the client identifier from ABS AI Engine.
- After it has identified all the attacks, it increases the threshold values for those
attacks. At this point, the threshold has moved from
system
defined touser
defined. For more information on thresholds, see Tune thresholds for false positives.
- Select the type of client identifier from the Client Identifier Type list.
- Enter the value of the client identifier.
- Select the Tune Threshold check box.
- Provide the approximate number of days since the client was blocked. The maximum value is
30-days.Note: The value for How many days ago client was blocked? gets auto-populated when Attack Management is initiated from the Dashboard interactive blacklist. The value is calculated as follows,
When auto-populating, if the calculated value is more than 30 days, it is trimmed down to 30.You can use the same formula when populating the value manually. The Attack detection date for a client identifier is available in the interactive blacklists.How many days ago client was blocked? = Current date - Attack detection date + 1
- Click Run.