You can enable or disable one or more attack types using the ABS attackstatus REST API with the PUT method. The AI engine keeps updating the thresholds in the background, even when you disable an attack ID. Calculating the thresholds in the background allows ABS to report attacks if you enable an attack ID in the future.
If you disable an attack ID while the AI engine is processing the log data, ABS may still report attacks for a few minutes. The attack IDs are disabled when the next batch of access log files is processed. When you enable an attack from the disabled state, ABS takes a few minutes to report the API attacks.
URL: /v4/abs/attackstatus
Method: PUT
The following attack IDs cannot be disabled with the attackstatus REST API:
- Attack ID 13: API DDoS Attack Type 2
- Attack ID 100: Decoy Attack. This attack ID can be disabled from ASE.
- Attack ID 101: Invalid API Activity. This attack ID can be disabled from ASE.
- Use the attackstatus REST API with the GET method to fetch the current status of an attack ID.
- Use the attackstatus REST API with the PUT method to enable or disable the attack IDs.
Use the attackstatus REST API with the GET method to fetch the current state of all the attack IDs. The output is divided into two sections, enabled and disabled, along with the time when each attack ID was enabled or disabled. Following is a snippet of the response:
"attack_status": {
    "enabled": [
        {
            "attack_id": 1,
            "attack_name": "Data Exfiltration Attack Type 1",
            "enabled_time": "Thu Aug 22 12:56:39:158 2019"
        },
        {
            "attack_id": 2,
            "attack_name": "Single Client Login Attack Type 1",
            "enabled_time": "Thu Aug 22 12:56:39:158 2019"
        },
        {
            "attack_id": 4,
            "attack_name": "Stolen Token Attack Type 1",
            "enabled_time": "Thu Aug 22 12:56:39:158 2019"
        }
    ],
    "disabled": [
        {
            "attack_id": 3,
            "attack_name": "Data Exfiltration Attack Type 1",
            "disabled_time": "Thu Aug 22 12:56:39:158 2019"
        },
        {
            "attack_id": 5,
            "attack_name": "Single Client Login Attack Type 1",
            "disabled_time": "Thu Aug 22 12:56:39:158 2019"
        }
    ]
}
To disable or enable an attack ID with the attackstatus REST API, provide the attack_id and action in the body of a PUT request. The action can be enable or disable. Following is a sample body of the PUT request:
{
    "attacks": [
        {
            "attack_id": "1",
            "action": "disable"
        },
        {
            "attack_id": "2",
            "action": "enable"
        },
        {
            "attack_id": "13",
            "action": "disable"
        },
        {
            "attack_id": "100",
            "action": "disable"
        },
        {
            "attack_id": "101",
            "action": "disable"
        }
    ]
}
Following is a sample response:
{
    "attack_status": [
        {
            "attack_id": "1",
            "attack_name": "Data Exfiltration Attack Type 1",
            "status": "Attack ID disabled successfully"
        },
        {
            "attack_id": "2",
            "attack_name": "Single Client Login Attack Type 1",
            "status": "Attack ID is already enabled"
        },
        {
            "attack_id": "13",
            "attack_name": "API DDoS Attack Type 2",
            "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
        },
        {
            "attack_id": "100",
            "attack_name": "Decoy Attack",
            "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
        },
        {
            "attack_id": "101",
            "attack_name": "Invalid API Activity",
            "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
        }
    ]
}
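The PUT call reports a separate status for every attack ID, so one request can partly fail, and each disabled ID is a detection that is no longer reported. The following Python sketch is an added example, not PingIntelligence code: it builds the request body, lists requested changes that the response does not confirm, and extracts the disabled detections from a GET response. The function names are hypothetical, the HTTP call and authentication are left out because this page does not show them, and the sample data is reduced from the responses above.

```python
import json

# Attack IDs the page lists as not disableable through this API.
PROTECTED_IDS = {13, 100, 101}

def build_put_body(changes):
    """Turn {attack_id: "enable" | "disable"} into the PUT body format shown above."""
    attacks = []
    for attack_id, action in sorted(changes.items()):
        if action not in ("enable", "disable"):
            raise ValueError(f"unsupported action {action!r} for attack ID {attack_id}")
        if action == "disable" and attack_id in PROTECTED_IDS:
            raise ValueError(f"attack ID {attack_id} cannot be disabled with this API")
        attacks.append({"attack_id": str(attack_id), "action": action})
    return json.dumps({"attacks": attacks}, indent=2)

def unconfirmed_changes(changes, put_response):
    """Return {attack_id: status} for requested changes the response does not confirm."""
    statuses = {int(e["attack_id"]): e["status"] for e in put_response["attack_status"]}
    problems = {}
    for attack_id, action in changes.items():
        status = statuses.get(attack_id, "no entry in response")
        # Assumption: success and no-op messages follow the wording of the page's samples.
        if f"{action}d successfully" not in status and f"already {action}d" not in status:
            problems[attack_id] = status
    return problems

def disabled_detections(get_response):
    """Map attack_id -> (attack_name, disabled_time) for every disabled attack ID."""
    disabled = get_response["attack_status"]["disabled"]
    return {e["attack_id"]: (e["attack_name"], e["disabled_time"]) for e in disabled}

# Sample responses reduced from the ones on this page; the outer braces around
# "attack_status" in the GET response are an assumption.
SAMPLE_PUT = {"attack_status": [
    {"attack_id": "1", "status": "Attack ID disabled successfully"},
    {"attack_id": "2", "status": "Attack ID is already enabled"},
    {"attack_id": "13", "status": "Attack ID cannot be disabled. For more information, "
                                  "refer to PingIntelligence documentation."}]}
SAMPLE_GET = {"attack_status": {"enabled": [], "disabled": [
    {"attack_id": 3, "attack_name": "Data Exfiltration Attack Type 1",
     "disabled_time": "Thu Aug 22 12:56:39:158 2019"}]}}

if __name__ == "__main__":
    print(build_put_body({1: "disable", 2: "enable"}))
    print(unconfirmed_changes({1: "disable", 2: "enable", 13: "disable"}, SAMPLE_PUT))
    print(disabled_detections(SAMPLE_GET))
```

Running `disabled_detections` on a schedule and comparing the result with an approved list gives a simple record of which detections are switched off and since when.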