Enable or disable attack IDs - PingIntelligence for APIs

Enable or disable attack IDs - PingIntelligence for APIs - 5.0

PingIntelligence

bundle

pingintelligence-50

ft:publication_title

PingIntelligence

Product_Version_ce

PingIntelligence for APIs 5.0

category

APISecurity

AdvancedAPICybersecurity

Capability

Environment

Product

apisecurity

capability

linux

pi-50

pingintelligence

private

ContentType_ce

Page created: 12 May 2021 |

Page updated: 1 Nov 2021

| 3 min read

5.0 Capability API Security Advanced API Cybersecurity Linux On-Premises Operating System Hosting Environment PingIntelligence for APIs Product Administration User task

You can enable or disable one or more than one attack type using ABS attackstatus REST API with the PUT method. The AI engine keeps updating the thresholds in the background, even when you disable an attack ID. Calculating the thresholds in the background allows ABS to report attacks if you enable an attack ID in the future.

If you have disabled an attack while the AI engine is processing the log data, ABS may still report attacks for a few minutes. The attack IDs would be disabled when the next batch of access log files are processed. When you enable an attack from the disabled state, ABS takes a few minutes to report the API attacks.

URL: /v4/abs/attackstatus

Method: PUT

The following attack IDs cannot be disabled from ABS as these are real-time attacks reported by ASE:

Attack ID 13: API DDoS Attack Type 2
Attack ID 100: Decoy Attack. This attack ID can be disabled from ASE.
Attack ID 101: Invalid API Activity. This attack ID can be disabled from ASE.

To enable or disable an attack ID, you should:

Use the attackstatus REST API with GET method to fetch the current status of an attack ID
Use the attackstatus REST API with PUT method to enable or disable the attack IDs.

Fetch the attack ID status: Run the attackstatus REST API with the GET method to fetch the current state of all the attack IDs. The output is divided into two sections, enabled and disabled, along with the time when an attack ID was enabled or disabled. Following is a snippet of response:

“attack_status”: {
  “enabled” : [    
         {
            "attack_id" : 1,
            "attack_name" : "Data Exfiltration Attack Type 1",
            "enabled_time" : "Thu Aug 22 12:56:39:158 2019"
         }, 
         {
            "attack_id" : 2,
            "attack_name" : "Single Client Login Attack Type 1",
            "enabled_time" : "Thu Aug 22 12:56:39:158 2019"
         }, 
        {
            "attack_id" : 4,
            "attack_name" : "Stolen Token Attack Type 1",
            "enabled_time" : "Thu Aug 22 12:56:39:158 2019"
        }
             ],
“disabled” : [    
         {
            "attack_id" : 3,
            "attack_name" : "Data Exfiltration Attack Type 1",
            "disabled_time" : "Thu Aug 22 12:56:39:158 2019"
         }, 
         {
            "attack_id" : 5,
            "attack_name" : "Single Client Login Attack Type 1",
            "disabled_time" : "Thu Aug 22 12:56:39:158 2019"
         }
		]
}

Note: Attack IDs 13, 100, and 101 are always displayed as enabled in the response.

Disable or enable attack IDs: To disable or enable an attack ID, use the PUT method with the attackstatus REST API. To disable or enable an attack ID, provide the attack_id and action. The action can be enable or disable. Following is sample body of the PUT request:

{
    “attacks”:[
  {
    "attack_id": “1”,
    "action": “disable”
  },
  {
    "attack_id": “2”,
    "action": “enable”
  },
  {
    "attack_id": “13”,
    "action": “disable”
  },
{
    "attack_id": “100”,
    "action": “disable”
  },
 {
    "attack_id": “101”,
    "action": “disable”
  }
]
}

Following is a sample response:

{
   "attack_status": [
       {
           "attack_id": "1",
           "attack_name": "Data Exfiltration Attack Type 1",
           "status": "Attack ID disabled successfully"
       },
       {
           "attack_id": "2",
           "attack_name": "Single Client Login Attack Type 1",
           "status": "Attack ID is already enabled"
       },
       {
           "attack_id": "13",
           "attack_name": "API DDoS Attack Type 2",
           "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
       },
       {
           "attack_id": "100",
           "attack_name": "Decoy Attack",
           "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
       },
       {
           "attack_id": "101",
           "attack_name": "Invalid API Activity",
           "status": "Attack ID cannot be disabled. For more information, refer to PingIntelligence documentation."
       }
       
   ]
}