- 30 Nov 2021
- 3 Minutes to read
- Updated on 30 Nov 2021
This topic describes threats, threat actors, how to view identified threats, and the various threat-actor tags applied to threats.
Threats are a prominent actionable category within Traceable DefenseAI. A threat typically means an ongoing attack that needs attention and resolution. Traceable analyzes malicious activity by authenticated or anonymous users to identify threats. This threat activity information is combined with the previous activity report into an attack timeline.
In the Threats section of the platform, Traceable displays both the active threats and threats that have not been resolved or mitigated. Traceable assigns a threat severity of High, Medium, or Low to each threat based on the volume and other information about malicious activity. The Threats view is independent of the time window that you choose in the top menu bar. For more information on threat mitigation actions, see Threat mitigation.
DefenseAI identifies the threats by the threat actor. A threat actor is identified by a user ID, for example, an email ID. If the user ID is not available, the IP address of the threat actor is displayed.
Traceable starts security event detection by observing the traffic flow through the API endpoints to build the API specification and insights for each of the parameters. These insights about the traffic flow are a combination of the baseline for a parameter's type, value, and usage, such as patterns of request and response. Traceable, for example, observes the parameters within API endpoints, the traffic flow in authorized user sessions, the sequence of API calls, and so on.
To identify threats, Traceable establishes a baseline. Traceable then detects any requests and responses where the parameters deviate from the established baseline. These deviations are identified as anomalies. These anomalies are further analyzed to identify if the anomalous activity is malicious. If it is an anomalous activity, a security event is raised.
When Traceable detects anomalous behavior, it starts observing the user that triggered it. This user is now called a monitored user. Traceable closely monitors all further communication from this user.
Anomalies and security events have different severity levels based on multiple factors. Once the monitored user crosses a certain anomaly threshold level and displays some malicious behavior (security events are identified in their requests), they become a threat-actor.
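The escalation path described above (baseline, anomaly, security event, monitored user, threat actor), sketched as an added example; it is not Traceable's implementation. The threshold value, the regex standing in for the malicious-activity analysis, the class and field names, and the sample traffic are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

ANOMALY_THRESHOLD = 3  # assumed value; the page does not state the real threshold
# Assumed stand-in for the "is this anomaly malicious?" analysis step.
MALICIOUS = re.compile(r"('|--|<script|\.\./)", re.I)

class Pipeline:
    def __init__(self):
        self.baseline = {}  # (endpoint, parameter) -> (observed type, max length)
        self.users = defaultdict(lambda: {"state": "normal", "anomalies": 0, "events": 0})

    def learn(self, endpoint, params):
        """Build the per-parameter baseline from observed traffic."""
        for name, value in params.items():
            kind, max_len = self.baseline.get((endpoint, name), (type(value), 0))
            self.baseline[(endpoint, name)] = (kind, max(max_len, len(str(value))))

    def observe(self, request):
        """Process one request; return (actor, state after this request)."""
        actor = request.get("user_id") or request["ip"]  # user ID, else IP address
        user = self.users[actor]
        for name, value in request["params"].items():
            expected = self.baseline.get((request["endpoint"], name))
            if expected and isinstance(value, expected[0]) and len(str(value)) <= expected[1]:
                continue  # within the baseline
            user["anomalies"] += 1  # deviation from baseline = anomaly
            if MALICIOUS.search(str(value)):
                user["events"] += 1  # anomaly judged malicious = security event
        if user["anomalies"] and user["state"] == "normal":
            user["state"] = "monitored"
        if user["anomalies"] >= ANOMALY_THRESHOLD and user["events"]:
            user["state"] = "threat_actor"
        return actor, user["state"]

def demo():
    """Replay constructed sample traffic (documentation addresses, made-up users)."""
    p = Pipeline()
    for order_id in (7, 42, 1001):
        p.learn("/orders", {"id": order_id})
    anon = {"user_id": None, "ip": "203.0.113.9", "endpoint": "/orders"}
    traffic = [
        {"user_id": "alice@example.com", "ip": "198.51.100.7",
         "endpoint": "/orders", "params": {"id": 15}},
        {**anon, "params": {"id": "99999999"}},
        {**anon, "params": {"id": "1' OR '1'='1"}},
        {**anon, "params": {"id": "../../etc"}},
    ]
    return [p.observe(r) for r in traffic]
```

Calling `demo()` returns the state of each actor after each request: the anonymous client is keyed by its IP address, becomes monitored on its first out-of-baseline value, and is promoted to threat actor only once it has both reached the anomaly threshold and produced a security event.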
Navigate to the Threats section of the platform to view all the threats identified by DefenseAI. By default, the platform displays the Active threats, with the most recent active threat actors at the top. You can also sort the threat list by threat creation time by clicking the Sort By drop-down shown in the screenshot below.
Threat severity is color-coded by the dots on the left of each threat card.
You can click on the threat as shown in the above screenshot to display all the security events detected from a specific threat actor. The threat severity categories are Low, Medium, and High or All. Traceable places threats in these categories based on a score that it calculates internally from the intensity and number of detected security events and anomalies.
Click on the icon in the above screen to view more details of a specific security event. Within threat actor details, information on the IP addresses used by this user, the clients that were used to connect to the system, and stats on detected anomalies and security events are presented.
Individual threat detail
Traceable displays the API or endpoint, the URI, and the service that is under threat for a specific security event.