Blocked events
  • 30 Nov 2021


Article Summary

This topic explains how to view all the requests blocked by Traceable. Traceable blocks requests based on signature-based rules or custom rules, for example, a rate-limiting rule.


Traceable provides multiple ways to detect and block requests. You can enable signature rule-based blocking, or you can create custom rules, for example, a rate-limiting rule. For more information on blocking rules, see Protection settings. Traceable blocks a request when it matches any of the criteria defined in any of the rules. These blocked requests are listed on the Security Events > Blocked tab.

You can filter the blocked request events based on:

  • Category - The reason for blocking: signature-based, rate limiting, IP range blocking, or manually blocked threats (displayed as Threat Actor).
  • Sub-category - The sub-category lists the filter options based on the main category. However, you can also select a filter directly from the sub-category, in which case the category filters are updated based on your sub-category selection. For signature-based rules, the sub-categories are the sub-rules that are displayed when you click Blocking settings under Settings > Security. For example, Scanner Detection has sub-rules such as Found User-Agent associated with security scanner, Found request header associated with security scanner, and so on. If the main category is Threat Actor, then the sub-category is the user ID or the IP address of the user.
  • Actor - You can filter based on the user ID or IP address of the threat actor.
  • Endpoints - You can filter blocked requests based on a specific API endpoint.

When you choose any filter, the other filter values adjust based on the selection.

Blocked event details

When you click on a blocked request as shown in the screenshot above, Traceable displays the details of the blocked request, for example, the reason for blocking the request, the API endpoint, the IP address of the threat actor, the spans of the request, and so on.

The blocked request details window also displays the current status of the user. For example, in the above screenshot, Traceable displays the user's current status as ACTIVE. Although the window displays the details of a blocked request, the current status of the user can be ACTIVE. This is possible when Traceable blocked a user request, but the security administrator moved the user from the denylist to the allowlist.

Clicking the filter icon next to the current status (ACTIVE in the above screenshot) takes you to the Explorer window, which shows the details about the trace. Clicking Top Sources displays the details about the threat actor. Clicking Top Endpoint displays the details of that API endpoint.

Grouping of blocked requests

You can group the blocked events into different time blocks by selecting a value from the drop-down list as shown below. The available time blocks change based on the time range that you choose from the top menu. If you select a smaller time range from the top menu, the drop-down provides smaller time blocks. If the time range is broader, the grouping values are larger. The time interval shown in the timestamp column changes based on the value selected from the drop-down.

The above screenshot shows that from 11:30 PM to 12:00 PM (based on 30-minute grouping) there are three blocked requests based on the Scanner Detection signature-based rule. The Actor, Services, and Endpoints columns show the number of unique actors, services, and endpoints in the selected time block. In the above screenshot, for the 30-minute time block starting from 11:30 PM, two unique threat actors, one service, and two endpoints are affected.
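
The following Python example is added here and is not Traceable code: it reproduces the grouping described above on constructed events, showing how three blocked requests in one 30-minute block reduce to two unique actors, one service, and two endpoints. The event field names, the sample values, and the choice to group rows by (time block, category) are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumptions, not a Traceable schema.
EVENTS = [
    {"ts": "2021-11-29T23:31:10", "category": "Scanner Detection",
     "actor": "203.0.113.7", "service": "shop-api", "endpoint": "GET /products"},
    {"ts": "2021-11-29T23:42:55", "category": "Scanner Detection",
     "actor": "203.0.113.7", "service": "shop-api", "endpoint": "POST /login"},
    {"ts": "2021-11-29T23:58:02", "category": "Scanner Detection",
     "actor": "198.51.100.23", "service": "shop-api", "endpoint": "GET /products"},
    {"ts": "2021-11-30T00:04:40", "category": "Rate Limiting",
     "actor": "198.51.100.23", "service": "shop-api", "endpoint": "POST /login"},
]

def bucket_start(ts, minutes):
    """Floor a timestamp to the start of the time block that contains it."""
    epoch = datetime(1970, 1, 1)
    width = timedelta(minutes=minutes)
    return epoch + ((ts - epoch) // width) * width

def group_blocked(events, minutes=30):
    """Group by (time block, category); count events and unique actors,
    services and endpoints, like the Actor/Services/Endpoints columns."""
    groups = defaultdict(lambda: {"count": 0, "actors": set(),
                                  "services": set(), "endpoints": set()})
    for e in events:
        start = bucket_start(datetime.fromisoformat(e["ts"]), minutes)
        g = groups[(start, e["category"])]
        g["count"] += 1
        g["actors"].add(e["actor"])
        g["services"].add(e["service"])
        g["endpoints"].add(e["endpoint"])
    # Sets become unique counts; rows are ordered by block start, then category.
    return {
        key: {"count": g["count"], "actors": len(g["actors"]),
              "services": len(g["services"]), "endpoints": len(g["endpoints"])}
        for key, g in sorted(groups.items(), key=lambda item: item[0])
    }

if __name__ == "__main__":
    for (start, category), row in group_blocked(EVENTS, 30).items():
        print(start.strftime("%Y-%m-%d %H:%M"), category, row)
```

Changing the `minutes` argument shows why the rows change with the drop-down value: the same events fall into different blocks, so both the request counts and the unique counts per row change.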

