Custom policy
Updated on 20 Nov 2024
Custom policy allows you to create policies for granular control of API protection strategy. These custom policies effectively build a zero-trust policy to protect your data from misuse. You can configure them to protect your APIs based on the traffic's source, specific traffic patterns, whether it carries sensitive data or the rate at which the API is accessed.
The custom policy is separated into the following categories:
Malicious Source — Create policies to protect your APIs from known malicious sources such as suspicious users, IPs with poor reputations, sanctioned countries, Tor, etc.
Custom Signatures — Create policies with custom rules based on patterns you would like Traceable to use in blocking. This feature is especially useful if you are migrating to Traceable from a legacy WAF and have created custom rules you wish to continue using. The rules can be configured for detection and blocking (optional).
Rate Limiting — The rate-limiting policy enables you to control the incoming traffic to an API by limiting the number of requests coming from an IP address within a given period. After reaching the limit, the policy blocks the violating IP address.
Data Loss Prevention (DLP) — The DLP policy lets you control access patterns for sensitive data to an API within a given period. Sensitive data access is tracked per source type for sensitive data sets and types for specified APIs. After the data access limit is reached, the policy rejects all requests from that user, thereby preventing attempts to exfiltrate sensitive data.
Enumeration — The Enumeration policy enables you to look for specific data in request parameters, path parameters, or sensitive data being enumerated within a given period. By selecting relevant APIs, you can use this policy to prevent credential stuffing attempts, gift card fraud, etc. After reaching the limit, the policy rejects all requests, protecting the API from enumeration-based attacks.
The following sections detail each type of custom policy. Navigate to Protection → Settings → Custom Policy and click on a tab to create the required policy. Creating any policy involves the following three steps:
Set the custom policy's criteria.
Configure the conditions and actions Traceable should take.
Review the policy and save.
After configuring a policy, you can do the following:
Enable or disable the policy using the toggle corresponding to a row.
View, edit, or delete the policy using the Ellipsis icon corresponding to a row.
Blocking or allowing priority
Traceable follows a priority for blocking or allowing user requests. It is recommended to understand this priority list as it helps in configuring the policies with the correct set of options. In Traceable, a threat actor can be blocked in either of the following ways:
Manually moving it to the deny or suspend list.
Rate-limiting policies
DLP policies
Enumeration policies
Malicious source policies
In case of a conflict, the following table lists the order of precedence from highest to lowest. Allow rules have a higher priority than blocking rules:
Blocking or allowing priority | Description |
---|---|
IP address(s) allow | Never block traffic from allowed IP address(s). |
Threat actor(s) allow | Never block traffic from any IP address(s) the threat actor uses. |
Email domain allow | Never block traffic for specific email domains. |
Custom signature rule request allow | Never block traffic if it matches a custom rule. |
Custom signature rule request blocking | Block an individual request if it matches a custom rule. |
Signature-based (safe-crs) request blocking | Block individual requests if they match a signature rule. |
All IP blocked except | Block all IP address(s) except the listed IP address(s) range. |
IP blocked | Block specific IP addresses or a range of IP addresses. |
Threat actor blocked | Block IP address(s) ever used by the specific threat actor. |
Email domain blocked | Block specific email domains. |
IP type blocked | Block IP addresses of a specific IP type: Anonymous VPN, Hosting provider, Public proxy, Tor exit node, or Bot. |
Block all email domains except | Block all email domains except the ones listed. |
Region blocked all except | Block all regions except the ones listed. |
Region blocked | Block specific regions. |
Rate-limiting, DLP, and enumeration-based actor blocking | Block threat actors if policy conditions are met. |
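The precedence in the table can be read as an ordered rule walk in which the first matching entry decides the request. The following Python example is added here to make that concrete; it is not Traceable's code, and the rule kinds, request fields and sample configuration (the CIDR ranges, the custom rule name, the Tor exit node flag) are constructed for illustration. The special handling described under "IP address allowlist" below, where a Malicious source Allow action also suppresses rate-limiting, DLP and enumeration alerts but leaves custom signature policies untouched, is outside what this example models.

```python
import ipaddress

# Precedence taken from the table above: allow rules first, then block rules.
# Evaluation stops at the first matching entry, so an allow entry always
# wins over any block entry listed after it.
PRIORITY = [
    ("ip_allow", "allow"),
    ("actor_allow", "allow"),
    ("email_domain_allow", "allow"),
    ("custom_signature_allow", "allow"),
    ("custom_signature_block", "block"),
    ("safe_crs_block", "block"),
    ("ip_block_all_except", "block"),
    ("ip_block", "block"),
    ("actor_block", "block"),
    ("email_domain_block", "block"),
    ("ip_type_block", "block"),
    ("email_domain_block_all_except", "block"),
    ("region_block_all_except", "block"),
    ("region_block", "block"),
    ("actor_policy_block", "block"),  # rate-limiting, DLP and enumeration actor blocking
]


def ip_in(ip, cidrs):
    """True if `ip` falls inside any of the configured CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def rule_matches(kind, req, cfg):
    """True if the configured values for rule kind `kind` match the request.

    `req` describes one request: ip, actor, email_domain, ip_type, region, the
    names of custom signatures it matched, and flags for a safe-crs hit and for
    a rate-limit/DLP/enumeration condition being met. `cfg` maps rule kinds to
    their configured values; an absent or empty entry means "not configured".
    """
    values = cfg.get(kind)
    if not values:
        return False
    if kind in ("ip_allow", "ip_block"):
        return ip_in(req["ip"], values)
    if kind == "ip_block_all_except":
        return not ip_in(req["ip"], values)
    if kind in ("actor_allow", "actor_block"):
        return req.get("actor") in values
    if kind in ("email_domain_allow", "email_domain_block"):
        return req.get("email_domain") in values
    if kind == "email_domain_block_all_except":
        domain = req.get("email_domain")
        return domain is not None and domain not in values
    if kind in ("custom_signature_allow", "custom_signature_block"):
        return bool(set(req.get("signatures", ())) & set(values))
    if kind == "safe_crs_block":
        return bool(req.get("safe_crs_hit"))
    if kind == "ip_type_block":
        return req.get("ip_type") in values
    if kind == "region_block_all_except":
        region = req.get("region")
        return region is not None and region not in values
    if kind == "region_block":
        return req.get("region") in values
    if kind == "actor_policy_block":
        return bool(req.get("actor_policy_hit"))
    raise ValueError(f"unknown rule kind {kind!r}")


def decide(req, cfg):
    """Walk the priority list; the first matching rule decides the request."""
    for kind, verdict in PRIORITY:
        if rule_matches(kind, req, cfg):
            return verdict, kind
    return "allow", "no_rule_matched"


# Constructed sample configuration (not taken from the page).
SAMPLE_CFG = {
    "ip_allow": ["10.20.0.0/16"],
    "email_domain_allow": ["partner.example"],
    "custom_signature_block": ["legacy-waf-rule-17"],
    "ip_block": ["203.0.113.0/24"],
    "ip_type_block": ["Tor exit node"],
    "region_block": ["Afghanistan"],
    "safe_crs_block": True,       # True = signature-based (safe-crs) blocking enabled
    "actor_policy_block": True,   # True = actor-blocking policies enabled
}


def demo():
    """Evaluate constructed requests that exercise the precedence rules."""
    cases = {
        # allowlisted IP inside a blocked region: the allow entry wins
        "allowed_ip_in_blocked_region": {"ip": "10.20.5.9", "region": "Afghanistan"},
        # blocked IP that also tripped a rate-limit policy: the IP block is the reason
        "blocked_ip_and_actor_policy": {"ip": "203.0.113.7", "actor_policy_hit": True},
        # matched a custom signature and no custom allow rule is configured
        "custom_signature_hit": {"ip": "198.51.100.3", "signatures": {"legacy-waf-rule-17"}},
        # allowed email domain coming from a Tor exit node: the email allow wins
        "partner_domain_over_tor": {"ip": "198.51.100.4", "email_domain": "partner.example",
                                    "ip_type": "Tor exit node"},
        "no_match": {"ip": "198.51.100.5", "region": "Germany"},
    }
    return {name: decide(req, SAMPLE_CFG) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:30s} {verdict:5s} ({reason})")
```

The returned reason is the rule kind that decided, which is what you want to log when a policy behaves unexpectedly: a blocked request that should have been allowed usually turns out to be missing from the allow entry rather than hitting the wrong block entry.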
IP address allowlist
Make a note of the following when you create custom policies. If you are going to create a Malicious source policy of the type IP range with Allow action, then:
If you have other policies with an action to block requests, the Allow action of the Malicious source policy overrides them, and no request is blocked.
If you have configured rate limiting, DLP, or enumeration policies with a block or alert action, the Allow action of the Malicious source policy overrides them, and no request is blocked, nor is any alert sent.
The above-mentioned malicious source policy configuration does not affect custom signature policies. The detections enabled from the Protection → Settings → Detection policy continue to happen. If you wish to allow IP addresses from such detection, click the Exclusions tab to create an exclusions rule.
Malicious Sources
You can configure a custom policy to protect your APIs from Traceable-detected malicious sources, such as suspicious users, IP addresses with poor reputations, sanctioned countries, Tor, etc.
Navigate to the Malicious Sources tab and click + Add Policy in the tab’s top right corner to start creating a policy. The following steps describe each field during policy creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Policy Name — The name of the policy. Traceable shows the policy under the Malicious Sources tab using this name.
(Optional) Description — Some basic information about the policy, for example, the type of threat it blocks.
Environment — The environment in which you want Traceable to apply the policy.
Source Criteria — The malicious source to which you want the policy to apply. You can create the policy based on the following:
IP range — One or more IP addresses or a range of IP addresses. For example, 192.168.1.0/24.
Region — Based on a region. For example, Afghanistan.
Emails — One or more of the following criteria types to create a policy based on emails:
Users from disposable email domain
Users with emails in data leaks
Email domains
Email regexes
Note
You must specify the email regex and press the Enter key, or if specifying multiple regexes, add a comma (,) after each regex.
Email fraud score
IP type — One or more of the following IP address types to create a policy based on IP type:
Anonymous VPN
Hosting provider
Public proxy
Tor exit node
Bot
Once you have set the above criteria, click Next. You can also create multiple policies for the same environment, each with a different criterion. For example, you can choose to block the Afghanistan region across all environments or have a policy based on IP types for all environments.
Step 2 — Configure the action
Traceable provides the following options for action regarding the event generated by the custom policy:
Allow requests — Allows all requests matching the criteria configured in Step 1 above.
Note
This action is available for the IP range source criteria only.
Block request — Blocks all requests matching the criteria configured in Step 1 above.
Block all requests except this — Allows all requests except the ones matching the criteria configured in Step 1 above.
Note
This action is available for the IP range and Region source criteria only.
You can create multiple custom policies with this action; however, they must apply to different environments.
Alert only, no blocking — Alerts you when a request matches the configured criteria. In this case, no requests are blocked.
You can also configure the following:
The severity of the generated event: low, medium, high, or critical. By default, Traceable assigns Low severity to the event.
The duration for which the rule should apply. By default, the rule applies Indefinitely.
Once you have configured the above, click Next.
The following table lists the different action options available for each criterion.
Action → | Block requests | Allow requests | Block all requests except this | Alert only, no blocking |
---|---|---|---|---|
IP Range | Yes | Yes | Yes | Yes |
Region | Yes | No | Yes | Yes |
Emails | Yes | No | No | Yes |
IP type | Yes | No | No | Yes |
Step 3 — Review and Submit
In the final step, review and submit the policy. If you wish to edit any criteria during the review, click the Edit icon corresponding to a section.
Custom signatures
Custom Signatures are rules that detect signature-based attacks by matching patterns in the traffic your application receives. You can configure a custom signature policy to help fine-tune your API protection strategy by having granular control over the event types generated and the requests blocked. These rules apply globally to all APIs. You can create custom rules for different components of a request and response, for example, header name and value, body, Cookie, etc., and a rule can combine one or more request components. Traceable provides different preset operations for each part of the request.
Navigate to the Custom Signatures tab and click + Add Policy in the tab’s top right corner to start creating a policy. The following steps describe each field during policy creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Policy Name — The name of the custom signature policy. Traceable shows the policy under the Custom Signatures tab using this name.
(Optional) Description — Some basic information about the policy, for example, type of protection strategy it implements.
Environment — The environment in which you want Traceable to apply the policy.
Payload — The type of API component on which you want to apply the policy. You can create the policy based on the following:
Request/Response Criteria —
API interaction — The API interaction type (request or response) on which you want to apply the rule.
Component — One or more API components to create a policy, such as URL.
Operator — The type of comparison to evaluate the component against the specified value, such as Contains string.
Value — The value for the above component, for example, accounts.
Attribute — The metadata the Traceable agent provides after observing the API traffic.
Key — The operator and attribute name based on which Traceable should apply the rule. For example, operator as Matching exactly and key as authorization.
Value — The operator and value (if applicable) corresponding to the above key. By default, Traceable selects Any Values as the operator, however, you can select a different one from the drop-down and specify the value accordingly.
Sec Rule — Define security rules to analyze data passing through APIs. These rules are based on the OWASP ModSecurity Core Rule Set (CRS), which helps detect and block malicious patterns in API traffic. Using this feature, you can create rules that match specific patterns or behaviors in the payload and automatically block or alert on suspicious activity. Traceable validates the Sec Rule during policy submission, so ensure the rule is valid for the policy to be created successfully.
Note
You can add one Sec Rule per policy.
A Sec Rule must contain the id field. A Sec Rule that includes the msg field must also have the logdata field. Conversely, if the Sec Rule contains the logdata field, the msg field is optional. If the Sec Rule does not include the logdata field, the msg field should be omitted. This applies to all parent and child Sec Rule chains.
You can add one or more criteria for the same or different payloads. For example, you can set criteria with one payload as request/response and another as an attribute. Traceable carries out an AND operation on all the conditions defined in the rule.
Once you have set the above criteria, click Next.
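Checking the id, msg and logdata constraints before submitting a Sec Rule saves a failed policy creation. The Python example below is added here as an illustration and is not Traceable's validator: it parses SecRule directives into variables, operator and actions, groups chained rules, and reports the violations the note above describes. It assumes that id is required on the first rule of a chain (where ModSecurity keeps rule metadata) and checks the msg/logdata pairing on every rule of the chain; the sample rules are constructed for this example and are not taken from any CRS release.

```python
import re

# SecRule VARIABLES "OPERATOR" "ACTIONS"; both quoted parts may contain escaped quotes.
SECRULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"((?:[^"\\]|\\.)*)"(?:\s+"((?:[^"\\]|\\.)*)")?$')


def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            out.append(buf)
        buf = ""
    if buf and not buf.startswith("#"):   # file ended on a continuation line
        out.append(buf.rstrip())
    return out


def split_actions(actions):
    """Split an action list on commas that are not inside single quotes."""
    parts, buf, quoted = [], "", False
    for ch in actions:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return [p for p in parts if p]


def parse_secrule(line):
    """Parse one directive; actions are kept as name -> list because `t:` may repeat."""
    m = SECRULE_RE.match(line)
    if not m:
        raise ValueError(f"not a SecRule directive: {line!r}")
    actions = {}
    for item in split_actions(m.group(3) or ""):
        name, _, value = item.partition(":")
        actions.setdefault(name, []).append(value.strip("'"))
    return {"variables": m.group(1), "operator": m.group(2), "actions": actions}


def group_chains(rules):
    """Group consecutive rules linked by the `chain` action."""
    chains, current = [], []
    for rule in rules:
        current.append(rule)
        if "chain" not in rule["actions"]:
            chains.append(current)
            current = []
    if current:                           # last rule still says `chain`
        chains.append(current)
    return chains


def validate(text):
    """Return the problems found; an empty list means the checks from the note pass."""
    try:
        rules = [parse_secrule(l) for l in logical_lines(text)]
    except ValueError as exc:
        return [str(exc)]
    if not rules:
        return ["no SecRule directive found"]
    problems = []
    for n, chain in enumerate(group_chains(rules), start=1):
        head = chain[0]["actions"]
        label = f"rule {head['id'][0]}" if "id" in head else f"rule #{n}"
        if "id" not in head:
            problems.append(f"{label}: missing id")
        if "chain" in chain[-1]["actions"]:
            problems.append(f"{label}: chain has no final rule")
        for rule in chain:                # msg is only allowed together with logdata
            if "msg" in rule["actions"] and "logdata" not in rule["actions"]:
                problems.append(f"{label}: msg requires logdata")
    return problems


# Constructed sample rules (not from the page or from any CRS release).
VALID_SINGLE = r'''
SecRule ARGS "@rx (?i)union\s+select" \
    "id:1000001,phase:2,deny,t:none,t:urlDecodeUni,msg:'SQL keyword in argument',logdata:'%{MATCHED_VAR}'"
'''
VALID_CHAIN = r'''
# POST to /admin without an X-Admin-Token header
SecRule REQUEST_METHOD "@streq POST" "id:1000002,phase:2,deny,chain,msg:'Admin POST without token',logdata:'%{REQUEST_URI}'"
SecRule REQUEST_URI "@beginsWith /admin" "chain"
SecRule &REQUEST_HEADERS:X-Admin-Token "@eq 0"
'''
MSG_WITHOUT_LOGDATA = r'''
SecRule REQUEST_HEADERS:User-Agent "@contains scanner-x" "id:1000003,phase:1,deny,msg:'Known scanner'"
'''
MISSING_ID = r'''
SecRule ARGS:q "@streq probe" "phase:2,pass,logdata:'%{MATCHED_VAR}'"
'''

if __name__ == "__main__":
    for name, text in [("valid single", VALID_SINGLE), ("valid chain", VALID_CHAIN),
                       ("msg without logdata", MSG_WITHOUT_LOGDATA), ("missing id", MISSING_ID)]:
        print(f"{name}: {validate(text) or 'ok'}")
```

Splitting on commas only outside single quotes matters because msg and logdata values routinely contain commas; a naive split would break the action list apart and report a spurious missing logdata.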
Step 2 — Configure the action
Traceable provides the following options for the action you can take for the event generated by the custom signature rule. The options let you verify your custom signature rule, observe the generated events, and finally use them to block requests.
Block requests — Blocks all requests matching the criteria configured in Step 1 above.
Allow requests — Allows all requests matching the criteria configured in Step 1 above.
Alert only, no blocking — Alerts you when a request matches the configured criteria. In this case, no requests are blocked.
Mark for testing — Test your custom signature rule before applying it to production data. All the events generated as part of the configured rule are of low severity, and Traceable does not generate any notifications for such events. You can view the testing events by navigating to the Protection → Threat Activity → Filter pane and applying the Testing filter under Status.
Once you have configured the above, click Next.
Step 3 — Review and Submit
In the final step, review and submit the policy. If you wish to edit any criteria during the review, click the Edit icon corresponding to a section.
Rate limiting
You can configure a custom policy to protect your APIs from brute-force attacks. Using this policy, you can control the number of incoming requests from an IP address within a period. Traceable blocks that IP address as soon as the limit is exhausted.
Navigate to the Rate Limiting tab and click + Add Policy in the top right corner to start creating a policy. The following steps describe each field during policy creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Policy Name — The name of the policy. Traceable shows the policy under the Rate Limiting tab using this name.
(Optional) Description — Some basic information about the policy, for example, the type of threat it blocks.
Environment — The environment in which you want Traceable to apply the policy.
Source — The source criteria on which you want to apply the policy. For example, IP Addresses → All External IPs.
Note
All Sources except IP Abuse Velocity and IP Reputation have an Exclude check-box corresponding to their value field. When you select that check-box, Traceable applies the policy on all values except the ones you choose.
Payload — The API component on which you want to apply the policy. You can create the policy based on the following:
Request/Response Criteria —
API interaction — The API interaction type (request or response) on which you want to apply the rule.
Component — One or more API components to create a policy, such as URL.
Operator — The type of comparison to evaluate the component against the specified value, such as Contains string.
Value — The value for the above component, for example, accounts.
Attribute — The metadata the Traceable agent provides after observing the API traffic.
Key — The operator and attribute name based on which Traceable should apply the rule. For example, operator as Matching exactly and key as authorization.
Value — The operator and value (if applicable) corresponding to the above key. By default, Traceable selects Any Values as the operator, however, you can select a different one from the drop-down and specify the value accordingly.
Target — The API endpoints you want Traceable to monitor as part of the policy. You can select one or more APIs, or labels to which the rules should apply. The rule applies to all the underlying APIs when you select a label.
Once you have set the above criteria, click Next.
Step 2 — Configure the conditions
Traceable provides the following options for configuring policy conditions. These conditions define the numerical limits after which the rule triggers.
Static Condition — The fixed values based on which Traceable should limit the API requests. This condition consists of the following parameters:
Access Exceed — The number of API requests after which Traceable should block the IP. For example, 50 requests.
Time Range — The duration for which the limit should apply. For example, a 5-minute time range means the API(s) can receive up to 50 requests within this 5-minute window. Once this limit is reached, Traceable blocks the IP address.
Compute Condition — A combination of conditions on which the above limits should apply:
Per user and Per selected endpoints — If an IP address exceeds the above set limit for an API endpoint, Traceable implements the action you select in Step 3 below.
Per user and Across all selected endpoints — If an IP address exceeds the above set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below.
By total requests across all users and Per selected endpoints — If all IP addresses collectively exceed the above set limit for an API endpoint, Traceable implements the action you select in Step 3 below for all users. For example, you configure a rule to limit requests to 100 in 1 minute for an API. Then, if there are 5 IP addresses, and each IP sends 20 or more requests per minute to that API, Traceable implements the action you select below.
By total requests across all users and Across all selected endpoints — If all IP addresses collectively exceed the above set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below for all users.
Dynamic Condition — Adjust the rate limit intelligently based on the baseline traffic calculated according to the number of days you configure. Traceable calculates the baseline by default according to the traffic received by an API in the past day. This condition consists of the following parameters:
Access rate exceeds mean by — The percentage of requests exceeding the baseline after which Traceable should block the IP address. For example, 20%.
Time Range — The duration for which the rate limit should apply. For example, a 5-minute time range and 100 baseline value means that the API can receive up to 120 requests within this 5-minute window. Once this limit is reached, Traceable blocks the IP address.
Time Range (Baseline) — The period over which Traceable should calculate the baseline value. For example, a 5-day time range means that the mean value is derived from the ratio of the total number of calls to an API endpoint to the total number of unique IP addresses accessing that API within the 5-day period.
You can have one or more static and dynamic conditions working together. For example, you can use the static condition to limit requests to 1000 per hour and use the dynamic condition to prevent sudden traffic spikes, ensuring steady API usage along with attack prevention.
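The conditions above reduce to counting requests per group within a window and comparing the count against either a fixed number or a baseline-derived one. The Python example below is added here to show that computation end to end; it is not Traceable's implementation, and the event shape (timestamp, source IP, endpoint) and the request history are constructed. It assumes, as in the 100 → 120 example above, that the baseline mean is applied directly to the evaluation window; the page does not state how Traceable normalises the baseline period to the window length.

```python
from collections import Counter

# Constructed event shape (not Traceable's schema): (timestamp_seconds, source_ip, endpoint)


def in_window(events, start, seconds):
    """Events whose timestamp falls in [start, start + seconds)."""
    return [e for e in events if start <= e[0] < start + seconds]


def group_key(event, per_user, per_endpoint):
    """Grouping key for the four compute conditions; '*' stands for
    'across all users' or 'across all selected endpoints'."""
    _, ip, endpoint = event
    return (ip if per_user else "*", endpoint if per_endpoint else "*")


def static_violations(events, start, seconds, access_exceed, per_user=True, per_endpoint=True):
    """Static condition: groups whose request count in the window exceeds access_exceed."""
    counts = Counter(group_key(e, per_user, per_endpoint) for e in in_window(events, start, seconds))
    return {key: n for key, n in counts.items() if n > access_exceed}


def baseline_mean(history, endpoint):
    """Baseline as defined above: total calls to the endpoint over the baseline
    period divided by the number of unique IP addresses that made them."""
    calls = [e for e in history if e[2] == endpoint]
    return len(calls) / len({e[1] for e in calls}) if calls else 0.0


def dynamic_violations(events, start, seconds, history, exceed_pct):
    """Dynamic condition, per user and per endpoint: an IP violates when its
    requests to an endpoint in the window exceed the baseline mean by more
    than exceed_pct percent. Assumption: the mean applies to the window as-is."""
    counts = Counter(group_key(e, True, True) for e in in_window(events, start, seconds))
    result = {}
    for (ip, endpoint), n in counts.items():
        limit = baseline_mean(history, endpoint) * (100 + exceed_pct) / 100
        if n > limit:
            result[(ip, endpoint)] = (n, limit)
    return result


def demo():
    endpoint = "/api/login"
    # Constructed 5-minute window: A sends 60 requests, B 30, C 20 (110 in total);
    # ten further requests from A fall after the window and must be ignored.
    events = ([(i * 5, "A", endpoint) for i in range(60)]
              + [(i * 10, "B", endpoint) for i in range(30)]
              + [(i * 15, "C", endpoint) for i in range(20)]
              + [(300 + i, "A", endpoint) for i in range(10)])
    # Constructed baseline history: 4 IPs x 25 calls -> mean of 25 calls per IP.
    history = [(t, ip, endpoint) for ip in ("h1", "h2", "h3", "h4") for t in range(25)]
    return {
        # Access Exceed 50, Time Range 5 minutes, Per user and Per selected endpoints
        "static_per_user": static_violations(events, 0, 300, 50),
        # Access Exceed 100, By total requests across all users and Per selected endpoints
        "static_total": static_violations(events, 0, 300, 100, per_user=False),
        # Access rate exceeds mean by 20 %: mean 25 -> limit 30; B sits exactly on it
        "dynamic": dynamic_violations(events, 0, 300, history, 20),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Note the boundary behaviour: B's 30 requests equal the dynamic limit of 30 and are not flagged, matching the "up to N requests" wording above; only a count strictly above the limit triggers the action.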
Step 3 — Configure actions
Traceable provides the following options regarding the events generated by the custom policy:
Severity — The severity of the generated event: low, medium, high, or critical. By default, Traceable assigns Low severity to the event.
Action — The action you wish to perform:
Block the user indefinitely — If an IP address meets the above criteria, Traceable blocks it indefinitely, preventing any further API requests.
Block for a period of time — If an IP address meets the above criteria, Traceable blocks it from making API requests for the duration you define.
Do not block, alert only — If an IP address meets the above criteria, Traceable does not block it, but alerts you for monitoring purposes.
Step 4 — Review and Submit
In the final step, review and submit the policy. If you wish to edit any criteria during the review, click the Edit icon corresponding to a section.
Data Loss Prevention (DLP)
A DLP policy allows you granular control over data access. A DLP policy or a zero trust policy can define who can access data, what kind of data can be accessed, and at what rate the data can be accessed, among many other options. The DLP policy provides many granular options to configure, for example, source of traffic, IP addresses, IP type (bot, VPN, and so on), user ID, region, attributes, and so on.
For the steps to create a DLP policy, see Data Protection.
Enumeration
You can configure a policy to prevent enumeration attacks and block systematic probing of sensitive data by monitoring API activity. It helps prevent data leaks and unauthorized access to credentials.
Navigate to the Enumeration tab and click + Add Policy in the tab’s top right corner to start creating a policy. The following steps describe each field during policy creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Policy Name — The name of the policy. Traceable shows the policy under the Enumeration tab using this name.
(Optional) Description — Some basic information about the policy, for example, the type of threat it blocks.
Environment — The environment in which you want Traceable to apply the policy.
Source — The source criteria on which you want to apply the policy. For example, Region → Afghanistan.
Note
All Sources except IP Abuse Velocity and IP Reputation have an Exclude check-box corresponding to their value field. When you select that check-box, Traceable applies the policy on all values except the ones you choose.
Payload — The API component on which you want to apply the policy. You can create the policy based on the following:
Request/Response Criteria —
API interaction — The API interaction type (request or response) on which you want to apply the rule.
Component — One or more API components to create a policy, such as URL.
Operator — The type of comparison to evaluate the component against the specified value, such as Contains string.
Value — The value for the above component, for example, accounts.
Attribute — The metadata the Traceable agent provides after observing the API traffic.
Key — The operator and attribute name based on which Traceable should apply the rule. For example, operator as Matching exactly and key as authorization.
Value — The operator and value (if applicable) corresponding to the above key. By default, Traceable selects Any Values as the operator, however, you can select a different one from the drop-down and specify the value accordingly.
Data Sets/Data Types —
Data Location — The location at which Traceable can find the datatype or dataset.
Datasets/Datatypes — The datasets or datatypes to which the policy should apply. For more information, see Data Classification.
Target — The API endpoints you want Traceable to monitor as part of the policy. You can select one or more APIs, or labels to which the rules should apply. The rule applies to all the underlying APIs when you select a label.
Once you have set the above criteria, click Next.
Step 2 — Configure the condition
Traceable provides the following options for configuring policy conditions. These conditions define the numerical limits after which the rule triggers.
Unique Values Exceed — The maximum number of unique values, such as usernames, email addresses, etc. in an API request after which Traceable should perform the action configured in Step 3 below. For example, 10 unique values.
Time Range — The time window over which Traceable counts the number of unique values. For example, a 5-minute time range means that Traceable monitors the API requests for enumeration attacks within this 5-minute window.
Compute Condition — A combination of conditions on which the above limits should apply:
Per user and Per selected endpoints — If a user exceeds the set limit for an API endpoint, Traceable implements the action you select in Step 3 below.
Per user and Across all selected endpoints — If a user exceeds the set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below.
By total requests across all users and Per selected endpoints — If all users collectively exceed the above set limit for an API endpoint, Traceable implements the action you select in Step 3 below for all users. For example, you configure a rule to limit unique values to 100 in 1 minute for an API. Then, if there are 5 users, and each user sends 20 or more unique values per minute to that API, Traceable implements the action you select below.
By total requests across all users and Across all selected endpoints — If all users collectively exceed the above set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below for all users.
You can configure the above conditions to apply on one or more of the following parts of a request:
Request Body
Path Parameters
Sensitive Parameters
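The enumeration condition differs from rate limiting in what it counts: distinct values of the monitored parameters, not requests. The Python example below is added here to show that distinction with the compute conditions above; it is not Traceable's implementation, and the event shape (timestamp, user, endpoint, a payload with body and path parameters), the endpoint paths and the sample traffic are constructed. The Sensitive Parameters part depends on data classification and is not modelled.

```python
from collections import defaultdict

# Constructed event shape (not Traceable's schema):
# (timestamp_seconds, user, endpoint, {"body": {...}, "path": {...}})


def extract_values(event, parts, param_names):
    """Yield (part, parameter, value) for the monitored parameters in the chosen
    request parts ("body" for Request Body, "path" for Path Parameters)."""
    payload = event[3]
    for part in parts:
        for name, value in payload.get(part, {}).items():
            if name in param_names:
                yield (part, name, str(value))


def unique_value_violations(events, start, seconds, unique_exceed, parts, param_names,
                            per_user=True, per_endpoint=True):
    """Return groups whose count of distinct monitored values in the window exceeds
    unique_exceed. The group is (user, endpoint), with '*' for 'across all users'
    or 'across all selected endpoints'. Repeating the same value does not add to
    the count, so a legitimate client retrying one username is not flagged."""
    seen = defaultdict(set)
    for event in events:
        ts, user, endpoint, _ = event
        if not (start <= ts < start + seconds):
            continue
        key = (user if per_user else "*", endpoint if per_endpoint else "*")
        seen[key].update(extract_values(event, parts, param_names))
    return {key: len(values) for key, values in seen.items() if len(values) > unique_exceed}


def demo():
    login, cards = "/api/login", "/api/gift-cards/{code}"
    events = []
    # u-probe: 25 login attempts in the window, each with a different username (constructed)
    events += [(i * 4, "u-probe", login, {"body": {"username": f"user{i}@example.test", "password": "x"}})
               for i in range(25)]
    # u-retry: 15 attempts with the same username; only one distinct value
    events += [(i * 10, "u-retry", login, {"body": {"username": "same@example.test", "password": "y"}})
               for i in range(15)]
    # u-lookup: 8 distinct gift-card codes in the path, below a limit of 10
    events += [(i * 30, "u-lookup", cards, {"path": {"code": f"GC-{i:04d}"}}) for i in range(8)]
    # the same probe continuing after the window: ignored by the window filter
    events += [(400 + i, "u-probe", login, {"body": {"username": f"late{i}@example.test"}}) for i in range(5)]
    monitored = {"username", "code"}        # the password value is deliberately not counted
    return {
        # Unique Values Exceed 10, Time Range 5 minutes, Per user and Per selected endpoints
        "per_user_per_endpoint": unique_value_violations(events, 0, 300, 10, ("body", "path"), monitored),
        # By total requests across all users and Per selected endpoints
        "all_users_per_endpoint": unique_value_violations(events, 0, 300, 10, ("body", "path"), monitored,
                                                          per_user=False),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

In the across-all-users variant the login endpoint reaches 26 distinct usernames because u-retry's single value is added to u-probe's 25; this is the case that catches probing spread over many low-volume sources, which the per-user condition alone would miss.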
Step 3 — Configure the action
Traceable provides the following options regarding the event that the custom policy generates:
Severity — The severity of the generated event: low, medium, high, or critical. By default, Traceable assigns Low severity to the event.
Action — The action you wish to perform:
Block the user indefinitely — If a user meets the above criteria, Traceable blocks them indefinitely, preventing any further API requests.
Block for a period of time — If a user meets the above criteria, Traceable blocks them from making API requests for the duration you define.
Do not block, alert only — If a user meets the above criteria, Traceable does not block them, but alerts you for monitoring purposes.
Step 4 — Review and Submit
In the final step, review and submit the policy. If you wish to edit any criteria during the review, click the Edit icon corresponding to a section.