Updates (January 2025 to March 2025)
The topic has been updated with descriptions of the Sources available in all custom policy types.
The Custom Policies enable you to create rules for granular control of API protection strategy. These custom policies effectively build a zero-trust policy to protect your data from misuse. You can configure them to protect your APIs based on the traffic's source, specific traffic patterns, whether it carries sensitive data, or the rate at which the API is accessed.
The Custom Policies are composed of rule types that define specific security conditions. While collectively referred to as Custom Policies, each rule type operates independently to address different security concerns.
Custom Policies
What are the Rule Types under Custom Policies?
The custom policies are separated into the following rule types:
Malicious Source
Custom Signatures
Rate Limiting
Data Loss Prevention (DLP)
Enumeration
What are the Steps to Create a Custom Rule?
The following sections detail each type of custom rule. Navigate to Protection → Settings → Policies → Custom Policies tab and click on a tab to create the required rule. Creating any rule involves the following three steps:
Set the custom rule’s criteria.
Configure the conditions and actions Traceable should take.
Review the rule and save.
What Actions can I Perform on a Rule?
After configuring a rule, you can do the following:
Enable or disable the rule using the toggle corresponding to a row.
View, edit, or delete the rule using the Ellipse (
) icon corresponding to a row.
Blocking or Allowing Priority
Traceable follows a priority for blocking or allowing user requests. It is recommended that this priority list be understood as it helps configure the policies with the correct set of options. In Traceable, a threat actor can be blocked in either of the following ways:
Manually move it to deny or suspend
Rate-limiting rules
DLP rules
Enumeration rules
Malicious source rules
In case of a conflict, the following order of blocking preference is followed in descending order. Allow rules have a higher priority than blocking rules:
Blocking or allowing priority | Description |
|---|---|
IP address(s) allow | Never block traffic from allowed IP address(s). |
Threat actor(s) allow | Never block traffic from any IP address(s) the threat actor uses. |
Email domain allow | Never block traffic for specific email domains. |
Custom signature rule request allow | Never block traffic if it matches a custom rule. |
Custom signature rule request blocking | Block an individual request if it matches a custom rule. |
Signature-based (safe-crs) request blocking | Block individual requests if they match a signature rule. |
All IP blocked except | Block all IP address(s) except the listed IP address(s) range. |
IP blocked | Block specific IP addresses or a range of IP addresses. |
Threat actor blocked | Block IP address(s) ever used by the specific threat actor. |
Email domain blocked | Block specific email domains. |
IP type blocked | Block IP addresses of a specific IP type. IP types could be:
|
Block all email domains except | Block all email domains except the ones listed. |
Region blocked all except | Block all regions except the ones listed. |
Region blocked | Block specific regions. |
Rate-limiting, DLP, and enumeration-based actor blocking | Block threat actors if rule conditions are met. |
IP Address Allowlist
Make a note of the following when you create custom policies. If you are going to create a Malicious source rule of the type IP range with Allow action, then:
If you have other rules with an action to block requests, then the Allow action of the Malicious source rule overrides, and no request is blocked.
If you have configured rate limiting, DLP, or enumeration rules with a block or alert action, then the Allow action of Malicious source rule overrides, and no request is blocked, nor are any alerts sent.
The above-mentioned malicious source rule configuration does not affect custom signature rules. The WAF and API Protection policies enabled from the Protection → Settings → Policies → WAF and API Protection tab, continue to happen. If you wish to allow IP addresses from such detection, navigate the Exclusions page to create an exclusion rule.
Creating Custom Rules
The following tabs discuss the steps to configure a custom rule of your choice. Click the tab according to your requirements and perform the steps accordingly.
You can configure a custom rule to protect your APIs from Traceable-detected malicious sources, such as suspicious users, IP addresses with poor reputations, sanctioned countries, Tor, etc.
Navigate to the Malicious Sources tab and click + Add Rule in the tab’s top right corner to start creating a rule. The following demo shows how you can create a rule while the below steps describe each field during rule creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Malicious Source Criteria
Rule Name — The name of the malicious source rule. Traceable shows the rule under the Malicious Sources tab using this name.
(Optional) Description — Some basic information about the rule, for example, type of threat it is blocking.
Environment — The environment in which you want Traceable to apply the rule.
Source Criteria — The malicious source to which you want the rule to apply. You can create the rule based on the following:
IP range — One or more IP addresses or a range of IP addresses. For example, 192.168.1.0/24.
Region — Based on a region. For example, Afghanistan.
Emails — One or more of the following criteria types to create a rule based on emails:
Users from disposable email domain
Users with emails in data leaks
Email domains
Email regexes
Note
You must specify the email regex and press the Enter key, or if specifying multiple regexes, add a comma (,) after each regex.
Email fraud score
IP type — One or more of the following IP address types to create a rule based on IP type:
Anonymous VPN
Hosting provider
Public proxy
Tor exit node
Bot
Once you have set the above criteria, click Next. You can also create multiple rules for the same environment, each with a different criterion. For example, you can choose to block the Afghanistan region across all environments or have a rule based on IP types for all environments.
Step 2 — Configure the action
Traceable provides the following options for action regarding the event generated by the custom rule:
Malicious Source Actions
Allow requests — Allows all requests matching the criteria configured in Step 1 above.
Note
This action is available for the IP range source criteria only.
Block request — Blocks all requests matching the criteria configured in Step 1 above.
Block all requests except this — Allows all requests except the ones matching the criteria configured in Step 1 above.
Note
This action is available for the IP range and Region source criteria only.
You can create multiple custom rules with this action; however, they must apply to different environments.
Monitor only, no blocking — Monitors the threat when a request matches the configured criteria. In this case, no requests are blocked.
You can also configure the following:
The severity of the generated event is between low, medium, high, and critical. By default, Traceable assigns Low severity to the event.
The duration for which the rule should apply. By default, the rule applies Indefinitely.
Once you have configured the above, click Next.
The following table lists the different action options available for each criterion.
Action→ | Block requests | Allow requests | Block all requests except this | Alert only, no blocking |
|---|---|---|---|---|
IP Range | Yes | Yes | Yes | Yes |
Region | Yes | No | Yes | Yes |
Yes | No | No | Yes | |
IP type | Yes | No | No | Yes |
Step 3 — Review and Submit
In the final step, review and submit the rule. If you wish to edit any criteria during the review, click the Edit (
) icon corresponding to a section.
Custom Signatures are signature-based attacks that operate on the traffic signature received from your application. You can configure a custom signature rule to help fine-tune your API protection strategy by having granular control over the event types generated and requests blocked. These rules apply globally to all the APIs. You can create custom rules for different components of a request and response, for example, header name and value, body, cookie, etc. You can also create these rules on one or more request components. Traceable provides different preset operations for each part of the request.
Navigate to the Custom Signatures tab and click + Add Rule in the tab’s top right corner to start creating a rule. The following demo shows how you can create a rule while the below steps describe each field during rule creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Custom Signature Criteria
Rule Name — The name of the custom signature rule. Traceable shows the rule under the Custom Signatures tab using this name.
(Optional) Description — Some basic information about the rule, for example, type of protection strategy it implements.
Environment — The environment in which you want Traceable to apply the rule.
Payload — The type of API component on which you want to apply the rule. You can create the rule based on the following:
Request/Response Criteria —
API interaction — The API interaction type(request or response) on which you want to apply the rule.
Component — One or more API components to create a rule, such as URL.
Operator — The type of comparison to evaluate the component against the specified value, such as Contains string.
Value — The value for the above component, for example, accounts.
Attribute — The metadata the Traceable agent provides after observing the API traffic.
Key — The operator and attribute name based on which Traceable should apply the rule. For example, operator as Matching exactly and key as authorization.
Value — The operator and value (if applicable) corresponding to the above key. By default, Traceable selects Any Values as the operator, however, you can select a different one from the drop-down and specify the value accordingly.
Sec Rule — Define security rules to analyze data passing through APIs. These rules are based on the OWASP ModSecurity CRS which helps detect and block malicious patterns in API traffic. By using this feature, you can create rules that match specific patterns or behaviors in the payload, enhancing API security and automatically blocking or alerting any suspicious activity. Traceable validates the Sec Rule during rule submission to ensure that it is valid for successful rule creation.
Note
You can add one Sec Rule per custom signature rule.
A Sec Rule must contain the
idfield.A Sec Rule that includes the
msgfield must also have thelogdatafield. Conversely, if the Sec Rule contains thelogdatafield, themsgfield is optional. If the Sec Rule does not include thelogdatafield, themsgfield should be omitted. This applies to all parent and child Sec Rule chains.
You can add one or more criteria for the same or different payloads. For example, you can set a criteria with one payload as request/response and the other as an attribute. Traceable carries out an AND operation on all the conditions defined in the rule.
Once you have set the above criteria, click Next.
Step 2 — Configure the action
As part of configuring the action, you must complete the following:
Note
The availability of the below options depends on the criteria you configure in Step 1 above.
Custom Signature Actions
Event Handling — Traceable provides the following options on how the event generated by the custom signature rule should be handled. The options let you verify your custom signature rule, observe the generated events, and finally use them to block requests.
Block requests — Blocks all requests matching the criteria configured in Step 1 above.
Allow requests — Allows all requests matching the criteria configured in Step 1 above.
Monitor only, No blocking — Monitors the traffic matching the configured criteria. In this case, no requests are blocked.
Mark for testing — Test your custom signature rule before applying it to production data. All the events generated as part of the configured rule are of low severity, and Traceable does not generate any notifications for such events. You can view the testing events by navigating to the Protection → Threat Activity → Filter pane and applying the Testing filter under Status.
Event Severity — Select the severity that Traceable should assign to the event generated by the Custom Signature rule.
Note
This option is available only when you select the Block requests or Monitor only, No blocking options.
Blocking Applicability — Select the duration for which blocking should apply, Indefinitely or a specific duration.
Note
This option is available only when you select the Block requests or Allow Requests options.
Data Injection — Add the header you wish to include in the request. You can use this data for monitoring where it can highlight an anomaly in the request.
Note
This option is available only when you select the Monitor only, No blocking or Mark for testing options.
Once you have configured the above, click Next.
Step 3 — Review and Submit
In the final step, review and submit the rule. If you wish to edit any criteria during the review, click the Edit () icon corresponding to a section.
You can configure a custom rate limiting rule to protect your applications from brute-force attacks. Using this rule, you can control the number of incoming requests from a user within a period. Traceable blocks that user as soon as the limit is exhausted.
Note
Traceable recommends that you configure the user attribution according to your requirements before setting up a rate limiting rule. For more information, see User Attribution.
Navigate to the Rate Limiting tab and click + Add Rule in the top right corner to start creating a rule. The following demo shows how you can create a rule while the steps below describe each field during rule creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Rate Limiting Criteria
Rule Name — The name of the rate limiting rule. Traceable shows the rule under the Rate Limiting tab using this name.
(Optional) Description — Some basic information about the rule, for example, the type of threat it is blocking.
Environment — The environment in which you want Traceable to apply the rule.
Source — The source criteria on which you want to apply the rule. For example, IP Addresses → All External IPs.
Traceable supports the following sources for creating a rate-limiting rule:IP Address — Limit data from specific, internal, or external IPs.
IP Type — Control usage based on IP types, such as Anonymous VPN, Bot, Scanner, etc.
Email Domain — Limit requests from specific or a range of email domains, for example, ones belonging to a specific organization.
User ID — Manage traffic based on unique user IDs or regex for user IDs.
User Agent — Limit requests based on user-agent regex that indicates the type of client, such as a bot, or scripts making requests.
IP Organization — Manage traffic from specific entities known for spiking API request traffic.
IP ASN — Limit traffic from ASNs, which indicates the network provider from where the traffic originates.
Connection Type — Control data incoming from a specific connection type, such as Corporate, or Data Center.
IP Abuse Velocity — Limit requests from IPs showing a high API abuse rate.
IP Reputation — Limit data coming from IPs having a poor reputation, such as the ones identified by threat intelligence.
Region — Enforce limits based on geographic regions, addressing location-based traffic patterns.
Scanner — Manage traffic coming from automated testing tools, such as Traceable’s AST, etc.
Note
All Sources except IP Abuse Velocity and IP Reputation have an Exclude check-box corresponding to their value field. When you select that check-box, Traceable applies the policy on all values except the ones you choose.
Payload — The API component on which you want to apply the rule. You can create the rule based on the following:
Request/Response Criteria —
API interaction — The API interaction type (request or response) on which you want to apply the rule.
Component — One or more API components to create a rule, such as URL.
Operator — The type of comparison to evaluate the component against the specified value, such as Contains string.
Value — The value for the above component, for example, accounts.
Attribute — The metadata the Traceable agent provides after observing the API traffic.
Key — The operator and attribute name based on which Traceable should apply the rule. For example, operator as Matching exactly and key as authorization.
Value — The operator and value (if applicable) corresponding to the above key. By default, Traceable selects Any Values as the operator, however, you can select a different one from the drop-down and specify the value accordingly.
Target — The API endpoints you want Traceable to monitor as part of the rule. You can select one or more APIs, or labels to which the rules should apply. The rule applies to all the underlying APIs when you select a label.
Once you have set the above criteria, click Next.
Step 2 — Configure the conditions
Traceable provides the following options for configuring policy conditions. These conditions define the numerical limits after which the rule triggers.
Rate Limiting Conditions
Static Condition — The fixed values based on which Traceable should limit the API requests. This condition consists of the following parameters:
Access Exceed — The number of API requests after which Traceable should block the user. For example, 50 requests.
Time Range — The duration for which the limit should apply. For example, a 5-minute time range means the API(s) can receive up to 50 requests within this 5-minute window. Once this limit is reached, Traceable blocks the user.
Compute Condition — A combination of conditions on which the above limits should apply:
Per user and Per selected endpoints — If a user exceeds the above set limit for an API endpoint, Traceable implements the action you select in Step 3 below.
Per user and Across all selected endpoints — If a user exceeds the above set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below.
By total requests across all users, and Per selected endpoints — If all users collectively exceed the above set limit for an API endpoint, Traceable implements the action you select in Step 3 below for all users. For example, you configure a rule to limit requests to 100 in 1 minute for an API. Then, if there are 5 users, and each user sends 20 or more requests per minute to that API, Traceable implements the action you select below.
By total requests across all users, and Across all selected endpoints — If all users collectively exceed the above set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below for all users.
Dynamic Condition — Adjust the rate limit intelligently based on the baseline traffic calculated according to the number of days you configure. Traceable calculates the baseline by default according to the traffic received by an API in the past day. This condition consists of the following parameters:
Access rate exceeds mean by — The percentage of requests exceeding the baseline after which Traceable should block the user. For example, 20%.
Time Range — The duration for which the rate limit should apply. For example, a 5-minute time range and 100 baseline value means that the API can receive up to 120 requests within this 5-minute window. Once this limit is reached, Traceable blocks the user.
Time Range (Baseline) — The period over which Traceable should calculate the baseline value. For example, a 5-day time range means that the mean value is derived from the ratio of the total number of calls to an API endpoint to the total number of unique users accessing that API within the 5 days.
You can have one or more static and dynamic conditions working together. For example, you can use the static condition to limit requests to 1000 per hour and use the dynamic condition to prevent sudden traffic spikes, ensuring steady API usage along with attack prevention.
Step 3 — Configure actions
As part of configuring the action, you must complete the following:
Note
The availability of the below options depend on the configurations in the above steps.
Rate Limiting Actions
Event Handling — Traceable provides the following options on how the event generated by the rate limiting rule should be handled. The options let you verify your rule, observe the generated events, and finally use them to block requests, as required.
Block —
Block the user indefinitely — If a user meets the above criteria, Traceable blocks them indefinitely, preventing any further API requests.
Block for a period of time — If a user meets the above criteria, Traceable blocks them from making API requests for the duration you define.
Block user for a duration that matches the conditions — If a user meets the above criteria, Traceable blocks them from making API requests for the time range defined in the Step 2 above.
Do not block, monitor only — If a user meets the above criteria, Traceable does not block them, but monitors it indefinitely.
Mark for Testing — Test your rate limiting rule before applying it to production data. All the events generated as part of the configured rule are of low severity, and Traceable does not generate any notifications for such events. You can view the testing events by navigating to the Protection → Threat Activity → Filter pane and applying the Testing filter under Status.
Event Severity — Select the severity that Traceable should assign to the event generated by the Rate Limiting rule.
Note
This option is available for all options except Mark for Testing above.
Data Injection — Add the header you wish to include in the request. You can use this data for monitoring where it can highlight an anomaly in the request.
Note
This option is available only when you select the Do not block, monitor only or Mark for Testing options above.
Once you have configured the above, click Next.
Step 4 — Review and Submit
In the final step, review and submit the rule. If you wish to edit any criteria during the review, click the Edit () icon corresponding to a section.
A DLP rule allows you granular control over data access. A DLP rule or a zero trust rule can define who can access data, what kind of data can be accessed, and at what rate the data can be accessed, among many other options. The DLP rule provides many granular options to configure, for example, source of traffic, IP addresses, IP type (bot, VPN, and so on), user ID, region, attributes, and so on.
For the steps to create a DLP rule, see Data Protection.
You can configure an enumeration rule to prevent enumeration attacks and block systematic probing of sensitive data by monitoring the API activity. It helps prevent data leaks and unauthorized access to credentials.
Navigate to the Enumeration tab and click + Add Rule in the tab’s top right corner to start creating a rule. The following demo shows how you can create a rule while the below steps describe each field during rule creation.
Step 1 — Set the criteria
As part of setting up the criteria, you must complete the following:
Rule Name — The name of the enumeration rule. Traceable shows the rule under the Enumeration tab using this name.
(Optional) Description — Some basic information about the rule, for example, the type of threat it is blocking.
Environment — The environment in which you want Traceable to apply the rule.
Source — The source criteria on which you want to apply the rule. For example, Region → Afghanistan.
Traceable supports the following sources for creating an enumeration rule:
IP Address — Limit data from specific, internal, or external IPs.
IP Type — Control usage based on IP types, such as Anonymous VPN, Bot, Scanner, etc.
Email Domain — Limit requests from specific or a range of email domains, for example, ones belonging to a specific organization.
User ID — Manage traffic based on unique user IDs or regex for user IDs.
User Agent — Limit requests based on user-agent regex that indicates the type of client, such as a bot, or scripts making requests.
IP Organization — Manage traffic from specific entities known for spiking API request traffic.
IP ASN — Limit traffic from ASNs, which indicates the network provider from where the traffic originates.
Connection Type — Control data incoming from a specific connection type, such as Corporate, or Data Center.
IP Abuse Velocity — Limit requests from IPs showing a high API abuse rate.
IP Reputation — Limit data coming from IPs having a poor reputation, such as the ones identified by threat intelligence.
Scanner — Manage traffic coming from automated testing tools, such as Traceable’s AST, etc.
Region — Enforce limits based on geographic regions, addressing location-based traffic patterns.
Note
All Sources except IP Abuse Velocity and IP Reputation have an Exclude check-box corresponding to their value field. When you select that check-box, Traceable applies the policy on all values except the ones you choose.
Payload — The API component on which you want to apply the rule. You can create the rule based on the following:
Request/Response Criteria —
API interaction — The API interaction type(request or response) on which you want to apply the rule.
Component — One or more API components to create a rule, such as URL.
Operator — The type of comparison to evaluate the component against the specified value, such as Contains string.
Value — The value for the above component, for example, accounts.
Attribute — The metadata the Traceable agent provides after observing the API traffic.
Key — The operator and attribute name based on which Traceable should apply the rule. For example, operator as Matching exactly and key as authorization.
Value — The operator and value (if applicable) corresponding to the above key. By default, Traceable selects Any Values as the operator, however, you can select a different one from the drop-down and specify the value accordingly.
Data Sets/Data Types —
Data Location — The location at which Traceable can find the datatype or dataset.
Datasets/Datatypes — The datasets or datatypes to which the rule should apply. For more information, see Data Classification.
Target — The API endpoints you want Traceable to monitor as part of the rule. You can select one or more APIs, or labels to which the rules should apply. The rule applies to all the underlying APIs when you select a label.
Once you have set the above criteria, click Next.
Step 2 — Configure the condition
Traceable provides the following options for configuring rule conditions. These conditions define the numerical limits after which the rule triggers.
Unique Values Exceed — The maximum number of unique values, such as usernames, email addresses, etc. in an API request after which Traceable should perform the action configured in Step 3 below. For example, 10 unique values.
Time Range — The time window over which Traceable counts the number of unique values. For example, a 5-minute time range means that Traceable monitors the API requests for enumeration attacks within this 5-minute window.
Compute Condition — A combination of conditions on which the above limits should apply:
Per user and Per selected endpoints — If a user exceeds the set limit for an API endpoint, Traceable implements the action you select in Step 3 below.
Per user and Across all selected endpoints — If a user exceeds the set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below.
By total requests across all users, and Per selected endpoints — If all users collectively exceed the above set limit for an API endpoint, Traceable implements the action you select in Step 3 below for all users. For example, you configure a rule to limit unique values to 100 in 1 minute for an API. Then, if there are 5 users, and each user sends 20 or more unique values per minute to that API, Traceable implements the action you select below.
By total requests across all users, and Across all selected endpoints — If all users collectively exceed the above set limit across all selected API endpoints, Traceable implements the action you select in Step 3 below for all users.
You can configure the above conditions to apply on one or more of the following parts of a request:
Request Body
Path Parameters
Sensitive Parameters
Step 3 — Configure the action
As part of configuring the action, you must complete the following:
Event Handling — Traceable provides the following options on how the event generated by the enumeration rule should be handled. The options let you verify your rule, observe the generated events, and finally use them to block requests, as required.
Block —
Block the user indefinitely — If a user meets the above criteria, Traceable blocks them indefinitely, preventing any further API requests.
Block for a period of time — If a user meets the above criteria, Traceable blocks them from making API requests for the duration you define.
Block user for a duration that matches the conditions — If a user meets the above criteria, Traceable blocks them from making API requests for the duration defined in the conditions above.
Do not block, monitor only — If a user meets the above criteria, Traceable does not block them, but monitors it indefinitely.
Mark for Testing — Test your enumeration rule before applying it to production data. All the events generated as part of the configured rule are of low severity, and Traceable does not generate any notifications for such events. You can view the testing events by navigating to the Protection → Threat Activity → Filter pane and applying the Testing filter under Status.
Event Severity — Select the severity that Traceable should assign to the event generated by the Enumeration rule.
Note
This option is available for all options except Mark for Testing above.
Data Injection — Add the header you wish to include in the request. You can use this data for monitoring where it can highlight an anomaly in the request.
Note
This option is available only when you select the Do not block, monitor only or Mark for Testing options above.
Once you have configured the above, click Next.
Step 4 — Review and Submit
In the final step, review and submit the rule. If you wish to edit any criteria during the review, click the Edit () icon corresponding to a section.