Detection policy
  • 24 Nov 2023
  • 2 Minutes to read
Article Summary

You can block threats using predefined rules, or create a Custom Policy to block a single IP or a range of IP addresses. When blocking is automatic, driven by detection rules, the threat actor gets no window of opportunity to damage your systems. You also save the time you would otherwise spend manually reviewing threats that were detected with a high level of confidence.

Traceable proactively protects applications by blocking malicious traffic. The decision to block a user may follow different paths. For example, the Traceable platform can block a user based on previous behavior patterns. Alternatively, an individual request may originate from a suspicious IP or contain a well-known vulnerability attack pattern. Traceable considers all such scenarios when blocking a user. 

Traceable analyzes application activity for anomalies using machine learning. This anomaly detection is refined by leveraging an open-source, continuously updated set of rules called Core Rule Set (CRS). Additionally, specific high-confidence rules are enabled for detection and blocking locally without engaging Traceable's system intelligence. The Traceable agent applies the high-confidence rules without sending your data to the Traceable platform. 

You can enable local blocking for a particular set of threat types. Each threat type has several sub-rules you can individually turn on or off for fine-tuning.

Detection

You can turn the predefined global rule on or off by choosing Enabled or Disabled from the drop-down list, as shown in the screenshot above. By default, all the predefined rule sets are disabled. 

Note

Predefined (default) rule sets are scoped per environment. A set of rules enabled in one environment does not apply to other environments until you enable it in each of those environments as well.

Enabling or disabling an individual rule set

When you enable blocking, these rules and sub-rules apply globally (for all the endpoints) by propagating them to Traceable's agents deployed in your environment. The Traceable agent then matches all the user requests against these sub-rules and denies the request if there is a match.

Without blocking, all the traffic reaches Traceable, which processes the data and generates threats. Based on your actions on specific threat actors, such as allowing or denying, the decisions are communicated to Traceable modules.

Note

When you turn off the main rule, for example, cross-site scripting (XSS), all the sub-rules are disabled. However, when you enable the main rule, you can individually turn the sub-rules on or off.


Exclusions

Traceable lets you create detection exclusion policies based on rules you define. These policies exclude specific attacks or threat actors, according to your configured rules, from detection. This is helpful, for example, if you want to exclude all testing events or certain types of attacks. Navigate to Protection Settings, open Detection Policy, and click the Exclusions tab.
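The policy semantics described on this page (a disabled main rule silences all of its sub-rules, rule sets are scoped per environment, the agent denies a request when an enabled sub-rule matches, and an exclusion policy suppresses a match for a defined source or threat type) are easy to get wrong when reasoning about which requests will actually be blocked. The following Python model is an added illustration, not Traceable's code or its configuration format; the rule names, the simplified match patterns, the environment names, the request shape and the exclusion structure are all hypothetical, and the sample requests are constructed.

```python
"""Toy model of a per-environment detection policy with main rules,
sub-rules and exclusion policies.

Added illustration only: not Traceable's code or configuration format.
Rule names, patterns, environments and request fields are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress
import re


@dataclass
class SubRule:
    name: str
    pattern: "re.Pattern"        # constructed, simplified signature; not a CRS rule
    enabled: bool = True


@dataclass
class MainRule:
    threat_type: str
    enabled: bool
    sub_rules: List[SubRule] = field(default_factory=list)


@dataclass
class Exclusion:
    # Hypothetical shape: suppress detections from a source network and/or
    # for a threat type. A None field means "any".
    source_network: Optional[ipaddress.IPv4Network] = None
    threat_type: Optional[str] = None


@dataclass
class EnvironmentPolicy:
    environment: str
    rules: Dict[str, MainRule]
    exclusions: List[Exclusion] = field(default_factory=list)


def active_sub_rules(policy: EnvironmentPolicy):
    """Yield the sub-rules that can fire. A disabled main rule disables
    every one of its sub-rules, regardless of their own flags."""
    for main in policy.rules.values():
        if not main.enabled:
            continue
        for sub in main.sub_rules:
            if sub.enabled:
                yield main.threat_type, sub


def is_excluded(policy: EnvironmentPolicy, source_ip: str, threat_type: str) -> bool:
    """True when some exclusion policy covers this source and threat type."""
    ip = ipaddress.ip_address(source_ip)
    for ex in policy.exclusions:
        net_ok = ex.source_network is None or ip in ex.source_network
        type_ok = ex.threat_type is None or ex.threat_type == threat_type
        if net_ok and type_ok:
            return True
    return False


def evaluate(policy: EnvironmentPolicy, request: dict) -> Tuple[str, Optional[str], Optional[str]]:
    """Return ("deny", threat_type, sub_rule) on the first effective match,
    else ("allow", None, None). An exclusion turns a match into no-op."""
    for threat_type, sub in active_sub_rules(policy):
        if sub.pattern.search(request["query"]):
            if is_excluded(policy, request["source_ip"], threat_type):
                continue
            return ("deny", threat_type, sub.name)
    return ("allow", None, None)


def xss_rule(enabled: bool, event_handlers: bool) -> MainRule:
    """Constructed XSS rule set with two sub-rules (hypothetical names)."""
    return MainRule("xss", enabled, [
        SubRule("script-tag", re.compile(r"<\s*script", re.I)),
        SubRule("event-handler", re.compile(r"\bon\w+\s*=", re.I), enabled=event_handlers),
    ])


# Production: XSS blocking on, the event-handler sub-rule tuned off, and a
# constructed exclusion for the internal test network 10.20.0.0/16.
PRODUCTION = EnvironmentPolicy(
    "production",
    {"xss": xss_rule(enabled=True, event_handlers=False)},
    [Exclusion(source_network=ipaddress.ip_network("10.20.0.0/16"))],
)
# Staging: same rule set present but the main rule left disabled, so the
# production setting does not carry over (per-environment scoping).
STAGING = EnvironmentPolicy("staging", {"xss": xss_rule(enabled=False, event_handlers=True)})

POLICIES = {"production": PRODUCTION, "staging": STAGING}

# Constructed sample requests: (environment, request).
SAMPLE_REQUESTS = [
    ("production", {"source_ip": "203.0.113.7", "query": "q=<script>x</script>"}),  # deny
    ("production", {"source_ip": "10.20.5.9", "query": "q=<script>x</script>"}),    # excluded net
    ("production", {"source_ip": "203.0.113.7", "query": "q=<img onload=x>"}),     # sub-rule off
    ("staging", {"source_ip": "203.0.113.7", "query": "q=<script>x</script>"}),     # main rule off
]


def run_samples() -> List[Tuple[str, Optional[str], Optional[str]]]:
    return [evaluate(POLICIES[env], req) for env, req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (env, req), verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(env, req["source_ip"], verdict)
```

Only the first sample is denied: the second is suppressed by the test-network exclusion, the third matches a sub-rule that was tuned off, and the fourth runs in an environment where the main rule was never enabled. When auditing a real policy, check the same three questions in that order: is the main rule on in this environment, is the specific sub-rule on, and does an exclusion cover the source.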

