Detection policy

14 Aug 2024

You can block threats using the predefined detection rules available on the Detection Policy page, or create a Custom Policy to block an IP address or a range of IP addresses. When you use automatic blocking based on detection rules, the threat actor gets no window of opportunity to damage your systems. You also save the time otherwise spent manually reviewing threats that were detected with a high level of confidence.

Traceable uses its anomaly detection engine to find anomalies using machine learning. Traceable detects requests and responses whose parameters deviate from the established baseline; these deviations are known as anomalies. Traceable analyzes these anomalies together with application activity to identify malicious activity in your application and block it. The anomaly detection is refined by leveraging an open-source, continuously updated set of rules called the Core Rule Set (CRS). Additionally, specific high-confidence rules are enabled for detection and blocking locally, without engaging Traceable's system intelligence. The Traceable agent applies the high-confidence rules without sending your data to the Traceable platform.

You can enable local blocking for a particular set of threat types. Each threat type has several sub-rules you can individually turn on or off for fine-tuning.

Detection

You can turn the predefined global rules on or off by choosing Enable or Disable from the drop-down list, as shown in the screenshot below. By default, all the predefined rule sets are disabled.

[Screenshot: Detection rule sets with the Enable/Disable drop-down list]

Note

The predefined (default) rules are scoped per environment. That means a set of rules enabled for one environment does not apply to other environments until you enable it in those environments as well.

Enabling or disabling an individual rule set

When you enable blocking, the rules and sub-rules apply globally (for all the endpoints) by propagating them to Traceable's agents deployed in your environment. The Traceable agent then matches all the user requests against these sub-rules and denies the request if it finds a match.

Without blocking, all the traffic reaches Traceable, which processes the data and generates threat detections. Your decisions on specific threat actors, such as allow or deny, are then communicated to the Traceable modules.

Note

When you disable the main rule, for example, cross-site scripting (XSS), all the sub-rules are disabled. However, when you enable the main rule, you can individually enable or disable the sub-rules.
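To make the rule hierarchy and the per-environment scoping concrete, here is an added illustrative model of a detection policy; it is example code written for this page, not Traceable's agent or platform code. It assumes a main rule groups sub-rules, that disabling the main rule switches every sub-rule off (and they stay off until re-enabled individually, an assumption), and that sub-rules can only be toggled while the main rule is on. The regex patterns and the sample request parameters are constructed for the example and are not CRS rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Illustrative model of the behaviour described above, not Traceable's code.
# The regex patterns are constructed for the example and are not CRS rules.


@dataclass
class SubRule:
    name: str
    pattern: str        # constructed regex checked against request parameter values
    enabled: bool = True


@dataclass
class RuleSet:
    """A main rule (for example XSS) with the sub-rules it groups."""
    name: str
    sub_rules: List[SubRule]
    enabled: bool = False   # predefined rule sets start disabled

    def set_main(self, enabled: bool) -> None:
        self.enabled = enabled
        if not enabled:
            # Disabling the main rule switches every sub-rule off with it.
            for sub in self.sub_rules:
                sub.enabled = False

    def set_sub(self, sub_name: str, enabled: bool) -> None:
        # Assumption: sub-rules are only individually adjustable while the main rule is on.
        if not self.enabled:
            raise ValueError(f"enable the main rule {self.name!r} first")
        for sub in self.sub_rules:
            if sub.name == sub_name:
                sub.enabled = enabled
                return
        raise KeyError(sub_name)

    def effective(self) -> List[str]:
        """Sub-rules that are actually applied: main rule on AND sub-rule on."""
        return [s.name for s in self.sub_rules if self.enabled and s.enabled]


class DetectionPolicy:
    """Rule sets are scoped per environment, so they are stored per environment."""

    def __init__(self) -> None:
        self.by_env: Dict[str, Dict[str, RuleSet]] = {}

    def add(self, env: str, rule_set: RuleSet) -> None:
        self.by_env.setdefault(env, {})[rule_set.name] = rule_set

    def evaluate(self, env: str, params: Dict[str, str]) -> List[str]:
        """Names of matching enabled sub-rules; an agent would deny on any hit."""
        hits = []
        for rule_set in self.by_env.get(env, {}).values():
            if not rule_set.enabled:
                continue
            for sub in rule_set.sub_rules:
                if sub.enabled and any(
                    re.search(sub.pattern, value, re.IGNORECASE)
                    for value in params.values()
                ):
                    hits.append(f"{rule_set.name}/{sub.name}")
        return hits


def make_xss_rule_set() -> RuleSet:
    # Two constructed sub-rules standing in for the real XSS sub-rules.
    return RuleSet("xss", [
        SubRule("script-tag", r"<\s*script\b"),
        SubRule("event-handler", r"\bon[a-z]+\s*="),
    ])


def build_policy() -> DetectionPolicy:
    policy = DetectionPolicy()
    for env in ("prod", "staging"):
        policy.add(env, make_xss_rule_set())
    # Enable the main XSS rule in prod only; staging keeps the default (disabled).
    policy.by_env["prod"]["xss"].set_main(True)
    return policy


if __name__ == "__main__":
    policy = build_policy()
    sample = {"comment": "hi <script>document.title</script>"}   # constructed input
    print("prod   :", policy.evaluate("prod", sample))     # ['xss/script-tag']
    print("staging:", policy.evaluate("staging", sample))  # [] because the rule is not enabled there
```

The same request is denied in prod and passes in staging, which is the per-environment scoping the note above describes; calling `set_main(False)` on the prod rule set empties `effective()` even though the sub-rule objects still exist.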


Exclusions

Traceable lets you create detection exclusion policies based on your defined rules. These policies help you exclude specific attacks or threat actors based on your configured rules. This is helpful, for example, if you wish to exclude all testing events or certain types of attacks. In the Detection Policy, click the Exclusions tab to view the events excluded from detection.

To create a detection exclusion policy, complete the following steps:

  1. In the Exclusions tab, click on + Add Policy.

  2. In the Criteria step of the Create Policy page, complete the following:

    [Screenshot: Detection Exclusion Policy]

    1. Specify the Policy Name. For example, User-level exclusion.

    2. (Optional) Specify the policy Description.

    3. From the Environment drop-down list, select the environment where you wish to exclude events. For example, All Environments.

    4. In the Source section, select the source from where you wish to exclude incoming data. For example, User ID starting with the value 164...

      Note

      All Sources except IP Abuse Velocity and IP Reputation have an Exclude check-box corresponding to their value field. When you select that check-box, Traceable applies the exclusion policy on all values except the ones you choose. For example, in the image above, Traceable excludes attacks or threats from all user IDs except the one selected.

    5. In the Attributes section, select the attributes based on which Traceable should exclude the events. For example, Anomalous Parameter with the key as http.response.body.order.user.email and any value.

    6. In the Threats section, select the threats for which you wish to exclude the events. For example, Selected Threats with threat type as Authorization Bypass - User Level.

    7. In the Target section, select the endpoint scope where the detection exclusion should apply. For example, the GET /workshop/api/shop/orders/{orders-id} endpoint.

  3. Click on Review Policy.

  4. In the Review/Save step, review the attributes you configured in the Criteria step and click Submit.

The detection exclusion policy is then visible under the Exclusions tab of the Detection Policy page. You can repeat the steps above to create multiple policies. You can also enable or disable the policies on the page according to your requirements. To do so, click the toggle under the Status column corresponding to the policy you want to enable or disable.
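The following added example models how the criteria configured in the steps above combine into an exclusion decision, including the Exclude check box described in the note under step 4 and the `{orders-id}` path parameter in the Target endpoint. It is illustrative code written for this page, not Traceable's implementation; the field names, the `DetectionEvent` shape and the sample events are constructed, and the value "164" is taken as the user-ID prefix from the page's example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Illustrative model of how a detection exclusion policy's criteria combine;
# not Traceable's code. Sample events are constructed for the example.


@dataclass
class ExclusionPolicy:
    name: str
    environments: Optional[Set[str]]    # None stands for "All Environments"
    user_id_prefixes: Set[str]          # Source criterion: User ID starting with ...
    invert_source: bool                 # the Exclude check box beside the source value
    anomalous_param_keys: Set[str]      # Attributes criterion, any value accepted
    threat_types: Optional[Set[str]]    # None stands for all threats
    target_endpoints: List[str]         # "METHOD /path/{param}" templates
    enabled: bool = True                # the Status toggle on the Exclusions tab


@dataclass
class DetectionEvent:                   # constructed event shape for the example
    event_id: str
    env: str
    user_id: str
    anomalous_params: Dict[str, str]
    threat_type: str
    method: str
    path: str


def compile_endpoint(template: str) -> Tuple[str, "re.Pattern[str]"]:
    """Turn 'GET /a/{id}' into (method, regex); a {param} matches one path segment."""
    method, _, path = template.partition(" ")
    parts = []
    for seg in path.split("/"):
        if seg.startswith("{") and seg.endswith("}"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(seg))
    return method.upper(), re.compile("^" + "/".join(parts) + "$")


def is_excluded(policy: ExclusionPolicy, event: DetectionEvent) -> bool:
    """True when every configured criterion of the policy matches the event."""
    if not policy.enabled:
        return False
    if policy.environments is not None and event.env not in policy.environments:
        return False
    if policy.user_id_prefixes:
        listed = any(event.user_id.startswith(p) for p in policy.user_id_prefixes)
        # With Exclude ticked, the policy applies to every user ID except those listed.
        if listed == policy.invert_source:
            return False
    if policy.anomalous_param_keys and not (
        policy.anomalous_param_keys & set(event.anomalous_params)
    ):
        return False
    if policy.threat_types is not None and event.threat_type not in policy.threat_types:
        return False
    if policy.target_endpoints and not any(
        method == event.method.upper() and regex.match(event.path)
        for method, regex in map(compile_endpoint, policy.target_endpoints)
    ):
        return False
    return True


def remaining_detections(policies: List[ExclusionPolicy],
                         events: List[DetectionEvent]) -> List[str]:
    """IDs of events that no policy excludes and that are therefore still reported."""
    return [e.event_id for e in events if not any(is_excluded(p, e) for p in policies)]


# The policy from the steps above, with "164" as the page's user-ID prefix.
SAMPLE_POLICY = ExclusionPolicy(
    name="User-level exclusion",
    environments=None,
    user_id_prefixes={"164"},
    invert_source=False,
    anomalous_param_keys={"http.response.body.order.user.email"},
    threat_types={"Authorization Bypass - User Level"},
    target_endpoints=["GET /workshop/api/shop/orders/{orders-id}"],
)

_EMAIL_PARAM = {"http.response.body.order.user.email": "a@example.com"}   # constructed
_BYPASS = "Authorization Bypass - User Level"
SAMPLE_EVENTS = [   # constructed events
    DetectionEvent("e1", "prod", "164002", _EMAIL_PARAM, _BYPASS, "GET", "/workshop/api/shop/orders/42"),
    DetectionEvent("e2", "prod", "990001", _EMAIL_PARAM, _BYPASS, "GET", "/workshop/api/shop/orders/42"),
    DetectionEvent("e3", "prod", "164002", _EMAIL_PARAM, _BYPASS, "GET", "/workshop/api/shop/orders/42/items"),
    DetectionEvent("e4", "prod", "164002", _EMAIL_PARAM, "Other Threat", "GET", "/workshop/api/shop/orders/42"),
]

if __name__ == "__main__":
    print(remaining_detections([SAMPLE_POLICY], SAMPLE_EVENTS))   # ['e2', 'e3', 'e4']
```

Only `e1` is excluded: `e2` is a user ID outside the prefix, `e3` hits a sub-path that the single-segment `{orders-id}` template does not cover, and `e4` is a different threat type. Setting `invert_source=True` on the same policy flips the source criterion, so `e2` becomes excluded and `e1` is reported again.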

Policy Actions

You can also perform the following actions on a policy by clicking the Ellipsis icon next to it:

  • Edit a policy to add or remove attributes according to your requirements.

  • View a policy to identify the attributes Traceable uses to exclude specific attacks or threat actors.

  • Delete a policy.

    Note

    A deleted policy cannot be restored.
