Threat Activity

Threat Activity is a comprehensive feature in Traceable’s Protection suite designed to help your security teams detect, investigate, and mitigate potential threats in real-time. You can effectively monitor suspicious activities across your systems by providing an intuitive interface with detailed insights into active threats. Threat activity allows you to analyze threats by grouping, drilling down into specific events, and reviewing detailed evidence to understand the nature of attacks and take appropriate actions.

Why Use Threat Activity?

The constant barrage of cyberattacks on systems, networks, and APIs makes it imperative to have a tool that provides actionable insights into what is happening within your infrastructure. Threat Activity helps you:

• Monitor active threats — Stay updated with real-time alerts on ongoing malicious activity.

• Drill down into specific threats — Group and filter data based on criteria that matter most to your investigation.

• Analyze evidence in detail — Review request/response data, attacker sources, and other critical metadata to make informed security decisions.

• Mitigate and respond — Implement fixes or block suspicious actors based on evidence and recommendations provided by the platform.

Overview

The Threat Activity page is a centralized hub for visualizing all detected threats. It provides a comprehensive overview of ongoing attacks, their severity, and key details like the source and target of the threat. This dashboard offers a clear snapshot of your system’s security posture and helps security teams prioritize and investigate threats efficiently. To view the Threat Activity page, navigate to Protection → Threat Activity.

Key Components

The Threat Activity page contains several key components that help you quickly assess and manage detected threats. Below are the main elements of the page and their significance:

• Threat Listings — Each entry in the dashboard represents an individual threat behavior, with each entry providing the following details:

  • Threat Behavior — Describes the type of attack (e.g., Remote File Inclusion, SQL Injection). Understanding the behavior helps security teams quickly assess what kind of attack is being attempted and its potential impact on the system.

  • Status — Displays the current status of how the threat is being handled. This serves as a communication medium to indicate whether a threat has been alerted () or blocked ().

  • Targeted Endpoint — Specifies the API or system endpoint (e.g., POST /get_user) under attack. This helps security teams focus on which parts of the infrastructure are targeted and may require additional hardening or scrutiny.

  • Sources — Displays information about the origin of the threat, including the IP address or actor responsible for the suspicious activity. This helps identify whether the threat comes from a known bad actor or a potential internal source.

  • Total Events — Shows the number of times a particular threat has been triggered. This is helpful as high event counts may indicate repeated attack attempts, suggesting persistent threats that must be addressed immediately.

  • Impact — Indicates the level of disruption or harm the threat could cause based on the type of attack and the system's vulnerability to it.

  • Last Seen Time — Displays the most recent detection time for the threat, helping you track ongoing or recurring threats. This is helpful as monitoring the last seen time ensures that security teams can distinguish between active threats and those that may have been successfully mitigated.

• Grouping and Filtering Options — You have the flexibility to group and filter threats based on several criteria:

  Note

  • By default, Traceable does not group threats on the page.

  • The Severity Indicators, Activity Count, IP Count, API Count, and Actor Count components are visible only when you group the threats using either of the below criteria.

  • Group by Endpoint — Helps identify threat patterns targeting specific parts of your infrastructure.

  • Group by Threat Behavior — Allows you to understand if multiple similar threats (e.g., Remote File Inclusion attacks) are happening across different endpoints, indicating a possible targeted campaign.

  • Group by Actor — This is useful for identifying if the same actor or IP address is responsible for multiple attacks, helping teams take decisive actions like blocking IPs or adding users to watchlists.

  • Group by Domain or Service — This provides insights into the specific services or domains that are under attack, aiding in identifying high-risk assets.

• Severity Indicators — Each threat is accompanied by color-coded labels (e.g., Low, Medium, High, Critical), allowing you to gauge its urgency quickly. This is helpful as it gives teams a way to prioritize threats based on risk, focusing on high-severity threats that may require immediate action, while lower-severity threats can be addressed as part of routine maintenance.

• Activity Count — Displays the total number of threat activities observed for the grouped attribute. This is helpful as it gives teams a way to prioritize threats based on the count, focusing on higher activity counts that may require immediate action.

• IP Count — Displays the total number of IPs Traceable observed for the grouped attribute. This is helpful as it gives teams a way to prioritize threats based on the count, focusing on groups with higher IP counts as they may require immediate action.

• API Count — Displays the total number of APIs under attack as part of the grouped attribute. This is helpful as it gives teams a way to prioritize threats based on the count, focusing on groups with higher API counts as they may require immediate action.

• Actor Count — Displays the total number of threat actors that Traceable discovered as part of the grouped attribute. This is helpful as it gives teams a way to prioritize threats based on the count, focusing on groups with higher actor counts as they may require immediate action.

Navigating the Threat Activity Flow

When you first land on the Threat Activity page, you are presented with a list of detected threats, displaying key information like behavior, endpoint, source, and impact. The grouping and filtering options allow you to narrow your focus, grouping threats by criteria like actor, endpoint, or domain. After applying these groupings, you can drill down into a specific threat to view more detailed information, including an event timeline, an attack description, and suggested mitigation steps.

You can view the evidence for a threat for deeper investigation as it provides critical data such as request/response logs, actor information, IP reputation, and event timestamps. The evidence page is divided into sections that offer raw data and other details to help you understand the attack’s structure and intent.

1. Main Threat Activity Dashboard

When you first land on the Threat Activity page, you are greeted with a comprehensive dashboard that lists all ongoing or recent threats detected within the environment. This dashboard serves as the central hub where you can:

• View listed threats — Each threat is presented with details such as its behavior (e.g., Remote File Inclusion), the targeted endpoint, actor, and severity (e.g., Low, Medium, High), etc.

• Group and filter — You can group the data based on categories such as Threat Behavior, Actor, Endpoint, Service, or Domain. These groupings allow you to zero in on areas of interest, such as threats targeting specific endpoints or actors with suspicious IP reputations.

2. Drilling Down into a Specific Threat

After choosing how to group or filter the threats, you can drill down into a specific threat for a more granular view. Click on the threat for a detailed view. This flow is essential for pinpointing the nature and severity of a particular threat:

• Selecting a threat — Once a threat is identified from the list, you can click on it to access detailed information, including its behavior, sources, endpoint, and time of occurrence.

• Event timeline — The detailed view offers an event timeline that visualizes when the malicious activity occurred, helping you understand whether it is an isolated incident or part of a more significant attack.

• Description and Mitigation — The detailed threat page also clearly describes the attack, such as its specific behavior (e.g., Remote File Inclusion). Accompanying this is a mitigation section outlining steps to reduce the threat's impact, including blocking the involved IPs, adjusting permissions, or securing vulnerable endpoints.

3. Viewing the Evidence

After drilling down into a specific threat, the next step involves examining the evidence associated with the attack. By clicking the Evidence button, you gain access to critical data that allows you to assess the severity of the incident and plan an appropriate response:

• Columns of Interest:

  • Threat Param Key — Highlights the parameter within the request that triggered the threat (e.g., http.url).

  • IP Address — Displays the IP address involved in the attack, which may be cross-referenced for suspicious activity.

  • Status Code — The HTTP response code shows whether the request was successful (200 OK) or rejected (e.g., 404 Not Found).

  • Status — Displays the current status of how the parameter is being handled. This serves as a communication medium to indicate whether that parameter has been alerted () or blocked ().

  • IP Types — Displays the type of IP address involved in the attack.

  • Actor — Provides the identity or user responsible for the threat (e.g., an email address or user ID).

  • Time — Displays the time at which the param key triggered the threat.

  • IP Reputation — Indicates whether the IP address involved has a known history of malicious activity, providing context for assessing risk.

• Detailed Analysis Sections:

  • Request Viewer — This section displays the raw request associated with the threat. You can view all request aspects, including the URL, headers, query parameters, and body. This data is crucial for understanding how the attack was structured.

  • Response Viewer — This section shows the server’s response to the malicious request, including error messages or status codes. If the request was unsuccessful, the response data helps determine how the server reacted.

• Additional Event Information:

  • Event Details — Lists unique identifiers like Event ID and Span ID for tracking purposes.

  • Threat Source — Provides detailed information on the attack's origin, such as IP address, domain, and actor.

  • Attributes & Session — These tabs provide further context by showing metadata and information on related session activity, which helps trace the attacker’s movements across the system.

Apart from the above, you can also do the following for each evidence:

• Modify the time range — You can modify the time range for which you wish to view the evidence. To do so, click the Time Range drop-down in the page’s top right corner and select the desired time range.

• Update Threat Status — You can update a threat’s status according to your requirements, for example, Open to False Threat. To do so, click the Status drop-down in the page’s top right corner and select the desired status.

• Mark an Activity as Internal — You can mark a threat activity as internal so that it does not show up in the Threat Activity dashboard. This is helpful when you are simulating attacks for testing purposes. To do this, click the Ellipse () icon in the page’s top right corner and click Mark as Internal. Further, in the confirmation window, click Mark Internal.

• Create an Exclusion Policy — You can create a detection exclusion policy for a specific threat activity so that it is not detected in the future. To do this, click the Ellipse () icon in the page’s top right corner and click Exclude. Further, in the confirmation window, click Acknowledge, and in the Create Exclusion Policy window, specify the configurations and click Save Policy. For more information on these policies, see Detection Policy.

• View Visualization — You can view the Events Timeline for the evidence visualizing the malicious activities over the selected time range. To view the graph, click the Visualization () icon in the page’s top right corner.

• Download Data — You can download the data shown on the page in the form of a CSV file. To do so, click the Download () icon in the page’s top right corner and specify the number of rows you wish to download.

• Open in Analytics — You can view the Events and their corresponding details based on the threat activity ID, in the Explorer page under Analytics. To view this data, click the Analytics () icon in the page’s top right corner.

Key Features of Threat Activity

Grouping and Filtering Options

One of the most potent aspects of Threat Activity is the ability to group and filter data, enabling you to focus on the most relevant threats based on their security goals. You can:

• Group by categories — Organize threats based on behavior, actor, endpoint, service, or domain to identify patterns or repeated attacks readily.

• Apply filters — Narrow the threats by severity, status code, IP reputation, or environment (e.g., production or development), ensuring that high-priority threats are dealt with first.

The following demo shows how to do this:

Real-Time Alerts

You can monitor threats in real-time, flagging any suspicious activity immediately. The event timeline and severity indicators allow you to prioritize the most critical threats and begin mitigation without delay.

Detailed Evidence and Mitigation

With access to detailed evidence, including raw request/response data, you can fully investigate the attack's origin, method, and intent. This enables security teams to swiftly take action by adjusting firewall rules, blocking IP addresses, or patching vulnerabilities. Additionally, the platform provides clear mitigation steps tailored to each specific threat.