Exclusions allow you to create rules that exclude specific requests from monitoring, blocking, or allowing based on defined criteria. You can apply these exclusions to certain environments, sources, or threat types, ensuring more precise control over detection and response. You can create multiple rules and manage them according to your security needs.
What are the Supported Exclusion Types?
Traceable lets you create exclusion rules based on criteria you define. These rules help you configure the following exclusion types:
Exclude from Monitoring — This is useful when you do not wish to monitor specific requests matching your configured criteria. For example, excluding monitoring from all emails with testing.com as the domain. As a result, Traceable does not show the request in the Traceable platform.
Exclude from Blocking — This is useful when you do not wish to block specific data from requests matching your configured criteria. For example, you can exclude data from being blocked (allow) when it comes from Hosting Provider IP types.
Exclude from Allow — This is useful when you do not wish to allow specific data from requests matching your configured criteria. For example, data from the Afghanistan region can be excluded from being allowed (blocked).
How are Exclusions Helpful?
Exclusions help you reduce unnecessary monitoring, blocking, and allowing, and focus on genuine threats. Using these exclusions, you can allow trusted traffic and enforce targeted blocking tailored to your requirements. You can also minimize false positives and ensure that your security policies align with your organizational needs.
Creating an Exclusion
Navigate to the Exclusions page under Protection → Settings, click + Add Rule, and complete the following steps to create an exclusion rule:

Exclusion Rule
Step 1 — Criteria
In the Criteria step of the Create Rule page, complete the following:
Specify the Rule Name. For example, Domain-level exclusion.
(Optional) Specify the rule Description.
From the Exclusion Type drop-down list, select the type of exclusion you want to configure. For example, Exclude from Monitoring.
Note
You can select one or more exclusion types according to your requirements. However, some attributes below may vary depending on your choice.
The Exclusion from Blocking option is only available for TPA version 1.49.0 and above.
From the Environment drop-down list, select the environment where you wish to exclude events. For example, All Environments.
In the Source section, select the source from where you wish to exclude incoming data. For example, an Email Domain ending with @traceable.ai.
Traceable supports the following sources for creating an exclusion rule:
IP Address — Limit data from specific, internal, or external IPs.
IP Type — Control usage based on IP types, such as Anonymous VPN, Bot, Scanner, etc.
Email Domain — Limit requests from specific or a range of email domains, for example, ones belonging to a specific organization.
User ID — Manage traffic based on unique user IDs or regex for user IDs.
User Agent — Limit requests based on user-agent regex that indicates the type of client, such as a bot, or scripts making requests.
IP Organization — Manage traffic from specific entities known for spiking API request traffic.
IP ASN — Limit traffic from ASNs, which indicates the network provider from where the traffic originates.
Connection Type — Control data incoming from a specific connection type, such as Corporate, or Data Center.
IP Abuse Velocity — Limit requests from IPs showing a high API abuse rate.
IP Reputation — Limit data coming from IPs having a poor reputation, such as the ones identified by threat intelligence.
Region — Enforce limits based on geographic regions, addressing location-based traffic patterns.
Scanner — Manage traffic coming from automated testing tools, such as Traceable’s AST, etc.
Note
The availability of the above sources may vary depending on the Exclusion Type you select.
All Sources except IP Abuse Velocity and IP Reputation have an Exclude check-box corresponding to their value field. When you select that check-box, Traceable applies the exclusion rule to all values except the ones you choose. For example, in the image above, Traceable excludes attacks or threats from all user IDs except the one selected.
In the Payload section, select the API component based on which Traceable should exclude the events. For example, Attribute with the key as http.response.body.order.user.email and any value.
In the Threats section, select the threats you wish to exclude from the events. For example, Selected Threats with threat type as Authorization Bypass - User Level.
In the Target section, select the endpoint scope where the exclusion should apply. For example, All Endpoints.
Click Review Rule.
Step 2 — Review and Save
In the Review/Save step, review the attributes you configured in the Criteria step and click Submit.
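A small model of the Criteria step, added here as an example (not Traceable's code, API, or rule schema), showing how the Exclude check-box turns a narrow source selection into a broad one. The class and field names, the constructed sample requests, and the assumptions that every configured section must match and that an absent field never matches are illustrative only.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Source:
    """One Source entry of a rule (hypothetical model, not Traceable's schema)."""
    attribute: str           # request field the criterion reads
    values: frozenset        # values picked in the value field
    exclude: bool = False    # Exclude check-box: apply to all values except these

    def matches(self, request: dict) -> bool:
        if self.attribute not in request:    # assumption: absent field never matches
            return False
        hit = request[self.attribute] in self.values
        return not hit if self.exclude else hit

@dataclass(frozen=True)
class ExclusionRule:
    name: str
    exclusion_type: str                      # e.g. "Exclude from Monitoring"
    sources: tuple = ()
    environment: Optional[str] = None        # None models "All Environments"
    threats: Optional[frozenset] = None      # None models no threat restriction
    enabled: bool = True                     # Status toggle on the Exclusions page

    def applies_to(self, request: dict) -> bool:
        # Assumption: every configured section must match for the rule to apply.
        env_ok = self.environment is None or request.get("environment") == self.environment
        threat_ok = self.threats is None or request.get("threat") in self.threats
        return (self.enabled and env_ok and threat_ok
                and all(s.matches(request) for s in self.sources))

def matched_users(rule, requests):
    """Return the user IDs of the requests the rule would exclude."""
    return [r["user_id"] for r in requests if rule.applies_to(r)]

# Constructed sample requests, not real traffic.
AUTHZ = "Authorization Bypass - User Level"
REQUESTS = [
    {"environment": "prod", "email_domain": "traceable.ai", "user_id": "u-100", "threat": AUTHZ},
    {"environment": "prod", "email_domain": "example.org", "user_id": "u-200", "threat": AUTHZ},
    {"environment": "staging", "email_domain": "example.net", "user_id": "u-300", "threat": AUTHZ},
]
DOMAIN = frozenset({"traceable.ai"})
narrow = ExclusionRule("Domain-level exclusion", "Exclude from Monitoring",
                       sources=(Source("email_domain", DOMAIN),), threats=frozenset({AUTHZ}))
inverted = ExclusionRule("Domain-level exclusion (inverted)", "Exclude from Monitoring",
                         sources=(Source("email_domain", DOMAIN, exclude=True),))
print(matched_users(narrow, REQUESTS), matched_users(inverted, REQUESTS))
```

In this model the narrow rule hides one user's requests from monitoring, while the inverted rule hides every other user's, which is why a rule with the Exclude check-box selected deserves a second look in the Review step.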
Exclusions View
The exclusion rule should be visible on the Exclusions page. You can perform the steps above to create multiple rules. You can also enable or disable the rules on the page according to your requirements. To do so, click the toggle under the Status column corresponding to the rule you want to enable or disable.

Exclusions View
Actions on Exclusions
You can also perform the following actions on the policies by clicking the Ellipsis icon corresponding to a rule:
Edit a rule to add or remove attributes according to your requirements.
View a rule to identify the attributes Traceable uses to exclude specific attacks or threat actors.
Delete a rule.
Note
A deleted rule cannot be restored.