Rule Testing for New or Updated Rule(s)


Traceable’s rule testing feature enables you to validate the rules whenever a new threat type is introduced, or a threat rule is added or updated. Rule testing simulates how the rule behaves by generating security events, without changing the threat score of any threat actors. You can use rule testing to identify any potential triggers before enforcing rule(s) in real-time. Each new or updated rule is marked with a corresponding label next to it. Traceable also displays a banner at the top of the page whenever threat rules and types are added and/or updated. This banner provides the following information:

  • The date on which Traceable published new and/or updated rules.

  • The number of rules added, updated, and/or removed.

  • The time after which the changes take effect.

To configure rule testing, log in to your Traceable account, navigate to Protection → Settings → Policies → Web Application Protection, and select the appropriate option to test the new and/or updated rule(s). For more information on the available options, see Rule Testing Options.

Rule Testing for new and updated rules


What will you learn in this topic?

By the end of this topic, you will understand:

  • The concept of rule testing.

  • The options available for enabling or disabling rule testing.

  • The rule behavior in overridden environments.


Understanding Rule Testing

Traceable allows you to choose from a set of actions to perform on threat rules. Any new or updated rule(s) are set to the Mark for testing action by default to simulate their real-time behavior. Whenever a new threat type is added or any rule(s) are created or updated under a particular threat type, the rule testing feature gives you the option to test their behavior without enforcing those rules in monitoring or blocking mode. After two weeks, Traceable updates the rule action based on the profile you selected. For more information, see Understanding Profiles.

Note

You can also select the Mark for testing option to test the behavior of any existing rules.

You can set up a notification rule for the web app rule testing feature to receive a notification whenever new rule(s) are added and/or existing rule(s) are updated. For more information on setting up notifications, see Notifications. Once the notification is set up, you will receive the updates regarding any new and/or updated rule(s) in your specified channel.


Rule Testing Options

The Rule Testing drop-down has the following options to choose from:

Rule Testing Options and Actions drop-down

  • Enabled for new rules — Select this option to enable testing of only newly added rule(s).

  • Enabled for updated rules — Select this option to enable testing of only the updated rule(s).

    Note

    While the default option for rule testing is Enabled for new rules, you can override it according to your requirements. For more information, see Overridden Environments.

  • Enabled for new and updated rules — Select this option to enable testing of both new and updated rules.

  • Disabled — Select this option to turn off rule testing, so that new or updated rule(s) do not generate events for testing.

    Note

    • The default action for any of the above options is Mark for testing, except for rules that were previously disabled under rule action.

    • If you wish to test updated rule(s) that were previously disabled, you can do so by manually selecting Mark for testing.


Overridden Environments

Traceable highlights overridden environments with its Override () icon, which shows the list of environments in which rule testing is overridden. To enable a particular rule testing option in a specific environment, switch to that environment and select the options according to your requirements. Options enabled in a particular environment override the setting under All Environments; hovering over the Override () icon shows which environments have overrides. For more information, see Understanding Overrides.

Overridden Environments