Active events
  • 05 Dec 2022
  • 4 Minutes to read
  • PDF

Article Summary

This topic describes active events, custom exclusions, and security event details, along with the actions you can perform on active events.

The Active Events page displays every instance of identified malicious activity, together with the accompanying request and response body and metadata such as the severity, the threat actor, the service, and the endpoint related to the security event. Clicking a security event shows why it was triggered; for example, a threat actor may be trying to access a resource without adequate permissions.

You can exclude events from detection for a specific endpoint by clicking the icon shown below. Excluding security events from detection is helpful when Traceable reports numerous security events for an endpoint. Traceable maintains a Detection Exclusions list of all the security events excluded from being reported. For more information, see Custom exclusions list.

You can add or remove the metadata that you want to display for the security events by editing the columns. Security events are categorized as High, Medium, and Low according to severity.

Event filtering

If a large number of events is being reported, you can filter them by the following:

  • Severity
  • Threat actor
  • API Endpoint
  • The type of threat
  • The associated service

The graph displays the number of events at any point in time along with their severity. This gives you a high-level view of your system health: numerous spikes may indicate that your system is being probed or attacked.

You can also filter the events by Security events or Testing events. Testing events are generated while testing Custom Signatures: click Custom signature on the Protection > Custom Policy page to generate events for a custom signature. This is typically used to test Custom Signatures before deploying them to production.

Custom exclusions

You can customize the details of the events that you want to exclude from detection. Once configured, Traceable stops reporting such events until you disable or delete the rule from the Custom exclusions list. To create a custom exclusion rule, click the Exclude button shown above and fill in the details in the Exclude from Detection pop-up window. Provide the following details:

Name: Name of the rule.

Description: Some details about the rule.

What events should this apply to: You have two or three choices, depending on the type of event:

  • All events - Exclude all events from being reported. This is global enforcement: no events of any type are reported for the specified parameter, or for a broader scope if you select one below.
  • Event type or specific event - Many events are grouped into event types, for example the SQL Injection event type shown in the screenshot above. In that case, you can exclude either the entire event type (all SQL Injections) or only the specific event.

What assets should this apply to: By default, exclusions apply to the specific parameter where the security event was detected. To configure a broader exclusion, select the type of asset that the rule should apply to from the drop-down list. You can apply the rule globally to all endpoints, only to the API endpoint for which the event was generated, or to all the APIs connected to the service. In the screenshot above, the service is named frontend; if you pick the service, the rule applies to all the API endpoints connected to it.

Parameter and Apply to source assets: You can apply the exclusion rule to the exact parameter, or write your own regex to match a parameter pattern. Similarly, you can apply the rule only to the asset where the attack was discovered, or write your own regex pattern to identify the assets to which the rule should apply.

Who should this apply to: You can apply the rule either to the threat actor that generated the event or to all existing and future threat actors.

Once you have created a custom exclusion rule, you can only edit its name and description, from the API Protection > Detection Policy > Exclusions tab. To change any other detail of the rule, delete it and create a new one.

Choosing All events, All endpoints, and All threat actors together is not supported: selecting "All" for all three is equivalent to disabling detection at the global level. To disable detection globally, use Enable blocking instead.
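As an added illustration (not Traceable's own code or schema), the following Python models how an Exclude from Detection rule scopes to events: all events, an event type or a specific event; a global, service or endpoint asset scope; an exact parameter or a regex pattern; and one threat actor or all of them. It also rejects the unsupported All events / All endpoints / All threat actors combination. All class and field names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecurityEvent:  # constructed model of one Active Events row; field names are assumed
    event_type: str     # grouping, e.g. "SQL Injection"
    event_name: str     # the specific detection inside that type
    service: str
    endpoint: str
    parameter: str      # parameter where the event was detected
    threat_actor: str

@dataclass(frozen=True)
class ExclusionRule:  # one Exclude from Detection rule; scopes mirror the pop-up's choices
    name: str
    events: str = "all"              # "all", "type:<event type>" or "event:<event name>"
    assets: str = "endpoint"         # "endpoint", "service" or "global"
    service: Optional[str] = None
    endpoint: Optional[str] = None
    parameter: Optional[str] = None        # exact parameter, or None to use parameter_regex
    parameter_regex: Optional[str] = None  # regex the parameter name must fully match
    threat_actor: Optional[str] = None     # None = all existing and future threat actors

    def __post_init__(self) -> None:
        # All events + all endpoints + all actors is not supported: it equals disabling detection.
        if self.events == "all" and self.assets == "global" and self.threat_actor is None:
            raise ValueError(f"rule {self.name!r} would disable detection globally")

def matches(rule: ExclusionRule, ev: SecurityEvent) -> bool:
    """True when the rule suppresses this event; every configured scope must agree."""
    if rule.events.startswith("type:") and ev.event_type != rule.events[len("type:"):]:
        return False
    if rule.events.startswith("event:") and ev.event_name != rule.events[len("event:"):]:
        return False
    if rule.assets == "service" and ev.service != rule.service:
        return False
    if rule.assets == "endpoint" and (ev.service, ev.endpoint) != (rule.service, rule.endpoint):
        return False
    if rule.parameter is not None and ev.parameter != rule.parameter:
        return False
    if rule.parameter_regex is not None and not re.fullmatch(rule.parameter_regex, ev.parameter):
        return False
    if rule.threat_actor is not None and ev.threat_actor != rule.threat_actor:
        return False
    return True

def reported(events, rules):
    """Events that still appear on the Active Events page after the exclusion rules are applied."""
    return [ev for ev in events if not any(matches(r, ev) for r in rules)]
```

Review the surviving list from `reported()` periodically: an exclusion that silences an entire service is easy to forget, and the page notes that only the name and description can be edited afterwards.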

Custom exclusions list

The Detection Exclusions list contains the endpoints for which reporting of security events has been disabled. When you delete a rule from this list, Traceable resumes detecting the threat for that endpoint. Navigate to the API Protection > Detection Policy > Exclusions tab to view the list of exclusion rules.


Security events detail

When you click a security event in the Active events tab, Traceable displays the details of the event, such as whether the user is authenticated, the API endpoint, and the service. The request, response, and API attributes are also displayed.

The User API flow section shows all the API endpoints through which the user request has traveled. Hover your mouse over an endpoint to navigate to the corresponding trace; this is extremely useful for debugging the cause of the event.

The security event details page also displays the body of the message.

If the body of the message contains sensitive data, it is recommended to configure Data redaction to redact PII.

Display event metadata

You can edit the columns to add or remove the type of metadata you want to view for security events. Hover your mouse over any column and click the icon to display the Edit Columns option.
