The Security Events page in Traceable acts as a single place to observe, understand, and investigate security-relevant API activity detected at runtime. It brings together requests that contain threats and those that trigger protection rules, allowing you to view high-level details as well as the fine-grained details of how malicious or suspicious activity interacts with your applications. It connects threat detections with real API behavior and execution context, helping you move confidently from detection to investigation to response.
What will you learn in this topic?
By the end of this topic, you will be able to understand:
- How Security Events differ from Explorer.
- How to navigate and analyze threat requests effectively.
- How to interpret the Security Events page and its key components.
Security Events vs Explorer
Traceable provides both Explorer and Security Events to serve different investigation needs. While they share underlying runtime data, each view is optimized for a distinct purpose.
| Dimension | Explorer | Security Events |
|---|---|---|
Product Area | Overall Traceable Events | Protection module |
Data Scope | All API runtime data (traces, spans, events) | Security-relevant API requests only |
Key Views | Endpoint Traces, Spans, Events | Rule Triggers, Threat Requests |
Analysis Focus | API execution flow, performance, errors | Threat detection, rule activity, and policy outcomes |
Typical Use Cases | Debugging, troubleshooting, and exploratory analysis | Threat triage, rule validation, and incident response |
Explorer helps you understand how your APIs behave. Security Events helps you understand when that behavior becomes risky.
Navigating Security Events
You can access the Security Events page after navigating to Protection in either of the following ways:
- Navigate to Protection → Security Events.
- Navigate to Protection → Threat Activities.
Filtering Security Events
While the Security Events page provides a centralized view of API requests that trigger threats or protection rules, it also provides you with the option to narrow your analysis by filtering events using the following:
- The Environment drop-down to view information for a specific environment.
- The Time Range drop-down to view information for a specific time range.
- The filter icon to filter out specific events and drill down.
This reduces noise and helps you focus on relevant activity, enabling more effective analysis of your traffic and security events. Once you have filtered the events, you can navigate to the Rule Triggers or Threat Requests tab to view the relevant data.
Understanding Security Events
The Security Events page contains the following two tabs, Rule Triggers and Threat Requests, each answering a different investigative question:
The Rule Triggers view organizes security events based on the protection rules that detect them. Each entry represents a rule execution and aggregates all API requests that trigger that rule within the selected time range. This view allows you to identify which rules actively detect threats, measure how often each rule triggers, correlate rule executions with impacted services, endpoints, and threat actors, and validate detection logic to ensure rules operate as intended. You use Rule Triggers primarily to review detection coverage, tune security policies, and assess the operational impact of your rules.
Figure: Security Events Rule Triggers tab
Visualization
The visualization section of the Rule Triggers tab displays a chart for analysis and data visualization. You can also customize this chart according to your requirements by doing any of the following:
- Add or remove Metrics and Aggregations. Note: you must add at least one metric for the visualization to appear.
- Modify the Type of visualization.
- Select the Interval for which you wish to view the data.
- Select the parameter to group the data by using the Group By drop-down option.
- Select the parameter by which to Order the visualization.
After customizing the visualization, simply hover over it to view detailed insights. You can create multiple visualizations to compare different parameters and better understand patterns. Use these views to identify which endpoints, users, or IP addresses are driving the highest threat activity, then navigate to the Results section to investigate the exact requests behind those trends.
Results
The Results section of the Rule Triggers tab displays detailed request and response data captured from spans and events, including headers, body, and cookies. When you select a security event, it opens a detailed view that includes:
Summary — It contains the high-level information such as threat type, rule name, endpoint, actor, severity, confidence, and enforcement status.
Span Details — It contains the execution context showing where the threat was detected within the request lifecycle.
Source Details — It contains metadata about actors, including IP addresses, user identifiers, and geographic information.
Sensitive Data — It contains the identified sensitive data elements associated with the request or response, if applicable.
The following table describes the fields shown under each component of the detailed view:
| Component | Field | Description |
|---|---|---|
| Summary | Event ID | Unique identifier for this security event. |
| Summary | Threat Activity ID | Tracks the specific threat instance linked to this event. |
| Summary | Threat Type | Category or classification of the detected threat. |
| Summary | Description | Explains why the threat was triggered or detected. |
| Summary | Threat Param | Specific parameters involved in the threat, if any. |
| Summary | Threat Labels | Tags or policy classifications assigned to the threat. |
| Summary | Status Code | HTTP response code associated with the request. |
| Summary | Endpoint | API or URL endpoint targeted by the request. |
| Summary | Status | Current monitoring or mitigation status of the threat. |
| Summary | Threat Actor | IP address or entity responsible for the activity. |
| Summary | Severity | Level of potential impact of the threat. |
| Summary | Confidence | How certain the system is that this is a real threat. |
| Span Details | Span ID | Unique identifier for the trace span. |
| Span Details | Trace ID | Identifier that links all spans within a single trace. |
| Span Details | Session ID | Identifier for the user session, if available. |
| Span Details | Service | Name of the service handling the request. |
| Span Details | URI | Full URL of the endpoint being accessed. |
| Span Details | Environment | Deployment environment where the service is running. |
| Source Details | Source IP | IP address from which the request originated. |
| Source Details | IP Reputation | Assessment of the IP address based on its past behavior and observed risk signals. |
| Source Details | IP Types | Category of the IP address based on how it is commonly used, such as proxy or residential. |
| Source Details | IP Connection Type | Type of network the IP address uses to connect, for example, corporate or residential. |
| Source Details | IP ASN | Autonomous System Number that identifies the network operator owning the IP address. |
| Source Details | IP Organization | Organization or service provider associated with the IP address. |
| Source Details | Scanner | Whether the IP address is identified as an automated scanning source. |
| Sensitive Data | Request Datatypes | Types of data elements included in the API request payload or parameters. |
| Sensitive Data | Request Datasets | Logical groups or collections of data referenced or sent within the API request. |
| Sensitive Data | Response Datatypes | Types of data elements returned in the API response. |
| Sensitive Data | Response Datasets | Logical groups or collections of data included in the API response. |
The Threat Requests view organizes security events by individual API requests. Each entry represents a single request classified as malicious or suspicious and includes all associated rule detections and execution context. This view enables you to inspect the exact request and response that triggered detections, analyze attacker behavior at the request level, correlate request attributes with triggered rules and enforcement outcomes, and conduct detailed investigations for incident response. You use Threat Requests primarily for request-level analysis, forensic investigations, and response actions that require precise contextual information.
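Rule Triggers and Threat Requests are two pivots over the same security events: one keyed by rule, the other keyed by request. The following added example (not Traceable's code; the records, rule names and field values are constructed for illustration) builds both views, plus the Group By/Order pivot the Visualization section describes, from a handful of sample events so the relationship between the two tabs is concrete:

```python
from collections import defaultdict

# Constructed sample records (not real Traceable data): one record per
# (request span, triggered rule), using field names from the page's tables.
EVENTS = [
    {"event_id": "evt-1", "span_id": "span-a", "rule_name": "sqli-detection",
     "endpoint": "POST /api/login", "threat_actor": "203.0.113.10",
     "severity": "HIGH", "rule_action": "BLOCK"},
    {"event_id": "evt-2", "span_id": "span-a", "rule_name": "rate-limit",
     "endpoint": "POST /api/login", "threat_actor": "203.0.113.10",
     "severity": "MEDIUM", "rule_action": "ALERT"},
    {"event_id": "evt-3", "span_id": "span-b", "rule_name": "sqli-detection",
     "endpoint": "GET /api/users", "threat_actor": "198.51.100.7",
     "severity": "HIGH", "rule_action": "ALERT"},
    {"event_id": "evt-4", "span_id": "span-c", "rule_name": "rate-limit",
     "endpoint": "POST /api/login", "threat_actor": "203.0.113.10",
     "severity": "MEDIUM", "rule_action": "BLOCK"},
]

def rule_triggers(events):
    """Rule Triggers view: one entry per rule, aggregating the requests that triggered it."""
    view = defaultdict(lambda: {"triggers": 0, "endpoints": set(),
                                "actors": set(), "blocked": 0})
    for e in events:
        entry = view[e["rule_name"]]
        entry["triggers"] += 1
        entry["endpoints"].add(e["endpoint"])
        entry["actors"].add(e["threat_actor"])
        entry["blocked"] += e["rule_action"] == "BLOCK"  # enforcement outcomes
    return dict(view)

def threat_requests(events):
    """Threat Requests view: one entry per request span with every rule it triggered."""
    view = defaultdict(lambda: {"endpoint": None, "actor": None,
                                "rules": [], "enforced": False})
    for e in events:
        entry = view[e["span_id"]]
        entry["endpoint"], entry["actor"] = e["endpoint"], e["threat_actor"]
        entry["rules"].append(e["rule_name"])
        entry["enforced"] = entry["enforced"] or e["rule_action"] == "BLOCK"
    return dict(view)

def top_actors(events, n=1):
    """Visualization-style pivot: Group By threat actor, Order by trigger count."""
    counts = defaultdict(int)
    for e in events:
        counts[e["threat_actor"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
```

Use `rule_triggers` to answer "which rules fire, how often, and against what", and `threat_requests` to answer "what exactly happened on this one request"; the same four records produce both answers.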
Figure: Threat Requests tab
Visualization
The visualization section of the Threat Requests tab is similar to the Rule Triggers tab. It displays a chart for analysis and data visualization. You can also customize this chart according to your requirements by doing any of the following:
- Add or remove Metrics and Aggregations. Note: you must add at least one metric for the visualization to appear.
- Modify the Type of visualization.
- Select the Interval for which you wish to view the data.
- Select the parameter to group the data by using the Group By drop-down option.
- Select the parameter by which to Order the visualization.
After customizing the visualization, simply hover over it to view detailed insights. You can create multiple visualizations to compare different parameters and better understand patterns. Use these views to identify which endpoints, users, or IP addresses are driving the highest threat activity, then navigate to the Results section to investigate the exact requests behind those trends.
Results
The Results section of the Threat Requests tab displays detailed request and response data captured from events in a tabular format. When you select a security event, it opens a detailed view that includes:
Summary — It contains the high-level details such as Event ID, Threat Activity ID, threat type, description, affected parameter, labels, status code, endpoint, threat actor, severity, and confidence.
Rule Triggers — It contains details about the matched threat parameter, assigned severity level, and the configured rule action triggered upon meeting defined conditions.
Source Details — It contains the origin metadata such as IP address, ASN, organization, and reputation.
Sensitive Data — It contains the sensitive data types or datasets in the request or response, if applicable.
The following table describes the fields shown under each component of the detailed view:
| Component | Field | Description |
|---|---|---|
| Summary | Span ID | Uniquely identifies the request span where the event was observed. |
| Summary | Trace ID | Links the request to related operations across services. |
| Summary | Session ID | Identifies the user session associated with the request, when available. |
| Summary | Status Code | HTTP response status returned by the endpoint. |
| Summary | Event Status | How the system handled the detected event. |
| Summary | Endpoint | API endpoint and HTTP method involved in the event. |
| Summary | Service | Service that processed the request. |
| Summary | URL | Complete request URL accessed during the event. |
| Summary | Environment | Environment in which the request occurred. |
| Rule Triggers | Rule Name | Protection rule that detected the request. |
| Rule Triggers | Policy Type | Type of policy responsible for detection. |
| Rule Triggers | Trigger Reason | Condition that caused the rule to trigger. |
| Rule Triggers | Threat Activity ID | Uniquely identifies the detected threat activity. |
| Rule Triggers | Threat Parameter | Request parameter involved in detection, if applicable. |
| Rule Triggers | Threat Actor | Source responsible for triggering the rule. |
| Rule Triggers | Severity | Assessed risk level of the detected activity. |
| Rule Triggers | Rule Action | Action applied when the rule condition was met. |
| Source Details | Source IP | IP address from which the request originated. |
| Source Details | IP ASN | Autonomous system number associated with the source IP, if available. |
| Source Details | IP Organization | Organization that owns or operates the source IP, when known. |
| Sensitive Data | Request Datasets | Datasets identified within the API request, if any. |
| Sensitive Data | Request Datatypes | Types of data detected in the API request. |
| Sensitive Data | Response Datasets | Datasets identified within the API response, if any. |
| Sensitive Data | Response Datatypes | Types of data detected in the API response. |