Threat Activity
  • 04 Jul 2024

The Threat Activity page under Traceable's API Protection provides detailed information about the threats detected against your APIs. The summary section is built from all logged and blocked activity and highlights the top detected threats. It is divided into sections based on:

  • Malicious activities

  • Malicious sources

  • API abuse

[Image: Threat Activity summary]

The top threat types are further classified into different categories based on the following:

This categorization helps you identify threats based on OWASP's industry standard definitions of API threats.


Detailed threat activity view

[Image: Threat Activity list view]

The Threat Activity page also lists each threat activity along with the following details:

  • Total number of requests in which the threat activity was found

  • Threat type

  • Total number of API endpoints it affected

  • Total number of contributing threat actors

  • Impact and Confidence distribution of the threat activity

  • CWE and OWASP classification of the threat activity, for example OWASP 2021: A3 and OWASP 2017: A1 in the screenshot above

  • The first and last detected time

You can narrow the list down to the threat activities you are interested in by filtering on the following:

  • IPs — Click All IP Address Types and select the IP type for which you want to view the data, such as Show Only Internal IPs.

  • Activity — Click All Activity and select the activity type for which you want to view the data, such as Show Only Blocked.

  • API attributes — Click Add Filter and select the attribute to filter on, such as endpoint name, service name, or threat actor country. You can also click the Filter icon next to the Actions icon to filter the data on specific attributes.

You can add as many filters as you wish to drill down or search for a specific threat activity. You can also do the following:

  • Click the Most Recent drop-down to sort the data visible on the page in one of the following ways:

    • Most Recent — This option sorts the data based on the detection timestamp, with the latest detected threat activity at the top.

    • By Requests — This option sorts the data based on the number of requests in an activity, with the threat with the most requests at the top.

  • Click the Actions drop-down to download the list of threats as a CSV file. You can also choose how many rows of the list to include in the download.
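The CSV export is the natural starting point for offline triage or for feeding the list into your own reporting. The script below is an added example, not code from Traceable or from this article: it parses a small constructed export, reproduces the two UI sort orders (Most Recent, By Requests), applies the activity, impact and confidence filters, and rolls request counts up by OWASP category. The column names (threat_type, requests, impact, confidence, owasp_2021, last_detected, activity, and so on) are assumptions modelled on the fields shown in the list view; compare them against the header row of a real export before reusing this. "Most Recent" is assumed to sort on the last-detected timestamp.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of a Threat Activity CSV export. The column names are
# assumptions modelled on the fields the list view shows; check them against
# a real export's header row before using this on production data.
SAMPLE_CSV = """\
threat_type,requests,endpoints,threat_actors,impact,confidence,cwe,owasp_2021,owasp_2017,first_detected,last_detected,activity
SQL Injection,412,3,2,High,High,CWE-89,A3,A1,2024-07-01T08:15:00Z,2024-07-03T21:40:00Z,Blocked
Broken Object Level Authorization,57,1,1,Medium,Medium,CWE-639,A1,A5,2024-07-02T10:00:00Z,2024-07-04T06:12:00Z,Logged
Cross-Site Scripting,96,2,4,High,Medium,CWE-79,A3,A7,2024-06-30T12:00:00Z,2024-07-02T09:30:00Z,Blocked
Data Exfiltration,8,1,1,Critical,Low,CWE-200,A1,A3,2024-07-04T06:50:00Z,2024-07-04T07:05:00Z,Logged
"""

# Ordinal scale for the Impact and Confidence columns so that they can be
# compared with "at least this level" semantics.
LEVELS = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def load_threats(text):
    """Parse an export into a list of dicts with typed count and time fields."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = dict(raw)
        for col in ("requests", "endpoints", "threat_actors"):
            row[col] = int(row[col])
        for col in ("first_detected", "last_detected"):
            row[col] = datetime.strptime(row[col], TS_FORMAT)
        rows.append(row)
    return rows


def sort_most_recent(rows):
    """Mirror the UI's 'Most Recent' sort: latest last-detected time first."""
    return sorted(rows, key=lambda r: r["last_detected"], reverse=True)


def sort_by_requests(rows):
    """Mirror the UI's 'By Requests' sort: highest request count first."""
    return sorted(rows, key=lambda r: r["requests"], reverse=True)


def filter_threats(rows, activity=None, min_impact=None, min_confidence=None):
    """Keep rows that match the activity type (Blocked/Logged) and meet the
    minimum impact and confidence levels. None means 'do not filter on this'."""
    kept = []
    for r in rows:
        if activity is not None and r["activity"] != activity:
            continue
        if min_impact is not None and LEVELS[r["impact"]] < LEVELS[min_impact]:
            continue
        if min_confidence is not None and LEVELS[r["confidence"]] < LEVELS[min_confidence]:
            continue
        kept.append(r)
    return kept


def requests_by_owasp(rows, edition="owasp_2021"):
    """Total requests per OWASP Top 10 category for one edition column."""
    totals = defaultdict(int)
    for r in rows:
        totals[r[edition]] += r["requests"]
    return dict(totals)


if __name__ == "__main__":
    threats = load_threats(SAMPLE_CSV)
    for r in sort_by_requests(threats):
        print(f"{r['requests']:>5}  {r['threat_type']}  ({r['cwe']}, OWASP 2021 {r['owasp_2021']})")
    high_value = filter_threats(threats, activity="Blocked", min_impact="High", min_confidence="High")
    print("Blocked, high impact, high confidence:", [r["threat_type"] for r in high_value])
    print("Requests per OWASP 2021 category:", requests_by_owasp(threats))
```

Filtering on both impact and confidence before sorting is the same drill-down the UI offers, but done here so the result can be diffed between exports; the OWASP roll-up gives the per-category view the summary section shows at the top of the page.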

Once you have filtered and sorted the threat activity data based on your search criteria, you can view the detailed information by clicking on the specific threat activity.

Detailed information about a threat activity includes when it was first and last detected, the total number of requests, the affected endpoints, the threat actors involved, and so on. The Request Timeline shows how many requests were received over time between the first and last detected times.

Individual Threat Activity

You can further drill down into an individual request for detailed information, including an overview, payload, and session data. Each request view has three tabs:

  • Overview — Shows detailed information about the Malicious Behaviors, the API in which they were found, and the Request details. From here you can also use Exclude this session or Create a JIRA as needed.

  • Session — Highlights the requests made to the affected endpoints and services in the session, with the API where the malicious behaviors were identified marked in red. You can drill down further into each request to the affected endpoint.

  • Payload — Shows the Request, Response, and Attributes of the session.
