Threat actors
  • 17 Oct 2023
  • 4 Minutes to read
  • PDF

Threat actors

  • PDF

Article Summary

Threats are a prominent actionable category within Traceable. Threats typically mean an ongoing attack that needs attention and resolution. Traceable analyzes malicious activity by authenticated or anonymous users to identify threats. This threat activity information is combined with the previous activity report into an attack timeline. 

In the Threats section of the platform, Traceable displays both the active threats and threats that have not been resolved or mitigated. Traceable assigns a threat severity of High, Medium, or Low to each threat based on the volume and other information about malicious activity. The Threats view is independent of the time window that you choose in the top menu bar. 

Traceable identifies the threats by the threat actor. A threat actor is identified by a user ID, for example, an email ID. If the user ID is not available, the IP address of the threat actor is displayed. Threat actors are also associated with the reputation of the IP address that they are using, along with the type of IP address. For example, IP type could be anonymous VPN, public proxy, bot, and so on.

Traceable does not display individual normal-users (a user who has not carried out any suspicious activity). Clusters of common user activities can be viewed in the User Behavior section of the UI. Users who have conducted at least one malicious activity are identified as a threat actor and displayed in the Threats section.

Threat detection

Traceable starts security event detection by observing the traffic flow through the APIs Endpoints to build the API Specification and insights for each of the parameters. These insights about the traffic flow are a combination of the baseline for a parameter type, value and usage, such as patterns of request and response. Traceable, for example, observes the parameters within API endpoints, the traffic flow in authorized user sessions, the sequence of API calls, and so on. 

To identify threats, Traceable establishes a baseline. Traceable then detects any requests and responses where the parameters deviate from the established baseline. These deviations are identified as anomalies. These anomalies are further analyzed to identify if the anomalous activity is malicious. If it is an anomalous activity, a security event is raised. When Traceable detects anomalous behavior, it starts observing the user who triggered it. This user is now called a monitored user. Traceable closely monitors all further communication from this user.

Anomalies and security events have different severity levels based on multiple factors. Once the monitored user crosses a certain anomaly threshold level and displays some malicious behavior (security events are identified in their requests), they become a threat-actor. 

Navigate to the Protection → Threat Actor section of the platform to view all the identified threats. By default, the platform displays the Active threats, the most recent active threat actors being at the top. You can also sort the threat list based on threat creation time or score by clicking on the Most Recent drop-down list. 

Threat actor mitigation

You can mitigate the threats by changing their state from the threat PROFILE page. The state that you select for the threat applies to it immediately. When you mitigate the threat by assigning it a specific status, the threat moves from the Active list or category to its new state. You can re-categorize the threat to a different state based on the new inputs that Traceable provides. If the threat is put into a Suspend or Deny state, any further activity by these actors will be blocked once the blocking policy propagates into Traceable modules (~15 seconds). 

Following is a short demo to show how to act on a specific threat actor:

The following table defines each state.

Threat stateDescription

The default state of the threat when it is reported by Traceable.

A user who has not attacked the system, however, is being monitored for suspicious activities.

Move the threat to this state when want to allow access to the system irrespective of whether the activities by the actor are malicious or not.


Move the threat to this state if you are confident that it is no longer a threat. This action resets Threat severity to 0. Traceable reports the threat actor again if it finds any malicious activity from it. In such a case, the threat is listed on the Active list.


Move the threat to this state if you want to allow the threat actor temporarily. You can choose snooze duration from a pre-defined time range, starting from 1-hour up to a week.


Move the threat to this state if you want to temporarily deny access to the threat actor. You can select the suspension duration from a pre-defined time range, starting from 1-hour up to a week.


Move the threat to this state if you want to completely block access for a threat actor. 

If the users on the suspend or deny list use additional IP addresses, those IP addresses are also blocked. Traceable internally maintains a list of such IP addresses as ACL (access control list) policy. All such users are blocked from future access until their suspension is revoked, or they are removed from the deny list.

Was this article helpful?