Security events
This topic describes security events, custom exclusions, and the security event details, along with the actions you can perform on those events.
The Security Events page lists every instance of identified malicious activity along with the accompanying request and response body and metadata, for example the severity, the threat actor, the service, and the endpoint related to the event. Clicking a security event shows you why it was triggered; for example, a threat actor may be trying to access a resource without adequate permissions.
You can exclude events from detection for a specific endpoint by clicking the icon shown below. Excluding security events from detection is helpful when Traceable reports a large number of security events for an endpoint. Traceable maintains a Detection Exclusions list of all the security events excluded from being reported. For more information, see Custom exclusions list.
You can add or remove the metadata displayed for security events by editing the columns. Security events are categorized as High, Medium, and Low according to severity.

Event filtering

If you have a larger number of events being reported, you can filter events based on the following:
  • Severity
  • Threat actor
  • API endpoint
The graph displays the number of events at any point in time along with their severity. This gives you a high-level view of your system's health: a large number of spikes possibly indicates that your system is being probed or attacked.
You can also filter the events based on Security events or Testing events. Testing events are generated while testing Custom Signatures. In the Administration > Policies > Custom tab, you can choose to generate events for Custom Signatures. This is typically used to test Custom Signatures before deploying them to production.

Custom exclusions

You can customize the details of the events that you want to exclude from detection. Once configured, Traceable stops reporting such events until you disable or delete the rule from the Custom exclusions list. To create a custom rule to exclude events, click the Exclude button shown above and fill in the details in the Exclude from Detection pop-up window. Provide the following details:
Name of the rule
Some details about the rule
What events should this apply to
You have two or three choices depending on the type of event:
  • All events - You can exclude all events from being reported. This is global enforcement: no events of any type are reported for the specified parameter or the broader scope you select.
  • Many events are grouped into event types, for example the SQL Injection event type shown in the above screenshot. In that case you can exclude either the entire event type (all SQL injections) or only the specific event, in this case SQL injection Attack(100).
What assets should this apply to
By default, an exclusion applies to the specific parameter where the security event was detected. To configure a broader exclusion, select from the drop-down list the type of asset the rule should apply to: the API endpoint for which the event was generated, all the API endpoints connected to the service, or all endpoints globally. In the above screenshot the service is named frontend; if you choose the service, the rule applies to all the API endpoints connected to it.
Who should this apply to
You can choose between applying the rule only to the threat actor that generated the event or to all existing and future threat actors.
Once you have created a custom exclusion rule, you can only edit its name and description, from the Administration > Policies > Exclusions tab. To change any other details of the rule, delete it and create a new one.
Choosing the All option for all three settings (All events, All endpoints, and All threat actors) is not supported, because it is equivalent to disabling detection at the global level. To globally disable detection, use Enable blocking instead.
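As an added illustration (not Traceable's code or API), the following Python model shows how the three scopes of an exclusion rule (events, assets, threat actors) combine when deciding whether an event is suppressed, why a disabled rule no longer suppresses anything, and why the all/all/all combination is rejected; the field names and rule shape are assumptions.

```python
# Added example, not Traceable's own code: a toy model of how a custom exclusion
# rule is scoped and matched. Field names and the rule shape are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecurityEvent:
    event_type: str      # grouping shown in the UI, e.g. "SQL Injection"
    event_name: str      # specific event, e.g. "SQL injection Attack(100)"
    service: str         # e.g. "frontend"
    endpoint: str        # e.g. "POST /api/login"
    parameter: str       # parameter where the event was detected
    threat_actor: str

@dataclass(frozen=True)
class ExclusionRule:
    name: str
    event_type: Optional[str] = None    # None = all event types
    event_name: Optional[str] = None    # None = every event of that type
    asset_scope: str = "parameter"      # "parameter" | "endpoint" | "service" | "all"
    service: Optional[str] = None
    endpoint: Optional[str] = None
    parameter: Optional[str] = None
    threat_actor: Optional[str] = None  # None = all existing and future actors
    enabled: bool = True                # a disabled rule stops suppressing events

    def __post_init__(self) -> None:
        # All events + all endpoints + all actors equals disabling detection globally.
        if self.event_type is None and self.asset_scope == "all" and self.threat_actor is None:
            raise ValueError(f"rule {self.name!r}: all/all/all exclusion is not supported")

    def matches(self, ev: SecurityEvent) -> bool:
        if not self.enabled:
            return False
        for want, got in ((self.event_type, ev.event_type), (self.event_name, ev.event_name),
                          (self.threat_actor, ev.threat_actor)):
            if want is not None and want != got:   # None means "all"
                return False
        # Asset scope widens from the single parameter up to every endpoint.
        if self.asset_scope == "all":
            return True
        if ev.service != self.service:
            return False
        if self.asset_scope == "service":
            return True
        if ev.endpoint != self.endpoint:
            return False
        return self.asset_scope == "endpoint" or ev.parameter == self.parameter

def suppressing_rule(ev: SecurityEvent, rules) -> Optional[str]:
    # Name of the first enabled rule that excludes ev, or None if it is still reported.
    return next((r.name for r in rules if r.matches(ev)), None)
```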

Custom exclusions list

The Detection Exclusions list shows the endpoints for which reporting of security events has been disabled. When you delete a rule from this list, Traceable resumes detecting the threat for that endpoint. Navigate to the Administration > Policies > Exclusions tab to view the list of exclusion rules. If you created a rule for a specific endpoint, you can navigate directly to that endpoint by clicking the URL under the Asset column.

Security events detail

When you click a security event in the Active events tab, Traceable displays the details of the event. The details page provides rich information about the event: for example, whether the user is authenticated, the API endpoint, and the service. The request, response, and API attributes are also displayed.
The User API flow section shows all the API endpoints through which the user request traveled. Hover your mouse over an endpoint to navigate to the corresponding trace; this is extremely useful for debugging the cause of the event.
The security event details page also displays the body of the message. If the body contains sensitive data, configure Data redaction to redact PII.

Display event metadata

You can edit the columns to add or remove the metadata you want to view for security events. Hover your mouse over any column and click the icon that appears to display the Edit Columns option.