
Traceable

This Integration is part of the Traceable Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Traceable AI API Security Platform Integration

Overview

The Traceable platform monitors application APIs and detects Threat Events. Each Threat Event carries the details of the Threat Activity, the Actor performing it, and the request/response payloads involved.

With this integration, an Incident is raised in Cortex XSOAR whenever the Traceable platform detects such an event. This lets security teams orchestrate actions through Cortex XSOAR with meaningful information about the detected Threat Activities.

Setup

To use the integration, the following mandatory parameters need to be set:

| Parameter Name | Default Value | Description |
| --- | --- | --- |
| Traceable Platform API Endpoint URL | https://api.traceable.ai | Base URL of the Traceable platform API endpoint. |
| API Token | - | API token used for authenticating against the Traceable platform. |
| Trust any certificate (not secure) | false | Trust any SSL certificate while connecting to the Traceable platform API endpoint. |
| Use system proxy settings | false | Use the system proxy using the environment variables http_proxy/https_proxy. |

The API token can be generated as described in the Traceable Documentation.

Customize Event/Activity Collection

The following parameters can be used to select the events that should be imported from the Traceable platform into Cortex XSOAR as security incidents.

| Parameter name | Type | Required (Yes/No) | Default Value | Description |
| --- | --- | --- | --- | --- |
| First fetch timestamp | Short text | No | 1 days | Duration in the past to query the events, when querying for the first time. |
| Max number of records to fetch per API call to Traceable API Endpoint | Short text | No | 100 | Number of records to return from the Traceable platform per query. |
| Number of span queries to run in parallel | Short text | No | 5 | Number of threads to use for querying spans in parallel. |
| Max spans per thread | Short text | No | 50 | Number of spans to query per span thread. Value can be an integer between 1 and 1000. |
| Comma Separated Environment List To Process | Long text | No | - | Comma-separated list of environments to query. |
| Security Score Category | Multi select | No | CRITICAL, HIGH, MEDIUM | Security Score Category of the events to be queried. |
| Threat Category | Multi select | No | Malicious Activities, API Abuse, Malicious Sources | Threat Category of the events to be queried. |
| IP Reputation Level | Multi select | No | CRITICAL, HIGH, MEDIUM | IP Reputation Level of the events to be queried. |
| IP Abuse Velocity | Multi select | No | CRITICAL, HIGH, MEDIUM | IP Abuse Velocity of the events to be queried. |
| IP Location Type | Multi select | No | - | IP Location Type of the events to be queried. |
| Traceable Platform Endpoint URL | Long text | No | https://app.traceable.ai | Base URL of the Traceable platform UI endpoint. |
| Ignore Status Codes | Long text | No | 400-499 | Ignore incidents whose HTTP status code falls within the given comma-separated list of HTTP status codes and/or status code ranges, e.g. 301, 400-499. |
| Incident optional field list | Multi select | No | actorDevice, actorEntityId, actorId, actorScoreCategory, actorSession, apiName, apiUri, category, ipAbuseVelocity, ipReputationLevel, securityEventType, securityScore, serviceId, actorScore, threatCategory, type | Optional fields to pull from the Traceable event. |
| Additional API Attributes | Multi select | No | isExternal, isAuthenticated, riskScore, riskScoreCategory, isLearnt | Additional API attributes to query for the affected API in the incident. |
| Fetch unique incidents | Boolean | No | true | Select if the integration should only fetch unique occurrences of a given incident from the Traceable Platform. |
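Two of the parameters above carry a small grammar of their own: "Ignore Status Codes" accepts a comma-separated mix of single HTTP status codes and inclusive ranges ("301, 400-499"), and "Max spans per thread" must be an integer between 1 and 1000. The following Python is an added example, not the Traceable integration's own code, showing how such parameter values can be validated strictly at configuration time and how the status-code filter is then applied to fetched events. The event dictionaries and their `statusCode` key are a constructed assumption about the event shape, used only to make the example runnable.

```python
"""Added example: validate the "Ignore Status Codes" and "Max spans per thread"
parameter formats described above and apply the status-code filter to events.
Not the integration's own code; the event shape below is a constructed assumption."""

from typing import Any, Dict, List, Optional, Tuple

StatusRange = Tuple[int, int]  # inclusive (low, high)


def parse_bounded_int(value: str, low: int, high: int) -> int:
    """Parse an integer parameter and enforce an inclusive [low, high] bound.

    Used for "Max spans per thread" (1 to 1000). Raising on a bad value makes a
    misconfiguration fail loudly instead of silently running with a bogus size.
    """
    try:
        number = int(str(value).strip())
    except ValueError:
        raise ValueError(f"not an integer: {value!r}")
    if not low <= number <= high:
        raise ValueError(f"{number} is outside the allowed range {low}-{high}")
    return number


def parse_ignore_status_codes(spec: str) -> List[StatusRange]:
    """Turn "301, 400-499" into [(301, 301), (400, 499)].

    Single codes and inclusive ranges are separated by commas; surrounding
    whitespace and empty items are tolerated. Anything else (non-numeric text,
    inverted ranges, values outside 100-599) raises ValueError so the
    integration's test step catches the typo rather than ignoring nothing.
    """
    ranges: List[StatusRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            low_s, high_s = item.split("-", 1)
            low, high = int(low_s.strip()), int(high_s.strip())
        else:
            low = high = int(item)
        if not (100 <= low <= 599 and 100 <= high <= 599):
            raise ValueError(f"status code out of range: {item!r}")
        if low > high:
            raise ValueError(f"inverted range: {item!r}")
        ranges.append((low, high))
    return ranges


def should_ignore_status(status_code: int, ranges: List[StatusRange]) -> bool:
    """True when the status code falls inside any configured ignore range."""
    return any(low <= status_code <= high for low, high in ranges)


def filter_events(events: List[Dict[str, Any]], spec: str) -> List[Dict[str, Any]]:
    """Drop events whose response status code is in the ignore list.

    Events with no status code are kept: an absent field is not evidence that
    the request was rejected, so the conservative choice is to raise the incident.
    """
    ranges = parse_ignore_status_codes(spec)
    kept: List[Dict[str, Any]] = []
    for event in events:
        status: Optional[Any] = event.get("statusCode")  # assumed field name
        if status is not None and should_ignore_status(int(status), ranges):
            continue
        kept.append(event)
    return kept


# Constructed sample events (not real Traceable data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": "evt-1", "apiUri": "/login", "statusCode": 401},
    {"id": "evt-2", "apiUri": "/orders", "statusCode": 200},
    {"id": "evt-3", "apiUri": "/admin", "statusCode": 301},
    {"id": "evt-4", "apiUri": "/export"},  # no status recorded
]


if __name__ == "__main__":
    print("max spans per thread:", parse_bounded_int("50", 1, 1000))
    for event in filter_events(SAMPLE_EVENTS, "301, 400-499"):
        print("raise incident for", event["id"], event.get("apiUri"))
```

With the default value of `400-499`, rejected requests (authentication failures, not-found probes and the like) are filtered out and only events whose request actually reached the API with a 2xx/3xx/5xx response become incidents; widening the list to include `301` as in the example additionally drops redirect responses.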

Incident Types

The integration generates incidents of type Exploit.

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

list_incident_cache

List the entries present in the Traceable instance cache.

Base Command

list_incident_cache

Input

| Argument Name | Description | Required |
| --- | --- | --- |

This command has no input arguments.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Traceable.Instancecache.id | string | Cache entry ID. |
| Traceable.Instancecache.expiry | date | Cache entry expiration date. |

purge_incident_cache

Delete all entries in the incident cache.

Base Command

purge_incident_cache

Input

| Argument Name | Description | Required |
| --- | --- | --- |

This command has no input arguments.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Traceable.Instancecache.id | string | Cache entry ID. |
| Traceable.Instancecache.expiry | date | Cache entry expiration date. |
| Traceable.Instancecache.deletion_status | string | Cache entry deletion status. |
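The two commands above expose an instance cache whose entries have an ID and an expiry date, and the "Fetch unique incidents" parameter suggests that cache is what keeps a recurring Traceable event from being raised as a duplicate incident. The Python below is an added example of such an expiring deduplication cache, written to produce the same `id`, `expiry` and `deletion_status` fields the context outputs list. It is not the integration's own implementation: the TTL-based expiry, the `seen_before` method and the `"deleted"` status value are assumptions made for illustration, and the clock is passed in explicitly so the behaviour can be checked offline.

```python
"""Added example: an expiring incident cache modelled on the list/purge commands.
Not the integration's code; TTL semantics and the "deleted" status are assumptions."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class CacheEntry:
    id: str           # Traceable.Instancecache.id
    expiry: datetime  # Traceable.Instancecache.expiry (timezone-aware)


class IncidentCache:
    """Remembers event IDs for a TTL so the same event is not re-raised.

    Entries are pruned lazily on every access; an expired entry is treated as
    never seen, so a long-running attack that keeps producing the same event
    will surface again once the TTL has elapsed rather than being hidden forever.
    """

    def __init__(self, ttl: timedelta) -> None:
        if ttl <= timedelta(0):
            raise ValueError("ttl must be positive")
        self.ttl = ttl
        self._entries: Dict[str, CacheEntry] = {}

    def _prune(self, now: datetime) -> None:
        expired = [key for key, entry in self._entries.items() if entry.expiry <= now]
        for key in expired:
            del self._entries[key]

    def seen_before(self, event_id: str, now: datetime) -> bool:
        """Return True if event_id is cached and unexpired; otherwise record it.

        The caller raises an incident only when this returns False.
        """
        self._prune(now)
        if event_id in self._entries:
            return True
        self._entries[event_id] = CacheEntry(id=event_id, expiry=now + self.ttl)
        return False

    def list_entries(self, now: datetime) -> List[Dict[str, str]]:
        """Shape matches the list_incident_cache context output."""
        self._prune(now)
        return [
            {"id": entry.id, "expiry": entry.expiry.isoformat()}
            for entry in sorted(self._entries.values(), key=lambda e: e.id)
        ]

    def purge(self) -> List[Dict[str, str]]:
        """Delete every entry and report each one, as purge_incident_cache does.

        The "deleted" status string is an assumed value for this example.
        """
        report = [
            {"id": entry.id, "expiry": entry.expiry.isoformat(), "deletion_status": "deleted"}
            for entry in sorted(self._entries.values(), key=lambda e: e.id)
        ]
        self._entries.clear()
        return report


if __name__ == "__main__":
    # Constructed timeline: the same event arrives three times over two hours.
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    cache = IncidentCache(ttl=timedelta(hours=1))
    for offset in (timedelta(0), timedelta(minutes=30), timedelta(hours=2)):
        dup = cache.seen_before("evt-1", t0 + offset)
        print(f"t+{offset}: duplicate={dup}")
    print("cache:", cache.list_entries(t0 + timedelta(hours=2)))
    print("purged:", cache.purge())
```

A cache keyed only on the event ID is enough for "unique occurrences"; pruning on every call keeps memory bounded without a background thread, which matters in an integration that runs as a short-lived fetch job.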

Official Traceable Documentation

https://docs.traceable.ai/

Issues?

Reach out to support@traceable.ai.