Data collected

tCell collects a variety of runtime information from your application. Two types of data are collected: events and metrics. Events represent discrete occurrences or pieces of information. Metrics represent time-based counts of different events.

Sanitization

All data passes through a sanitization filter before it is asynchronously sent to the tCell service. No data leaves the application agent without first passing through this sanitization process. The sanitization steps are designed to prevent private data from leaving your network.

Sanitization steps include:

Session IDs (sid): Session tokens are one-way hashed with an optional private key (hmac_key) to form the transmitted sid. This lets tCell associate multiple events from the same user session without knowing anything about the session itself.

Password IDs (passwordId): For agents that support password behavior tracking, the password for a login event is one-way hashed together with an optional private key (password_hmac_key), the tCell app ID, and the username, and only a small portion of the hash result is used. The net result is that the tCell service can determine whether an IP address is trying a variety of passwords or usernames, or is trying the same one repeatedly. Thus, a misconfigured automated agent that always attempts the same username and password is not flagged as an account takeover attack. However, because only a limited portion of the hash is collected, the data is not useful for guessing the actual password, especially if the private key is used.

Transaction IDs (tid): Transaction IDs are generated as UUIDs, using no customer- or user-identifiable data.

URI sanitization: All URIs are sanitized by stripping parameter values while keeping parameter names. For example, the referrer URL http://localhost:8080/WebGoat/login.mvc?error=SomeErrorHere&test=SomeValue is sanitized to http://localhost:8080/WebGoat/login.mvc?error=&test=
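The following is an added illustration of the four sanitization rules above, written for this page and not taken from the tCell agent. The hash algorithm (SHA-256), the app_id:username:password message layout for the password hash, and the 8-hex-character truncation (the length of the password_id in the login sample below) are assumptions.

```python
import hashlib
import hmac
import uuid
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed details, not the tCell agent's code: SHA-256, the message layout
# app_id:username:password for password hashing, and an 8-hex-char truncation.


def sanitize_uri(uri: str) -> str:
    """Keep every query-parameter name but strip its value."""
    parts = urlsplit(uri)
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    stripped = urlencode([(name, "") for name in names])  # "error=&test="
    return urlunsplit((parts.scheme, parts.netloc, parts.path, stripped, parts.fragment))


def session_id(session_token: str, hmac_key: Optional[bytes] = None) -> str:
    """One-way hash of the raw session token; keyed (HMAC) when hmac_key is set."""
    if hmac_key:
        return hmac.new(hmac_key, session_token.encode(), hashlib.sha256).hexdigest()
    return hashlib.sha256(session_token.encode()).hexdigest()


def password_id(password: str, app_id: str, username: str,
                password_hmac_key: Optional[bytes] = None, keep_hex: int = 8) -> str:
    """Keyed hash over app id, username and password, truncated so repeats of
    the same attempt are recognisable while the value is useless for recovery."""
    message = f"{app_id}:{username}:{password}".encode()
    digest = hmac.new(password_hmac_key or b"", message, hashlib.sha256).hexdigest()
    return digest[:keep_hex]


def transaction_id() -> str:
    """Random UUID; carries no customer- or user-identifiable data."""
    return str(uuid.uuid4())
```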

Violation Payload Data

The Violation Payloads options at Policies > App Firewall in the Monitor tab determine where tCell sends violation payload data.

The Send Payload Data to tCell option directs tCell to send full payloads with the event data to the tCell cloud. The payloads can help you better understand the nature of the attack on the application.

However, the payloads may contain personally identifiable information (PII) which, if displayed, could violate your GDPR or other compliance protocols. If you prefer not to send the payloads to the tCell cloud, disable the option. If disabled, all tCell features will continue to work. This feature will apply to form parameters and query parameters in the request (including header, body, and URL).

The Log Payload Data Locally option logs payload data to local logs (tcell.log). If selected, parameters listed in the Exclude sending payloads for parameters table will still be sanitized. Therefore, these values will not be sent to local logs.

These options only apply to the sending of payload data ("payload" is one field of an event). With either option enabled or disabled, all other tCell event data will still be sent to the cloud and local logging.

Events

| Event Type | Protection Category | Trigger | Fields | Sample |
|---|---|---|---|---|
| server_agent_details | Server Details | App server startup | user: User account the server process is running as<br>group: User group the server process is running as | `{"event_type":"server_agent_details","group":"1000","user":"userx"}` |
| server_agent_packages | Server Details | Class loaded / App initialization | n: Name of package<br>v: Version of package<br>l: License type | `{"event_type":"server_agent_packages","packages":[{"v":"0.0.4","n":"tcell-agent"},{"v":"1.0.4","n":"enum34"}]}` |
| appserver_routes | AppSensor | Route registered / App initialization | uri: URI with :placeholders for variables<br>method: GET, POST, etc., or * for any<br>rid: tCell route ID, a hash of route and method<br>destination: Description of where a request was routed (name of controller, function, etc.), defined per framework | `{"event_type":"appserver_routes","uri":"/user/:id/address","method":"*","rid":1396482959514716287,"destination":"com.customer123.controllers.UserAddress"}` |
| app_config_setting | Application Config Audit | App initialization | section: "service" or "connector"<br>prefix: service\engine\host\context or service\connector<br>name: Field name<br>value: Field value<br>package: Server type (Tomcat, etc.) | `{"event_type":"app_config_setting","section":"context","prefix":"Tomcat\nTomcat\nlocalhost\n/WebGoat","name":"timeout","value":"2880","package":"Tomcat"}` |
| redirect | Open Redirect | HTTP response with a 3xx response code | remote_addr: Remote IP of the user<br>method: GET, POST, etc.<br>to: Target redirect domain that violated policy<br>from_domain: Domain the user started on (HOST)<br>from: Sanitized URI doing the redirect<br>sid: HMAC of session ID<br>rid: tCell route ID | `{"event_type":"redirect","method":"get","remote_addr":"10.0.2.2","status_code":303,"to":"domain.com","from_domain":"the current domain","from":"path redirect came from","sid":"cb38d7630b38d7630b38d7630"}` |
| as | App Sensor | Suspicious HTTP request or response payload | dp: Name of detection point (xss, sqli, etc.)<br>param: Parameter name with suspicious payload<br>uid: User ID if login is enabled and the user is authenticated<br>loc: Sanitized URI path<br>sess: HMAC of session ID<br>data: Parameter type (header, query, etc.)<br>rou: tCell route ID<br>m: HTTP method<br>remote_addr: IP address of client | `{"event_type":"as","dp":"xss","cnt":1,"uid":"james","sid":"sessionhash","loc":"location/url","rou":"32432432","m":"get","data":{"fp":"s\u0026sos"},"remote_addr":"3.3.3.3"}` |
| discovery | Data Exposure | First access to any data source (database table, REST API, etc.) | type: database, REST API, etc.<br>db: Database name<br>schema: Database schema name<br>table: Database table name<br>fields: Names of fields accessed<br>rid: tCell route ID<br>uid: User ID if known<br>q: Query type | `{"event_type":"discovery","type":"db","rid":"2323224","uid":"bob@bob.com","q":"select","db":"redis:4334","schema":"asfdasf","table":"users","fields":["ssn","first_name"],"field":"field"}` |
| login | Login Fraud | User login | event_name: login-failure, login-success<br>user_agent: HTTP header<br>referrer: HTTP header<br>remote_addr: IP address of client<br>header_keys: HTTP header names, in order if possible<br>user_id: User that tried to log in<br>password_id: HMAC of password for the attempt<br>document_uri: URI that was posted to<br>session: HMAC of session ID<br>user_valid: null, true, false | `{"event_type":"login","event_name":"login-success","user_agent":"Mozilla/5.0 ...","referrer":"http://localhost:3085/users/sign_in","remote_addr":"10.0.2.2","header_keys":["VERSION","HOST","CONNECTION","CACHE_CONTROL","COOKIE"],"user_id":"1","password_id":"98ea6e4f","document_uri":"/users/sign_in","session":"e9e80cd52ad521ddb9090ac9ac","user_valid":true}` |

Metrics

| Metric Type | Description | Fields |
|---|---|---|
| rct | Route count table | c: Total requests<br>mx: Maximum request time (ms)<br>mn: Minimum request time (ms)<br>t: Average request time (ms) |
| sessions | Per-session metrics for authenticated users | ua: A dictionary of user agents whose value is the IPs they came from<br>uid: User ID for that session |

Sample rct metric:

```json
{
  "event_type": "metrics",
  "rct": {
    "98246921": {
      "c": 3,
      "mx": 446,
      "mn": 68,
      "t": 318
    },
    "?": {
      "c": 4,
      "mx": 9,
      "mn": 5,
      "t": 7
    }
  }
}
```

Sample sessions metric:

```json
{
  "event_type": "metrics",
  "sessions": {
    "hmac_of_session_id_x": [
      {
        "uid": "user_x",
        "track": [
          [
            "Mozilla/5.0 User Agent V1.03",
            [
              "1.1.1.1",
              "1.1.2.2"
            ]
          ]
        ]
      }
    ],
    "hmac_of_session_id_y": [
      {
        "uid": "user_y",
        "track": [
          [
            "Mozilla/3.0 User Agent V1.03",
            [
              "1.1.3.1"
            ]
          ],
          [
            "Chrome 30 User Agent",
            [
              "1.101.3.4"
            ]
          ]
        ]
      }
    ]
  }
}
```
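As an added illustration (not tCell's own code) of how the two metric payloads above are accumulated from per-request data: build_rct groups request timings by route ID into the rct fields c/mx/mn/t, and add_session_hit records (user agent, source IP) observations in the nested track layout of the sessions sample. It is assumed that "?" keys requests that matched no registered route, that the average is an integer, and that sid is the already-hashed session ID described under Sanitization.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumptions, not taken from the tCell agent: "?" keys requests that matched
# no registered route; t is an integer average; sid is the hashed session id.


def build_rct(requests: List[Tuple[Optional[str], int]]) -> dict:
    """requests: (route id or None, request time in ms) for each completed request."""
    timings: Dict[str, List[int]] = defaultdict(list)
    for rid, ms in requests:
        timings["?" if rid is None else rid].append(ms)
    rct = {}
    for rid, ms_list in timings.items():
        rct[rid] = {
            "c": len(ms_list),                  # total requests
            "mx": max(ms_list),                 # maximum request time (ms)
            "mn": min(ms_list),                 # minimum request time (ms)
            "t": sum(ms_list) // len(ms_list),  # average request time (ms)
        }
    return {"event_type": "metrics", "rct": rct}


def add_session_hit(sessions: dict, sid: str, uid: str, user_agent: str, ip: str) -> None:
    """Record one (user agent, source IP) observation for an authenticated session,
    producing the track layout of the sessions sample: [[ua, [ip, ...]], ...]."""
    entry = sessions.setdefault(sid, [{"uid": uid, "track": []}])[0]
    for ua, ips in entry["track"]:
        if ua == user_agent:
            if ip not in ips:          # same UA seen again from a new address
                ips.append(ip)
            return
    entry["track"].append([user_agent, [ip]])


# Constructed inputs chosen to reproduce the two samples above.
SAMPLE_REQUESTS = [("98246921", 446), ("98246921", 68), ("98246921", 440),
                   (None, 9), (None, 5), (None, 7), (None, 7)]


def sample_sessions() -> dict:
    sessions: dict = {}
    add_session_hit(sessions, "hmac_of_session_id_x", "user_x", "Mozilla/5.0 User Agent V1.03", "1.1.1.1")
    add_session_hit(sessions, "hmac_of_session_id_x", "user_x", "Mozilla/5.0 User Agent V1.03", "1.1.2.2")
    add_session_hit(sessions, "hmac_of_session_id_y", "user_y", "Mozilla/3.0 User Agent V1.03", "1.1.3.1")
    add_session_hit(sessions, "hmac_of_session_id_y", "user_y", "Chrome 30 User Agent", "1.101.3.4")
    return {"event_type": "metrics", "sessions": sessions}
```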