Data collected
tCell collects a variety of runtime information from your application. Two kinds of data are collected: events and metrics. Events are discrete occurrences or pieces of information (a login attempt, a redirect, a registered route). Metrics are counts of events, aggregated over a time window.
Sanitization
All data is passed through a sanitization filter before being asynchronously sent to the tCell service. No data leaves the application agent without first passing through this sanitization process. Sanitization steps are designed to prevent private data from leaving your network.
Sanitization steps include:
- Session IDs (sid): Session tokens are one-way hashed, keyed with an optional private key (hmac_key), to form the transmitted sid. This lets tCell associate multiple events from the same user session without knowing anything about the session token itself.
- Password IDs (passwordId): For agents that support password behavior tracking, the password in a login event is one-way hashed together with an optional private key (password_hmac_key), the tCell app ID, and the username, and only a small portion of the hash result is transmitted. The net result is that the tCell service can tell whether an IP address is trying a variety of passwords or usernames, or is trying the same one repeatedly: a misconfigured automated agent that always attempts the same username and password is therefore not flagged as an account takeover attack. Because only a limited portion of the hash is collected, the data is not useful for guessing the actual password, especially if the private key is used.
- Transaction IDs (tid): Transaction IDs are generated UUIDs that contain no customer- or user-identifiable data.
- URI sanitization: All URIs are sanitized by stripping parameter values and keeping only the parameter names. For example, the referrer URL http://localhost:8080/WebGoat/login.mvc?error=SomeErrorHere&test=SomeValue is sanitized to http://localhost:8080/WebGoat/login.mvc?error=&test=
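The following Python is an added illustration of the three sanitization steps above; it is not the tCell agent's source. The page does not state the hash algorithm, the message layout for the password hash, the truncation length, or what happens when no key is configured, so SHA-256, NUL-joined fields, an 8-hex-character prefix (matching the `98ea6e4f` in the login sample further down), and a plain-hash fallback are all assumptions here. `sanitize_login_event` and its input dict are also assumed shapes used only to show that the raw token and password never reach the transmitted event.

```python
"""Added example, not tCell code: re-implementation of the documented
sanitization steps (sid, passwordId, URI value stripping)."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlsplit, urlunsplit


def _digest(msg: bytes, key: Optional[bytes]) -> str:
    """Keyed SHA-256 HMAC when a private key is configured, plain SHA-256
    otherwise. The fallback is an assumption: the page only says the key is
    optional. Without a key, anyone holding the raw value can recompute the id."""
    if key:
        return hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hashlib.sha256(msg).hexdigest()


def sanitize_session_id(session_token: str, hmac_key: Optional[bytes] = None) -> str:
    """sid: one-way hash of the session token. Same token -> same sid, so events
    from one session can be correlated without the token ever leaving the agent."""
    return _digest(session_token.encode(), hmac_key)


def sanitize_password_id(password: str, app_id: str, username: str,
                         password_hmac_key: Optional[bytes] = None,
                         keep: int = 8) -> str:
    """passwordId: hash over password, app id and username, truncated to `keep`
    hex characters (8 assumed). Repeats of the same (username, password) from one
    IP produce the same id; 32 bits of a keyed hash cannot be reversed to the password."""
    msg = b"\x00".join(p.encode() for p in (app_id, username, password))
    return _digest(msg, password_hmac_key)[:keep]


def sanitize_uri(uri: str) -> str:
    """URI sanitization: keep parameter names, drop every value. The fragment is
    dropped too (assumption), since it can carry data just like a query value."""
    parts = urlsplit(uri)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    query = "&".join(f"{k}=" for k in names)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def sanitize_login_event(raw: dict, app_id: str,
                         hmac_key: Optional[bytes],
                         password_hmac_key: Optional[bytes]) -> dict:
    """Build the transmitted login event from raw request data (assumed input
    keys). Only hashed forms of the session token and password are emitted."""
    return {
        "event_type": "login",
        "event_name": raw["event_name"],
        "remote_addr": raw["remote_addr"],
        "referrer": sanitize_uri(raw["referrer"]),
        "user_id": raw["user_id"],
        "password_id": sanitize_password_id(raw["password"], app_id,
                                            raw["user_id"], password_hmac_key),
        "document_uri": sanitize_uri(raw["document_uri"]),
        "session": sanitize_session_id(raw["session_token"], hmac_key),
    }


# Constructed sample request data for a stand-alone run.
RAW_LOGIN = {
    "event_name": "login-failure",
    "remote_addr": "10.0.2.2",
    "referrer": "http://localhost:8080/WebGoat/login.mvc?error=SomeErrorHere&test=SomeValue",
    "user_id": "bob",
    "password": "hunter2",
    "document_uri": "/users/sign_in?next=/admin",
    "session_token": "s3ss10n-t0k3n-raw",
}

if __name__ == "__main__":
    print(sanitize_login_event(RAW_LOGIN, "app-123", b"hmac-key", b"pw-key"))
```

Running the block prints an event in which `referrer` has become `http://localhost:8080/WebGoat/login.mvc?error=&test=` and neither `hunter2` nor the raw session token appears anywhere.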
Violation Payload Data
The Violation Payloads options at Policies > App Firewall in the Monitor tab determine where tCell sends violation payload data.
The Send Payload Data to tCell option directs tCell to send full payloads with the event data to the tCell cloud. The payloads can help you better understand the nature of the attack on the application.
However, the payloads may contain personally identifiable information (PII) which, if displayed, could violate GDPR or other compliance requirements you are subject to. If you prefer not to send the payloads to the tCell cloud, disable the option; all other tCell features continue to work. The option covers every request parameter: form and query parameters as well as headers, body, and URL.
The Log Payload Data Locally option writes payload data to the local log (tcell.log). If it is selected, parameters listed in the Exclude sending payloads for parameters table are still sanitized, so their values do not appear in the local log either.
These options only apply to the sending of payload data ("payload" is one field of an event). With either option enabled or disabled, all other tCell event data will still be sent to the cloud and local logging.
Events
Event Type | Protection Category | Trigger | Fields | Sample
---|---|---|---|---
server_agent_details | Server Details | App server startup | user: user account the server process is running as<br>group: group the server process is running as | `{"event_type":"server_agent_details","group":"1000","user":"userx"}`
server_agent_packages | Server Details | Class loaded / app initialization | n: name of package<br>v: version of package<br>l: license type | `{"event_type":"server_agent_packages","packages":[{"v":"0.0.4","n":"tcell-agent"},{"v":"1.0.4","n":"enum34"}]}`
appserver_routes | AppSensor | Route registered / app initialization | uri: URI with :placeholders for variables<br>method: GET, POST, etc., or * for any<br>rid: tCell route ID, a hash of route and method<br>destination: description of where a request was routed (controller name, function, etc.), defined per framework | `{"event_type":"appserver_routes","uri":"/user/:id/address","method":"*","rid":1396482959514716287,"destination":"com.customer123.controllers.UserAddress"}`
app_config_setting | Application Config Audit | App initialization | section: "service" or "connector"<br>prefix: service\engine\host\context or service\connector<br>name: field name<br>value: field value<br>package: server type (Tomcat, etc.) | `{"event_type":"app_config_setting","section":"context","prefix":"Tomcat\nTomcat\nlocalhost\n/WebGoat","name":"timeout","value":"2880","package":"Tomcat"}`
redirect | Open Redirect | HTTP response with a 3xx status code | remote_addr: remote IP of the user<br>method: GET, POST, etc.<br>status_code: HTTP status code of the redirect response<br>to: target redirect domain that violated policy<br>from_domain: domain the user started on (Host)<br>from: sanitized URI doing the redirect<br>sid: HMAC of session ID<br>rid: tCell route ID | `{"event_type":"redirect","method":"get","remote_addr":"10.0.2.2","status_code":303,"to":"domain.com","from_domain":"the current domain","from":"path redirect came from","sid":"cb38d7630b38d7630b38d7630"}`
as | App Sensor | Suspicious HTTP request or response payload | dp: name of detection point (xss, sqli, etc.)<br>param: parameter name carrying the suspicious payload<br>uid: user ID if login tracking is enabled and the user is authenticated<br>loc: sanitized URI path<br>sess: HMAC of session ID<br>data: parameter type (header, query, etc.)<br>rou: tCell route ID<br>m: HTTP method<br>remote_addr: IP address of the client | `{"event_type":"as","dp":"xss","cnt":1,"uid":"james","sid":"sessionhash","loc":"location/url","rou":"32432432","m":"get","data":{"fp":"s\u0026sos"},"remote_addr":"3.3.3.3"}`
discovery | Data Exposure | First access to any data source (database table, REST API, etc.) | type: database, REST API, etc.<br>db: database name<br>schema: database schema name<br>table: database table name<br>fields: names of the fields accessed<br>rid: tCell route ID<br>uid: user ID if known<br>q: query type | `{"event_type":"discovery","type":"db","rid":"2323224","uid":"bob@bob.com","q":"select","db":"redis:4334","schema":"asfdasf","table":"users","fields":["ssn","first_name"],"field":"field"}`
login | Login Fraud | User login | event_name: login-failure or login-success<br>user_agent: HTTP header<br>referrer: HTTP header<br>remote_addr: IP address of the client<br>header_keys: HTTP header names, in order if possible<br>user_id: user that tried to log in<br>password_id: HMAC of the password used in the attempt<br>document_uri: URI that was posted to<br>session: HMAC of session ID<br>user_valid: null, true, or false | `{"event_type":"login","event_name":"login-success","user_agent":"Mozilla/5.0 ...","referrer":"http://localhost:3085/users/sign_in","remote_addr":"10.0.2.2","header_keys":["VERSION","HOST","CONNECTION","CACHE_CONTROL","COOKIE"],"user_id":"1","password_id":"98ea6e4f","document_uri":"/users/sign_in","session":"e9e80cd52ad521ddb9090ac9ac","user_valid":true}`
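Because password_id is a stable, truncated hash of (password, username, app), login events are enough to separate the cases the Sanitization section describes without ever seeing a password. The Python below is an added example, not tCell code or a tCell detection rule: it reads login events in the shape shown in the table, groups login-failure events by remote_addr, and classifies each source by how many distinct user_id and password_id values it tried. The event lines, the IP addresses, the threshold of five failures, and the verdict names are all constructed for the example.

```python
"""Added example, not tCell code: classify login-failure activity per source IP
from login events in the format documented above."""
import json
from collections import defaultdict


def _login(name, ip, uid, pid):
    """Constructed login event line (subset of the documented fields)."""
    return json.dumps({"event_type": "login", "event_name": name,
                       "remote_addr": ip, "user_id": uid, "password_id": pid,
                       "document_uri": "/users/sign_in"})


# Constructed sample feed. Each IP models one behaviour:
#   10.0.2.2  many users, many password_ids  -> credential stuffing
#   10.0.2.3  one user, one password_id      -> misconfigured client, not ATO
#   10.0.2.5  one user, many password_ids    -> password guessing
#   10.0.2.6  many users, one password_id    -> password spraying
#   10.0.2.4  one failure then a success     -> normal
SAMPLE_EVENTS = (
    [_login("login-failure", "10.0.2.2", f"user{i}", f"{i:08x}") for i in range(6)]
    + [_login("login-failure", "10.0.2.3", "svc", "98ea6e4f") for _ in range(6)]
    + [_login("login-failure", "10.0.2.5", "alice", f"{i:08x}") for i in range(6)]
    + [_login("login-failure", "10.0.2.6", f"user{i}", "deadbeef") for i in range(6)]
    + [_login("login-failure", "10.0.2.4", "bob", "0badf00d"),
       _login("login-success", "10.0.2.4", "bob", "c0ffee11")]
)


def failure_stats(event_lines):
    """Per remote_addr: failure count and the distinct user/password ids tried.
    Non-login events and successes are ignored."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "passwords": set()})
    for line in event_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "login" or ev.get("event_name") != "login-failure":
            continue
        s = stats[ev["remote_addr"]]
        s["failures"] += 1
        s["users"].add(ev["user_id"])
        s["passwords"].add(ev["password_id"])
    return stats


def classify_sources(event_lines, threshold=5):
    """Map each source IP to a verdict. A source repeating one (user, password)
    pair is reported as repeated-credential rather than as an attack, which is
    exactly the distinction the truncated password hash makes possible."""
    verdicts = {}
    for ip, s in failure_stats(event_lines).items():
        if s["failures"] < threshold:
            verdicts[ip] = "normal"
        elif len(s["users"]) == 1 and len(s["passwords"]) == 1:
            verdicts[ip] = "repeated-credential"
        elif len(s["users"]) == 1:
            verdicts[ip] = "password-guessing"
        elif len(s["passwords"]) == 1:
            verdicts[ip] = "password-spraying"
        else:
            verdicts[ip] = "credential-stuffing"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_EVENTS).items()):
        print(ip, verdict)
```

Note that the classification only works because password_id is deterministic for a given user and password; if your deployment sets password_hmac_key, the ids differ per application but remain stable within it, which is all this grouping needs.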
Metrics
Metric Type | Description | Fields | Sample |
---|---|---|---|
rct | Route count table | c: Total requests mx: Maximum Request Time (ms) mn: Minimum Request Time (ms) t: Average Request Time (ms) |
{"event_type":
1"rct": {2"98246921": {3"c": 3,4"mx": 446,5"mn": 68,6"t": 3187},8"?": {9"c": 4,10"mx": 9,11"mn": 5,12"t": 713}14}15``` |16| sessions | Per session metrics for authenticated users | ua: A dictionary of user-agents whose value is the ip's they came from<br>uid: User ID for that session | ```17"event_type": "metrics",18"sessions": {19"hmac_of_session_id_x": [20{21"uid": "user_x",22"track": [23[24"Mozilla/5.0 User Agent V1.03",25[26"1.1.1.1",27"1.1.2.2"28]29]30]31}32],33"hmac_of_session_id_y": [34{35"uid": "user_y",36"track": [37[38"Mozilla/3.0 User Agent V1.03",39[40"1.1.3.1"41],42[43"Chrome 30 User Agent",44[45"1.101.3.4"46]47]48]49]50}51]52}