Data collected

tCell collects a variety of runtime information from your application. There are two types of data collected, events and metrics. Events represent discrete events or pieces of information. Metrics represent time based counts of different events.

Sanitization

All data is passed through a sanitization filter before being asynchronously sent to the tCell service. No data leaves the application agent without first passing through this sanitization process. Sanitization steps are designed to prevent private data from leaving your network.

Sanitization steps include:

Session IDs (sid): Session tokens are one-way hashed with an optional private key (hmac_key) to form the transmitted sid. This lets tCell associate multiple events from the same user session without knowing anything about the session itself.

Password IDs (passwordId): For agents that support password behavior tracking, passwords for login events are one-way hashed with an optional private key (password_hmac_key), the tcell app id, and the username, and then a small portion of the hash result is used. The net result is that the tCell service can determine if an ip address is trying a variety of passwords or usernames, or is trying the same one repeatedly. Thus, a misconfigured automated agent which always attempts the same username and password is not flagged as an an account takeover attack. However, because of the limited portion of the hash collected, the data is not useful to try to guess the actual password, especially if the private key is used.

Transaction IDs (tid): Generate UUIDs for transaction IDs using no customer or user identifiable data. URI sanitization: URIs are all sanitized by stripping parameter values. For example, the referrer URL http://localhost:8080/WebGoat/login.mvc?error=SomeErrorHere&test=SomeValue will be sanitized to http://localhost:8080/WebGoat/login.mvc?error=&test=

Violation Payload Data

The Violation Payloads options at Policies > App Firewall in the Monitor tab determine where tCell sends violation payload data.

The Send Payload Data to tCell option directs tCell to send full payloads with the event data to the tCell cloud. The payloads can help you better understand the nature of the attack on the application.

However, the payloads may contain personally identifiable information (PII) which, if displayed, could violate your GDPR or other compliance protocols. If you prefer not to send the payloads to the tCell cloud, disable the option. If disabled, all tCell features will continue to work. This feature will apply to form parameters and query parameters in the request (including header, body, and URL).

The Log Payload Data Locally option logs payload data to local logs (tcell.log). If selected, parameters listed in the Exclude sending payloads for parameters table will still be sanitized. Therefore these values will not be sent to local logs.

These options only apply to the sending of payload data ("payload" is one field of an event). With either option enabled or disabled, all other tCell event data will still be sent to the cloud and local logging.

Events

Events Type	Protection Category	Trigger	Fields	Sample
server_agent_details	Server Details	App server startup	user: User account the server process is running as	user group: Group the server process is running as	`json{"event_type":"server_agent_details","group":"1000","user":"userx"}`
server_agent_packages	Server Details	Class loaded/App Initialization	n: Name of package v: Version of package l: License type
`json{"event_type":"server_agent_packages","packages": [{"v": "0.0.4", "n": "tcell-agent"}, {"v": "1.0.4", "n": "enum34"}`
appserver_routes	AppSensor	Route registered/App Initialization	uri: uri with :placeholders for variables method: GET, POST, etc or * for any rid: tCell route id. A hash of route&method destination: Description of where a request was routed, i.e. name of controller, function, etc defined on a per-framework basis	`json{"event_type":"appserver_routes","uri":"/user/:id/address","method":"*"<br/>"rid":1396482959514716287,"destination":"com.customer123.controllers.UserAddress"}`
app_config_setting	Application Config Audit	App Initialization	section: "service" or "connector" prefix: service\engine\host\context or service\connector name: field name value: field value package: Server type (Tomcat, etc.)	`json{"event_type" : "app_config_setting","section" : "context","prefix" : "Tomcat\nTomcat\nlocalhost\n/WebGoat",<"name" : "timeout","value" : "2880","package" : "Tomcat"}`
redirect	Open Redirect	Http response with a 3xx response code	remote_addr: remote ip of the user method: GET, POST etc to: target redirect domain that violated policy from_domain: domain user started on (HOST) from: Sanitized uri doing the redirect sid: HMAC of session id rid: tCell route id	`json{"event_type":"redirect","method":"get","remote_addr":"10.0.2.2","status_code":303,"to":"domain.com","from_domain":"the current domain","from":"path redirect came from","sid":"cb38d7630b38d7630b38d7630"}`
as	App Sensor	Suspicious HTTP request or response payload	dp: Name of detection point, i.e. xss, sqli, etc. param: Parameter name with suspicious payload uid: User ID if login enabled and user authenticated loc: Sanitized URI path sess HMAC of session ID data: parameter type (header, query, etc.) rou: tCell route ID m: HTTP method remote_addr: IP Address of client	`json{"event_type":"as","dp":"xss","cnt":1,"uid":"james","sid":"sessionhash","loc":"location/url","rou":"32432432","m":"get","data":{"fp":"s\u0026sos"},"remote_addr":"3.3.3.3"}`
discovery	Data Exposure	First access to any data source (database table, REST api, etc.)	type: database, REST API, etc. db: database name schema: database schema name table: database table name fields: name fields accessd rid: tCell route_id uid: user_id if known q: Query type	`json<br/>{"event_type":"discovery","type":"db","rid":"2323224","uid":"bob@bob.com","q":"select","db":"redis:4334","schema":"asfdasf","table":"users","fields":["ssn","first_name"],"field":"field"}`
login	Login fraud	User login	event_name: login-failure, login-success user_agent: HTTP header referrer: HTTP header remote_addr
header_keys: HTTP header names, in order if possible user_id: user that tried to login password_id: hmac of password for the attempt document_uri: uri that was posted to session: HMAC of sessionid user_valid: null, true, false	`json<br/>{"event_type":"login","event_name":"login-success","user_agent":"Mozilla/5.0 ...","referrer":"http://localhost:3085/users/sign_in","remote_addr":"10.0.2.2","header_keys":["VERSION","HOST","CONNECTION","CACHE_CONTROL","COOKIE"],"user_id":"1","password_id":"98ea6e4f","document_uri":"/users/sign_in","session":"e9e80cd52ad521ddb9090ac9ac","user_valid": true}<br/>`

Metrics

Metric Type	Description	Fields	Sample
rct	Route count table	c: Total requests mx: Maximum Request Time (ms) mn: Minimum Request Time (ms) t: Average Request Time (ms)

{"event_type":
1
  "rct": {
2
    "98246921": {
3
      "c": 3,
4
      "mx": 446,
5
      "mn": 68,
6
      "t": 318
7
    },
8
    "?": {
9
      "c": 4,
10
      "mx": 9,
11
      "mn": 5,
12
      "t": 7
13
    }
14
  }
15
  ``` |
16
| sessions | Per session metrics for authenticated users | ua: A dictionary of user-agents whose value is the ip's they came from<br>uid: User ID for that session | ```
17
"event_type": "metrics",
18
  "sessions": {
19
    "hmac_of_session_id_x": [
20
      {
21
        "uid": "user_x",
22
        "track": [
23
          [
24
            "Mozilla/5.0 User Agent V1.03",
25
            [
26
              "1.1.1.1",
27
              "1.1.2.2"
28
            ]
29
          ]
30
        ]
31
      }
32
    ],
33
    "hmac_of_session_id_y": [
34
      {
35
        "uid": "user_y",
36
        "track": [
37
          [
38
            "Mozilla/3.0 User Agent V1.03",
39
            [
40
              "1.1.3.1"
41
            ],
42
            [
43
              "Chrome 30 User Agent",
44
              [
45
                "1.101.3.4"
46
              ]
47
            ]
48
          ]
49
        ]
50
      }
51
    ]
52
  }