Glossary

Here are the terms we use in our product and documentation:

Agent API Key

Credentials used by an agent, either server agent or JS Agent, to authenticate the agent with tCell cloud.

Agent Cache

A local copy of the Application Policy stored on the agent server's file system. This allows the agent to process requests even if there are network connectivity problems with the Agent Management Service.

Agent Management Service (AMS)

tCell cloud service that provides agents access to the Application Policy.

Alert

For all of the new Newsfeed event categories, tCell can communicate proactively by sending notifications via Email, Slack™, Microsoft Teams™, or webhooks.

For more on alerts, see: Newsfeed and Alerts.

App Firewall Blocking Event

An App Firewall blocking event is a specialized App Firewall event sent when an incoming client request is blocked for violating the application's App Firewall policy settings.

App Firewall Event

An App Firewall event is a specialized event sent when an incoming client request violates the application's App Firewall policy settings.

Application

A web service that has 1 or more identical instances running and protected by tCell.

Application ID

A unique key used to identify applications by tCell. tCell auto-generates this for each new application.

Application Policy

This is the customer-defined configuration for any tCell application. It controls how individual tCell features operate for a given client request. For example, policies control what Application Firewall Events are emitted.

Application Scope

The set of applications a given key can send data for and retrieve policies for.

CIDR Notation

CIDR (Classless Inter-Domain Routing) notation is an alternative to subnetting that allows more control over addressing contiguous blocks of IP addresses. CIDR notation starts with an IP address and appends a forward slash (/) followed by a decimal number specifying the number of significant bits in the network block. For example, the class C netmask 255.255.255.0 specifies that the first three octets (or 24 significant bits) of an IP address define the network block. In CIDR notation, the equivalent is an IP address followed by /24, indicating the number of significant bits in the network block. A value less than 24 shortens the network prefix, so the block matches more addresses because fewer bits are significant. For example, the CIDR notation 192.0.0.0/24 contains the 256 IP addresses between 192.0.0.0 and 192.0.0.255.

In the context of tCell, you can use CIDR notation with Application Firewall blocking and filtering rules to either block or filter out all requests coming from a CIDR block.
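The following added example (generic Python, not tCell's implementation) shows how a client address can be checked against CIDR block rules. The rule list and function names are assumptions made for illustration; it parses rules strictly and unwraps IPv4-mapped IPv6 addresses so the same client matches regardless of how its address is presented.

```python
import ipaddress

# Constructed sample rules; 192.0.0.0/24 is the block used in the entry above.
BLOCK_RULES = ["192.0.0.0/24", "10.20.0.0/16"]


def parse_rules(rules):
    """Parse CIDR strings strictly: a rule with host bits set, such as
    192.0.0.5/24, raises ValueError instead of being silently widened."""
    return [ipaddress.ip_network(rule, strict=True) for rule in rules]


def normalize(addr):
    """Parse a client address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def matching_rule(addr, networks):
    """Return the first network that contains addr, or None if none does."""
    ip = normalize(addr)
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def block_size(cidr):
    """Number of addresses covered by a CIDR block."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


if __name__ == "__main__":
    nets = parse_rules(BLOCK_RULES)
    for client in ["192.0.0.255", "192.0.1.0", "::ffff:192.0.0.7"]:
        print(client, "->", matching_rule(client, nets))
    # A shorter prefix covers more addresses: /24 is 256, /16 is 65536.
    print(block_size("192.0.0.0/24"), block_size("192.0.0.0/16"))
```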

Classic IIS Mode

Introduced in IIS 7.0, Classic IIS mode is one of two primary modes that dictate how IIS processes incoming HTTP/S requests. Classic IIS mode supports older applications on IIS 7.0 or later that don't fulfill the requirements at https://docs.microsoft.com/en-us/iis/application-frameworks/building-and-running-aspnet-applications/aspnet-20-breaking-changes-on-iis and cannot meet the integrated mode requirements. In classic mode, events are processed through ISAPI.

Code Instrumentation

The practice of compiling diagnostic code with application source files for runtime monitoring and analysis.

Domain

The Domain Name System (DNS) has a tree structure or hierarchy in which each node on the tree is a domain name.

A domain name identifies a network domain or represents an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, a server computer hosting a website, the website itself, or any other service communicated via the Internet.

Wildcards are not supported in the domain suffix.

Event

In the context of a tCell application, an event is an application update an agent sends to the tCell cloud, either reflecting a policy violation or an overall state change of the application.

Field

tCell uses this term to reference any type of named element in an HTTP request, such as an HTTP request header, a parameter (either a query parameter or one in the body, also known as a POST parameter), or a cookie.

Full Control

A permission set in Windows that allows user(s) or group(s) to have full read, write, append, and modify access to a particular file or directory. Not all Windows versions support full control.

For versions that do not support full control, when installing agents, one should use read/write control. Read/write control is not always the same as full control, but should allow IIS agents to operate correctly.

Integrated IIS Mode

Introduced in IIS 7.0, Integrated IIS mode is one of two primary mechanisms for how IIS processes incoming HTTP/S requests. In integrated mode, the ASP.NET runtime is deeply integrated with the IIS server. For more details, see https://docs.microsoft.com/en-us/iis/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline.

Master Key

An Agent API Key that can send data and retrieve policies for all applications within the customer.

Newsfeed

The tCell console has a Newsfeed feature, which identifies significant events associated with a tCell app. You can view the Newsfeed for a specific app or a combined Newsfeed of significant events from all your tCell apps in the overview.

For more on the Newsfeed, see: Newsfeed and Alerts.

NGINX Build Provenance

An NGINX server can be built and deployed in many ways. NGINX Build Provenance describes the detailed mechanism by which a specific NGINX server was built and deployed onto a specific server. For example, it can be built from source using the configure script and makefiles. It can also be installed on many Linux flavors using the standard apt-get tool. OpenResty also has numerous binary distributions, which are specific NGINX builds bundled with other OpenResty components.

OS Command Event

An OS Command event is a specialized event sent when an incoming client request violates the application's OS command policy settings.

Packages

Packages are software modules, normally written and maintained by third parties, designed to perform common operations that are reused by applications. This allows applications to be written faster since developers don't need to rewrite or learn highly specialized operations.

Parameter

Shorthand for an HTTP Parameter. This includes both query, or GET, parameters and body, or POST, parameters.

Path

The portion of the URL expressed in the request between the host and port information and the query string.

Payload

The specific text or bytes recognized by attack sensors as malicious patterns of input.

POST Parameter

Refers to standard form-encoded HTTP parameters in the request body.

Query Parameter

A parameter expressed as part of the query string, the last component of the requested HTTP URL (Ref: https://en.wikipedia.org/wiki/Query_string).

Route

tCell uses the concept of Routes to denote logical endpoints in the application. A Route is an abstraction for an application to express an HTTP endpoint. It is usually made up of two parts: the HTTP method, such as POST, and a path-like pattern with some notation to allow for parameters being part of the path. Consider the endpoint /foo/{user}/update, where URL paths /foo/alice/update and /foo/bob/update would map to the same route. The Route for both these endpoints would be "GET /foo/:user:/update". Therefore, there are many paths (and by extension, URLs) that map to a route.

A RouteId is the unique combination of the route method and pattern as a string. To keep the RouteId simple and short, it is usually a hash of those unique elements together. For example, hash(GET /admin/:admin_id/profile) would produce a hash of "49889364". Depending upon the agent type and the level of support for the framework in use, the exact information can vary.
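The following added example (generic Python, not tCell agent code) shows how many request URLs collapse onto one route so that events can be counted per logical endpoint. The route table, the sample requests and the function names are assumptions made for illustration; patterns use the {param} notation from the endpoint above, and no RouteId hash is computed because the page does not specify the hash function.

```python
import re
from collections import Counter

# Constructed route table in the {param} notation used in the entry above.
ROUTES = [
    ("GET", "/foo/{user}/update"),
    ("GET", "/admin/{admin_id}/profile"),
]


def compile_route(method, pattern):
    """Build a regex in which each {name} matches exactly one path segment."""
    parts = re.split(r"\{(\w+)\}", pattern)  # odd indexes are parameter names
    regex = "".join(
        f"(?P<{part}>[^/]+)" if i % 2 else re.escape(part)
        for i, part in enumerate(parts)
    )
    return method, pattern, re.compile(regex)


COMPILED = [compile_route(m, p) for m, p in ROUTES]


def route_for(method, url):
    """Map a request to (route, params); (None, {}) when nothing matches."""
    path = url.split("?", 1)[0]  # the query string is not part of the path
    for route_method, pattern, rx in COMPILED:
        match = rx.fullmatch(path)
        if route_method == method.upper() and match:
            return f"{route_method} {pattern}", match.groupdict()
    return None, {}


def events_by_route(requests):
    """Count (method, url) pairs per route; unmatched ones go to '(unrouted)'."""
    return Counter(route_for(m, u)[0] or "(unrouted)" for m, u in requests)


if __name__ == "__main__":
    sample = [  # constructed requests
        ("GET", "/foo/alice/update"),
        ("GET", "/foo/bob/update?debug=1"),
        ("GET", "/foo/a/b/update"),
        ("POST", "/foo/alice/update"),
    ]
    print(events_by_route(sample))
```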

Sensor

The tCell App Firewall has many specific patterns of content and behavior it scans for in requests. Each specific classification it can identify is called a sensor.

Standard Output (stdout)

Every Unix-based operating system has a concept of a default place for output to go, called "Standard Output" or, as it's often called, "stdout". More specifically, stdout is the default file descriptor where a process can write output. In a shell or terminal, standard output defaults to the user's screen.

Start Mode

Start mode is a configuration option in IIS for IIS web applications. Start Mode determines when a web application will start. When set to AlwaysRunning, the IIS web application will start right after its configuration is read. When set to OnDemand, the web application will not start until after the application receives its first HTTP/S request.

Subdomain

In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain.

Widely recognized subdomains, such as WWW and FTP, allow for a hierarchy where the domain contains administrative directories and files including the FTP directories and webpages. The FTP subdomain could contain logs and web page directories, and the WWW subdomain could contain the directories for the webpages.

Independent authentication for each domain provides access control over the various levels of the domain.

Wildcards are supported as a subdomain prefix.

Unusual request size (reqsz)

The Unusual request size (reqsz) sensor is a specific App Firewall sensor that signifies a large HTTP request. The threshold for determining large size is configured on the App Firewall policy page.

Unusual response size (rspsz)

The Unusual response size (rspsz) sensor is a specific App Firewall sensor that signifies a large HTTP response. The threshold for determining large size is configured on the App Firewall policy page.