Newsfeed and Alerts

The tCell console has a Newsfeed feature, which identifies significant events associated with a tCell app. You can view the Newsfeed for a specific app or a combined Newsfeed of significant events from all your tCell apps in the overview.

The following event types are listed roughly in order from highest to lowest priority.

Newsfeed

Inline Script suspected XSS Attack detected

The tCell JavaScript agent (jsagent) running in a client browser has reported a script that is believed to be part of an XSS attack. This usually represents a successful exploit against the web application, whether the script was injected entirely within the browser (a DOM-based reflection) or reflected back through your app server.

Suspected command injection detected

A tCell agent has identified external commands being executed by the app server that are not listed as intended in the command injection policy.

In a new install, this can simply represent intended app behavior. Once the intended commands are added to your policy, these events occur only when a new, unintended command is attempted. Depending on your configuration mode, the command is either blocked and then reported, or simply reported.

Suspected password attack

tCell has identified a sustained series of login attempts, either from a single client IP or distributed across many. tCell also identifies whether the attack targets a particular username or is spread broadly across many usernames.

In addition, tCell can often infer from the pattern of attempts which accounts may have been compromised.
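The classification above (single-source versus distributed, targeted versus broad, and a success that follows a run of failures as the sign of a likely compromise) can be reproduced over plain login logs. The following Python is an added example, not tCell's detection code; the log lines and the thresholds (`min_failures`, the 80% single-source share, the 50% targeted share, three failures before a success) are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample login logs (not real traffic): "<timestamp> <client ip> <username> <FAIL|OK>"
TARGETED_SAMPLE = """\
2024-03-01T10:00:01 203.0.113.7 alice FAIL
2024-03-01T10:00:02 203.0.113.7 alice FAIL
2024-03-01T10:00:03 203.0.113.7 alice FAIL
2024-03-01T10:00:04 203.0.113.7 alice FAIL
2024-03-01T10:00:05 203.0.113.7 alice FAIL
2024-03-01T10:00:06 203.0.113.7 alice FAIL
2024-03-01T10:00:07 203.0.113.7 alice OK
2024-03-01T10:00:08 198.51.100.5 bob FAIL
2024-03-01T10:00:09 198.51.100.5 bob OK
"""

# A password spray: many sources, one attempt per username, no successes.
SPRAY_SAMPLE = """\
2024-03-01T11:00:01 192.0.2.11 alice FAIL
2024-03-01T11:00:02 192.0.2.12 bob FAIL
2024-03-01T11:00:03 192.0.2.13 carol FAIL
2024-03-01T11:00:04 192.0.2.14 dave FAIL
2024-03-01T11:00:05 192.0.2.15 erin FAIL
2024-03-01T11:00:06 192.0.2.16 frank FAIL
"""


def parse(text):
    """Parse log lines into (timestamp, ip, user, success) tuples in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    events.sort()
    return events


def analyze(text, min_failures=5, single_source_share=0.8,
            targeted_share=0.5, min_fails_before_success=3):
    """Classify the failures in one window and infer likely compromised accounts."""
    events = parse(text)
    failures = [e for e in events if not e[3]]
    if len(failures) < min_failures:
        return {"attack": False}

    by_ip = Counter(ip for _, ip, _, _ in failures)
    by_user = Counter(user for _, _, user, _ in failures)
    top_ip, top_ip_n = by_ip.most_common(1)[0]
    top_user, top_user_n = by_user.most_common(1)[0]
    mode = "single-source" if top_ip_n / len(failures) >= single_source_share else "distributed"
    targeting = f"targeted:{top_user}" if top_user_n / len(failures) >= targeted_share else "broad"

    # Compromise inference: a success for a user from an IP that had already failed
    # against that same user at least min_fails_before_success times earlier in the window.
    fails_so_far = defaultdict(int)  # (ip, user) -> failures seen before the current event
    compromised = []
    for _, ip, user, ok in events:
        if ok:
            if fails_so_far[(ip, user)] >= min_fails_before_success and user not in compromised:
                compromised.append(user)
        else:
            fails_so_far[(ip, user)] += 1

    return {
        "attack": True,
        "mode": mode,
        "targeting": targeting,
        "source_ips": sorted(by_ip),
        "suspect_compromised": compromised,
    }


if __name__ == "__main__":
    print(analyze(TARGETED_SAMPLE))
    print(analyze(SPRAY_SAMPLE))
```

Note that bob's single failure followed by a success is left alone: a typo before a correct password is normal, and only a success after a run of failures from the same source is treated as a likely compromise.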

New Package vulnerability detected

Some of the package names, version numbers, and signatures provided by an agent are newly identified as containing vulnerabilities.

This could happen in three different scenarios:

  • You have just brought up an agent for the first time, and it has reported package versions which are known to contain vulnerabilities.
  • New packages or new package versions have been detected in an agent deployment which are known to contain vulnerabilities.
  • No change has occurred to the reported set of packages, but the tCell service has received new vulnerability information, so that pre-existing packages are now known to be vulnerable.

We recommend that you review the CVE information in detail to decide on a course of action. In some cases, there may be vulnerabilities that affect a package version, but only in a certain configuration or operating system.

IP flagged as suspicious

The tCell service has identified an IP address as sending a pattern of suspicious activity. If set to report-only mode, the suspicious actor feature simply identifies the problem in the Newsfeed, alerts, and API. In blocking mode, requests from these IPs may be partially or entirely blocked.

Typically, suspicious IPs remain automatically flagged until the suspicious requests cease for a 24 hour period.

This can occur as intended, when an attacker begins probing your site. It could also occur because a pattern of false positives has occurred. Early in a deployment, this is a good opportunity to review the requests made by this client IP to ensure your policy is working well for you. In a mature configuration, it may represent a chance to take proactive action against a potential attacker.

CSP misconfiguration detected

tCell has identified a broad pattern of CSP (Content Security Policy) reports across many clients. This likely means that your web site is intended to load a resource, but the current CSP settings do not list it as a valid resource.

tCell is advising you that you should probably add these identified web resources to your CSP configuration.

Inline Script misconfiguration detected

tCell has identified a broad pattern of inline script reports by the JavaScript agent (jsagent) across many clients. This likely means that your web site is intentionally including inline scripts that are not currently listed as expected inline script signatures.

tCell is advising you that you should probably add these inline scripts to the list of expected inline script signatures.
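The two misconfiguration items above share one idea: a violation seen across many distinct clients is a policy gap, while a burst of reports from a single client is not. The following Python is an added example (not tCell's code) that aggregates CSP violation reports in the standard report-uri JSON format browsers POST. A resource blocked for many clients becomes a candidate source for the directive, a blocked-uri of "inline" is routed to the inline-script bucket (since the fix is a script signature, hash or nonce, not a host to allowlist), and a single client generating many reports (a browser extension injecting a script, or one attacker probing) is kept separate. The sample reports and the `min_clients` threshold are constructed; the client IP at the start of each line stands in for whatever your report endpoint logs.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one report per line as "<client ip> <csp-report JSON>" (report-uri format).
SAMPLE_REPORTS = """\
198.51.100.10 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/analytics.js"}}
198.51.100.11 {"csp-report": {"document-uri": "https://app.example.com/login", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/analytics.js"}}
198.51.100.12 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "https://cdn.example.net/analytics.js"}}
198.51.100.10 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "img-src", "blocked-uri": "https://images.example.net/logo.png"}}
198.51.100.13 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "img-src", "blocked-uri": "https://images.example.net/logo.png"}}
198.51.100.14 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "img-src", "blocked-uri": "https://images.example.net/logo.png"}}
198.51.100.20 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "inline"}}
198.51.100.21 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "inline"}}
198.51.100.22 {"csp-report": {"document-uri": "https://app.example.com/", "violated-directive": "script-src 'self'", "blocked-uri": "inline"}}
203.0.113.99 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "https://unknown.example.org/inject.js"}}
203.0.113.99 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "https://unknown.example.org/inject.js"}}
203.0.113.99 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "https://unknown.example.org/inject.js"}}
203.0.113.99 {"csp-report": {"document-uri": "https://app.example.com/", "effective-directive": "script-src", "blocked-uri": "https://unknown.example.org/inject.js"}}
"""


def source_expr(blocked_uri):
    """Reduce a blocked-uri to the host source you would allowlist (scheme://host[:port]);
    keywords such as 'inline', 'eval' or 'data' are returned unchanged."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri


def summarize(text, min_clients=3):
    """Group reports by (directive, source) and sort them into policy candidates,
    inline-script findings, and isolated single-client noise."""
    clients = defaultdict(set)  # (directive, source) -> distinct client ips
    reports = defaultdict(int)  # (directive, source) -> report count
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, body = line.split(" ", 1)
        r = json.loads(body)["csp-report"]
        # Older reports carry only violated-directive, whose value includes the
        # directive's source list; the directive name is its first token.
        directive = r.get("effective-directive") or r["violated-directive"].split()[0]
        key = (directive, source_expr(r["blocked-uri"]))
        clients[key].add(ip)
        reports[key] += 1

    add_to_policy = defaultdict(list)
    inline_script = {}
    isolated = []  # (directive, source, report count, distinct clients)
    for (directive, src), ips in clients.items():
        if len(ips) < min_clients:
            isolated.append((directive, src, reports[(directive, src)], len(ips)))
        elif src == "inline":
            inline_script[directive] = len(ips)
        else:
            add_to_policy[directive].append(src)
    return {
        "add_to_policy": {d: sorted(s) for d, s in add_to_policy.items()},
        "inline_script": inline_script,
        "isolated": sorted(isolated),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORTS), indent=2))
```

The isolated bucket is the one to look at before touching the policy: four reports for an unknown host from one client is exactly the shape an injected script produces, and allowlisting it would defeat the policy.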

New Package(s) detected

Agents are reporting packages or package versions that were not reported in the past. This happens when you add a new agent (the initial set of package reports is all considered new), or when you upgrade packages in your deployment, such as when you deploy a new version of your app with updated libraries.

This could also happen if packages are deployed into your environment that are not intended.
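The "New Package(s) detected" item above and the three scenarios listed under "New Package vulnerability detected" are both differences between snapshots: the package set an agent reported before versus now, and the vulnerability information the service held before versus now. The following Python is an added example (not tCell's code) that derives both event types from such snapshots and labels each vulnerability event with the scenario that produced it. The package names, versions and advisory identifiers are placeholders, not real packages or CVEs.

```python
# Constructed snapshots: agent package reports as {name: version}, and a vulnerability
# feed as {(name, version): [advisory ids]}. All identifiers are placeholders.
PREVIOUS_PACKAGES = {"libfoo": "1.2.0", "libbar": "3.0.1"}
CURRENT_PACKAGES = {"libfoo": "1.2.0", "libbar": "3.1.0", "libbaz": "0.9.0"}

OLD_FEED = {("libbar", "3.1.0"): ["ADV-0001"]}
NEW_FEED = {
    ("libbar", "3.1.0"): ["ADV-0001"],
    ("libfoo", "1.2.0"): ["ADV-0002"],  # unchanged package, newly published advisory
    ("libbaz", "0.9.0"): ["ADV-0003"],  # package that first appeared in this report
}


def new_packages(previous, current):
    """'New Package(s) detected': every (name, version) not present in the previous report.
    previous=None means this is the agent's first report, so everything is new."""
    if previous is None:
        return sorted(current.items())
    return sorted((n, v) for n, v in current.items() if previous.get(n) != v)


def new_vulnerabilities(previous, current, old_feed, new_feed):
    """'New Package vulnerability detected', one tuple per affected (name, version),
    labelled with which of the three scenarios raised it."""
    fresh = dict(new_packages(previous, current))
    events = []
    for (name, version), advisories in new_feed.items():
        if current.get(name) != version:
            continue  # feed entry does not match what is actually deployed
        known = set(old_feed.get((name, version), ()))
        added = sorted(set(advisories) - known)
        if previous is None:
            scenario = "first report from new agent"
        elif name in fresh:
            scenario = "new package or version"
        elif added:
            scenario = "new vulnerability information for unchanged package"
            advisories = added
        else:
            continue  # already known and already reported: not a new event
        events.append((name, version, scenario, sorted(advisories)))
    return sorted(events)


if __name__ == "__main__":
    for pkg in new_packages(PREVIOUS_PACKAGES, CURRENT_PACKAGES):
        print("new package:", pkg)
    for ev in new_vulnerabilities(PREVIOUS_PACKAGES, CURRENT_PACKAGES, OLD_FEED, NEW_FEED):
        print("new vulnerability:", ev)
```

The third scenario is the one that surprises people: nothing was deployed, yet a vulnerability event appears because the feed changed. Whether a given advisory applies in your configuration or operating system still has to be checked by hand, as the page advises.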

New Route(s) detected

Agents are reporting route IDs that were not reported in the past. This happens when you add a new agent (the initial set of routes is all considered new). It also happens when new routes are added to your application, such as when you deploy a version of your app with new exposed functionality, or, in some cases, when the way functionality is mapped to URL paths changes significantly.

This could also happen if route logic is deployed into your environment that is not intended.

Protection area mode changed

When a top-level feature area of tCell is enabled or disabled, there is an event created recording the top-level feature that was changed.

Upgrade notification

When tCell upgrades the App Firewall, Newsfeed displays the title and timestamp of the event.

Config changed

Whenever the configuration of a tCell app is changed, there is an event created recording the configuration area affected, values changed, and the user who made the change. This type of event occurs for all configuration changes that are not top-level features being enabled or disabled.

Alerts

For any of the Newsfeed event categories, you can have tCell notify you proactively when these events occur by configuring Alerting.

Alerts can be sent:

  • Via Email
  • To Slack™ channels
  • To Microsoft Teams™
  • Via general webhooks

The content in email, Slack™, and Microsoft Teams™ is intended for humans to read, and includes links back to the tCell newsfeed items for more information. The generic webhooks, although they contain the same information, are intended for programmatic consumption, and are documented in Using Webhooks Notifications.

Setting up Alerts

Configuring alerts involves choosing combinations of Destinations to receive alerts, and the types of Alerts to send to those destinations.

You must configure a Destination first. Inline help is available for Slack and Microsoft Teams destinations. Email destinations simply take a valid bare email address (user@domain.tld).

Creating a Slack destination

  • Use an existing Slack incoming webhook you have configured, or configure a new one for this integration:
    • Log into the desired Slack workspace using a browser.
    • Follow the link from the in-UI help, or navigate to Custom Integrations > Incoming Webhooks > New Configuration.
    • Although the Slack configuration requires that you select a channel, you will be able to override this in the tCell UI.
  • Copy the Webhook URL out of the Slack UI.
  • In the tCell web UI, go to Settings -> Alerts, and click +Add in the Destinations section.
  • Choose a Destination Type of "Slack"
  • Paste the Webhook URL into the next field.
  • Enter a @user or a #channel to receive these alerts.
  • Choose the set of Alert Types to send to this destination. For testing, you may want to enable Config Changed, as these are easily produced.

Creating an MS Teams destination

Follow the instructions in the Microsoft documentation accessible from the in-UI help or following the url: https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/connectors#setting-up-a-custom-incoming-webhook

The general flow is:

  • Log in to Microsoft Teams
  • Go to a channel you wish to receive alerts.
  • Select More Options (...) and choose Connectors
  • Select the connector type Incoming Webhook and choose Add
  • Choose a name for the webhook, and select Create.
  • Copy the webhook URL.
  • Choose Done
  • In the tCell web UI, go to Settings -> Alerts, and click +Add in the Destinations section.
  • Choose a Destination Type of "Microsoft Teams"
  • Paste the Webhook URL into the next field.
  • Choose the set of Alert Types to send to this destination. For testing, you may want to enable Config Changed, as these are easily produced.