What data does tCell collect?

Overview

tCell collects a variety of runtime information from your application. Two types of data are collected: events and metrics. Events represent discrete events or pieces of information; metrics represent time-based counts of different events.

Sanitization

All data is passed through a sanitization filter before being asynchronously sent to the tCell service. No data leaves the application agent without first passing through this sanitization process. Sanitization steps are designed to prevent private data from leaving your network.

Sanitization steps include:

  • HMACing of session IDs (sid). This lets tCell bind together multiple events from the same user session without knowing anything about the session itself.
  • Transaction IDs (tid): UUIDs are generated for transaction IDs using no customer or user identifiable data.
  • URI sanitization: all URIs are sanitized by stripping parameter values. For example, the referrer URL "http://localhost:8080/WebGoat/login.mvc?error=SomeErrorHere&test=SomeValue" is sanitized to "http://localhost:8080/WebGoat/login.mvc?error=&test=".
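The three sanitization steps above, implemented as an added example (this is not the tCell agent's own code). The HMAC key and the choice of SHA-256 are assumptions, as is the helper build_redirect_event, which assembles a redirect event from the sanitized values so the effect on a real payload is visible; the URI rewriting reproduces the WebGoat example from the list.

```python
import hashlib
import hmac
import json
import uuid
from urllib.parse import urlsplit, urlunsplit

# Assumption: the agent holds a secret key for the session-ID HMAC. How tCell
# provisions that key is not described on this page; a constructed value is used.
HMAC_KEY = b"constructed-agent-hmac-key"


def hmac_session_id(session_id: str, key: bytes = HMAC_KEY) -> str:
    """Keyed hash of the session ID: stable for the whole session, so events can be
    correlated, while the raw session ID never leaves the agent."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def new_transaction_id() -> str:
    """Random (version 4) UUID as the transaction ID; derived from no user or customer data."""
    return str(uuid.uuid4())


def strip_query_values(query: str) -> str:
    """Keep every parameter name and drop its value, working on the raw query string
    so no percent-decoding or re-encoding alters the names."""
    names = []
    for segment in query.split("&"):
        if segment:
            names.append(segment.split("=", 1)[0] + "=")
    return "&".join(names)


def sanitize_uri(uri: str) -> str:
    """Rewrite a URI so each query parameter is still present but empty."""
    parts = urlsplit(uri)
    if not parts.query:
        return uri
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       strip_query_values(parts.query), parts.fragment))


def build_redirect_event(session_id, from_uri, to_domain, from_domain,
                         remote_addr, method, status_code):
    """Hypothetical helper: assemble a redirect event from sanitized fields only."""
    return {
        "event_type": "redirect",
        "method": method.lower(),
        "remote_addr": remote_addr,
        "status_code": status_code,
        "to": to_domain,
        "from_domain": from_domain,
        "from": sanitize_uri(from_uri),
        "sid": hmac_session_id(session_id),
    }


if __name__ == "__main__":
    # Constructed input: a secret-looking session ID and the referrer URL from the page.
    event = build_redirect_event(
        session_id="JSESSIONID-secret-value-123",
        from_uri="http://localhost:8080/WebGoat/login.mvc?error=SomeErrorHere&test=SomeValue",
        to_domain="domain.com", from_domain="localhost:8080",
        remote_addr="10.0.2.2", method="GET", status_code=303)
    print(json.dumps(event, indent=1))
```

Note that the query names survive while the values do not, so a parameter that carried a password or token still shows up in the event by name only; the fragment is left alone because browsers do not send it to the server.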

Events

Each event is listed with its protection category, the trigger that produces it, the fields it carries and a sample payload.

server_agent_details
  Protection category: Server Details
  Trigger: App server startup
  Fields:
    user: User account the server process is running as
    group: Group the server process is running as
  Sample:
    "event_type":"server_agent_details",
    "group":"1000",
    "user":"userx",

server_agent_packages
  Protection category: Server Details
  Trigger: Class loaded / App initialization
  Fields:
    n: Name of package
    v: Version of package
    l: License type
  Sample:
    "event_type":"server_agent_packages",
    "packages": [
      {"v": "0.0.4",
       "n": "tcell-agent"
      },
      {"v": "1.0.4",
       "n": "enum34"
      }
    ]

appserver_routes
  Protection category: AppSensor
  Trigger: Route registered / App initialization
  Fields:
    uri: URI with placeholders for variables
    method: GET, POST, etc., or * for any
    rid: tCell route ID, a hash of route and method
    destination: Description of where this route goes, i.e. the name of the controller, function, etc., defined on a per-framework basis
  Sample:
    "event_type":"appserver_routes",
    "uri":"/user/:id/address",
    "method":"*",
    "rid":1396482959514716287,
    "destination":"com.customer123.controllers.UserAddress"

app_config_setting
  Protection category: Application Config Audit
  Trigger: App initialization
  Fields:
    section: "service" or "connector"
    prefix: service\engine\host\context or service\connector
    name: Field name
    value: Field value
    package: Server type (Tomcat, etc.)
  Sample:
    "event_type" : "app_config_setting",
    "section" : "context",
    "prefix" : "Tomcat\nTomcat\nlocalhost\n/WebGoat",
    "name" : "timeout",
    "value" : "2880",
    "package" : "Tomcat",

redirect
  Protection category: Open Redirect
  Trigger: HTTP response with a 3xx status code
  Fields:
    remote_addr: Remote IP of the user
    method: GET, POST, etc.
    to: Target redirect domain that violated policy
    from_domain: Domain the user started on (HOST)
    from: Sanitized URI doing the redirect
    sid: HMAC of session ID
    rid: tCell route ID
  Sample:
    "event_type":"redirect",
    "method":"get",
    "remote_addr":"10.0.2.2",
    "status_code":303,
    "to":"domain.com",
    "from_domain":"the current domain",
    "from":"path redirect came from",
    "sid":"cb38d7630b38d7630b38d7630"

as
  Protection category: App Sensor
  Trigger: Suspicious HTTP request or response payload
  Fields:
    dp: Name of detection point, i.e. xss, sqli, etc.
    param: Parameter name with suspicious payload
    uid: User ID if login enabled and user authenticated
    loc: Sanitized URI path
    sess: HMAC of session ID
    data: Parameter type (header, query, etc.)
    rou: tCell route ID
    m: HTTP method
    remote_addr: IP address of client
  Sample:
    "event_type":"as",
    "dp":"xss",
    "cnt":1,
    "uid":"james",
    "sid":"sessionhash",
    "loc":"location/url",
    "rou":"32432432",
    "m":"get",
    "data":{"fp":"s\u0026sos"},
    "remote_addr":"3.3.3.3"

discovery
  Protection category: Data Exposure
  Trigger: First access to any data source (database table, REST API, etc.)
  Fields:
    type: database, REST API, etc.
    db: Database name
    schema: Database schema name
    table: Database table name
    fields: Names of the fields accessed
    rid: tCell route_id
    uid: user_id if known
    q: Query type
  Sample:
    "event_type":"discovery",
    "type":"db",
    "rid":"2323224",
    "uid":"bob@bob.com",
    "q":"select",
    "db":"redis:4334",
    "schema":"asfdasf",
    "table":"users",
    "fields":["ssn","first_name"],
    "field":"field"

login
  Protection category: Login fraud
  Trigger: User login
  Fields:
    event_name: login-failure, login-success
    user_agent: HTTP header
    referrer: HTTP header
    remote_addr: IP address of client
    header_keys: HTTP header names, in order if possible
    user_id: User that tried to log in
    document_uri: URI that was posted to
    session: HMAC of session ID
    user_valid: null, true, false
  Sample:
    "event_type":"login",
    "event_name":"login-success",
    "user_agent":"Mozilla/5.0 ...",
    "referrer":"http://localhost:3085/users/sign_in",
    "remote_addr":"10.0.2.2",
    "header_keys":["VERSION","HOST","CONNECTION","CACHE_CONTROL","COOKIE"],
    "user_id":"1",
    "document_uri":"/users/sign_in",
    "session":"e9e80cd52ad521ddb9090ac9ac",
    "user_valid": true


Metrics

Each metric is listed with its description, fields and a sample payload.

rct
  Description: Route count table
  Fields:
    c: Total requests
    mx: Maximum request time (ms)
    mn: Minimum request time (ms)
    t: Average request time (ms)
  Sample:
    {
      "event_type":"metrics",
      "rct": {
        "98246921": {
          "c":3,
          "mx":446,
          "mn":68,
          "t":318
        },
        "?": {
          "c":4,
          "mx":9,
          "mn":5,
          "t":7
        }
      }
    }

sessions
  Description: Per-session metrics for authenticated users
  Fields:
    ua: A dictionary of user agents whose values are the IPs they came from
    uid: User ID for that session
  Sample:
    {
      "event_type":"metrics",
      "sessions": {
        "hmac_of_session_id_x": [
          {
            "uid":"user_x",
            "track":[
              ["Mozilla/5.0 User Agent V1.03",["1.1.1.1","1.1.2.2"]]
            ]
          }
        ],
        "hmac_of_session_id_y": [
          {
            "uid":"user_y",
            "track":[
              ["Mozilla/3.0 User Agent V1.03",["1.1.3.1"]],
              ["Chrome 30 User Agent",["1.101.3.4"]]
            ]
          }
        ]
      }
    }
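How the two metric payloads above are aggregated from individual requests, as an added example that is not the tCell agent's own code. The per-request record layout (rid, ms, sid, uid, ua, ip), the sample request data and the choice to bucket requests with no matching route under "?" are assumptions made for this illustration; the sample data is constructed so that the output matches the rct and sessions samples above.

```python
from collections import defaultdict

# Constructed sample: per-request observations recorded during one reporting
# interval. "rid" is None when the request matched no registered route;
# "sid"/"uid" are None for unauthenticated requests. Key names are assumptions.
REQUESTS = [
    {"rid": "98246921", "ms": 446, "sid": "hmac_of_session_id_x", "uid": "user_x",
     "ua": "Mozilla/5.0 User Agent V1.03", "ip": "1.1.1.1"},
    {"rid": "98246921", "ms": 68, "sid": "hmac_of_session_id_x", "uid": "user_x",
     "ua": "Mozilla/5.0 User Agent V1.03", "ip": "1.1.2.2"},
    {"rid": "98246921", "ms": 440, "sid": "hmac_of_session_id_x", "uid": "user_x",
     "ua": "Mozilla/5.0 User Agent V1.03", "ip": "1.1.1.1"},
    {"rid": None, "ms": 9, "sid": None, "uid": None, "ua": "curl/7.0", "ip": "2.2.2.2"},
    {"rid": None, "ms": 5, "sid": None, "uid": None, "ua": "curl/7.0", "ip": "2.2.2.2"},
    {"rid": None, "ms": 7, "sid": "hmac_of_session_id_y", "uid": "user_y",
     "ua": "Mozilla/3.0 User Agent V1.03", "ip": "1.1.3.1"},
    {"rid": None, "ms": 7, "sid": "hmac_of_session_id_y", "uid": "user_y",
     "ua": "Chrome 30 User Agent", "ip": "1.101.3.4"},
]


def route_count_table(requests):
    """Aggregate request timings per route ID into the rct fields c, mx, mn and t."""
    timings = defaultdict(list)
    for r in requests:
        # Assumption: requests that matched no registered route are bucketed
        # under "?", as in the sample payload on this page.
        key = r["rid"] if r["rid"] is not None else "?"
        timings[key].append(r["ms"])
    return {
        rid: {"c": len(ms), "mx": max(ms), "mn": min(ms), "t": round(sum(ms) / len(ms))}
        for rid, ms in timings.items()
    }


def session_metrics(requests):
    """Group authenticated requests by HMAC'd session ID and record, per session,
    the user ID and the list of IPs each user agent was seen from."""
    sessions = {}
    for r in requests:
        if r["sid"] is None or r["uid"] is None:
            continue  # only authenticated sessions are tracked
        entry = sessions.setdefault(r["sid"], {"uid": r["uid"], "track": {}})
        ips = entry["track"].setdefault(r["ua"], [])
        if r["ip"] not in ips:
            ips.append(r["ip"])
    # Flatten into the [user_agent, [ip, ...]] pairs used by the sessions sample.
    return {
        sid: [{"uid": e["uid"], "track": [[ua, ips] for ua, ips in e["track"].items()]}]
        for sid, e in sessions.items()
    }


def build_metrics_event(requests):
    """One metrics payload carrying both the route count table and the session metrics."""
    return {
        "event_type": "metrics",
        "rct": route_count_table(requests),
        "sessions": session_metrics(requests),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_metrics_event(REQUESTS), indent=1))
```

Only the HMAC of the session ID and the user ID reach the sessions metric; the raw cookie value is never part of the record, which is what lets the same user be recognised across user agents and IPs without the agent exporting the session itself.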