DecoyStructureSummary - SAP/cloud-active-defense GitHub Wiki
These tables summarize all supported configuration operations for decoys. Please refer to each individual section for details.
[decoy](/SAP/cloud-active-defense/wiki/Decoy)
| JSON path | Values | Regex | Type | Overwrites | Default value | ||
|---|---|---|---|---|---|---|---|
| .key | no | string | - | Mandatory | |||
| .dynamicKey | yes | string | .key | Mandatory | |||
| .separator | no | string | - | = | |||
| .value | no | string | - | none | |||
| .dynamicValue | yes | string | .value | none | |||
| .string | no | string | .key, .dynamicKey, .separator, .value, .dynamicValue | none |
[inject](/SAP/cloud-active-defense/wiki/Inject)
| JSON path | Values | Regex | Type | Overwrites | Default value | ||
|---|---|---|---|---|---|---|---|
| .store | .inResponse | endpoint e.g. /login | yes | string | - | none | |
| .inRequest | endpoint e.g. /login | yes | string | - | none | ||
| withVerb | "", GET, POST, UPDATE, DELETE, ... | no | string | - | all verbs | ||
| .as | cookie, header, body | no | string | - | Mandatory | ||
| .at | .method | character, line, replace, always, before, after | no | string | - | character:-0 (end of line) | |
| .property | (int) 0 means at start, -4 means 4th backwards from last position. (string) regex to match against. | yes | int or string | - | Mandatory if .method is set | ||
| .whenTrue[{}] | .key | yes | string | - | Mandatory if .whenTrue is set | ||
| .value | yes | string | - | Mandatory if .key is set | |||
| .in | cookie, header, url, getParam, postParam, payload | no | string | - | Mandatory if .key is set | ||
| .whenFalse[{}] | .key | yes | string | - | Mandatory if .whenFalse is set | ||
| .value | yes | string | - | Mandatory if .key is set | |||
| .in | cookie, header, url, getParam, postParam, payload | no | string | - | Mandatory if .key is set |
[detect](/SAP/cloud-active-defense/wiki/Detect)
| JSON path | Values | Regex | Type | Overwrites | Default value | |
|---|---|---|---|---|---|---|
| .seek | .inRequest | endpoint e.g. /login | yes | string | - | none |
| .inResponse | endpoint e.g. /login | yes | string | - | none | |
| .withVerb | "", GET, POST, UPDATE, DELETE, ... | no | string | - | all verbs | |
| .in | cookie, header, url, getParam, postParam, payload | no | string | - | Mandatory | |
| [.alert](/SAP/cloud-active-defense/wiki/Detect#alert) | .severity | LOW, MEDIUM, HIGH | no | string | - | Mandatory |
| .whenSeen | true, false | no | bool | - | false | |
| .whenComplete | true, false | no | bool | - | false | |
| .whenModified | true, false | no | bool | - | false | |
| .whenAbsent | true, false | no | bool | - | false | |
| [.respond[{}]](/SAP/cloud-active-defense/wiki/Detect#respond) | .source | "ip", "userAgent", "session", "ip,userAgent", "ip,session", "ip,userAgent,session" | no | string | - | Mandatory if .respond is set |
| .behavior | divert, error, drop, throttle | no | string | - | "clone" (divert), "500" (error), "30-120" (throttle) | |
| .property | XX (seconds) or XX-YY (range, in seconds) | no | int or string | throttle default | none | |
| .delay | now, XXs, YYm, ZZh | no | string | - | now | |
| .duration | forever, XXs, YYm, ZZh | no | string | - | forever |