DecoyStructureSummary - SAP/cloud-active-defense GitHub Wiki
These tables summarize all supported configuration operations for decoys. Please refer to each individual section for details.
[decoy](/SAP/cloud-active-defense/wiki/Decoy)
JSON path |
|
|
Values |
Regex |
Type |
Overwrites |
Default value |
.key |
|
|
|
no |
string |
- |
Mandatory |
.dynamicKey |
|
|
|
yes |
string |
.key |
Mandatory |
.separator |
|
|
|
no |
string |
- |
= |
.value |
|
|
|
no |
string |
- |
none |
.dynamicValue |
|
|
|
yes |
string |
.value |
none |
.string |
|
|
|
no |
string |
.key, .dynamicKey, .separator, .value, .dynamicValue |
none |
[inject](/SAP/cloud-active-defense/wiki/Inject)
JSON path |
|
|
Values |
Regex |
Type |
Overwrites |
Default value |
.store |
.inResponse |
|
endpoint e.g. /login |
yes |
string |
- |
none |
|
.inRequest |
|
endpoint e.g. /login |
yes |
string |
- |
none |
|
withVerb |
|
"", GET, POST, UPDATE, DELETE, ... |
no |
string |
- |
all verbs |
|
.as |
|
cookie, header, body |
no |
string |
- |
Mandatory |
|
.at |
.method |
character, line, replace, always, before, after |
no |
string |
- |
character:-0 (end of line) |
|
|
.property |
(int) 0 means at start, -4 means 4th backwards from last position. (string) regex to match against. |
yes |
int or string |
- |
Mandatory if .method is set |
.whenTrue[{}] |
.key |
|
|
yes |
string |
- |
Mandatory if .whenTrue is set |
|
.value |
|
|
yes |
string |
- |
Mandatory if .key is set |
|
.in |
|
cookie, header, url, getParam, postParam, payload |
no |
string |
- |
Mandatory if .key is set |
.whenFalse[{}] |
.key |
|
|
yes |
string |
- |
Mandatory if .whenFalse is set |
|
.value |
|
|
yes |
string |
- |
Mandatory if .key is set |
|
.in |
|
cookie, header, url, getParam, postParam, payload |
no |
string |
- |
Mandatory if .key is set |
[detect](/SAP/cloud-active-defense/wiki/Detect)
JSON path |
|
Values |
Regex |
Type |
Overwrites |
Default value |
.seek |
.inRequest |
endpoint e.g. /login |
yes |
string |
- |
none |
|
.inResponse |
endpoint e.g. /login |
yes |
string |
- |
none |
|
.withVerb |
"", GET, POST, UPDATE, DELETE, ... |
no |
string |
- |
all verbs |
|
.in |
cookie, header, url, getParam, postParam, payload |
no |
string |
- |
Mandatory |
[.alert](/SAP/cloud-active-defense/wiki/Detect#alert) |
.severity |
LOW, MEDIUM, HIGH |
no |
string |
- |
Mandatory |
|
.whenSeen |
true, false |
no |
bool |
- |
false |
|
.whenComplete |
true, false |
no |
bool |
- |
false |
|
.whenModified |
true, false |
no |
bool |
- |
false |
|
.whenAbsent |
true, false |
no |
bool |
- |
false |
[.respond](/SAP/cloud-active-defense/wiki/Detect#respond[{})] |
.source |
"ip", "userAgent", "session", "ip,userAgent", "ip,session", "ip,userAgent,session" |
no |
string |
- |
Mandatory if .respond is set |
|
.behavior |
divert, error, drop, throttle |
no |
string |
- |
"clone" (divert), "500" (error), "30-120" (throttle) |
|
.property |
XX (seconds) or XX-YY (range, in seconds) |
no |
int or string |
throttle default |
none |
|
.delay |
now, XXs, YYm, ZZh |
no |
string |
- |
now |
|
.duration |
forever, XXs, YYm, ZZh |
no |
string |
- |
forever |