DecoyStructureSummary - SAP/cloud-active-defense GitHub Wiki

These tables summarize all supported configuration operations for decoys. Please refer to each individual section for details.

[decoy](/SAP/cloud-active-defense/wiki/Decoy)

| JSON path | Values | Regex | Type | Overwrites | Default value |
|---|---|---|---|---|---|
| .key | | no | string | - | Mandatory |
| .dynamicKey | | yes | string | .key | Mandatory |
| .separator | | no | string | - | = |
| .value | | no | string | - | none |
| .dynamicValue | | yes | string | .value | none |
| .string | | no | string | .key, .dynamicKey, .separator, .value, .dynamicValue | none |

[inject](/SAP/cloud-active-defense/wiki/Inject)

| JSON path | | Values | Regex | Type | Overwrites | Default value |
|---|---|---|---|---|---|---|
| .store | .inResponse | endpoint e.g. /login | yes | string | - | none |
| | .inRequest | endpoint e.g. /login | yes | string | - | none |
| | .withVerb | "", GET, POST, UPDATE, DELETE, ... | no | string | - | all verbs |
| | .as | cookie, header, body | no | string | - | Mandatory |
| .at | .method | character, line, replace, always, before, after | no | string | - | character:-0 (end of line) |
| | .property | (int) 0 means at start, -4 means 4th backwards from last position. (string) regex to match against. | yes | int or string | - | Mandatory if .method is set |
| .whenTrue[{}] | .key | | yes | string | - | Mandatory if .whenTrue is set |
| | .value | | yes | string | - | Mandatory if .key is set |
| | .in | cookie, header, url, getParam, postParam, payload | no | string | - | Mandatory if .key is set |
| .whenFalse[{}] | .key | | yes | string | - | Mandatory if .whenFalse is set |
| | .value | | yes | string | - | Mandatory if .key is set |
| | .in | cookie, header, url, getParam, postParam, payload | no | string | - | Mandatory if .key is set |

[detect](/SAP/cloud-active-defense/wiki/Detect)

| JSON path | | Values | Regex | Type | Overwrites | Default value |
|---|---|---|---|---|---|---|
| .seek | .inRequest | endpoint e.g. /login | yes | string | - | none |
| | .inResponse | endpoint e.g. /login | yes | string | - | none |
| | .withVerb | "", GET, POST, UPDATE, DELETE, ... | no | string | - | all verbs |
| | .in | cookie, header, url, getParam, postParam, payload | no | string | - | Mandatory |
| [.alert](/SAP/cloud-active-defense/wiki/Detect#alert) | .severity | LOW, MEDIUM, HIGH | no | string | - | Mandatory |
| | .whenSeen | true, false | no | bool | - | false |
| | .whenComplete | true, false | no | bool | - | false |
| | .whenModified | true, false | no | bool | - | false |
| | .whenAbsent | true, false | no | bool | - | false |
| [.respond](/SAP/cloud-active-defense/wiki/Detect#respond)[{}] | .source | "ip", "userAgent", "session", "ip,userAgent", "ip,session", "ip,userAgent,session" | no | string | - | Mandatory if .respond is set |
| | .behavior | divert, error, drop, throttle | no | string | - | "clone" (divert), "500" (error), "30-120" (throttle) |
| | .property | XX (seconds) or XX-YY (range, in seconds) | no | int or string | throttle default | none |
| | .delay | now, XXs, YYm, ZZh | no | string | - | now |
| | .duration | forever, XXs, YYm, ZZh | no | string | - | forever |
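
The sketch below is an added example, not code from the cloud-active-defense project: a pre-deployment check that applies the "Mandatory" and allowed-value rules from the tables above to one decoy. It assumes the three tables map to `decoy`, `inject` and `detect` objects, that dotted paths nest as JSON objects with `.at`, `.whenTrue` and `.whenFalse` under `inject.store`, and that any one of `.key`, `.dynamicKey` or `.string` satisfies the key requirement; the sample decoys are constructed.

```python
AS = {"cookie", "header", "body"}
IN = {"cookie", "header", "url", "getParam", "postParam", "payload"}
SEVERITY = {"LOW", "MEDIUM", "HIGH"}
SOURCE = {"ip", "userAgent", "session", "ip,userAgent", "ip,session",
          "ip,userAgent,session"}

def need(errors, obj, field, allowed, path):
    """Record an error when a mandatory enumerated field is missing or invalid."""
    value = obj.get(field)
    if not isinstance(value, str) or value not in allowed:
        errors.append(f"{path}.{field}: expected one of {sorted(allowed)}")

def validate(cfg):
    """Return the list of rule violations for one decoy (empty list = valid)."""
    errors = []
    decoy = cfg.get("decoy", {})
    # Assumption: .string overwrites .key/.dynamicKey, .dynamicKey overwrites .key
    if not any(decoy.get(k) for k in ("string", "dynamicKey", "key")):
        errors.append("decoy: one of .key, .dynamicKey, .string is required")
    store = cfg.get("inject", {}).get("store")
    if store is not None:
        need(errors, store, "as", AS, "inject.store")
        at = store.get("at", {})  # assumed nesting: inject.store.at
        if "method" in at and "property" not in at:
            errors.append("inject.store.at.property: mandatory if .method is set")
        for name in ("whenTrue", "whenFalse"):
            for i, cond in enumerate(store.get(name, [])):
                path = f"inject.store.{name}[{i}]"
                if "key" not in cond or "value" not in cond:
                    errors.append(f"{path}: .key and .value are mandatory")
                need(errors, cond, "in", IN, path)
    detect = cfg.get("detect")
    if detect is not None:
        need(errors, detect.get("seek", {}), "in", IN, "detect.seek")
        need(errors, detect.get("alert", {}), "severity", SEVERITY, "detect.alert")
        for i, resp in enumerate(detect.get("respond", [])):
            need(errors, resp, "source", SOURCE, f"detect.respond[{i}]")
    return errors

# Constructed sample decoys (not taken from the wiki)
GOOD = {"decoy": {"key": "role", "separator": "=", "value": "admin"},
        "inject": {"store": {"inResponse": "/login", "as": "cookie"}},
        "detect": {"seek": {"inRequest": ".*", "in": "cookie"},
                   "alert": {"severity": "HIGH", "whenModified": True}}}
BAD = {"decoy": {"value": "admin"},
       "inject": {"store": {"as": "footer", "at": {"method": "line"}}},
       "detect": {"seek": {"in": "cookie"}, "alert": {"severity": "high"},
                  "respond": [{"source": "ip;session", "behavior": "drop"}]}}

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(cfg) or "ok")
```

Running a check like this before loading a decoy surfaces a misspelled severity or an unsupported `.as` target while the file is still being edited.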