Respond - SAP/cloud-active-defense GitHub Wiki
Response format
Response events are configured as described in the Detect section.
By default, response events are sent to the console. A typical event looks as follows:
```json
{
  "action": [
    {
      "Time": 1715956535,
      "RequestID": "f916b220-3c2c-493d-9ff4-a543bc39816c",
      "Behavior": "error",
      "Delay": "2m",
      "Duration": "1h",
      "SourceIP": "172.25.0.1",
      "Useragent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
      "Session": "c32272b9-99d8-4687-b57e-a606952ae870"
    }
  ]
}
```
When a decoy is triggered, all relevant 'response' actions are executed. Irrelevant actions are ignored (for example, an action that matches on the 'session' when no session is set). These events are also sent to the configmanager, which updates the /data/blocklist/throttlelist.json file (for the 'throttle' behavior) and the /data/blocklist/blocklist.json file (for all other behaviors). Details below:
Time
The UTC time at which the alert is triggered, in timestamp format (Unix epoch seconds, as in the example above).
A log should always have a timestamp, for correlation.
RequestID
The value of the x-request-id header added by Envoy to each received request.
May be useful for correlation with other Envoy logs or with application logs.
Behavior
The type of response which will be executed by the proxy.
Useful to know what to expect. If a user complains about a system slowdown or about an unreachable system, the reason might be that a 'throttle' or 'drop' behavior is at play.
Delay
The time that elapses before the Behavior is executed.
Useful to understand why a response is not active: it may simply not be active yet.
Duration
For how long the response will be in place.
Once the duration is exceeded, the corresponding response action is removed from the blocklist.json or throttlelist.json file by the configmanager. If the duration is set to 'forever', the only way to remove the response is to manually edit the corresponding JSON file.
SourceIP
The source IP, as resolved by Envoy. Unlike the 'alert' event, it contains only the IP address, not the port. If this is set, this IP address will be considered in subsequent requests when determining a match.
Useful to debug complaints from users about possible false positives. If the Useragent and/or Session parameters are also set, the matching is done against the combination of those.
Useragent
The source user agent, as resolved by Envoy. If this is set, this user agent will be considered in subsequent requests when determining a match.
Useful to debug complaints from users about possible false positives. If the SourceIP and/or Session parameters are also set, the matching is done against the combination of those.
Session
The session token, as resolved by Envoy, retrieved according to the configuration in the config-default.json file. If this is set, this session value will be considered in subsequent requests when determining a match.
Useful to debug complaints from users about possible false positives. If the SourceIP and/or Useragent parameters are also set, the matching is done against the combination of those.
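To make the fields above concrete, here is an added example (not code from the cloud-active-defense project) that parses a response event, works out which file the configmanager would write it to, computes its active window from Time, Delay and Duration, and applies the combined SourceIP/Useragent/Session matching rule to a later request. It assumes Go-style duration suffixes (s, m, h; the page only shows 'm' and 'h'), that the Duration is counted from the moment the response becomes active, and that an action with no selector set matches nothing.

```python
import re
from typing import Optional, Tuple

# Constructed event, modelled on the example above (values are not real).
SAMPLE_EVENT = {"action": [{
    "Time": 1715956535, "RequestID": "f916b220-3c2c-493d-9ff4-a543bc39816c",
    "Behavior": "error", "Delay": "2m", "Duration": "1h",
    "SourceIP": "172.25.0.1",
    "Useragent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:125.0) Gecko/20100101 Firefox/125.0",
    "Session": "c32272b9-99d8-4687-b57e-a606952ae870"}]}

_UNITS = {"s": 1, "m": 60, "h": 3600}  # assumption: Go-style suffixes

def parse_duration(value: str) -> Optional[int]:
    """Seconds for '2m'/'1h'-style values; None stands for 'forever'."""
    if value == "forever":
        return None
    m = re.fullmatch(r"(\d+)([smh])", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def target_file(action: dict) -> str:
    """'throttle' is tracked in throttlelist.json, every other behavior in blocklist.json."""
    if action["Behavior"] == "throttle":
        return "/data/blocklist/throttlelist.json"
    return "/data/blocklist/blocklist.json"

def active_window(action: dict) -> Tuple[int, Optional[int]]:
    """(start, end) in epoch seconds. start = Time + Delay; end = start + Duration,
    or None when the Duration is 'forever' (assumption: Duration counts from start)."""
    start = action["Time"] + parse_duration(action["Delay"])
    dur = parse_duration(action["Duration"])
    return start, (None if dur is None else start + dur)

def matches(action: dict, ip: str, useragent: str, session: Optional[str], now: int) -> bool:
    """A later request matches only if it falls inside the active window AND every
    selector that is set on the action (SourceIP, Useragent, Session) agrees."""
    start, end = active_window(action)
    if now < start or (end is not None and now >= end):
        return False  # not active yet, or already expired and cleaned up
    selectors = {"SourceIP": ip, "Useragent": useragent, "Session": session}
    set_keys = [k for k in selectors if action.get(k)]
    if not set_keys:
        return False  # assumption: an action with nothing to match on is irrelevant
    return all(action[k] == selectors[k] for k in set_keys)
```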