Data classification enrichment
Data Classification Enrichment lets you add enrichment data to each request. Every time HUMAN handles a request, it adds the enriched data to the server-to-server call as an additional cookie, _pxde. This lets you send even more information about traffic and activity on your applications, giving you deeper insights and more precise mitigation.
This article explains how to enable enrichment and how to retrieve enriched data.
Prerequisites
- The appropriate role permissions to manage data classification enrichment. By default, this is an Admin role in Sightline.
- A configured Policy to send enriched data from.
Enable data enrichment
- Navigate to Sightline Cyberfraud Defense > Settings > Data > Data Enrichment and click the Data classification enrichment tab.
- Choose the Policy to send enriched data from.
- Select your desired enrichment sources.
- Click the toggle for each Data Enrichment Type to enable enrichment for them.
Note
As soon as you enable at least one data enrichment type, HUMAN will start sending the _pxde cookie.
- Click Generate cookie example to see an example of the _pxde cookie.
- If needed, click Download dictionary next to the data enrichment type to export a JSON object of each type.
- Click Save Changes.
HUMAN will start sending enriched data to your Sensor or Enforcer, but you can also choose to send this data to a data analytics integration. See Retrieve enriched data for more information.
Retrieve enriched data
Sensor and Enforcers
The Sensor and most Enforcers support data classification enrichment. They retrieve it by:
Note
If you do not have built-in data classification enrichment, you may need to upgrade your Sensor or Enforcer version. See Getting started with Sightline Cyberfraud Defense to learn how to update your Sensor version. For Enforcers, refer to your Enforcer's specific configuration documentation.
- Enforcers: Retrieve enriched data with a hook function.
- Sensor: Retrieves enriched data by running the initialization code below. This event triggers for each cookie update.
```javascript
px.Events.on('enrich', function (value) {
    // value - the enriched data, in the form of <HMAC>:<Base64 encoded data>
    const base64Data = value.split(":")[1]; // split value to get the base64 encoded data
    const dataStr = atob(base64Data); // base64 decode the enrichment data
    const data = JSON.parse(dataStr); // get the data as JSON
    console.log('DATA', data);
});
```
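The Sensor snippet above decodes the payload without checking the HMAC half of the value. The following is an added example, not HUMAN's code, of server-side (Node.js) handling that checks the HMAC before decoding and then reads the fields documented under "Available enrichment data by type". This page does not state the HMAC algorithm, encoding or key, so HMAC-SHA256 in hex over the Base64 string is an assumption, and `parsePxde`, `hmacHex`, `makeSample` and `SAMPLE_SECRET` are hypothetical names.

```javascript
const crypto = require('crypto');

// ASSUMPTION: HMAC-SHA256, hex-encoded, computed over the Base64 string.
// Confirm the real scheme in your Enforcer's documentation.
function hmacHex(secret, base64Data) {
  return crypto.createHmac('sha256', secret).update(base64Data).digest('hex');
}

function parsePxde(value, secret) {
  const sep = typeof value === 'string' ? value.indexOf(':') : -1;
  if (sep < 1) return { ok: false, reason: 'malformed' };
  const mac = value.slice(0, sep);
  const base64Data = value.slice(sep + 1);

  // Compare in constant time and reject before decoding anything.
  const expected = Buffer.from(hmacHex(secret, base64Data));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_hmac' };
  }

  let data;
  try {
    data = JSON.parse(Buffer.from(base64Data, 'base64').toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'bad_json' };
  }
  if (data === null || typeof data !== 'object') return { ok: false, reason: 'bad_json' };

  return {
    ok: true,
    data,
    // breached_account is 1 when compromised and absent otherwise.
    breachedAccount: data.breached_account === 1,
    // f_access_token is only provided when f_type is "whitelist".
    accessToken: data.f_type === 'whitelist' ? data.f_access_token || null : null,
    ipCategories: Array.isArray(data.ipc_id) ? data.ipc_id : [],
    incidents: Array.isArray(data.inc_id) ? data.inc_id : [],
  };
}

// Constructed sample input (not real HUMAN output), signed with a made-up secret.
const SAMPLE_SECRET = 'example-secret';
function makeSample(obj) {
  const b64 = Buffer.from(JSON.stringify(obj)).toString('base64');
  return hmacHex(SAMPLE_SECRET, b64) + ':' + b64;
}
```

A payload whose HMAC does not match is rejected with `bad_hmac` before any Base64 or JSON decoding, so application logic never sees fields such as breached_account from an unverified value.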
Supported integrations
You can optionally send enrichment data to a supported data analytics integration. See our documentation for more information.
Disable the data enrichment cookie
The _pxde cookie is a non-essential analytics cookie. If a user declines non-essential cookies when visiting your website, you can disable it by adding window._pxPreventAnalyticsCookie = true to the Sensor snippet on your application.
```html
<script type="text/javascript">
    (function(){
        window._pxPreventAnalyticsCookie = true; // disables _pxde if user declines non-essential cookies
        var p = document.getElementsByTagName('script')[0],
            s = document.createElement('script');
        s.async = 1;
        s.src = '/xxxxxxxxxxx/.init.js';
        p.parentNode.insertBefore(s,p);
    }());
</script>
```
If you want to enable the cookie, you can either:
- Set window._pxPreventAnalyticsCookie to false, or
- Delete the variable assignment
Available enrichment data by type
Access control
Access control rules are defined in:
The access control cookie is approximately 200 bytes. If an access control filter could not be found on the request, then the cookie will be empty and only the timestamp will be sent. The available fields are:
Field | Description |
---|---|
Timestamp | The time the cookie was created. |
f_type | The access control rule type. Possible values: |
f_id | The access control rule ID. These are available in its JSON dictionary. |
f_origin | Whether the data is defined as a custom rule or as a default HUMAN rule. Rules from Known bots & crawlers and IP Classification will always be px. |
f_kb | Whether the request was made by a known bot or not. Possible values: |
IP Categorization
The categories defined in the different service types include cloud, proxy, and other general categories. The available fields are:
Field | Description |
---|---|
ipc_id | An array of IP categorization IDs. These are available in its JSON dictionary. |
Incident Types
Incident types describe why HUMAN identified traffic as automated. See our article for a complete list of all incident types. The available fields are:
Field | Description |
---|---|
inc_id | An array of hashed incident types. |
CAPTCHA Bypass
The CAPTCHA Bypass filter indicates if the request was allowed after a user solved a CAPTCHA successfully and is now in the grace period. The available fields are:
Field | Description |
---|---|
cgp | CAPTCHA Grace Period. Possible values: |
Access Tokens
Access tokens allow traffic generated by friendly applications or users. See Traffic policy settings for more information.
This enrichment is only provided if:
- The f_type value from Access control is whitelist, and
- The filter reason is access_token
The available fields are:
Field | Description |
---|---|
f_access_token | The access token name |
Credential Intelligence
The available fields are:
Field | Description |
---|---|
breached_account | Whether the credentials on the activity were identified as compromised. If they were, the value will be 1. If they were not, the field will not exist. |