Current release: v7.4.2
Release Highlights
The 7.4 release of the Cequence Unified API Protection (UAP) platform is generally available as of Aug 26, 2024. The key highlights of this release are listed below.
New Features
The new features in the 7.4 release require version 7.4 or newer of Cequence Bridge and 5.2.1 or newer of Cequence Defender.
Advanced filtering configuration from the web UI: You can now configure advanced filters directly from the Cequence web UI. Using advanced filtering, you can configure query parameters, request headers, or response headers to decide whether to send traffic to Cequence UAP. Filtering configuration is now based on application tags instead of host and path values.
Configure traffic sampling in the web UI: You can configure traffic sampling directly from the web UI to send just a portion of the total application traffic to Cequence UAP instead of all traffic. This is particularly useful for API discovery and inventory use cases for which all API traffic need not be analyzed in order to discover, classify and inventory APIs. Sampling configuration includes a percentage value of traffic, which can be changed at any time by a Cequence administrator. Sampling is enforced at the API endpoint level.
Order traffic filter priority in the web UI: You can reorder the priority list of traffic filters directly from the UI. Filters are evaluated by the platform in the order in which they are configured from top to bottom on the UI. You can reorder the filters to list the higher priority filters at the top followed by lower priority filters.
Sensitive data masking: Cequence now supports masking sensitive data before transmitting to the Cequence UAP platform for analysis. This is particularly useful for SaaS deployments where customers may want to configure masking of sensitive data values in API request or response payloads before sending traffic to Cequence for analysis. This configuration is also part of the filtering configuration and can be configured per application tag.
Broken Object Level Authorization (BOLA) detection: Cequence now supports out-of-the-box detection of BOLA threat activity without custom rules. This capability saves administrator time and configuration effort as the platform automatically detects enumeration activity of path or query parameters at the API endpoint level.
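To illustrate what enumeration of path or query parameters at the API endpoint level looks like in traffic, the following added example (not Cequence code and not the platform's detection logic) groups requests by client and endpoint template and flags groups that touch many distinct object identifiers. The identifier pattern, the `min_distinct` threshold, the helper names and the sample traffic are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Numeric or UUID-shaped values are treated as object identifiers (assumption).
ID_RE = re.compile(r"\d+|[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
DENIED = {401, 403, 404}

def normalize(url):
    """Return (endpoint template, tuple of object ids) for one request URL."""
    parts = urlsplit(url)
    segs, params, ids = [], [], []
    for seg in parts.path.split("/"):
        if ID_RE.fullmatch(seg):
            ids.append(seg)
            seg = "{id}"
        segs.append(seg)
    for key, val in parse_qsl(parts.query):
        if ID_RE.fullmatch(val):
            ids.append(val)
            params.append(key + "={id}")
    template = "/".join(segs) + ("?" + "&".join(params) if params else "")
    return template, tuple(ids)

def find_enumeration(requests, min_distinct=5):
    """Flag (client, method, endpoint) groups touching >= min_distinct object ids."""
    ids_seen = defaultdict(set)
    denied = defaultdict(int)
    for client, method, url, status in requests:
        template, ids = normalize(url)
        if not ids:
            continue  # endpoint carries no object reference
        key = (client, method, template)
        ids_seen[key].add(ids)
        denied[key] += status in DENIED  # count refused lookups per group
    return sorted(key + (len(v), denied[key]) for key, v in ids_seen.items()
                  if len(v) >= min_distinct)

# Constructed sample traffic: (client token, method, URL, response status).
SAMPLE = (
    [("tok-A", "GET", f"/api/v1/orders/{n}", 200 if n == 1001 else 403)
     for n in range(1001, 1007)]
    + [("tok-B", "GET", "/api/v1/orders/2001", 200)] * 3
    + [("tok-B", "GET", "/api/v1/orders/2002", 200),
       ("tok-B", "GET", "/api/v1/health", 200)]
    + [("tok-C", "GET", f"/api/v1/invoices?account_id={n}", 200)
       for n in range(50, 55)]
)

if __name__ == "__main__":
    for hit in find_enumeration(SAMPLE):
        print(hit)
```

Each result row is (client, method, endpoint template, distinct identifiers, denied responses). A group with many distinct identifiers and all-successful responses, such as tok-C in the sample, is the case that most warrants an authorization review.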
Changed functionality
Filters enforced as opt-out vs opt-in: In previous releases, only traffic that matched an existing filter would get sent for analysis (opt-in) to the Cequence UAP platform. Starting with the 7.4 release, all traffic is sent from data plane components to the Cequence UAP platform (opt-out). When no existing filter configuration exists for a particular host or path, the Cequence UAP platform samples traffic automatically at a reduced rate (10% of total traffic). Users can opt in to all traffic or exclude traffic entirely by configuring a filtering configuration for relevant hosts and/or paths.
Resolved Issues
Release 7.4.2
CEQASP-3434 JEXL and MVEL Privilege Execution: Transformation script functionality allows for exfiltration of sensitive data
CEQASP-5373 UAP UI - Transactions - Does not sort by am/pm
CEQASP-5502 host filtering on dashboard and navigating to inventory not working
CEQASP-5525 API Sentinel: 3rd party classification should only happen when an internal domain is specified.
CEQASP-5528 API Sentinel: New inventory displays "n/a" if there is more than one auth type
CEQASP-5529 API Sentinel: New Inventory endpoint details does not reflect updates to the class type
CEQASP-5556 API Sentinel: Login Endpoint is being flagged for No Auth
CEQASP-5563 API Sentinel: clear Risk does not update API Endpoints Details Risk tab
CEQASP-5564 API Sentinel: NLP PII_customer_account creating too many false positives
CEQASP-5572 Filters for Location Source in Sensitive Data Dashboard broken
CEQASP-5580 API Sentinel: Ad hoc report data display issues
CEQASP-5581 API Sentinel: V2 rule to find secret | key not ported to V3 rules
CEQASP-5596 Transaction widget on Sentinel Dashboard should show count from Defender
CEQASP-5598 error in bff when graphql response is empty
CEQASP-5602 Risk contributors are missing on the new inventory -
CEQASP-5606 API Sentinel: third party detection does not work with two character country code domains
CEQASP-5640 [Elasticsearch Init] Remove readonly from ILM template for all indices
CEQASP-5789 Traffic metrics hangs on any API call that needs backend communication to Elasticsearch
CEQASP-5813 SensorBridge - Update connector version to release-5.2.2 for the connector bug fixes
CEQASP-5841 saml user with uppercase email chars does not show as federated
Release 7.4.1
CEQASP-4167 Spartan support for new filtering, rate-limiting, and data-masking
CEQASP-4739 Sentinel support for new filtering, rate-limiting, and data-masking - Intelligent Edge
On-Premises Deployments
| Package | Version | Location |
| --- | --- | --- |
| Helm Chart | 7.4.2 | https://cequence.gitlab.io/helm-charts/ |