Response to comments: improve tests

te te
DataDog · Jan 16, 2025 · 87255a9 · 87255a9
1 parent 2a558cb
commit 87255a9
Show file tree

Hide file tree

Showing 28 changed files with 148 additions and 46 deletions.
diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/HttpTransportBase.cs
@@ -8,7 +8,6 @@
 using System.Collections.Generic;
 using Datadog.Trace.AppSec.Waf;
 using Datadog.Trace.Headers;
-using Datadog.Trace.Vendors.Serilog;
 #if !NETFRAMEWORK
 using Microsoft.AspNetCore.Http;
 #else

diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.Core.cs
@@ -10,6 +10,7 @@
 using System.Collections;
 using System.Collections.Generic;
 using System.Linq;
+using System.Runtime.CompilerServices;
 using Datadog.Trace.AppSec.Waf;
 using Datadog.Trace.Headers;
 using Datadog.Trace.Util.Http;

diff --git a/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs b/tracer/src/Datadog.Trace/AppSec/Coordinator/SecurityCoordinator.cs
@@ -149,29 +149,6 @@ internal readonly partial struct SecurityCoordinator
         return result;
     }
 
-    internal IContext? GetOrCreateAdditiveContext()
-    {
-        var additiveContext = _httpTransport.GetAdditiveContext();
-
-        if (additiveContext == null)
-        {
-            additiveContext = _security.CreateAdditiveContext();
-            // prevent very cases where waf has been disposed between here and has been passed as argument until the 2nd line of constructor..
-            if (additiveContext is not null)
-            {
-                _httpTransport.SetAdditiveContext(additiveContext);
-            }
-        }
-
-        if (!_httpTransport.IsAdditiveContextDisposed())
-        {
-            return additiveContext;
-        }
-
-        Log.Warning("Waf could not run as waf additive context is disposed");
-        return null;
-    }
-
     private static void RecordTelemetry(IResult? result)
     {
         if (result == null)

diff --git a/tracer/src/Datadog.Trace/AppSec/Security.cs b/tracer/src/Datadog.Trace/AppSec/Security.cs
@@ -632,7 +632,6 @@ internal bool IsMetaStructSupported()
 
         private void UpdateActiveAddresses()
         {
-            // So far, RASP is the only one that uses this
             if (_waf?.IsKnowAddressesSuported() is true)
             {
                 var addresses = _waf.GetKnownAddresses();

diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetCore5AutoUserEvents.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/AspNetCore5AutoUserEvents.cs
@@ -10,6 +10,8 @@
 using System.Net;
 using System.Text.RegularExpressions;
 using System.Threading.Tasks;
+using Datadog.Trace.AppSec.Rcm.Models.AsmData;
+using Datadog.Trace.RemoteConfigurationManagement;
 using Datadog.Trace.TestHelpers;
 using FluentAssertions;
 using VerifyTests;
@@ -91,8 +93,33 @@ protected async Task TestAuthenticatedRequest()
         {
             await TryStartApp();
             var settings = VerifyHelper.GetSpanVerifierSettings();
+            VerifyScrubber.ScrubSessionFingerprint(settings);
             var request = await SubmitRequest("/Account/Index", "Input.UserName=TestUser2&Input.Password=test", contentType: "application/x-www-form-urlencoded");
             request.StatusCode.Should().Be(HttpStatusCode.OK);
+            // this is for testuser2 in the in memory user store and appdb
+            var userId = "7ccfa5b9-14c2-42b9-8064-834b8293aef4";
+            var request2 = await _fixture.Agent.SetupRcmAndWait(
+                               Output,
+                               [
+                                   (new Payload
+                                    {
+                                        RulesData =
+                                        [
+                                            new RuleData
+                                            {
+                                                Id = "blocked_users",
+                                                Type = "data_with_expiration",
+                                                Data =
+                                                [
+                                                    new Data { Expiration = 0, Value = userId }, new Data { Expiration = 0, Value = "blocked-user" }
+                                                ]
+                                            }
+                                        ]
+                                    },
+                                    RcmProducts.AsmData, nameof(TestAuthenticatedRequest)),
+                               ]);
+            request2.Should().NotBeNull();
+            request2.CachedTargetFiles.Should().HaveCount(_enableSecurity ? 1 : 0);
             await TestAppSecRequestWithVerifyAsync(_fixture.Agent, "/Account/SomeAuthenticatedAction", null, 1, 1, settings, fileNameOverride: GetTestFileName(nameof(TestAuthenticatedRequest)));
             // reset memory database (useless for net7 as it runs with EF7 on app.db
             await SendRequestsAsync(_fixture.Agent, "/account/reset-memory-db");

diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/Data/app.db b/tracer/test/Datadog.Trace.Security.IntegrationTests/Data/app.db
diff --git a/tracer/test/Datadog.Trace.Security.IntegrationTests/VerifyScrubber.cs b/tracer/test/Datadog.Trace.Security.IntegrationTests/VerifyScrubber.cs
@@ -2,6 +2,7 @@
 // Unless explicitly stated otherwise all files in this repository are licensed under the Apache 2 License.
 // This product includes software developed at Datadog (https://www.datadoghq.com/). Copyright 2017 Datadog, Inc.
 // </copyright>
+
 #nullable enable
 using System.Text.RegularExpressions;
 using Datadog.Trace.TestHelpers;
@@ -11,14 +12,23 @@ namespace Datadog.Trace.Security.IntegrationTests;
 
 internal class VerifyScrubber
 {
-    private static readonly Regex AppSecFingerPrintSession = new(@"_dd.appsec.fp.session: ssn.[\s\-a-z0-9]*", RegexOptions.IgnoreCase | RegexOptions.Compiled);
+    private static readonly Regex AppSecFingerPrintSession = new(@"(_dd\.appsec\.fp\.session: ssn-(?:[a-zA-Z0-9]+-){1})([a-zA-Z0-9]+-[a-zA-Z0-9]+-[a-zA-Z0-9]+)(,)?", RegexOptions.IgnoreCase | RegexOptions.Compiled);
+    private static readonly Regex AppSecPartialFingerPrintSession = new(@"(_dd\.appsec\.fp\.session: ssn-(?:[a-zA-Z0-9]*-){3})(?:[a-zA-Z0-9]+)(,)?", RegexOptions.IgnoreCase | RegexOptions.Compiled);
     private static readonly Regex AuthenticationCollectionMode = new(@"_dd.appsec.user.collection_mode: .*,", RegexOptions.IgnoreCase | RegexOptions.Compiled);
 
-    public static void ScrubAuthenticatedTags(VerifySettings settings)
+    internal static void ScrubAuthenticatedTags(VerifySettings settings)
     {
         // these tags are added by HttpContext.SetUser. After a login event it's not always called by all framework versions
         // we dont want to test authenticated tags here anyway, as they're tested by TestAuthenticatedRequest
         settings.AddRegexScrubber(AuthenticationCollectionMode, string.Empty);
-        settings.AddRegexScrubber(AppSecFingerPrintSession, "_dd.appsec.fp.session: <SessionFp>");
+        PartialScrubSessionFingerprint(settings);
     }
+
+    /// <summary>
+    /// Everytime we are going to have a different session id so we need to at least scrub the part with the session
+    /// </summary>
+    /// <param name="settings">settings</param>
+    internal static void ScrubSessionFingerprint(VerifySettings settings) => settings.AddRegexScrubber(AppSecFingerPrintSession, "$1<CookieFieldsHash><CookieHash>-<SessionFp>$3");
+
+    internal static void PartialScrubSessionFingerprint(VerifySettings settings) => settings.AddRegexScrubber(AppSecPartialFingerPrintSession, "$1<FpSession>");
 }
diff --git a/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityEnabled._.verified.txt b/tracer/test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityEnabled._.verified.txt
@@ -32,7 +32,7 @@
       _dd.appsec.events.users.login.success.auto.mode: identification,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: <SessionFp>,
+      _dd.appsec.fp.session: ssn-7bcd1c9f-<CookieFieldsHash><CookieHash>-<SessionFp>,
       _dd.appsec.usr.id: Guid_2,
       _dd.appsec.usr.login: TestUser,
       _dd.runtime_family: dotnet

diff --git a/...test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityRemoteActivated._.verified.txt b/...test/snapshots/Security.AspNetCore5AsmFeatureUserIdSecurityRemoteActivated._.verified.txt
@@ -32,7 +32,7 @@
       _dd.appsec.events.users.login.success.auto.mode: identification,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: <SessionFp>,
+      _dd.appsec.fp.session: ssn-7bcd1c9f-<CookieFieldsHash><CookieHash>-<SessionFp>,
       _dd.appsec.usr.id: Guid_2,
       _dd.appsec.usr.login: TestUser,
       _dd.runtime_family: dotnet

diff --git a/...urity.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestAuthenticatedRequest.verified.txt b/...urity.AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestAuthenticatedRequest.verified.txt
@@ -24,9 +24,9 @@
       network.client.ip: 127.0.0.1,
       runtime-id: Guid_1,
       span.kind: server,
-      usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
+      usr.id: anon_74ff86ebe90bfdc4f169315d955bacd1,
       _dd.appsec.user.collection_mode: anonymization,
-      _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
+      _dd.appsec.usr.id: anon_74ff86ebe90bfdc4f169315d955bacd1,
       _dd.runtime_family: dotnet
     },
     Metrics: {

diff --git a/....AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.blocked-user.verified.txt b/....AspNetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.blocked-user.verified.txt
@@ -12,6 +12,7 @@
       appsec.event: true,
       appsec.events.users.login.success.some-metadata: some-value,
       appsec.events.users.login.success.track: true,
+      appsec.events.users.login.success.usr.login: anon_eb97d409396a3e5392936dad92b909da,
       aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5),
       aspnet_core.route: {controller=home}/{action=index}/{id?},
       component: aspnet_core,
@@ -34,12 +35,15 @@
       runtime-id: Guid_1,
       span.kind: server,
       usr.id: blocked-user,
+      _dd.appsec.events.users.login.success.auto.mode: anonymization,
       _dd.appsec.events.users.login.success.sdk: true,
       _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: <SessionFp>,
+      _dd.appsec.fp.session: ssn-ef8eb89f---,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]},
+      _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
+      _dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da,
       _dd.origin: appsec,
       _dd.runtime_family: dotnet
     },

diff --git a/...NetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.not-blocked-user.verified.txt b/...NetCore5AutoUserEvents.SecurityOn.anonmode-TestLoginWithSdk.not-blocked-user.verified.txt
@@ -32,6 +32,10 @@
       usr.id: not-blocked-user,
       _dd.appsec.events.users.login.success.auto.mode: anonymization,
       _dd.appsec.events.users.login.success.sdk: true,
+      _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
+      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
+      _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn-ef8eb89f---,
       _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
       _dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da,
       _dd.runtime_family: dotnet

diff --git a/...ts/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-login.auto.success.verified.txt b/...ts/Security.AspNetCore5AutoUserEvents.SecurityOn.anonmode-login.auto.success.verified.txt
@@ -32,7 +32,7 @@
       _dd.appsec.events.users.login.success.auto.mode: anonymization,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: <SessionFp>,
+      _dd.appsec.fp.session: ssn-ef8eb89f---,
       _dd.appsec.usr.id: anon_7bcd1c9fc4f6e4c2460e0ad38d6ad0d9,
       _dd.appsec.usr.login: anon_eb97d409396a3e5392936dad92b909da,
       _dd.runtime_family: dotnet

diff --git a/...ty.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestAuthenticatedRequest.verified.txt b/...ty.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-TestAuthenticatedRequest.verified.txt
@@ -7,34 +7,49 @@
     Service: Samples.Security.AspNetCore5,
     Type: web,
     Tags: {
+      actor.ip: 86.242.244.246,
+      appsec.blocked: true,
+      appsec.event: true,
       aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.SomeAuthenticatedAction (Samples.Security.AspNetCore5),
       aspnet_core.route: {controller=home}/{action=index}/{id?},
       component: aspnet_core,
       env: integration_tests,
       http.client_ip: 127.0.0.1,
+      http.endpoint: {controller=home}/{action=index}/{id?},
       http.method: GET,
       http.request.headers.host: localhost:00000,
       http.request.headers.user-agent: Mistake Not...,
       http.request.headers.x-forwarded-for: 86.242.244.246,
+      http.response.headers.content-type: application/json,
       http.route: {controller=home}/{action=index}/{id?},
-      http.status_code: 200,
+      http.status_code: 403,
       http.url: http://localhost:00000/Account/SomeAuthenticatedAction,
       http.useragent: Mistake Not...,
       language: dotnet,
       network.client.ip: 127.0.0.1,
       runtime-id: Guid_1,
       span.kind: server,
       usr.id: Guid_2,
+      _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
+      _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn-74ff86eb-<CookieFieldsHash><CookieHash>-<SessionFp>,
+      _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["Guid_2"],"key_path":[],"value":"Guid_2"}]}]}]},
       _dd.appsec.user.collection_mode: identification,
       _dd.appsec.usr.id: Guid_2,
+      _dd.origin: appsec,
       _dd.runtime_family: dotnet
     },
     Metrics: {
       process_id: 0,
       _dd.appsec.enabled: 1.0,
+      _dd.appsec.waf.duration: 0.0,
+      _dd.appsec.waf.duration_ext: 0.0,
       _dd.top_level: 1.0,
       _dd.tracer_kr: 1.0,
       _sampling_priority_v1: 2.0
+    },
+    MetaStruct: {
+      appsec: 
     }
   }
 ]
diff --git a/...pNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.blocked-user.verified.txt b/...pNetCore5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.blocked-user.verified.txt
@@ -12,6 +12,7 @@
       appsec.event: true,
       appsec.events.users.login.success.some-metadata: some-value,
       appsec.events.users.login.success.track: true,
+      appsec.events.users.login.success.usr.login: TestUser,
       aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5),
       aspnet_core.route: {controller=home}/{action=index}/{id?},
       component: aspnet_core,
@@ -34,12 +35,15 @@
       runtime-id: Guid_1,
       span.kind: server,
       usr.id: blocked-user,
+      _dd.appsec.events.users.login.success.auto.mode: identification,
       _dd.appsec.events.users.login.success.sdk: true,
       _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: <SessionFp>,
+      _dd.appsec.fp.session: ssn-7bcd1c9f---,
       _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]},
+      _dd.appsec.usr.id: Guid_2,
+      _dd.appsec.usr.login: TestUser,
       _dd.origin: appsec,
       _dd.runtime_family: dotnet
     },

diff --git a/...Core5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.not-blocked-user.verified.txt b/...Core5AutoUserEvents.SecurityOn.defaultmode-TestLoginWithSdk.not-blocked-user.verified.txt
@@ -32,6 +32,10 @@
       usr.id: not-blocked-user,
       _dd.appsec.events.users.login.success.auto.mode: identification,
       _dd.appsec.events.users.login.success.sdk: true,
+      _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
+      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
+      _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn-7bcd1c9f---,
       _dd.appsec.usr.id: Guid_2,
       _dd.appsec.usr.login: TestUser,
       _dd.runtime_family: dotnet

diff --git a/...Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-login.auto.success.verified.txt b/...Security.AspNetCore5AutoUserEvents.SecurityOn.defaultmode-login.auto.success.verified.txt
@@ -32,7 +32,7 @@
       _dd.appsec.events.users.login.success.auto.mode: identification,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: <SessionFp>,
+      _dd.appsec.fp.session: ssn-7bcd1c9f---,
       _dd.appsec.usr.id: Guid_2,
       _dd.appsec.usr.login: TestUser,
       _dd.runtime_family: dotnet

diff --git a/...y.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestAuthenticatedRequest.verified.txt b/...y.AspNetCore5AutoUserEvents.SecurityOn.extendedmode-TestAuthenticatedRequest.verified.txt
@@ -7,34 +7,49 @@
     Service: Samples.Security.AspNetCore5,
     Type: web,
     Tags: {
+      actor.ip: 86.242.244.246,
+      appsec.blocked: true,
+      appsec.event: true,
       aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.SomeAuthenticatedAction (Samples.Security.AspNetCore5),
       aspnet_core.route: {controller=home}/{action=index}/{id?},
       component: aspnet_core,
       env: integration_tests,
       http.client_ip: 127.0.0.1,
+      http.endpoint: {controller=home}/{action=index}/{id?},
       http.method: GET,
       http.request.headers.host: localhost:00000,
       http.request.headers.user-agent: Mistake Not...,
       http.request.headers.x-forwarded-for: 86.242.244.246,
+      http.response.headers.content-type: application/json,
       http.route: {controller=home}/{action=index}/{id?},
-      http.status_code: 200,
+      http.status_code: 403,
       http.url: http://localhost:00000/Account/SomeAuthenticatedAction,
       http.useragent: Mistake Not...,
       language: dotnet,
       network.client.ip: 127.0.0.1,
       runtime-id: Guid_1,
       span.kind: server,
       usr.id: Guid_2,
+      _dd.appsec.fp.http.header: hdr-0000000000-3626b5f8-1-4740ae63,
+      _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn-74ff86eb-<CookieFieldsHash><CookieHash>-<SessionFp>,
+      _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["Guid_2"],"key_path":[],"value":"Guid_2"}]}]}]},
       _dd.appsec.user.collection_mode: identification,
       _dd.appsec.usr.id: Guid_2,
+      _dd.origin: appsec,
       _dd.runtime_family: dotnet
     },
     Metrics: {
       process_id: 0,
       _dd.appsec.enabled: 1.0,
+      _dd.appsec.waf.duration: 0.0,
+      _dd.appsec.waf.duration_ext: 0.0,
       _dd.top_level: 1.0,
       _dd.tracer_kr: 1.0,
       _sampling_priority_v1: 2.0
+    },
+    MetaStruct: {
+      appsec: 
     }
   }
 ]
diff --git a/...NetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.blocked-user.verified.txt b/...NetCore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.blocked-user.verified.txt
@@ -12,6 +12,7 @@
       appsec.event: true,
       appsec.events.users.login.success.some-metadata: some-value,
       appsec.events.users.login.success.track: true,
+      appsec.events.users.login.success.usr.login: TestUser,
       aspnet_core.endpoint: Samples.Security.AspNetCore5.Controllers.AccountController.Index (Samples.Security.AspNetCore5),
       aspnet_core.route: {controller=home}/{action=index}/{id?},
       component: aspnet_core,
@@ -34,12 +35,15 @@
       runtime-id: Guid_1,
       span.kind: server,
       usr.id: blocked-user,
+      _dd.appsec.events.users.login.success.auto.mode: identification,
       _dd.appsec.events.users.login.success.sdk: true,
       _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
       _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
       _dd.appsec.fp.http.network: net-1-1000000000,
-      _dd.appsec.fp.session: <SessionFp>,
+      _dd.appsec.fp.session: ssn-7bcd1c9f---<FpSession>
       _dd.appsec.json: {"triggers":[{"rule":{"id":"blk-001-002","name":"Block User Addresses","tags":{"category":"security_response","type":"block_user"}},"rule_matches":[{"operator":"exact_match","operator_value":"","parameters":[{"address":"usr.id","highlight":["blocked-user"],"key_path":[],"value":"blocked-user"}]}]}]},
+      _dd.appsec.usr.id: Guid_2,
+      _dd.appsec.usr.login: TestUser,
       _dd.origin: appsec,
       _dd.runtime_family: dotnet
     },

diff --git a/...ore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.not-blocked-user.verified.txt b/...ore5AutoUserEvents.SecurityOn.extendedmode-TestLoginWithSdk.not-blocked-user.verified.txt
@@ -32,6 +32,10 @@
       usr.id: not-blocked-user,
       _dd.appsec.events.users.login.success.auto.mode: identification,
       _dd.appsec.events.users.login.success.sdk: true,
+      _dd.appsec.fp.http.endpoint: http-post-ae2b84ee-5843629a-,
+      _dd.appsec.fp.http.header: hdr-0000000100-3626b5f8-2-da57b738,
+      _dd.appsec.fp.http.network: net-1-1000000000,
+      _dd.appsec.fp.session: ssn-7bcd1c9f---<FpSession>
       _dd.appsec.usr.id: Guid_2,
       _dd.appsec.usr.login: TestUser,
       _dd.runtime_family: dotnet