Built-in events

Security automation has been designed with extensibility in mind: you can track as many custom events tied to your app's business logic as you need to automate security scenarios.

That said, there is already a lot that Sqreen can learn from your apps' traffic.

The app.sqreen namespace is reserved for events tracked by Sqreen.

Visit the events payload section to learn more about the event's schema.

app.sqreen.plugins.attack

Description

Tracks attacks performed on your application.

Custom properties

Name: category
Description: category of the attack performed
Type: string
Allowed values:
• injection
• http_error

Name: plugin
Description: source security plugin which detected the attack
Type: string
Allowed values:
• sql_injection_mysql
• sql_injection_mariadb
• sql_injection_pg
• sql_injection_sqlite
• sql_injection_hql
• nosql_injection_mongodb
• sql_injection_doctrine
• lfi
• shell_injection
• csp
• vulnerable_dependencies
• shellshock
• xss_jade
• xss_erb
• xss_haml
• xss_slim
• xss_django
• xss_jinja2
• xss_php
• xss_freemarker
• xss_gsp_codehaus
• xss_gsp
• xss_jsp
• xss_thymeleaf
• xss_velocity
• account_enumeration
• account_takeover
• failed_auth_peak
• account_creation_peak
• user_risk_increase
• blacklist_ip
• crs
• http_scan
• http_5xx_peak
• browser_directive_xss_protection
• browser_directive_referral_policy
• browser_directive_iframe_options
• browser_directive_content_type_options
• security_scan
• massive_http_scan
• code_injection

Sample event

{
    "name": "app.sqreen.plugins.attack",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip": {
        "geo": {
            "code": "USA",
            "point": [-77.4728, 39.0481],
            "city": "Ashburn"
        },
        "date_resolved": "2018-10-08T15:26:17.313000+00:00",
        "hostname": "ec2-54-167-78-181.compute-1.amazonaws.com",
        "address": "54.167.78.181",
        "is_tor": false
    },
    "properties": {
        "plugin": "sql_injection_pg",
        "category": "injection"
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}

app.sqreen.users.login

Description

Tracks login activity from your users.

Sourced from calls to the auth_track SDK methods or from compatible libraries (Devise, Passport, etc.).

Custom properties

Name: success
Description: indicates whether a login was successful
Type: boolean
Allowed values:
• true
• false

Sample event

{
    "name": "app.sqreen.users.login",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip": {
        "geo": {
            "code": "USA",
            "point": [-77.4728, 39.0481],
            "city": "Ashburn"
        },
        "date_resolved": "2018-10-08T15:26:17.313000+00:00",
        "hostname": "ec2-54-167-78-181.compute-1.amazonaws.com",
        "address": "54.167.78.181",
        "is_tor": false
    },
    "properties": {
        "success": false
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}
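Added example (not Sqreen's code): a consumer that triages a batch of these events using only fields shown in the samples above (name, properties, client_ip, timestamp). The function names, the 5-minute window, the threshold of 3, the alert labels and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ATTACK = "app.sqreen.plugins.attack"
LOGIN = "app.sqreen.users.login"
ATTACK_CATEGORIES = {"injection", "http_error"}  # allowed values listed on this page


def triage(events, window=timedelta(minutes=5), threshold=3):
    """Return alert tuples (kind, client_ip, detail) for a batch of events."""
    alerts = []
    failures = defaultdict(deque)  # client_ip -> timestamps of failed logins
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"])):
        props = ev.get("properties", {})
        ip = ev.get("client_ip")
        ts = datetime.fromisoformat(ev["timestamp"])
        if ev.get("name") == ATTACK:
            category = props.get("category")
            if category not in ATTACK_CATEGORIES:
                # Unexpected value: surface it instead of silently trusting it.
                alerts.append(("schema_violation", ip, repr(category)))
                continue
            alerts.append(("attack", ip, props.get("plugin")))
        elif ev.get("name") == LOGIN and props.get("success") is False:
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) == threshold:  # alert once when the threshold is reached
                alerts.append(("failed_login_burst", ip, len(recent)))
    return alerts


def _event(name, ip, ts, **properties):
    # Constructed sample data (documentation IP ranges), not real traffic.
    return {"name": name, "client_ip": ip, "timestamp": ts, "properties": properties}


SAMPLE = [
    _event(LOGIN, "203.0.113.7", "2018-07-11T14:48:23.698699+00:00", success=False),
    _event(LOGIN, "203.0.113.7", "2018-07-11T14:49:01.000000+00:00", success=False),
    _event(ATTACK, "198.51.100.9", "2018-07-11T14:49:30.000000+00:00",
           plugin="sql_injection_pg", category="injection"),
    _event(LOGIN, "203.0.113.7", "2018-07-11T14:50:10.000000+00:00", success=False),
    _event(LOGIN, "203.0.113.7", "2018-07-11T14:50:40.000000+00:00", success=True),
    _event(ATTACK, "198.51.100.9", "2018-07-11T14:51:00.000000+00:00",
           plugin="xss_erb", category="unknown"),
]
```

The sliding window is keyed on client_ip, so failed logins spread further apart than the window never accumulate into a burst alert.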

app.sqreen.host.login

Description

Tracks new hosts connecting to Sqreen.

Custom properties

Name: runtime_type
Description: the app's runtime technology
Allowed values:
• ruby
• CPython
• etc.

Sample event

{
    "name": "app.sqreen.host.login",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip": {
        "geo": {
            "code": "USA",
            "point": [-77.4728, 39.0481],
            "city": "Ashburn"
        },
        "date_resolved": "2018-10-08T15:26:17.313000+00:00",
        "hostname": "ec2-54-167-78-181.compute-1.amazonaws.com",
        "address": "54.167.78.181",
        "is_tor": false
    },
    "properties": {
        "runtime_type": "ruby"
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}