Events Introduction

Security automation playbooks are triggered by events.

Event categories:

  • built-in: automatically tracked based on your traffic.
  • custom: tracked using Sqreen SDK.

Refer to your technology guide to learn how to track your first custom events.

The app.sqreen namespace is reserved for events tracked by Sqreen.

Event Explorer

Visit the Event Explorer from your dashboard to dig into the events tracked from your applications.

From the event Live Feed, click on an entry to review its payload.

Schema

HTTP request context

The HTTP request context (serialised as the request object) is tracked by Sqreen automatically and cannot be customised at the moment.

{
    "name": "", // the unique event identifier
    "request": { // HTTP request context tracked by Sqreen, cannot be customised.
        "referer": "", // URL that linked to the resource being requested
        "remote_port": "", // Remote client port
        "port": "", // Application host server port
        "headers": {}, // Collection of HTTP headers set in the request
        "scheme": "", // HTTP scheme used
        "path": "", // Path requested
        "parameters": {
            "json": {}, // JSON request body
            "query": {}, // request query parameters
            "form": [], // request form data
            "other": {} // request body (serialisation not recognized)
        },
        "remote_ip": "", // IP of the remote client
        "rid": "", // Sqreen request UUID
        "user_agent": "", // Request user agent
        "host": "", // Application host server IP
        "verb": "" // Request HTTP verb
    },
    "properties": {}, // Custom properties
    "client_ip": "", // Remote client IP
    "timestamp": "" // Event timestamp formatted in RFC3339
}

Sample event

{
    "name": "app.sqreen.foobar",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "properties": {
        "plugin": "sql_injection_pg",
        "category": "injection"
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}
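
The following is an added example, not part of Sqreen's documentation or SDK: a consumer-side check that validates an event payload against the schema above, parses the RFC3339 timestamp, flags names in the reserved app.sqreen namespace, and flattens the request parameters so every value can be inspected uniformly. The function names, the returned dictionary layout and the dot-separated prefix match are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone
from ipaddress import ip_address

# Reserved for events tracked by Sqreen (per the page); dot-separated matching is an assumption.
RESERVED_NAMESPACE = "app.sqreen"
EVENT_KEYS = {"name", "request", "properties", "client_ip", "timestamp"}
REQUEST_KEYS = {"referer", "remote_port", "port", "headers", "scheme", "path",
                "parameters", "remote_ip", "rid", "user_agent", "host", "verb"}
# Constructed sample, abbreviated from the sample event on this page.
SAMPLE = json.dumps({
    "name": "app.sqreen.foobar", "properties": {"category": "injection"},
    "client_ip": "77.78.114.178", "timestamp": "2018-07-11T14:48:23.698699+00:00",
    "request": {"referer": None, "remote_port": "", "port": "80", "headers": {},
                "scheme": "http", "path": "/foo/bar", "remote_ip": "138.17.125.79",
                "rid": "03ec31ad9f5e5776866327357890b58d", "user_agent": "",
                "host": "241.59.142.81", "verb": "GET",
                "parameters": {"json": {}, "form": [], "other": {},
                               "query": {"lang": "<script>foo</script>"}}}})

def flatten(value, prefix):
    """Yield (path, leaf) pairs from nested dicts and lists."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from flatten(item, f"{prefix}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from flatten(item, f"{prefix}[{index}]")
    else:
        yield prefix, value

def normalize_event(raw):
    """Validate an event against the documented schema and return typed fields."""
    event = json.loads(raw)
    request = event.get("request") or {}
    missing = sorted(EVENT_KEYS - event.keys()) + sorted(
        "request." + key for key in REQUEST_KEYS - request.keys())
    if missing:
        raise ValueError(f"missing fields: {missing}")
    stamp = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    if stamp.tzinfo is None:
        raise ValueError("timestamp has no UTC offset, not RFC 3339")
    name = event["name"]
    return {
        "name": name,
        "reserved": name == RESERVED_NAMESPACE or name.startswith(RESERVED_NAMESPACE + "."),
        "time_utc": stamp.astimezone(timezone.utc),
        "client_ip": ip_address(event["client_ip"]),  # raises ValueError if malformed
        "parameters": dict(flatten(request["parameters"], "parameters")),
    }
```

Calling normalize_event(SAMPLE) returns the query value under the key parameters.query.lang, and a payload missing any documented field is rejected with the list of missing field names.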