Quick start guide

This guide outlines the macro steps to follow to get off the ground and running with Sqreen.

Step 1: Create a Sqreen account

Sign up to create a free account with Sqreen. This gives you a 14-day free trial – no need for a non-disclosure agreement or screening call.

Sign in to the Sqreen Dashboard. Sqreen automatically generates a unique organization token that it uses to identify your entire organization. You will use this token when you install the Sqreen Microagent in your app.

Get started by following the product onboarding guide. It gives you access to a "Getting started app" and guides you through the steps to install, deploy, and start using Sqreen.

Step 2: Install the Sqreen Microagent

Connect a new app from your Sqreen Dashboard. Click "Select an application", then click “Connect a new application.”

Follow the steps in the onboarding guide to install the Sqreen Microagent, which is as straightforward as adding any library to your application. Reference the documentation for the microagent that matches the language of your app.

• Node.js
• Ruby
• PHP
• Java
• Go
• Python

Alternatively, you can implement the Sqreen Microagent as a security add-on from the Heroku marketplace.

Step 3: Review, test, and deploy

Once installed, Sqreen configures itself automatically. Its Smart Stack Detection detects the specifics of your application's stack -- database, framework, template rendering engine -- and automatically configures a comprehensive set of security and protection modules.

Review the protection modules that the microagent automatically configured, if you wish. By default, Sqreen initiates all protections modules in "Log-only" mode, so it does not block requests until you’re ready.

Test Sqreen according to your use cases and environment. Consider testing how Sqreen responds to a security incident in your application.

Sqreen provides runtime security to ensure that your production environments are protected in real-time, while ensuring high availability and minimal impact to your application's performance. Once you have validated Sqreen's functionality with your application and tested Sqreen in your test environment, deploy the microagent to production and restart your application.

Step 4: Invite your teammates

To invite your teammates to Sqreen, log in to the Sqreen Dashboard, then navigate to Account > Team Members. Use the interface to send email invitations to your teammates.

Step 5: Enable blocking mode (optional)

Sqreen automatically deploys all protection modules in "Log-only" mode. This ensures that it does not start blocking suspicious requests until you're clear on the types of requests you want to block. After you have spent some time monitoring traffic in "Log-only" mode, consider switching some modules to "Blocking" mode to block critical attacks and prevent the exploitation of potential vulnerabilities.

A good starting point is to switch your RASP protection module to "Blocking" mode and leave your In-App WAF protection module in "Log-only" mode.

After Sqreen has gathered enough data about your application's traffic, the best way to determine which modules to switch to "Blocking" mode is to evaluate your security activity and security incidents. These illustrate the types of attacks and security events that are occurring in your application. With this information, you can make informed decisions about which modules to set to "Blocking" mode.

To fine-tune the way your In-App WAF module logs requests to your app, you can create custom rules. These rules enable you to log specific types of requests to your app according conditions and actions you define. For example, you can log all requests that return a 4XX status code response, or log all requests that are missing a specific header. Learn more about custom rules in the Log or block requests documentation.

Step 6: Set up user monitoring (optional)

Access User Monitoring in the Sqreen Dashboard to get new levels of visibility into your users' activity. User monitoring goes beyond IP-based visibility that network level solutions provide, enabling you to track users and take action to protect your app.

• Track suspicious activities performed by authenticated users. Authenticated access offers a broader attack surface allowing a user to query most endpoints (application backend services). Monitoring these activities is key to identifying attackers early.
• Protect your users from account takeovers. Detect automated credential-stuffing attacks and human-powered account takeovers to avoid sensitive data leaks or compromised users.

User monitoring in Sqreen has three modes: "Off", "Automatic", and "Advanced".

• Automatic: The Sqreen Microagent supports several HTTP authentication tools that automatically establish user context in your app. If the authentication tool your app uses is one that Sqreen supports (passport, devise, or django), the microagent can track user activity in your app using built-in events. You can set the User Monitoring setting to "Automatic" and begin monitoring users right away.

• Advanced: If the authentication tool your app uses is not one that Sqreen supports, you set the User Monitoring setting to "Advanced", then install and integrate the Sqreen SDK for user monitoring. This enables the microagent inside your app to track user activity using custom events. To use Advanced user monitoring, you must take the small extra steps to install the SDK and add three methods to your app, but it enables you to extend the scope of Sqreen's user monitoring.

Refer to the documentation for each microagent's SDK for user monitoring.

• Node.js
• Ruby
• PHP
• Java
• Go
• Python

Step 7: Protect your business logic (optional)

Sqreen enables you to monitor and protect against business-logic attacks and the security situations that matter most for the specifics of your business.

Use a Security Automation Playbook to automate custom security rules without having to redeploy your app. Use built-in events or custom events to define conditions, set a threshold, and instruct how Sqreen responds to an attack.

A playbook consists of three parts:

• A trigger is a condition (or multiple conditions) that you set based on a threshold of events that occur in a specific timeframe by a specific actor (user or IP address). For example, When app.sqreen.plugins.attack is performed 3 or more times over a period of 10 minutes by an IP.
• A security response is an action that you define to instruct Sqreen to block or redirect the bad actor to a specific page. For example, Block the IP for 5 minutes.
• A notification is an action that you customize to instruct Sqreen on how to notify you when user activity triggers the playbook. For example, Send a Slack notification to sec-admin-channel immediately.

Create a new playbook, or use a Pre-defined playbook to jumpstart your business logic protection.

To see an example of a Security Automation Playbook, review the Reset password abuse playbook.

Step 8: Integrate Sqreen with Slack and webhooks (optional)

Integrate Sqreen with your workflow to ensure that you get alerts in real-time when security incidents occur.

Integrate with Slack to send security notifications to your team when user activity triggers a security event.

Use Sqreen Webhooks to send Sqreen security data to a third-party tool in the form of an HTTP POST request. For example, when Sqreen detects that a user has repeatedly failed to login, it can POST a message to the Pager Duty REST API with the details of the security incident.

Integrate with New Relic or Splunk to incorporate Sqreen security incidents into your APM or SIEM analytics.

Read next

• How Sqreen works: In brief
• How Sqreen works: In depth
• Protect your app with Sqreen
• Observe your app with Sqreen
• Log or block requests
• Security Automation Playbooks