Observe your app security with Sqreen

Beyond protecting your applications, microservices, and APIs from malicious attacks, Sqreen offers real-time visibility into the behavior of the apps across your network infrastructure.

Inventory your application assets

Sqreen leverages its placement inside your apps to catalog and make available information about apps and assets. The App Inventory compiles a table that displays details about each app, which enables you to search across apps in multiple environments for answers to security questions. For example, you can use Sqreen to search for all apps in production with a high security risk.

Further leveraging the insider information the Sqreen microagents collect, you can use the App Inventory to gain visibility into individual apps in your infrastructure. Without reading the code of each app or trying to discern what an app does from its behavior within a distributed system, you can use the metadata the microagent collected to reveal the inner-workings of your apps.

With this revealed information available, you have the opportunity to observe the “big picture” of all the apps in your infrastructure, acting as a source-of-truth list of your infrastructure’s apps, assets, and dependencies. Use filters to search across multiple environments for answers to security questions, like "Which apps in production are performing database requests but not using an ORM?"

The following table lists the information the App Inventory makes available.

App Inventory section Application details
App information Name, Environment
Security information Risk, Incidents, Security weaknesses, Blocked actors, First connected at
Sqreen configuration status RASP, In-app WAF, CSP, Security headers, Is sqreen enabled
Stack information Technology, Frameworks, Packages, ORMs, Templating engines

Further enriching your "big picture" view, the Security Flow Map helps you visualize your infrastructure and how the parts interact with each other.

Observe security activity

Beyond getting a "big picture" view of your app infrastructure, you can get a similar view of activity. Access Security Activity to study all the requests that triggered a Protection (RASP, In-App WAF, Security Header, CSP) or SDK event in your apps. This view organizes security activity across apps in your infrastructure so that you can get a broad sense of the type and volume of suspicious behavior that is occuring within your entire app infrastructure.


By presenting this information objectively, without trying to correlate activity or discern patterns, Sqreen gives you the opportunity to zero in on behavior that you identify as suspicious. Apply filters to quickly narrow your search into a particular user's activity, a particular path attackers are using, or a specific type of vulnerability. Drill into individual activities to examine details such as IP address and user, the timeline of what happened and why Sqreen reported the activity, and even the raw payload of the request. Where the security activity is one element of a an identifiable security incident, you can follow a link directly to Incidents to explore the full context of the attack.

From inside your apps, the Sqreen Microagents send security signals (security metadata about app traffic) to the Sqreen Platform. The platform uses the information to monitor and protect your app, but you can use it to get to know an app. The security signals let you hold a magnifying glass up to an app: learn what it does with Personally Identifiable Information (PII) for example, or which third-party applications it calls. Use the Events Explorer to examine these signals and study the way an app behaves when it is under attack; this might reveal a bug or vulnerability that you can take steps to address.

The primary source for real-time data about your app’s security status is the Monitoring view in the Sqreen Dashboard. Monitor the volume of malicious requests and blocked attacks over time, assess the app’s security risk (low, medium, high), and review recent security incidents all in one place. Notably, Sqreen’s In-App WAF limits the volume of false positives security incidents. This allows your team to focus on addressing signals (true threats) instead of noise (false positives).

Where the Events Explorer and Security Activity offer a relatively raw and objective view of activity in your app(s), the Incidents feature applies an intelligent layer of context for a concerted attack on a specific app. Review incidents, such as an attempted SQL injection or Shell injection, and drill down into the details to examine the timeline and geolocation of an exploited vulnerability. Follow the advice each incident offers for actions you can take to mitigate an issue. For example, if Sqreen detects that "A brute force attack compromised user accounts", the Incident details make a suggestion: "You should block this account as soon as possible and contact the user." You can also use the Denylist/Passlist IP button to instantly and permanently block the IP address involved in the incident from accessing the app.

With the knowledge you gain from examining security activity and incidents, you may wish to create an In-App WAF custom rule to log or block specific requests. For example, create a rule that blocks POST requests to a specific path where the request header does not contain a referer. Read more about custom rules in the Log or block requests documentation.

Monitor suspicious users

Use Sqreen’s built-in or integrated User Monitoring feature to observe suspicious user activity and take steps to prevent an attack before it happens. Sqreen uses a risk score to identify users that warrant monitoring such as users who have accessed the Darknet, or users with unexpected geographic locations or shared accounts. Drill into a user’s details to examine their activities over time and use a Security Automation Playbook to arrange to block a malicious user from accessing, or further attacking, your app.

Sqreen offers built-in and integrated user monitoring capabilities:

  • Automatic user monitoring: Several Sqreen Microagents give you the ability to automatically monitor user activity from the Sqreen Dashboard. If your app’s HTTP authenticator is compatible with the Sqreen microagent, you can start monitoring users’ behavior out of the box.

  • Advanced user monitoring: Where a microagent does not facilitate automatic user monitoring or when you want your app to track more advanced user behavior, you can install and use the Sqreen SDK for User monitoring. Then, you can create custom events to track and record user activity specific to your app.

Navigate to User monitoring to review the risk scores and flags that Sqreen assigns to users that warrant careful monitoring. You can use risk scores, flags, and filters to narrow the focus of your investigation into a particular user's activity, then drill further into a user's details.

Sqreen applies a risk score to a user identifier to indicate the potential threat the user represents. A risk score increases when:

  • an authenticated user performed an attack on your app
  • a non-shared set of credentials was used to log in from two disparate locations at nearly the same time
  • a set of shared credentials was used to log in from two locations at nearly the same time
  • a user connected to your app from the Darknet (TOR, open proxies)
  • a user's activity displays evidence of an attempted Account Takeover Attack (ATO) or other, non-human behavior

Sqreen applies a flag to a user identifier to indicate the type of suspicious activity associated with the user.

  • TOR user: The user accessed, or attempted to access, your app from a TOR IP address.
  • Lost password: The user tried and failed to connect to your app three or more times.
  • Shared account: The user credentials of a shared account were used to log in to your app from two different locations at nearly the same time. Because the credentials are known to be shared amongst legitimate users, this may not be malicious behavior, but it is worth logging and tracking.
  • Seen once: The user has only successfully logged into your application once.
  • Inactive user: The user has not successfully logged into your application in more than two weeks.
  • Disposable email: The user used a disposable email account to connect to your application.
  • Multiple geo: The user credentials of a non-shared account were used to log in to your app from two different locations at nearly the same time. This behavior could be a benign indicator of a traveling user, or it could indicate that a user's credentials have been stolen or illegitimately shared.

Drill into a user’s details to examine their activities over time such as login successes and attempts, attempted attacks, geographical location, and authenticated IP addresses. You can drill even further down into each incident to examine attack details, request details, and backtraces. For example, for an attempted SQL Injection, you can drill into the event to see the database the user was attempting to access, the query the user wrote, and the port and path of the request.

As you monitor users and begin to notice suspicious behavior and attacks that Sqreen has blocked, you may want to prevent specific users from accessing, and attacking, your app. Use a Security Automation Playbook to temporarily or permanently block a malicious user from accessing your app. Read more about blocking users in the Security Automation Playbook documentation.

Integrate and streamline security responses

Beyond observing your apps, examining security incidents, and monitoring user activity, you can use Sqreen’s built-in and integrated functionality to streamline your security responses. Integrate Sqreen with third-party technologies to alert your team (email, Slack), or hook into other tools to build custom workflows. Use Security Automation Playbooks to streamline and automate your response to security events. For example, you can create a playbook that automatically blocks or redirects a malicious user, then sends a notification to a SecOps channel in Slack.

  • Turn on a Pre-defined Security Automation Playbook to instruct Sqreen to take action when it detects an anomaly or attack. For example, enable the “Reset password abuse” playbook to take action.
  • Install the SDK for user monitoring so that you can define your own custom events to track in your app. Use your custom events to craft your own Security Automation Playbooks. Refer to the "SDK for user monitoring" and "Track custom events" documentation for your technology's Sqreen Microagent.
  • Use Sqreen Webhooks to customize the way your playbook sends notifications to third-party tools or applications.