Built-in events¶ The Sqreen Microagent can track user activity in your app using built-in events. You can use built-in events to monitor users and create Security Automation Playbooks. Refer to Security Automation Playbooks for details on how and when to use built-in events. app.sqreen.plugins.attack¶ This event tracks attacks performed on your application. Custom properties¶ Name Description Type Allowed values category category of the attack performed string • injection• http_error plugin source security plugin which detected the attack string • sql_injection_mysql• sql_injection_mariadb• sql_injection_pg• sql_injection_sqlite• sql_injection_hql• nosql_injection_mongodb• sql_injection_doctrine• lfi• shell_injection• csp• vulnerable_dependencies• shellshock• xss_jade• xss_erb• xss_haml• xss_slim• xss_django• xss_jinja2• xss_php• xss_freemarker• xss_gsp_codehaus• xss_gsp• xss_jsp• xss_thymeleaf• xss_velocity• account_enumeration• account_takeover• failed_auth_peak• account_creation_peak• user_risk_increase• blacklist_ip• crs• http_scan• http_5xx_peak• browser_directive_xss_protection• browser_directive_referral_policy• browser_directive_iframe_options• browser_directive_content_type_options• security_scan• massive_http_scan• code_injection Sample event¶ { "name": "app.sqreen.plugins.attack", "request": { "referer": null, "remote_port": "", "port": "80", "headers": { "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159", "HTTP_X_REAL_IP": "104.32.80.211" }, "scheme": "http", "path": "/foo/bar", "parameters": { "json": {}, "query": { "lang": "<script>foo</script>" }, "form": [], "other": {} }, "remote_ip": "138.17.125.79", "rid": "03ec31ad9f5e5776866327357890b58d", "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "host": "241.59.142.81", "verb": "GET" }, "ip": { "geo": { "code":"USA", "point":[-77.4728,39.0481], "city":"Ashburn" }, "date_resolved":"2018-10-08T15:26:17.313000+00:00", 
"hostname":"ec2-54-167-78-181.compute-1.amazonaws.com", "address":"54.167.78.181", "is_tor":false } }, "properties": { "plugin": "sql_injection_pg", "category": "injection" }, "client_ip": "77.78.114.178", "timestamp": "2018-07-11T14:48:23.698699+00:00" } app.sqreen.users.login¶ This event tracks login activity from your users. The event is generated by calls to the auth_track SDK methods (trackLogin in Java) or by compatible libraries (Devise, Passport, Django). Custom properties¶ Name Description Type Allowed values success indicates whether the login attempt succeeded boolean • true• false Sample event¶ { "name": "app.sqreen.users.login", "request": { "referer": null, "remote_port": "", "port": "80", "headers": { "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159", "HTTP_X_REAL_IP": "104.32.80.211" }, "scheme": "http", "path": "/foo/bar", "parameters": { "json": {}, "query": { "lang": "<script>foo</script>" }, "form": [], "other": {} }, "remote_ip": "138.17.125.79", "rid": "03ec31ad9f5e5776866327357890b58d", "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)", "host": "241.59.142.81", "verb": "GET" }, "ip": { "geo": { "code":"USA", "point":[-77.4728,39.0481], "city":"Ashburn" }, "date_resolved":"2018-10-08T15:26:17.313000+00:00", "hostname":"ec2-54-167-78-181.compute-1.amazonaws.com", "address":"54.167.78.181", "is_tor":false } }, "properties": { "success": false }, "client_ip": "77.78.114.178", "timestamp": "2018-07-11T14:48:23.698699+00:00" } app.sqreen.host.login¶ This event tracks new hosts connecting to Sqreen. Custom properties¶ Name Description Type Allowed values runtime_type the app's runtime technology • ruby• CPython• etc. 
Sample event¶ { "name": "app.sqreen.host.login", "request": {}, "properties": { "host_bundle_id": "5f032e4babccc4af3d8e762f", "runtime_type": "ruby", "ip": { "address": "3.248.103.135", "is_tor": false, "hostname": "ec2-3-248-103-135.eu-west-1.compute.amazonaws.com", "geo": { "code": "IRL", "city": "Dublin", "point": [-6.2488, 53.3338] }, "date_resolved": "2020-07-20T06:50:55.212000+00:00" }, "various_infos": { "name": "puma: cluster worker 1: 1 [weblog-rails60]", "gid": 0, "uid": 0, "egid": 0, "euid": 0, "ppid": 1, "pid": 21211, "time": "2020-07-20T06:50:55+00:00" }, "runtime_version": "ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]", "hostname": "ip-10-0-1-204.eu-west-1.compute.internal", "agent_type": "ruby", "os_type": "x86_64-linux", "timeshift": -0.187, "date_created": "2020-07-20T06:50:55.212000+00:00", "os_version": "", "agent_version": "1.18.1" }, "timestamp": "2020-07-20T06:50:55.212000+00:00", "backend_time": "2020-07-20T06:50:55.212000+00:00", "client_ip": "3.248.103.135", "ip_meta": { "is_tor": false, "date_resolved": "2020-07-19T23:07:22.825024+00:00", "proxy": false, "metadata": { "version": 4, "multicast": false, "private": false, "global": true, "unspecified": false, "reserved": false, "loopback": false }, "geo": { "code": "IRL", "city": "Dublin", "point": [-6.2488, 53.3338] }, "hostname": "ec2-3-248-103-135.eu-west-1.compute.amazonaws.com", "vpn": false, "address": "3.248.103.135", "tags": ["datacenter"], "datacenter": true, "critical": false } } Event schema¶ Sqreen automatically tracks the HTTP request context, serialized as the request object; at present it cannot be customized. { "name": "", // the unique event identifier "request": { // HTTP request context tracked by Sqreen; cannot be customized. 
"referer": "", // URL that linked to the resource being requested "remote_port": "", // Remote client port "port": "", // Application host server port "headers": {}, // Collection of HTTP headers sent with the request "scheme": "", // HTTP scheme used "path": "", // Path requested "parameters": { "json": {}, // JSON request body "query": {}, // request query parameters "form": [], // request form data "other": {} // request body whose serialization was not recognized }, "remote_ip": "", // IP of the remote client "rid": "", // Sqreen request UUID "user_agent": "", // Request user agent "host": "", // Application host server IP "verb": "" // Request HTTP verb }, "properties": {}, // Custom properties "client_ip": "", // Remote client IP "timestamp": "", // Event timestamp in RFC 3339 format "ip_meta": {}, // IP metadata (geo, Tor status, etc.) "email_meta": {} // Email metadata (disposable address, domain, etc.) }