Built-in events

Security automation has been designed with extensibility in mind: you can track as many custom events tied to your app business logic as you need to automate security scenarios.

That said, there is already a lot that Sqreen can learn from your apps' traffic.

The app.sqreen namespace is reserved to events tracked by Sqreen.

Visit the events payload section to learn more about the event's schema.

app.sqreen.plugins.attack

Description

Tracks attacks performed on your application.

Custom properties

Name	Description	Type	Allowed values
category	category of the attack performed	string	• injection • http_error
plugin	source security plugin which detected the attack	string	• sql_injection_mysql • sql_injection_mariadb • sql_injection_pg • sql_injection_sqlite • sql_injection_hql • nosql_injection_mongodb • sql_injection_doctrine • lfi • shell_injection • csp • vulnerable_dependencies • shellshock • xss_jade • xss_erb • xss_haml • xss_slim • xss_django • xss_jinja2 • xss_php • xss_freemarker • xss_gsp_codehaus • xss_gsp • xss_jsp • xss_thymeleaf • xss_velocity • account_enumeration • account_takeover • failed_auth_peak • account_creation_peak • user_risk_increase • blacklist_ip • crs • http_scan • http_5xx_peak • browser_directive_xss_protection • browser_directive_referral_policy • browser_directive_iframe_options • browser_directive_content_type_options • security_scan • massive_http_scan • code_injection

Sample event

{
    "name": "app.sqreen.plugins.attack",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip":
    {
        "geo":
        {
            "code":"USA",
            "point":[-77.4728,39.0481],
            "city":"Ashburn"
        },
        "date_resolved":"2018-10-08T15:26:17.313000+00:00",
        "hostname":"ec2-54-167-78-181.compute-1.amazonaws.com",
        "address":"54.167.78.181",
        "is_tor":false
        }
    },
    "properties": {
        "plugin": "sql_injection_pg",
        "category": "injection"
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}

app.sqreen.users.login

Description

Tracks login activity from your users.

Sourced based on calls to auth_track SDK methods or when using compatible libraries (Devise, Passport, etc).

Custom properties

Name	Description	Type	Allowed values
success	indicates if a login was successful, or not	boolean	• true • false

Sample event

{
    "name": "app.sqreen.users.login",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip":
    {
        "geo":
        {
            "code":"USA",
            "point":[-77.4728,39.0481],
            "city":"Ashburn"
        },
        "date_resolved":"2018-10-08T15:26:17.313000+00:00",
        "hostname":"ec2-54-167-78-181.compute-1.amazonaws.com",
        "address":"54.167.78.181",
        "is_tor":false
        }
    },
    "properties": {
        "success": false
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}

app.sqreen.host.login

Description

Track new hosts connecting to Sqreen.

Custom properties

Name	Description	Type	Allowed values
runtime_type	the app's runtime technology	• ruby • CPythony • etc.

Sample event

{
    "name": "app.sqreen.users.login",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip":
    {
        "geo":
        {
            "code":"USA",
            "point":[-77.4728,39.0481],
            "city":"Ashburn"
        },
        "date_resolved":"2018-10-08T15:26:17.313000+00:00",
        "hostname":"ec2-54-167-78-181.compute-1.amazonaws.com",
        "address":"54.167.78.181",
        "is_tor":false
        }
    },
    "properties": {
        "runtime_type": "ruby"
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}