Built-in events

The Sqreen Microagent can track user activity in your app using built-in events. You can use built-in events to monitor users and create Security Automation Playbooks. Refer to Security Automation Playbooks for details on how and when to use built-in events.

app.sqreen.plugins.attack

This event tracks attacks performed on your application.

Custom properties

Name	Description	Type	Allowed values
category	category of the attack performed	string	• injection • http_error
plugin	source security plugin which detected the attack	string	• sql_injection_mysql • sql_injection_mariadb • sql_injection_pg • sql_injection_sqlite • sql_injection_hql • nosql_injection_mongodb • sql_injection_doctrine • lfi • shell_injection • csp • vulnerable_dependencies • shellshock • xss_jade • xss_erb • xss_haml • xss_slim • xss_django • xss_jinja2 • xss_php • xss_freemarker • xss_gsp_codehaus • xss_gsp • xss_jsp • xss_thymeleaf • xss_velocity • account_enumeration • account_takeover • failed_auth_peak • account_creation_peak • user_risk_increase • blacklist_ip • crs • http_scan • http_5xx_peak • browser_directive_xss_protection • browser_directive_referral_policy • browser_directive_iframe_options • browser_directive_content_type_options • security_scan • massive_http_scan • code_injection

Sample event

{
    "name": "app.sqreen.plugins.attack",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip":
    {
        "geo":
        {
            "code":"USA",
            "point":[-77.4728,39.0481],
            "city":"Ashburn"
        },
        "date_resolved":"2018-10-08T15:26:17.313000+00:00",
        "hostname":"ec2-54-167-78-181.compute-1.amazonaws.com",
        "address":"54.167.78.181",
        "is_tor":false
        }
    },
    "properties": {
        "plugin": "sql_injection_pg",
        "category": "injection"
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}

app.sqreen.users.login

This event tracks login activity from your users. The event source is based on calls to auth_track SDK methods (trackLogin in Java) or when using compatible libraries (Devise, Passport, Django).

Custom properties

Name	Description	Type	Allowed values
success	indicates if a login was successful, or not	boolean	• true • false

Sample event

{
    "name": "app.sqreen.users.login",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip":
    {
        "geo":
        {
            "code":"USA",
            "point":[-77.4728,39.0481],
            "city":"Ashburn"
        },
        "date_resolved":"2018-10-08T15:26:17.313000+00:00",
        "hostname":"ec2-54-167-78-181.compute-1.amazonaws.com",
        "address":"54.167.78.181",
        "is_tor":false
        }
    },
    "properties": {
        "success": false
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}

app.sqreen.host.login

This event tracks new hosts connecting to Sqreen.

Custom properties

Name	Description	Type	Allowed values
runtime_type	the app's runtime technology	• ruby • CPythony • etc.

Sample event

{
    "name": "app.sqreen.host.login",
    "request": {},
    "properties": {
        "host_bundle_id": "5f032e4babccc4af3d8e762f",
        "runtime_type": "ruby",
        "ip": {
            "address": "3.248.103.135",
            "is_tor": false,
            "hostname": "ec2-3-248-103-135.eu-west-1.compute.amazonaws.com",
            "geo": { "code": "IRL", "city": "Dublin", "point": [-6.2488, 53.3338] },

            "date_resolved": "2020-07-20T06:50:55.212000+00:00"
        },
        "various_infos": {
            "name": "puma: cluster worker 1: 1 [weblog-rails60]",
            "gid": 0,
            "uid": 0,
            "egid": 0,
            "euid": 0,
            "ppid": 1,
            "pid": 21211,
            "time": "2020-07-20T06:50:55+00:00"
        },
        "runtime_version": "ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]",
        "hostname": "ip-10-0-1-204.eu-west-1.compute.internal",
        "agent_type": "ruby",
        "os_type": "x86_64-linux",
        "timeshift": -0.187,
        "date_created": "2020-07-20T06:50:55.212000+00:00",
        "os_version": "",
        "agent_version": "1.18.1"
    },
    "timestamp": "2020-07-20T06:50:55.212000+00:00",
    "backend_time": "2020-07-20T06:50:55.212000+00:00",
    "client_ip": "3.248.103.135",
    "ip_meta": {
        "is_tor": false,
        "date_resolved": "2020-07-19T23:07:22.825024+00:00",
        "proxy": false,
        "metadata": {
            "version": 4,
            "multicast": false,
            "private": false,
            "global": true,
            "unspecified": false,
            "reserved": false,
            "loopback": false
        },
        "geo": { "code": "IRL", "city": "Dublin", "point": [-6.2488, 53.3338] },
        "hostname": "ec2-3-248-103-135.eu-west-1.compute.amazonaws.com",
        "vpn": false,
        "address": "3.248.103.135",
        "tags": ["datacenter"],
        "datacenter": true,
        "critical": false
    }
}

Event schema

Sqreen automatically tracks the HTTP request context (serialized as request object). At present, it cannot be customized.

{
    "name": "", // the unique event identifier
    "request": { // HTTP request context tracked by Sqreen, cannot be customised.
        "referer": "", // URL that linked to the resource being requested
        "remote_port": "", // Remote client port
        "port": "", // Application host server port
        "headers": {}, // Collection of  HTTP headers set in the request
        "scheme": "", // HTTP schema used
        "path": "", // Path requested
        "parameters": {
            "json": {}, // JSON request body
            "query": {}, // request query parameters
            "form": [], // request form data
            "other": {} // request body (serialization not recognized)
        },
        "remote_ip": "", // IP of the remote client
        "rid": "", // Sqreen request UUID
        "user_agent": "", // Request user agent
        "host": "", // Application host server IP
        "verb": "" // Request HTTP verb
    },
    "properties": {}, // Custom properties
    "client_ip": "", // Remote client IP
    "timestamp": "", // Event timestamp formatted in RFC3339
    "ip_meta": {}, // IP Metadata (geo, is TOR, etc)
    "email_meta": {} // Email Metadata (is disposable, domain, etc)
}