Built-in events

The Sqreen Microagent can track user activity in your app using built-in events. You can use built-in events to monitor users and create Security Automation Playbooks. Refer to Security Automation Playbooks for details on how and when to use built-in events.

app.sqreen.plugins.attack

This event tracks attacks performed on your application.

Custom properties

Name: category
Description: category of the attack performed
Type: string
Allowed values:
• injection
• http_error

Name: plugin
Description: source security plugin which detected the attack
Type: string
Allowed values:
• sql_injection_mysql
• sql_injection_mariadb
• sql_injection_pg
• sql_injection_sqlite
• sql_injection_hql
• nosql_injection_mongodb
• sql_injection_doctrine
• lfi
• shell_injection
• csp
• vulnerable_dependencies
• shellshock
• xss_jade
• xss_erb
• xss_haml
• xss_slim
• xss_django
• xss_jinja2
• xss_php
• xss_freemarker
• xss_gsp_codehaus
• xss_gsp
• xss_jsp
• xss_thymeleaf
• xss_velocity
• account_enumeration
• account_takeover
• failed_auth_peak
• account_creation_peak
• user_risk_increase
• blacklist_ip
• crs
• http_scan
• http_5xx_peak
• browser_directive_xss_protection
• browser_directive_referral_policy
• browser_directive_iframe_options
• browser_directive_content_type_options
• security_scan
• massive_http_scan
• code_injection

Sample event

{
    "name": "app.sqreen.plugins.attack",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip": {
        "geo": {
            "code": "USA",
            "point": [-77.4728, 39.0481],
            "city": "Ashburn"
        },
        "date_resolved": "2018-10-08T15:26:17.313000+00:00",
        "hostname": "ec2-54-167-78-181.compute-1.amazonaws.com",
        "address": "54.167.78.181",
        "is_tor": false
    },
    "properties": {
        "plugin": "sql_injection_pg",
        "category": "injection"
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}

app.sqreen.users.login

This event tracks login activity from your users. The event is emitted when your code calls the auth_track SDK methods (trackLogin in Java) or when you use a compatible library (Devise, Passport, Django).

Custom properties

Name: success
Description: indicates whether a login was successful
Type: boolean
Allowed values:
• true
• false

Sample event

{
    "name": "app.sqreen.users.login",
    "request": {
        "referer": null,
        "remote_port": "",
        "port": "80",
        "headers": {
            "HTTP_X_FORWARDED_FOR": "104.32.80.211, 235.157.86.159",
            "HTTP_X_REAL_IP": "104.32.80.211"
        },
        "scheme": "http",
        "path": "/foo/bar",
        "parameters": {
            "json": {},
            "query": {
                "lang": "<script>foo</script>"
            },
            "form": [],
            "other": {}
        },
        "remote_ip": "138.17.125.79",
        "rid": "03ec31ad9f5e5776866327357890b58d",
        "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "host": "241.59.142.81",
        "verb": "GET"
    },
    "ip": {
        "geo": {
            "code": "USA",
            "point": [-77.4728, 39.0481],
            "city": "Ashburn"
        },
        "date_resolved": "2018-10-08T15:26:17.313000+00:00",
        "hostname": "ec2-54-167-78-181.compute-1.amazonaws.com",
        "address": "54.167.78.181",
        "is_tor": false
    },
    "properties": {
        "success": false
    },
    "client_ip": "77.78.114.178",
    "timestamp": "2018-07-11T14:48:23.698699+00:00"
}

app.sqreen.host.login

This event tracks new hosts connecting to Sqreen.

Custom properties

Name: runtime_type
Description: the app's runtime technology
Allowed values:
• ruby
• CPython
• etc.

Sample event

{
    "name": "app.sqreen.host.login",
    "request": {},
    "properties": {
        "host_bundle_id": "5f032e4babccc4af3d8e762f",
        "runtime_type": "ruby",
        "ip": {
            "address": "3.248.103.135",
            "is_tor": false,
            "hostname": "ec2-3-248-103-135.eu-west-1.compute.amazonaws.com",
            "geo": { "code": "IRL", "city": "Dublin", "point": [-6.2488, 53.3338] },
            "date_resolved": "2020-07-20T06:50:55.212000+00:00"
        },
        "various_infos": {
            "name": "puma: cluster worker 1: 1 [weblog-rails60]",
            "gid": 0,
            "uid": 0,
            "egid": 0,
            "euid": 0,
            "ppid": 1,
            "pid": 21211,
            "time": "2020-07-20T06:50:55+00:00"
        },
        "runtime_version": "ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-linux]",
        "hostname": "ip-10-0-1-204.eu-west-1.compute.internal",
        "agent_type": "ruby",
        "os_type": "x86_64-linux",
        "timeshift": -0.187,
        "date_created": "2020-07-20T06:50:55.212000+00:00",
        "os_version": "",
        "agent_version": "1.18.1"
    },
    "timestamp": "2020-07-20T06:50:55.212000+00:00",
    "backend_time": "2020-07-20T06:50:55.212000+00:00",
    "client_ip": "3.248.103.135",
    "ip_meta": {
        "is_tor": false,
        "date_resolved": "2020-07-19T23:07:22.825024+00:00",
        "proxy": false,
        "metadata": {
            "version": 4,
            "multicast": false,
            "private": false,
            "global": true,
            "unspecified": false,
            "reserved": false,
            "loopback": false
        },
        "geo": { "code": "IRL", "city": "Dublin", "point": [-6.2488, 53.3338] },
        "hostname": "ec2-3-248-103-135.eu-west-1.compute.amazonaws.com",
        "vpn": false,
        "address": "3.248.103.135",
        "tags": ["datacenter"],
        "datacenter": true,
        "critical": false
    }
}

Event schema

Sqreen automatically tracks the HTTP request context, serialized as the request object. At present, the request object cannot be customized.

{
    "name": "", // the unique event identifier
    "request": { // HTTP request context tracked by Sqreen, cannot be customised.
        "referer": "", // URL that linked to the resource being requested
        "remote_port": "", // Remote client port
        "port": "", // Application host server port
        "headers": {}, // Collection of HTTP headers set in the request
        "scheme": "", // HTTP scheme used
        "path": "", // Path requested
        "parameters": {
            "json": {}, // JSON request body
            "query": {}, // request query parameters
            "form": [], // request form data
            "other": {} // request body (serialization not recognized)
        },
        "remote_ip": "", // IP of the remote client
        "rid": "", // Sqreen request UUID
        "user_agent": "", // Request user agent
        "host": "", // Application host server IP
        "verb": "" // Request HTTP verb
    },
    "properties": {}, // Custom properties
    "client_ip": "", // Remote client IP
    "timestamp": "", // Event timestamp formatted in RFC3339
    "ip_meta": {}, // IP Metadata (geo, is TOR, etc)
    "email_meta": {} // Email Metadata (is disposable, domain, etc)
}
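A consumer of these events, for example a webhook receiver or a log pipeline, can dispatch on name and read properties as the schema describes. The following is an added example, not Sqreen code: it counts attack events per client IP, category and plugin, and flags client IPs with a burst of failed logins. The sample events are constructed, and the threshold of 3 failures in 5 minutes and all function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ATTACK = "app.sqreen.plugins.attack"
LOGIN = "app.sqreen.users.login"

def _event(name, ip, ts, **props):
    # Constructed sample event holding only the schema fields this example reads.
    return {"name": name, "request": {}, "properties": props,
            "client_ip": ip, "timestamp": ts}

# Constructed data: documentation-range IPs, not real traffic.
SAMPLE_EVENTS = [
    _event(LOGIN, "203.0.113.7", "2018-07-11T14:48:00+00:00", success=False),
    _event(LOGIN, "203.0.113.7", "2018-07-11T14:49:10+00:00", success=False),
    _event(LOGIN, "203.0.113.7", "2018-07-11T14:51:30.698699+00:00", success=False),
    _event(LOGIN, "198.51.100.9", "2018-07-11T14:00:00+00:00", success=False),
    _event(LOGIN, "198.51.100.9", "2018-07-11T14:20:00+00:00", success=False),
    _event(LOGIN, "198.51.100.9", "2018-07-11T14:40:00+00:00", success=False),
    _event(LOGIN, "198.51.100.9", "2018-07-11T14:41:00+00:00", success=True),
    _event(ATTACK, "203.0.113.7", "2018-07-11T14:52:00+00:00",
           category="injection", plugin="sql_injection_pg"),
    _event(ATTACK, "203.0.113.7", "2018-07-11T14:52:05+00:00",
           category="injection", plugin="sql_injection_pg"),
    {"name": LOGIN, "properties": {"success": False}},  # malformed: no timestamp
]

def _normalise(ev):
    """Return (name, client_ip, when, properties), or None if unusable."""
    try:
        when = datetime.fromisoformat(ev["timestamp"])
        if when.tzinfo is None:          # reject timestamps without an offset
            return None
        return ev["name"], ev["client_ip"], when, ev.get("properties") or {}
    except (KeyError, TypeError, ValueError):
        return None

def triage(events, max_failures=3, window=timedelta(minutes=5)):
    """Count attacks per (client_ip, category, plugin); list IPs with failed-login bursts."""
    rows = sorted(filter(None, map(_normalise, events)), key=lambda r: r[2])
    attacks, recent, bursts = defaultdict(int), defaultdict(deque), set()
    for name, ip, when, props in rows:
        if name == ATTACK:
            attacks[(ip, props.get("category"), props.get("plugin"))] += 1
        elif name == LOGIN and props.get("success") is False:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                bursts.add(ip)
    return dict(attacks), sorted(bursts)
```

Calling triage(SAMPLE_EVENTS) skips the malformed record, so one bad event does not stop processing of the rest.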