Security playbook

Sqreen provides you with built-in playbooks to help you get started as fast as possible.

You can also create your own, based on custom events (tracked via our SDK) or the ones Sqreen automatically tracks based on your apps' traffic.

Visit your Sqreen dashboard to get started.

What's a security playbook?

A playbook is made of 3 elements:

  1. A trigger.
  2. Security response(s).
  3. Notifications.



The playbook's trigger represents the conditions for the plugin to raise an alert.

The trigger is made of:

  • An event (built-in or custom) filtered by conditions (optional) to monitor.
  • A detection method (threshold only for now) to apply.
  • A period of time.
  • A type of actor (IP / user account).

Tracking events


Finding the right threshold

When using the threshold based detection, it's often tricky to set the threshold to the right value.

Using the Event Explorer, you can quickly visualise the event trend and determine what an usual volume of activity represents for your use-case.


Security Response

security response

Sqreen libraries contains code to dynamically change your app behavior for supicious actors (IP and/or user accounts).

Security responses can be applied for a pre-defined duration (5 minutes to 24 hours).

You can always remove any live security response from your Sqreen dashboard.

What blocked IP or user will see




Whenever a live playbook triggers, Sqreen can notify you immediately by email or through Slack. See how to setup Slack in your account.