New

The User SDK allows you to track user activity. Users that are detected as malicious can then be blocked automatically with Playbooks. However, some of them do not generate enough activity while you know they should be stopped. That's why we're now adding a way to block any user through the dashboard.

To block a user, go to your dashboard under User monitoring. Select a user to block and click "Block user". You can select how long the user should be blocked and add a comment. That user will then be listed under Blocked actors. Note that this feature requires your application to implement the User SDK.

If you have any feedback, let us know by email at feedback@sqreen.com.

New

Sometimes, the In-App WAF can detect attacks in requests that are harmless. That's because pattern-based detection only looks at what the request looks like. By design, some application can have many of these false positives.

To let you have better control over what's being detected, we've extended the In-App WAF passlist to ignore some parameters or paths.

• Parameters: you can now tell the In-App WAF to ignore some parameters. This is useful for fields that contain user input with SQL queries or searches.
• Paths: the In-App WAF can also ignore paths matching a prefix, a regex or an exact value.

You'll find these settings under Settings > Passlist, or directly from the Security Activity.

If you have any feedback, let us know by email at feedback@sqreen.com.

Improvement

We just refreshed the design of our incident Slack and e-mail notifications. When an incident happens, you will now know directly in the notification:

• The severity of the incident
• If the involved actors were blocked
• If the vulnerability was blocked (for RASP incidents)

Check it out and give us feedback directly by email at feedback@sqreen.com. You can also reach out to us anytime via the chat widget.

Improvement

We have refreshed the User and IP details pages to give a better overview. It's now easier to see the sequence of security activities and incidents for each actor.

We've also added some capabilities:

• Filters let you see the relevant events only
• The top incidents breakdown all the incidents triggered by the actor
• The bar chart makes it easy to see the volume of activity over time

We will add more improvements to this page. If you have any feedback, please let us know via the chat button or send an email at feedback@sqreen.com.

Fix

Thanks to your feedback, we released some improvements and bug fixes. Here's a quick summary of the recent changes.

Incidents

• In the list of incidents, the security response was only displayed when the protection blocked automatically. It now also shows up for security responses you apply manually.
• In some cases, zooming on the Incidents timeline ended with no results. This is now fixed.
• When going back from an incident to the list of incident, the filters were lost. They are now correctly preserved.
• We've improved the description of some incidents to make them easier to understand.
• In the Incidents & Security Activity, IPs now have tags showing if the address is from TOR, a VPN, a proxy or a datacenter.

Protection

• When editing an In-App WAF rule, we now highlight more precisely the fields targeted by the rule
• In the RASP, blocking attackers was only applied to the SQL injection. Next time you turn this on, it will apply to all protections.

Miscellaneous

• On smaller screens, it was hard to access some links in your profile menu. You can now scroll that menu to access all the links.

Let us know if you see bugs or anything that could be improved!

New

We've added new facets to incidents! You can now filter them by request paths, tag names, involved IPs and user identifiers:

Check it out and give us feedback directly by email at feedback@sqreen.com. You can also reach out to us anytime via the chat widget.

New

We have improved the incident details view again!

You can now get a better overview of what happened:

However, though investigating through your incidents is great, being able to react quickly is better! We added a few actions that you can perform on your incidents:

• Block actors for a specific duration:

• Block compromised users to prevent them from being used to perform malicious actions

• Export the list of compromised users to reach out to them to change their passwords:

Check it out and feel free to give us any feedback directly by email at feedback@sqreen.com or via the chat button.

Improvement

We have just added support for the Strict-Transport-Security and Access-Control-Allow-Origin headers. You can enable them from the Protection Configuration tab:

Check it out and give us feedback directly by email at feedback@sqreen.com. You can also reach out to us anytime via the chat widget.

New

The insecure deserialization protection is now available to all PHP applications with agent version >= 1.23.0 .

Insecure deserialization occurs when unsanitized user inputs are processed through a deserialization function.

Insecure Deserialization results in code being loaded and executed through object instantiation and autoloading An attacker could exploit it in order to manipulate the code execution flow or run their own code, leading to Remote Code Execution (RCE).

Sqreen will detect attempts to exploit insecure deserialization vulnerabilities and prevent object injections in the context of the protected HTTP request.

Enable the RASP protection from your Dashboard

PHP update instructions are available in the docs

If you have any questions or feedback, we'd love to hear about it. Let us know via the chat button or send us an email at feedback@sqreen.com

Improvement

At a glance, see all security responses applied per incident. This should help you understand quickly where to focus your attention and where to enable automatic security responses.

Check it out on your dashboard and give us feedback directly by email at feedback@sqreen.com.