Attack Logs
更新时间:2024-06-12 18:29:13
The Cloud Security 2.0 tracks and records all detected illegitimate traffic. Through the Attack Logs page, you can:
- Filter logs from specific clients (such as Client IP) and view the details of all matched policies, analyze the interception reasons.
- Query logs over a period of time, preliminary analysis of whether the results of security policy detection meet expectations.
- Analyze the intent and characteristics of the attack, evaluate the impact on the business to decide whether to adjust the security policies.
Go to Attack Logs:
- Log in to the CDNetworks Console, find the security product in use under Subscribed Products.
- Go to Analysis & Logs > Attack Logs.
Filter data
- Select a time range and hostname.
- Click
and choose a field, an operator, and value. For example, to filter logs by client IP, select “client IP”, choose the “equals” operator, and then input the IP address. If there are multiple values, please separate them with a semicolon (; ). You can also disable or remove entered query conditions. These options will appear when you hover over a query field. - Click Query.
Tips:The relationship between multiple values of the same query field is “OR”, while the relationship between multiple query fields is “AND”. For example, if you add the query conditions “Client IP equals 127.0.0.1” AND “Status Code equals 403 OR 404”, it will search for data that satisfies both the client IP address being 127.0.0.1 and the status code being either 403 or 404.
Supported Operators
- equals: Searches for data where the field is equal to any specified value.
- does not equal: Searches for data where the field is not equal to any specified value.
- contains: Searches for data where the field contains a specified string.
- does not contain: Searches for data where the field does not contain a specified string.
Field Description
The table below lists the fields supported by the attack log. Some fields allow multiple values to be filled in, separated by semicolons in English. Unless specifically noted, multiple values are not supported by default.
| Category | Field | Description | Example |
|---|---|---|---|
| Common | Policy Type | Indicates which function module under the security policy has blocked the request. | |
| Action | The action of the rule or policy that the client request matched. | ||
| Client IP | The IP address of the client. | 123.45.xx.xx | |
| IP Location | The location of the IP address. | Francisco | |
| Path | relative path of the request, The part of a request after the domain name and before the question mark, excluding request parameters. | /common/readme.php | |
| URI | The absolute path of the request, specifically referring to the part after the domain name in the request. | /common/readme.php?uid=212&tpye=content | |
| Request ID | A unique identifier for the request. | ||
| Event ID | A unique identifier generated for the event after the request triggers the rule. | ||
| User-Agent | Request header: User-Agent | PostmanRuntime/7.32.3 | |
| Referer | Request header: Referer | http://example.com | |
| Request Method | The request method. | GET | |
| HTTP Version | The HTTP version | HTTP/1.1 | |
| API Name | API name. | ||
| Response Code | HTTP status code. | 200 | |
| IP/Geo Block | Policy Name | IP Block, Area Block | |
| DDoS Protection | Policy Name | Indicates which subfunction module under the DDoS Protection has blocked the request. | Managed Ruleset, Adaptive DDoS Protection |
| Rule ID | The rule ID of the hit rule. | ||
| Rule Name | |||
| WAF | Rule Type | The type of the hit rule. | SQL Injection |
| Rule ID | The ID of the hit rule. | 5040 | |
| Rule Name | The name of the hit rule. | Oracle_injection_16 | |
| Bot Management | Policy Name | Indicates which subfunction module under the Bot management has blocked the request. | Custom Bots |
| Bot Category | |||
| Bot Label | |||
| Rule Name | The name of the hit rule. | analyse-action-1 | |
| User Fingerprint | Web risk detection for the request assigned user fingerprint. | ||
| Browser Finger | Web risk detection for the request assigned Browser fingerprint. | ||
| Device Finger | APP risk detection for the request assigned device fingerprint. | ||
| Custom Rules | Rule Name | The name of the hit rule. | |
| Rule ID | The ID of the hit rule. | ||
| Rate Limiting | Rule Name | The name of the hit rule. | |
| Rule ID | The ID of the hit rule. | ||
| Threat Intelligence | Threat Type |
View Logs
When viewing query results, you will see the total number of log hits processed by the filters, and the system will display the most recent 10,000 logs from the end of the query. If you need to view more logs, it is recommended that you export a CSV file for review, with a maximum of 10,000 logs each time.
Expanding the logs, you can see the following information:
- Policy Information: It displays the security policies and rules triggered by the request, helping you understand why the request was detected.
- General Information: It displays basic information about the request, such as request ID, event ID, request method, path, etc.
- Original Request Information: It displays the header information of the original request.
- Client Information: It displays the IP of the client, the geographic location of the IP, and the unique identity information generated by the whole site protection for auxiliary security detection for the client terminal, such as device fingerprints, browser fingerprints, etc.