Attack Logs

Last update:2024-06-12 18:29:13

Cloud Security 2.0 tracks and records all detected illegitimate traffic. On the Attack Logs page, you can:

  • Filter logs from a specific client (for example by Client IP), view the details of every matched policy, and analyze why the request was intercepted.
  • Query logs over a period of time to check, as a first pass, whether the results of security policy detection meet expectations.
  • Analyze the intent and characteristics of an attack and evaluate its impact on the business, to decide whether the security policies need adjusting.

Go to Attack Logs:

  1. Log in to the CDNetworks Console and find the security product in use under Subscribed Products.
  2. Go to Analysis & Logs > Attack Logs.

Filter data

  • Select a time range and hostname.
  • Click Self-Service Configuration for China Premium Service Onboarding and choose a field, an operator, and a value. For example, to filter logs by client IP, select “Client IP”, choose the “equals” operator, and then enter the IP address. To enter multiple values, separate them with a semicolon (;). You can also disable or remove an entered query condition; these options appear when you hover over the query field.
  • Click Query.

Tips: The relationship between multiple values of the same query field is “OR”, while the relationship between different query fields is “AND”. For example, if you add the query conditions “Client IP equals 127.0.0.1” AND “Status Code equals 403 OR 404”, the query returns data where the client IP address is 127.0.0.1 and the status code is either 403 or 404.

Supported Operators

  • equals: Searches for data where the field is equal to any specified value.
  • does not equal: Searches for data where the field is not equal to any specified value.
  • contains: Searches for data where the field contains a specified string.
  • does not contain: Searches for data where the field does not contain a specified string.
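The following is an added example, not CDNetworks code: it reproduces the query semantics described above (semicolon-separated values, OR within a field, AND across fields, the four operators) in Python, so the same filters can be re-applied offline to an exported CSV. The CSV content and column names are constructed for illustration; treating a negated operator with several values as “none of the values” is an assumption.

```python
import csv
import io

# Constructed sample in the shape of an exported attack-log CSV (not real data).
SAMPLE_CSV = """Client IP,Status Code,Policy Type,Rule Name,Path
127.0.0.1,403,WAF,Oracle_injection_16,/common/readme.php
127.0.0.1,404,Custom Rules,block-scanner,/admin/config.php
127.0.0.1,200,Bot Management,analyse-action-1,/api/login
10.0.0.5,403,WAF,Oracle_injection_16,/common/readme.php
"""

# Operator -> predicate(actual field value, list of query values).
# Multiple values of one field are ORed; for the negated operators this is
# assumed to mean "matches none of the values".
OPERATORS = {
    "equals": lambda actual, values: actual in values,
    "does not equal": lambda actual, values: actual not in values,
    "contains": lambda actual, values: any(v in actual for v in values),
    "does not contain": lambda actual, values: not any(v in actual for v in values),
}


def parse_values(raw):
    """Split a multi-value input on ASCII semicolons; trims whitespace
    and drops empty items (e.g. a trailing semicolon)."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def matches(record, conditions):
    """A record matches when every condition holds (AND across fields);
    one condition holds when any of its values matches (OR within a field)."""
    for field, operator, raw in conditions:
        if not OPERATORS[operator](record.get(field, ""), parse_values(raw)):
            return False
    return True


def query(csv_text, conditions):
    """Return the CSV rows (as dicts) that satisfy all conditions."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if matches(r, conditions)]


if __name__ == "__main__":
    # The example from the Tips paragraph:
    # Client IP equals 127.0.0.1 AND Status Code equals 403 OR 404.
    hits = query(SAMPLE_CSV, [("Client IP", "equals", "127.0.0.1"),
                              ("Status Code", "equals", "403; 404")])
    for h in hits:
        print(h["Status Code"], h["Policy Type"], h["Rule Name"], h["Path"])
```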

Field Description

The table below lists the fields supported by the attack log. Some fields accept multiple values, separated by half-width (ASCII) semicolons. Unless specifically noted, a field does not support multiple values.

Category | Field | Description | Example
Common | Policy Type | Indicates which function module under the security policy blocked the request. |
Common | Action | The action of the rule or policy that the client request matched. |
Common | Client IP | The IP address of the client. | 123.45.xx.xx
Common | IP Location | The location of the IP address. | Francisco
Common | Path | The relative path of the request: the part after the domain name and before the question mark, excluding request parameters. | /common/readme.php
Common | URI | The absolute path of the request: the whole part after the domain name, including request parameters. | /common/readme.php?uid=212&tpye=content
Common | Request ID | A unique identifier for the request. |
Common | Event ID | A unique identifier generated for the event after the request triggers a rule. |
Common | User-Agent | Request header: User-Agent | PostmanRuntime/7.32.3
Common | Referer | Request header: Referer | http://example.com
Common | Request Method | The request method. | GET
Common | HTTP Version | The HTTP version. | HTTP/1.1
Common | API Name | The API name. |
Common | Response Code | The HTTP status code. | 200
IP/Geo Block | Policy Name | | IP Block, Area Block
DDoS Protection | Policy Name | Indicates which subfunction module under DDoS Protection blocked the request. | Managed Ruleset, Adaptive DDoS Protection
DDoS Protection | Rule ID | The ID of the hit rule. |
DDoS Protection | Rule Name | |
WAF | Rule Type | The type of the hit rule. | SQL Injection
WAF | Rule ID | The ID of the hit rule. | 5040
WAF | Rule Name | The name of the hit rule. | Oracle_injection_16
Bot Management | Policy Name | Indicates which subfunction module under Bot Management blocked the request. | Custom Bots
Bot Management | Bot Category | |
Bot Management | Bot Label | |
Bot Management | Rule Name | The name of the hit rule. | analyse-action-1
Bot Management | User Fingerprint | The user fingerprint assigned to the request by web risk detection. |
Bot Management | Browser Finger | The browser fingerprint assigned to the request by web risk detection. |
Bot Management | Device Finger | The device fingerprint assigned to the request by APP risk detection. |
Custom Rules | Rule Name | The name of the hit rule. |
Custom Rules | Rule ID | The ID of the hit rule. |
Rate Limiting | Rule Name | The name of the hit rule. |
Rate Limiting | Rule ID | The ID of the hit rule. |
Threat Intelligence | Threat Type | |

View Logs

The query results show the total number of log hits matching the filters, and the system displays the most recent 10,000 of them. If you need to review more logs, export them to a CSV file; each export contains at most 10,000 logs.

Expanding the logs, you can see the following information:

  • Policy Information: It displays the security policies and rules triggered by the request, helping you understand why the request was detected.
  • General Information: It displays basic information about the request, such as request ID, event ID, request method, path, etc.
  • Original Request Information: It displays the header information of the original request.
  • Client Information: It displays the client IP, the geographic location of that IP, and the unique identity information that whole-site protection generates for the client terminal to assist security detection, such as device fingerprints and browser fingerprints.