最終更新日:2024-06-12 18:29:13
The Cloud Security 2.0 tracks and records all detected illegitimate traffic. Through the Attack Logs page, you can:
Go to Attack Logs:
Tips:The relationship between multiple values of the same query field is “OR”, while the relationship between multiple query fields is “AND”. For example, if you add the query conditions “Client IP equals 127.0.0.1” AND “Status Code equals 403 OR 404”, it will search for data that satisfies both the client IP address being 127.0.0.1 and the status code being either 403 or 404.
The table below lists the fields supported by the attack log. Some fields allow multiple values to be filled in, separated by semicolons in English. Unless specifically noted, multiple values are not supported by default.
Category | Field | Description | Example |
---|---|---|---|
Common | Policy Type | Indicates which function module under the security policy has blocked the request. | |
Action | The action of the rule or policy that the client request matched. | ||
Client IP | The IP address of the client. | 123.45.xx.xx | |
IP Location | The location of the IP address. | Francisco | |
Path | relative path of the request, The part of a request after the domain name and before the question mark, excluding request parameters. | /common/readme.php | |
URI | The absolute path of the request, specifically referring to the part after the domain name in the request. | /common/readme.php?uid=212&tpye=content | |
Request ID | A unique identifier for the request. | ||
Event ID | A unique identifier generated for the event after the request triggers the rule. | ||
User-Agent | Request header: User-Agent | PostmanRuntime/7.32.3 | |
Referer | Request header: Referer | http://example.com | |
Request Method | The request method. | GET | |
HTTP Version | The HTTP version | HTTP/1.1 | |
API Name | API name. | ||
Response Code | HTTP status code. | 200 | |
IP/Geo Block | Policy Name | IP Block, Area Block | |
DDoS Protection | Policy Name | Indicates which subfunction module under the DDoS Protection has blocked the request. | Managed Ruleset, Adaptive DDoS Protection |
Rule ID | The rule ID of the hit rule. | ||
Rule Name | |||
WAF | Rule Type | The type of the hit rule. | SQL Injection |
Rule ID | The ID of the hit rule. | 5040 | |
Rule Name | The name of the hit rule. | Oracle_injection_16 | |
Bot Management | Policy Name | Indicates which subfunction module under the Bot management has blocked the request. | Custom Bots |
Bot Category | |||
Bot Label | |||
Rule Name | The name of the hit rule. | analyse-action-1 | |
User Fingerprint | Web risk detection for the request assigned user fingerprint. | ||
Browser Finger | Web risk detection for the request assigned Browser fingerprint. | ||
Device Finger | APP risk detection for the request assigned device fingerprint. | ||
Custom Rules | Rule Name | The name of the hit rule. | |
Rule ID | The ID of the hit rule. | ||
Rate Limiting | Rule Name | The name of the hit rule. | |
Rule ID | The ID of the hit rule. | ||
Threat Intelligence | Threat Type |
When viewing query results, you will see the total number of log hits processed by the filters, and the system will display the most recent 10,000 logs from the end of the query. If you need to view more logs, it is recommended that you export a CSV file for review, with a maximum of 10,000 logs each time.
Expanding the logs, you can see the following information: