Log Service provides security check functions based on the globally shared asset library of WhiteHat Security. This topic describes the security check functions that you can use to identify whether an IP address, domain name, or URL that appears in a log is secure.
You can use security check functions in the following scenarios:
- Enterprises and institutions in industries such as the Internet, gaming, and information that require robust O&M services can use security check functions to identify suspicious requests or attacks. They can also use the functions to implement in-depth analysis and defend against potential attacks.
- Enterprises and institutions in industries such as banking, financial securities, and e-commerce that require strong protection for internal assets can use security check functions to identify risky access to suspicious websites and downloads initiated by trojans. This way, enterprises and institutions can take immediate action to prevent potential losses.
Security check functions have the following features:
- Reliability: Security check functions are based on the globally shared asset library of WhiteHat Security. The functions reflect updates to the asset library as soon as WhiteHat Security publishes them.
- Efficiency: Security check functions can check millions of IP addresses, domain names, and URLs within seconds.
- Ease of use: You can use the security_check_ip, security_check_domain, and security_check_url functions to seamlessly analyze network logs.
- Flexibility: You can perform interactive queries, visualize query and analysis results, and configure alerts.
| Function | Description |
| --- | --- |
| security_check_ip | Checks whether an IP address is secure. |
| security_check_domain | Checks whether a domain name is secure. |
| security_check_url | Checks whether a URL is secure. |

Example: `select security_check_domain(concat(host, url))`
- Check external suspicious requests.
For example, an e-commerce enterprise collects logs from its NGINX servers and wants to scan the clients for suspicious IP addresses. To do this, the enterprise can pass the ClientIP field in logs that are collected from the NGINX servers to the security_check_ip function and identify IP addresses whose returned value is 1. Then, the enterprise can view the distribution of the countries and ISPs of those IP addresses by displaying the result on a map.
* | select ClientIP, ip_to_country(ClientIP) as country, ip_to_provider(ClientIP) as provider, count(1) as PV where security_check_ip(ClientIP) = 1 group by ClientIP order by PV desc
- Check internal suspicious access.
For example, a securities operator collects logs of its internal devices that access the Internet by using gateways. To check whether a client has accessed suspicious websites, the operator can run the following statement. The operator can also save this statement as a saved search and configure an alert. This way, the alert is triggered when a client frequently accesses suspicious websites.
* | select client_ip, count(1) as PV where security_check_ip(remote_addr) = 1 or security_check_domain(site) = 1 or security_check_url(concat(site, url)) = 1 group by client_ip order by PV desc
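The internal-access statement above tells you which clients matched, but not which check matched or how often. The following query, added here as an example and not taken from the Log Service documentation, breaks the matches down per check and keeps only clients above a hit threshold, which is the shape a saved search behind an alert usually takes. It assumes the same gateway log fields as above (client_ip, remote_addr, site, url), the default table name log, and an arbitrary threshold of 5 hits per query window.

```sql
-- Added example: per-client breakdown of which security check matched.
-- Field names follow the gateway log layout used on this page; the
-- threshold of 5 and the table name "log" are assumptions.
* | select client_ip, bad_ip_hits, bad_domain_hits, bad_url_hits, total
  from (
    select client_ip,
      -- destination IP address flagged in the asset library
      sum(case when security_check_ip(remote_addr) = 1 then 1 else 0 end) as bad_ip_hits,
      -- destination domain name flagged
      sum(case when security_check_domain(site) = 1 then 1 else 0 end) as bad_domain_hits,
      -- full URL (domain plus path) flagged
      sum(case when security_check_url(concat(site, url)) = 1 then 1 else 0 end) as bad_url_hits,
      -- all requests from this client, for context when triaging
      count(1) as total
    from log
    group by client_ip
  )
  -- only clients with at least 5 flagged requests in the query window
  where bad_ip_hits + bad_domain_hits + bad_url_hits >= 5
  order by bad_ip_hits + bad_domain_hits + bad_url_hits desc
```

Saving this as a saved search and alerting when it returns any row gives the alert a count per indicator type, so a single flagged URL on a popular domain can be told apart from repeated connections to a flagged IP address.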