Log Service provides security check functions that are backed by a globally shared white hat security asset library. You can use these functions to check whether an IP address, domain name, or URL that appears in your logs is secure.
- Some enterprises and organizations, such as Internet, gaming, and information companies, have strong requirements on service maintenance. The IT, security, and maintenance personnel of these companies can use the security check functions to filter suspicious access and protect the companies from network attacks and intrusions. They can also use the functions to perform in-depth analysis and take defensive measures.
- Some enterprises and organizations have strong requirements on the security of internal assets, such as banks, securities companies, and e-commerce companies. The IT, security, and maintenance personnel of these enterprises and organizations can use security check functions to detect and prevent risky behavior, such as accessing websites with security risks and downloading Trojans.
- Reliable: relies on the global shared white hat security asset library that updates in a timely manner.
- Fast: takes only a few seconds to check millions of IP addresses, domain names, or URLs.
- Simple: supports any type of network logs. The result can be obtained by calling three SQL functions: security_check_ip, security_check_domain, and security_check_url.
- Flexible: supports both interactive queries and creation of report views. You can configure alerts and take further action.
| Function | Description |
| --- | --- |
| security_check_ip | Checks whether the IP address is secure. One of the following values is returned: |
| security_check_domain | Checks whether the domain name is secure. One of the following values is returned: |
| security_check_url | Checks whether the URL is secure. One of the following values is returned: |
- Detect suspicious external access and generate reports
An e-commerce company collects logs from its self-managed NGINX server and wants to check whether clients access the server from insecure IP addresses. In this case, pass the ClientIP field of the logs to security_check_ip as the input parameter. Filter for the IP addresses for which the value 1 is returned, and display the country and ISP of each IP address.
The query statement is as follows:
* | select ClientIP, ip_to_country(ClientIP) as country, ip_to_provider(ClientIP) as provider, count(1) as PV where security_check_ip(ClientIP) = 1 group by ClientIP order by PV desc
Specify map view display, as shown in the following figure.
- Detect suspicious internal access and configure alerts
For example, a securities company collects network traffic logs recorded when its internal devices access the Internet through a gateway proxy. To check whether someone has accessed websites with security risks, use the following query statement:
* | select client_ip, count(1) as PV where security_check_ip(remote_addr) = 1 or security_check_domain(site) = 1 or security_check_url(concat(site, url)) = 1 group by client_ip order by PV desc
You can also save this statement as a quick query and configure an alert that is triggered when a client frequently accesses websites with security risks. You can set the search period to 5 minutes to check whether someone has accessed websites with security risks frequently (more than 5 times) in the past hour, as shown in the following figure.
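As an added example that is not part of the original page, the alert query extended so that the "more than 5 times" threshold described above is applied inside the query itself and each flagged client is reported together with how many distinct risky sites it reached. The field names client_ip, remote_addr, site, and url are assumed to be the same gateway proxy log fields used in the query above.

```sql
-- Internal clients that reached destinations flagged by the security check
-- functions more than 5 times within the selected query time range.
-- Assumed fields: client_ip (internal device), remote_addr (destination IP),
-- site (destination domain), url (request path), as in the proxy log above.
* | select
    client_ip,
    count(1) as risky_hits,
    count(distinct site) as distinct_risky_sites,
    count(distinct concat(site, url)) as distinct_risky_urls
  where
    security_check_ip(remote_addr) = 1
    or security_check_domain(site) = 1
    or security_check_url(concat(site, url)) = 1
  group by client_ip
  having count(1) > 5
  order by risky_hits desc
  limit 100
```

Run the saved query with a one-hour time range and a 5-minute check interval; an empty result set means no client crossed the threshold, so the alert condition can simply be "at least one row returned".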