All Products
Search
Document Center

:Security check functions

Last Updated:Aug 02, 2023

Simple Log Service provides security check functions based on the globally shared asset library of WhiteHat Security. You can use security check functions to check whether an IP address, a domain name, or a URL in a log is secure. This topic describes the syntax of security check functions. This topic also provides examples on how to use security check functions.

Scenarios

You can use security check functions in the following scenarios:

  • Enterprises and institutions in industries, such as Internet, gaming, and consulting, require robust O&M services. The enterprises and institutions can use security check functions to identify suspicious requests or attacks, perform in-depth analysis, and defend against potential attacks.

  • Enterprises and institutions in industries, such as banking, securities, and e-commerce, require strong protection for internal assets. The enterprises and institutions can use security check functions to identify access to suspicious websites and identify download of trojans. This way, the enterprises and institutions can prevent security risks at the earliest opportunity.

Features

Security check functions provide the following features:

  • Reliability: Security check functions are based on the globally shared asset library of WhiteHat Security. When WhiteHat Security is updated, the security check functions are also updated.

  • Efficiency: Security check functions can check millions of IP addresses, domain names, and URLs within seconds.

  • Ease of use: You can use the security_check_ip, security_check_domain, and security_check_url functions to analyze network logs.

  • Flexibility: You can perform interactive queries, visualize query and analysis results, and configure alerts.

Functions

The following table describes the security check functions that are supported by Simple Log Service.

Important If you want to use strings in analytic statements, you must enclose strings in single quotation marks (''). Strings that are not enclosed or enclosed in double quotation marks ("") indicate field names or column names. For example, 'status' indicates the status string, and status or "status" indicates the status log field.

Function

Syntax

Description

security_check_ip function

security_check_ip(x)

Checks whether an IP address is secure.

security_check_domain function

security_check_domain(x)

Checks whether a domain name is secure.

security_check_url function

security_check_url(x)

Checks whether a URL is secure.

security_check_ip function

The security_check_ip function is used to check whether an IP address is secure.

Syntax

security_check_ip(x)

Parameters

Parameter

Description

x

The value of this parameter is an IP address.

Return value type

The bigint type. Valid values:

  • 1: The specified IP address is suspicious.

  • 0: The specified IP address is secure.

Examples

Query suspicious clients that access a website based on the client_ip field.

  • Query statement

    * |
    SELECT
      client_ip,
      ip_to_country(client_ip,'en') AS country,
      ip_to_provider(client_ip) AS provider,
      count(1) AS PV
    WHERE
      security_check_ip(client_ip) = 1
    GROUP BY
      client_ip
    ORDER BY
      PV DESC
  • Query and analysis resultMap

security_check_domain function

The security_check_domain function is used to check whether a domain name is secure.

Syntax

security_check_domain(x)

Parameters

Parameter

Description

x

The value of this parameter is a domain name.

Return value type

The bigint type. Valid values:

  • 1: The specified domain name is suspicious.

  • 0: The specified domain name is secure.

Examples

Calculate the number of times that a website is accessed by suspicious domain names per minute. The query and analysis result is displayed in a line chart.

  • Query statement

    status : * |
    SELECT
      count_if(
        security_check_domain (http_referer) != 0
      ) AS "Total Issues",
      time_series(__time__, '1m', '%H:%i:%s', '0') AS time
    GROUP BY
      time
  • Query and analysis resultsecurity_check_domain

security_check_url function

The security_check_url function is used to check whether a URL is secure.

Syntax

security_check_url(x)

Parameters

Parameter

Description

x

The value of this parameter is a URL.

Return value type

The bigint type. Valid values:

  • 1: The specified URL is suspicious.

  • 0: The specified URL is secure.

Examples

Calculate the number of times that a website is accessed by secure URLs per minute. The query and analysis result is displayed in a line chart.

  • Query statement

    status : * |
    SELECT
      count_if(
        security_check_url (request_uri) = 0
      ) AS "Total Issues",
      time_series(__time__, '1m', '%H:%i', '0') as time
    GROUP BY
      time
    LIMIT
      20
  • Query and analysis resultsecurity_check_url