SECURITY LOG

| Item | Description |
|---|---|
| Elastic / DB | Select the log search target. (Default: Elastic) |
| Items | Customize the columns displayed in the log table. |
| Real Time | Turn real-time log monitoring ON/OFF. |
| Search Conditions | Search for desired logs by combining various filters. |
| Search | Search logs based on the set conditions. (If no condition is set, searches all logs) |
| Download | Download the current searched log list as a CSV file. |
| AI Comment | Utilizes ChatGPT API to analyze whether the detection log is a true positive/false positive and identify the attack technique. |
AI Comment
Through deep analysis of detection logs using AI (ChatGPT), you can determine whether a log is a real threat (true positive) or a false positive and receive detailed attack type information.
To use this feature, you must first register an API Key in the [MANAGEMENT] > [SETTINGS] > [AI API KEY UPDATE] menu.
Once the API Key registration is complete, the AI Comment icon will become active on the [LOG] > [SECURITY LOG] > [Log Details] screen.
Detection logs can be classified and viewed based on various criteria such as company, domain group, domain, risk, action, detection type, pattern group, URL, attacker IP, country, and period. Selecting the top-level 'Company' allows you to view all logs of subordinate domain groups in an integrated manner.
The main display items in the detection log list are as follows:
| Item | Description |
|---|---|
| NO | Displays a unique detection log number. |
| DATE | Displays the exact date and time the detection log occurred. |
| STATE | Displays the country based on the GeoIP information of the attacker's IP. |
| ATTACKER | Displays the attacker's IP address. |
| TARGET | Displays the IP address of the target server that was attacked. |
| COMPANY | Displays the company to which the target belongs. |
| DOMAIN Grp. | Displays the domain group to which the target belongs. |
| RISK | Displays the severity (risk level) of the detected threat. |
| DETECTION TYPE | Displays the type of threat (e.g., SQL Injection, XSS, etc.). |
| PATTERN Grp. | Displays the name of the group to which the detected pattern belongs. |
| PATTERN | Displays the name of the pattern actually used for detection. |
| ACTION | Displays the action taken upon threat detection (Block, Detect, etc.). |
| URL | Displays the URL path of the web page where the attack was attempted. |
| PARAMETER | In case of parameter-based attacks, displays the problematic parameter name. |
| DETECTION Msg. | Displays detailed detection content or payload. |
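The [Download] button exports the searched log list as CSV with the columns listed above. The following added example (not part of the product or its documentation) shows how an analyst can load such an export offline and apply the same kinds of filters the UI offers: attacker IP range, risk, detection type, and a substring in the detection message, then summarize actions per attacker. The CSV rows are constructed sample data and the header names are taken from the table above; the function names are this example's own.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample export: column names follow the log table above,
# the rows themselves are made up and describe no real detections.
SAMPLE_CSV = """NO,DATE,STATE,ATTACKER,TARGET,COMPANY,DOMAIN Grp.,RISK,DETECTION TYPE,PATTERN Grp.,PATTERN,ACTION,URL,PARAMETER,DETECTION Msg.
1001,2024-05-01 10:15:02,KR,198.51.100.7,10.0.0.5,ExampleCo,Web,High,SQL Injection,SQLi,union_select,Block,/login.php,user,"' UNION SELECT 1,2,3--"
1002,2024-05-01 10:15:09,US,203.0.113.20,10.0.0.5,ExampleCo,Web,Medium,XSS,XSS,script_tag,Detect,/search,q,<script>alert(1)</script>
1003,2024-05-01 10:16:30,KR,198.51.100.7,10.0.0.6,ExampleCo,API,High,SQL Injection,SQLi,or_true,Block,/api/items,id,"1 OR 1=1"
1004,2024-05-01 10:17:45,DE,192.0.2.9,10.0.0.5,ExampleCo,Web,Low,Scanner,Recon,nikto_ua,Detect,/robots.txt,,Nikto/2.1.6
"""


def load_logs(csv_text):
    """Parse a CSV export into a list of dicts keyed by the column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_logs(rows, attacker_cidr=None, risk=None, detection_type=None,
                url_contains=None, msg_contains=None):
    """Apply UI-style search conditions; every given condition must hold.

    attacker_cidr is a CIDR string (e.g. "198.51.100.0/24") matched against
    the ATTACKER column; the string filters are case-insensitive substrings.
    """
    net = ipaddress.ip_network(attacker_cidr, strict=False) if attacker_cidr else None
    out = []
    for r in rows:
        if net is not None and ipaddress.ip_address(r["ATTACKER"]) not in net:
            continue
        if risk is not None and r["RISK"] != risk:
            continue
        if detection_type is not None and r["DETECTION TYPE"] != detection_type:
            continue
        if url_contains is not None and url_contains.lower() not in r["URL"].lower():
            continue
        if msg_contains is not None and msg_contains.lower() not in r["DETECTION Msg."].lower():
            continue
        out.append(r)
    return out


def summarize_by_attacker(rows):
    """Count actions (Block/Detect/...) per attacker IP for quick triage."""
    summary = defaultdict(Counter)
    for r in rows:
        summary[r["ATTACKER"]][r["ACTION"]] += 1
    return dict(summary)


if __name__ == "__main__":
    logs = load_logs(SAMPLE_CSV)
    for row in filter_logs(logs, attacker_cidr="198.51.100.0/24", risk="High"):
        print(row["NO"], row["ATTACKER"], row["DETECTION TYPE"], row["ACTION"])
    print(summarize_by_attacker(logs))
```

The CIDR filter mirrors the ATTACKER IP range condition in the search panel; combining it with the per-attacker action summary quickly separates a source that is only being detected from one that is repeatedly blocked, which is the usual first step before deciding on a blacklist entry.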
Search Detection Logs
[LOG] > [SECURITY LOG] > [SEARCH CONDITIONS] > [SEARCH]
You can precisely search for specific logs by combining various conditions.

The main search conditions are as follows:
| Item | Description |
|---|---|
| Search Period | Set the log inquiry period. |
| COMPANY | Search only logs of a specific company. |
| DOMAIN Grp. | Search only logs of a specific domain group. |
| DOMAIN | Search only logs of a specific domain. |
| ACTION | Filter logs by threat response method. • NONE: Policy not applied • ALLOW: Allow (Skip next policy check) • DENY: Block (Skip next policy check) • REDIRECT: Redirect to block page • DETECT: Detect (Record log only and proceed to next policy check) • MASK: Replace the string matching the pattern with an empty string ('') • BYPASS*: Skip all security checks (Exception handling) |
| RISK | Search by risk level (High/Medium/Low). |
| No. | Search by specific log number or number range. |
| ATTACKER IP | Search by specific attacker IP range. |
| TARGET IP | Search by victim server IP range. |
| URL | Search for logs containing a specific URL path. |
| DETECTION Msg. | Search for logs containing a specific string in the detection content (payload). |
| STATE | Search for logs originating from a specific country. |
| TYPE / PATTERN GRP. / PATTERN | Search by detailed classification criteria such as detection type, pattern group, and pattern name. |
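The ACTION values above differ in whether evaluation stops at the matching policy (ALLOW, DENY) or records the match and continues (DETECT, MASK). The following added example, which is not the product's own engine, models that chain in Python to make the difference visible: policies are checked in order against a parameter value, DETECT appends a log entry and keeps going, MASK removes the matched text and keeps going, ALLOW and DENY end evaluation, and NONE is skipped. The assumptions not stated on the page are that REDIRECT and BYPASS also end evaluation and that BYPASS leaves no detection log entry; the `Policy`, `Verdict`, and `evaluate` names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Actions that end the policy chain (REDIRECT and BYPASS being terminal is an assumption).
TERMINAL = {"ALLOW", "DENY", "REDIRECT", "BYPASS"}


@dataclass
class Policy:
    name: str      # shown as PATTERN in the detection log
    pattern: str   # regex applied to the request parameter value
    action: str    # one of NONE/ALLOW/DENY/REDIRECT/DETECT/MASK/BYPASS


@dataclass
class Verdict:
    final: str                 # action that ended the chain, or ALLOW if none did
    value: str                 # parameter value after any MASK rewriting
    log: list = field(default_factory=list)   # (policy name, action) entries


def evaluate(policies, value):
    """Run the ordered policy chain over a single parameter value."""
    log = []
    for p in policies:
        if p.action == "NONE":
            continue                      # policy not applied at all
        m = re.search(p.pattern, value)
        if not m:
            continue
        if p.action == "BYPASS":
            return Verdict("BYPASS", value, log)   # skip all checks, unlogged (assumption)
        log.append((p.name, p.action))    # every other match is recorded
        if p.action == "DETECT":
            continue                      # record only, proceed to next policy
        if p.action == "MASK":
            value = value[:m.start()] + value[m.end():]   # drop the matched text
            continue
        if p.action in TERMINAL:
            return Verdict(p.action, value, log)
        raise ValueError(f"unknown action {p.action!r} in policy {p.name}")
    return Verdict("ALLOW", value, log)   # chain exhausted without a terminal action


# Constructed sample chain: a DETECT-only keyword rule ahead of a DENY rule
# for the same attack class, plus a MASK rule and a disabled (NONE) rule.
SAMPLE_POLICIES = [
    Policy("detect_sqli_keyword", r"(?i)\bunion\b", "DETECT"),
    Policy("mask_script_tag", r"(?i)<script[^>]*>", "MASK"),
    Policy("deny_union_select", r"(?i)union\s+select", "DENY"),
    Policy("disabled_catch_all", r".*", "NONE"),
]


if __name__ == "__main__":
    for sample in ["' UNION SELECT 1--", "<script>alert(1)</script>", "hello"]:
        v = evaluate(SAMPLE_POLICIES, sample)
        print(f"{sample!r:32} -> {v.final:6} value={v.value!r} log={v.log}")
```

Ordering matters when reading the log: because the DETECT rule sits before the DENY rule, a single request produces two entries, one Detect and one Block. Swapping the two rules would leave only the Block entry, since DENY skips the remaining checks, so a missing Detect entry does not by itself mean a pattern never matched.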
View Real-time Detection Logs
[LOG] > [SECURITY LOG] > [REAL TIME]
Clicking the [REAL TIME] button activates real-time monitoring mode, automatically updating the log list whenever a new threat is detected. (The button turns red when activated)
※ Past log search functions are restricted in real-time mode.
View Detection Log Details
[LOG] > [SECURITY LOG] > [Click Log List]
Clicking a specific row in the log list displays a detailed information panel on the right side of the screen.

View Detection Log Details (Popup)
[LOG] > [SECURITY LOG] > [Double-click Log Number]
Double-clicking a log number in the log list opens the detailed information in a separate, larger popup window.

View Detection Log Details (Modal Popup)
[LOG] > [SECURITY LOG] > [Click Log] > Click [Detail Icon] on Right Panel
Clicking the [View Detail] icon on the right detail panel allows you to check the full information, including raw data, in a modal popup.

Check Raw Data and Exception Handling
The log detail screen allows you to check the raw data (up to 1KB) of the detected URL, facilitating attack analysis.

You can perform immediate exception handling via the context menu that appears when right-clicking on the log list.

| Item | Description |
|---|---|
| Exclude/Add from Search Results | Adds the selected log's field value to the search filter, or excludes it, and re-runs the search. |
| Allow Pattern | Adds an exception for the detected pattern to allow it. (False positive response) |
| Register White/Blacklist | Immediately registers the attacker IP to the whitelist (Allow) or blacklist (Block). |