Simple Log Service provides security check functions that are backed by the globally shared asset library of WhiteHat Security. You can use these functions to check whether an IP address, a domain name, or a URL that appears in a log is secure. This topic describes the syntax of the security check functions and provides examples of how to use them.
Scenarios
You can use security check functions in the following scenarios:
Enterprises and institutions in industries such as Internet, gaming, and consulting require robust O&M. They can use security check functions to identify suspicious requests or attacks, perform in-depth analysis, and defend against potential attacks.
Enterprises and institutions in industries such as banking, securities, and e-commerce require strong protection for internal assets. They can use security check functions to identify access to suspicious websites and trojan downloads, so that security risks are addressed at the earliest opportunity.
Features
Security check functions provide the following features:
Reliability: Security check functions are based on the globally shared asset library of WhiteHat Security. When the asset library is updated, the results returned by the security check functions reflect the update.
Efficiency: Security check functions can check millions of IP addresses, domain names, and URLs within seconds.
Ease of use: You can use the security_check_ip, security_check_domain, and security_check_url functions to analyze network logs.
Flexibility: You can perform interactive queries, visualize query and analysis results, and configure alerts.
Functions
The following table describes the security check functions that are supported by Simple Log Service.
Function | Syntax | Description |
security_check_ip | security_check_ip(x) | Checks whether an IP address is secure. |
security_check_domain | security_check_domain(x) | Checks whether a domain name is secure. |
security_check_url | security_check_url(x) | Checks whether a URL is secure. |
security_check_ip function
The security_check_ip function is used to check whether an IP address is secure.
Syntax
security_check_ip(x)
Parameters
Parameter | Description |
x | The IP address to check. |
Return value type
The bigint type. Valid values:
1: The specified IP address is suspicious.
0: The specified IP address is secure.
Examples
Query the suspicious clients that access a website based on the client_ip field, together with the country and provider of each client and the number of requests (PV) that the client sent.
Query statement
* | SELECT client_ip, ip_to_country(client_ip,'en') AS country, ip_to_provider(client_ip) AS provider, count(1) AS PV WHERE security_check_ip(client_ip) = 1 GROUP BY client_ip ORDER BY PV DESC
Query and analysis result (table shown in the console; screenshot not included)
security_check_domain function
The security_check_domain function is used to check whether a domain name is secure.
Syntax
security_check_domain(x)
Parameters
Parameter | Description |
x | The domain name to check. |
Return value type
The bigint type. Valid values:
1: The specified domain name is suspicious.
0: The specified domain name is secure.
Examples
Calculate the number of requests per minute whose HTTP referer (the http_referer field) is a suspicious domain name. The query and analysis result is displayed in a line chart.
Query statement
status : * | SELECT count_if(security_check_domain(http_referer) != 0) AS "Total Issues", time_series(__time__, '1m', '%H:%i:%s', '0') AS time GROUP BY time
Query and analysis result (line chart; screenshot not included)
security_check_url function
The security_check_url function is used to check whether a URL is secure.
Syntax
security_check_url(x)
Parameters
Parameter | Description |
x | The URL to check. |
Return value type
The bigint type. Valid values:
1: The specified URL is suspicious.
0: The specified URL is secure.
Examples
Calculate the number of requests per minute whose request URI (the request_uri field) is a secure URL. The query and analysis result is displayed in a line chart.
Query statement
status : * | SELECT count_if(security_check_url(request_uri) = 0) AS "Total Issues", time_series(__time__, '1m', '%H:%i', '0') AS time GROUP BY time LIMIT 20
Query and analysis result (line chart; screenshot not included)
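The three example queries on this page (suspicious clients by client_ip, suspicious referer domains per minute, and secure request URIs per minute) can be re-created offline to see exactly what each aggregation counts. The following script is an added example and is not code from Simple Log Service or WhiteHat Security. It replaces the real security_check_ip, security_check_domain and security_check_url functions, as well as ip_to_country and ip_to_provider, with stand-ins that consult small constructed indicator and enrichment tables; the log lines are constructed too. Two behaviours of the stand-ins are assumptions, not documented behaviour of the real functions: the domain stand-in extracts the host from a URL (because the page passes a full http_referer to security_check_domain) and treats subdomains of a listed domain as suspicious, and the URL stand-in compares only the path, ignoring the query string.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# --- Stand-ins for the Simple Log Service functions (constructed data) -------
# The real functions consult the WhiteHat Security asset library. These sets
# exist only so the aggregation logic of the page's queries can run offline.
SUSPICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}
SUSPICIOUS_DOMAINS = {"bad.example.net", "malware.example.org"}
SUSPICIOUS_URL_PATHS = {"/cgi-bin/dropper.php", "/update/agent.exe"}

# Constructed enrichment table standing in for ip_to_country / ip_to_provider.
IP_INFO = {
    "203.0.113.7": ("US", "ExampleNet"),
    "198.51.100.23": ("DE", "ExampleHost"),
}


def security_check_ip(x: str) -> int:
    """Return 1 (suspicious) or 0 (secure), mirroring the bigint return type."""
    return 1 if x.strip() in SUSPICIOUS_IPS else 0


def _hostname(x: str) -> str:
    """Accept a bare domain or a URL (such as an http_referer) and return the host."""
    host = urlsplit(x if "://" in x else "//" + x).hostname or ""
    return host.rstrip(".").lower()


def security_check_domain(x: str) -> int:
    """Return 1 if the host, or any parent domain of it, is in the suspicious set.
    Subdomain matching is a constructed policy of this stand-in."""
    labels = _hostname(x).split(".")
    for i in range(len(labels) - 1):  # never test the bare TLD
        if ".".join(labels[i:]) in SUSPICIOUS_DOMAINS:
            return 1
    return 0


def security_check_url(x: str) -> int:
    """Return 1 if the URL path (query string ignored) is in the suspicious set."""
    return 1 if urlsplit(x).path in SUSPICIOUS_URL_PATHS else 0


# --- Constructed access log: time, client_ip, status, request_uri, http_referer
LOG_LINES = """\
2024-05-01T10:00:05Z 203.0.113.7 200 /index.html http://bad.example.net/landing
2024-05-01T10:00:17Z 192.0.2.10 200 /index.html -
2024-05-01T10:00:41Z 203.0.113.7 404 /update/agent.exe?v=2 -
2024-05-01T10:01:03Z 198.51.100.23 200 /login https://cdn.malware.example.org/x
2024-05-01T10:01:09Z 192.0.2.10 200 /about https://www.example.com/
2024-05-01T10:01:55Z 203.0.113.7 200 /cgi-bin/dropper.php -
2024-05-01T10:02:30Z 192.0.2.11 500 /api/v1/items -
"""


def parse_logs(text: str) -> list:
    """Split each constructed log line into the fields the page's queries use."""
    rows = []
    for line in text.splitlines():
        ts, client_ip, status, request_uri, http_referer = line.split(" ", 4)
        rows.append({
            "__time__": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client_ip": client_ip, "status": int(status),
            "request_uri": request_uri, "http_referer": http_referer,
        })
    return rows


def time_series(ts: datetime, fmt: str) -> str:
    """Mimic time_series(__time__, '1m', fmt, '0'): floor to the minute, then
    format. Note that SLS uses MySQL-style '%i' for minutes; Python uses '%M'."""
    return ts.replace(second=0, microsecond=0).strftime(fmt)


def suspicious_clients(rows: list) -> list:
    """First query: client_ip, country, provider, PV WHERE security_check_ip = 1,
    GROUP BY client_ip ORDER BY PV DESC."""
    pv = Counter(r["client_ip"] for r in rows if security_check_ip(r["client_ip"]) == 1)
    return [(ip, *IP_INFO.get(ip, ("unknown", "unknown")), n) for ip, n in pv.most_common()]


def count_if_per_minute(rows: list, predicate, fmt: str) -> list:
    """count_if(predicate) GROUP BY time_series(__time__, '1m', fmt, '0')."""
    buckets = {}
    for r in rows:
        key = time_series(r["__time__"], fmt)
        buckets[key] = buckets.get(key, 0) + (1 if predicate(r) else 0)
    return sorted(buckets.items())


def suspicious_referers_per_minute(rows: list) -> list:
    """Second query: requests per minute whose http_referer is a suspicious domain."""
    return count_if_per_minute(rows, lambda r: security_check_domain(r["http_referer"]) != 0, "%H:%M:%S")


def secure_urls_per_minute(rows: list) -> list:
    """Third query: requests per minute whose request_uri is a secure URL."""
    return count_if_per_minute(rows, lambda r: security_check_url(r["request_uri"]) == 0, "%H:%M")


if __name__ == "__main__":
    rows = parse_logs(LOG_LINES)
    print("suspicious clients:", suspicious_clients(rows))
    print("suspicious referers/min:", suspicious_referers_per_minute(rows))
    print("secure URLs/min:", secure_urls_per_minute(rows))
```

Running the script shows that the second query counts a referer from a subdomain of a listed domain (cdn.malware.example.org) and that the third query, which uses `= 0`, counts the requests that are not flagged, so its "Total Issues" alias in the page's query is the number of clean requests rather than the number of problems; reverse the comparison to `= 1` if a count of suspicious URLs is wanted.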