Log Service provides security check functions that are backed by the globally shared asset library of WhiteHat Security. You can use these functions in analytic statements to check whether an IP address, a domain name, or a URL recorded in a log is known to be suspicious. This topic describes the syntax of the security check functions and provides examples of how to use them.

Scenarios

You can use security check functions in the following scenarios:

  • Enterprises in Internet-facing industries such as gaming and information technology, which require robust O&M, can use security check functions to identify suspicious requests and attack traffic in their access logs, analyze it in depth, and defend against potential attacks.
  • Enterprises in industries such as banking, securities, and e-commerce, which require strong protection of internal assets, can use security check functions to identify high-risk access to suspicious websites and downloads initiated by trojans from inside the network, so that they can respond before the risk materializes.

Features

Security check functions provide the following features:

  • Reliability: Security check functions are backed by the globally shared asset library of WhiteHat Security. The data that the functions use is updated automatically whenever the WhiteHat Security asset library is updated.
  • Efficiency: Security check functions can check millions of IP addresses, domain names, and URLs within seconds.
  • Ease of use: You can use the security_check_ip, security_check_domain, and security_check_url functions to analyze network logs.
  • Flexibility: You can perform interactive queries, visualize query and analysis results, and configure alerts.

Functions

The following table describes the security check functions that are supported by Log Service.

Notice If you want to use strings in analytic statements, you must enclose strings in single quotation marks (''). Strings that are not enclosed or enclosed in double quotation marks ("") indicate field names or column names. For example, 'status' indicates the status string, and status or "status" indicates the status log field.
Function                 Syntax                      Description
security_check_ip        security_check_ip(x)        Checks whether an IP address is secure.
security_check_domain    security_check_domain(x)    Checks whether a domain name is secure.
security_check_url       security_check_url(x)       Checks whether a URL is secure.

security_check_ip function

The security_check_ip function is used to check whether an IP address is secure.

Syntax

security_check_ip(x)

Parameters

Parameter    Description
x            The IP address to check.

Return value type

The bigint type. Valid values:
  • 1: The specified IP address is suspicious, that is, it is listed in the WhiteHat Security asset library.
  • 0: The specified IP address is not listed and is considered secure.

Examples

Query the suspicious clients that access a website, based on the client_ip field, together with their country and ISP and the number of requests (PV) that each one sent.

  • Query statement
    * |
    SELECT
      client_ip,
      ip_to_country(client_ip,'en') AS country,
      ip_to_provider(client_ip) AS provider,
      count(1) AS PV
    WHERE
      security_check_ip(client_ip) = 1
    GROUP BY
      client_ip
    ORDER BY
      PV DESC
  • Query and analysis result
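A flagged IP address is a starting point, not a verdict. As an added example that is not part of the original page, the following query extends the one above so that each suspicious client can be triaged from a single row: how many requests it sent, how many of them failed, how many distinct paths it probed, and a sample User-Agent. It assumes the standard nginx access-log fields status, request_uri and http_user_agent, which this page does not describe, and a minimum of 20 requests per client to filter out one-off hits.

```sql
* |
SELECT
  client_ip,
  ip_to_country(client_ip, 'en') AS country,
  ip_to_provider(client_ip) AS provider,
  count(1) AS requests,
  -- requests answered with 4xx/5xx: scanners and brute forcers fail a lot
  count_if(try_cast(status AS bigint) >= 400) AS errors,
  round(count_if(try_cast(status AS bigint) >= 400) * 100.0 / count(1), 1) AS error_pct,
  -- a high number of distinct URIs from one client suggests enumeration
  approx_distinct(request_uri) AS distinct_uris,
  arbitrary(http_user_agent) AS sample_user_agent
WHERE
  security_check_ip(client_ip) = 1
GROUP BY
  client_ip
HAVING
  count(1) >= 20
ORDER BY
  errors DESC,
  requests DESC
LIMIT
  50
```

Sort by requests DESC instead of errors DESC when the concern is volume (for example, scraping or credential stuffing against endpoints that return 200), and lower the HAVING threshold when the query covers a short time range.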

security_check_domain function

The security_check_domain function is used to check whether a domain name is secure.

Syntax

security_check_domain(x)

Parameters

Parameter    Description
x            The domain name to check.

Return value type

The bigint type. Valid values:
  • 1: The specified domain name is suspicious, that is, it is listed in the WhiteHat Security asset library.
  • 0: The specified domain name is not listed and is considered secure.

Examples

Count, per minute, the requests to a website whose HTTP Referer is flagged as suspicious by security_check_domain. The query and analysis result is displayed on a line chart.

  • Query statement
    status : * |
    SELECT
      count_if(
        security_check_domain (http_referer) != 0
      ) AS "Total Issues",
      time_series(__time__, '1m', '%H:%i:%s', '0') AS time
    GROUP BY
      time
  • Query and analysis result

security_check_url function

The security_check_url function is used to check whether a URL is secure.

Syntax

security_check_url(x)

Parameters

Parameter    Description
x            The URL to check.

Return value type

The bigint type. Valid values:
  • 1: The specified URL is suspicious, that is, it is listed in the WhiteHat Security asset library.
  • 0: The specified URL is not listed and is considered secure.

Examples

Count, per minute, the requests to a website whose request URI is not flagged by security_check_url (the function returns 0). The query and analysis result is displayed on a line chart.

  • Query statement
    status : * |
    SELECT
      count_if(
        security_check_url (request_uri) = 0
      ) AS "Total",
      time_series(__time__, '1m', '%H:%i', '0') as time
    GROUP BY
      time
    LIMIT
      20
  • Query and analysis result
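In practice the three functions are used together on the same access log, so that one chart shows which indicator is firing. As an added example that is not part of the original page, the following query builds a per-minute time series with one column per check plus a combined "flagged" column that counts a request once even if several checks match. Unlike the security_check_domain example above, it passes url_extract_host(http_referer) rather than the raw http_referer field, because the function expects a domain name and the Referer header carries a full URL; url_extract_host returns NULL for values that are not URLs (such as the "-" that nginx logs when no Referer was sent), and a NULL comparison is simply not counted by count_if. It assumes the fields client_ip, http_referer and request_uri.

```sql
* |
SELECT
  time_series(__time__, '1m', '%H:%i', '0') AS time,
  count(1) AS total,
  count_if(security_check_ip(client_ip) = 1) AS bad_client_ip,
  -- host part only: the Referer header is a URL, the function wants a domain
  count_if(security_check_domain(url_extract_host(http_referer)) = 1) AS bad_referer_host,
  count_if(security_check_url(request_uri) = 1) AS bad_request_uri,
  -- a request is counted once here no matter how many of the checks match
  count_if(
    security_check_ip(client_ip) = 1
    OR security_check_domain(url_extract_host(http_referer)) = 1
    OR security_check_url(request_uri) = 1
  ) AS flagged
GROUP BY
  time
ORDER BY
  time
LIMIT
  1440
```

The LIMIT of 1440 covers one full day at one-minute resolution; plot the four count columns on a line chart against the time column, and attach an alert to the flagged column for the threshold that fits the site's baseline traffic.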