How to Analyze Security Logs
Security logs provide visibility into attacks, false positives, and traffic patterns. This guide covers log analysis techniques for identifying threats and tuning protection.
Understanding Log Types
AtomicEdge generates two log types:
Security Logs (WAF Logs)
Records of blocked requests:
Fields:
- Timestamp: When the block occurred
- Source IP: Address the blocked request came from
- URI: Requested path
- Method: HTTP method (GET, POST, etc.)
- Rule ID: Specific rule triggered
- Severity: CRITICAL, WARNING, NOTICE
- Message: Attack description
- Group: Rule group (OWASP, WordPress, Comodo)
Use: Identify attacks, tune rules, analyze threats.
Access Logs
Records of all requests (blocked and allowed):
Fields:
- Timestamp: Request time
- Source IP: Client address
- URI: Requested path
- Method: HTTP method
- Status: HTTP status code (200, 403, 404, etc.)
- Bytes: Response size
- User Agent: Client identifier
Use: Traffic analysis, performance monitoring, user behavior.
Basic Log Analysis
Viewing Recent Blocks
Dashboard Logs section:
Default View:
- Last 24 hours of security logs
- Most recent first
- All rule groups included
Quick Scan:
- Note the attack volume
- Identify repeat offenders (same IP)
- Check attack types (SQL injection, XSS, etc.)
- Verify expected versus unexpected blocks
Filtering Logs
Narrow focus to specific criteria:
By Time Period:
Last Hour: Recent attacks
Last 24 Hours: Daily patterns
Last 7 Days: Weekly trends
Last 30 Days: Monthly analysis
Custom Range: Specific incident investigation
By IP Address:
Filter: 203.0.113.45
Shows: All blocks from this IP
Use: Track specific attacker
By URI:
Filter: /wp-admin/
Shows: All admin area attacks
Use: Analyze specific endpoint security
By Rule ID:
Filter: 942100
Shows: All SQL injection attempts (specific rule)
Use: Understand attack type frequency
Identifying Attack Patterns
Common patterns in security logs:
Repeated IP Attacks:
203.0.113.45 - 45 blocks in 10 minutes
Pattern: Single IP, multiple attacks
Indicates: Automated tool, single attacker
Response: Consider IP blocking
Distributed Attacks:
198.51.100.10 - 5 blocks
192.0.2.20 - 5 blocks
203.0.113.30 - 5 blocks
[...50 more IPs]
Pattern: Many IPs, coordinated timing
Indicates: Botnet, distributed campaign
Response: Geographic blocking, rate limiting
Scanning Activity:
Requests to /admin/, /administrator/, /phpmyadmin/, /wp-admin/
Pattern: Multiple common paths from same IP
Indicates: Reconnaissance, scanner tool
Response: Normal WAF blocking sufficient
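The three patterns above can be checked mechanically once the security log is exported. The following Python is an added example, not code from this guide or from AtomicEdge: it runs the three checks over a constructed set of log records in the field layout described earlier. The thresholds (5 blocks from one IP inside 10 minutes, 10 distinct IPs on one rule inside 30 minutes, 3 of the common scanner paths from one IP) and the sample records are assumptions chosen for the example; tune them to your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed security-log records in the field layout this guide describes:
# (timestamp, source IP, URI, rule ID). Sample data only, not real AtomicEdge logs.
SAMPLE_BLOCKS = [
    # one IP hitting one endpoint again and again: repeated-IP pattern
    *[("2024-01-15 14:00:%02d" % (s * 10), "203.0.113.45", "/products.php", "942100") for s in range(6)],
    # a dozen IPs triggering the same rule inside one window: distributed pattern
    *[("2024-01-15 15:00:%02d" % i, "198.51.100.%d" % i, "/xmlrpc.php", "WP001") for i in range(1, 13)],
    # one IP probing well-known admin paths: scanning pattern
    ("2024-01-15 16:00:00", "192.0.2.50", "/admin/", "920100"),
    ("2024-01-15 16:00:01", "192.0.2.50", "/administrator/", "920100"),
    ("2024-01-15 16:00:02", "192.0.2.50", "/phpmyadmin/", "920100"),
    ("2024-01-15 16:00:03", "192.0.2.50", "/wp-admin/", "920100"),
]

# Paths listed under "Scanning Activity" in this guide; extend for your own environment.
COMMON_SCAN_PATHS = {"/admin/", "/administrator/", "/phpmyadmin/", "/wp-admin/"}


def parse(records):
    """Turn the timestamp strings into datetime objects; other fields pass through."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, uri, rule)
            for ts, ip, uri, rule in records]


def _max_in_window(items, window, measure):
    """Slide a time window over sorted (time, value) pairs and return the largest
    measure(values inside one window) seen."""
    best = 0
    for i in range(len(items)):
        j = i
        while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
            j += 1
        best = max(best, measure(v for _, v in items[i:j + 1]))
    return best


def repeated_ip_attacks(records, min_blocks=5, window=timedelta(minutes=10)):
    """IPs with at least min_blocks blocks inside any window (single attacker, automated tool).
    Threshold values are assumptions for this example, not product defaults."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in parse(records):
        by_ip[ip].append((ts, 1))
    hits = {}
    for ip, events in by_ip.items():
        peak = _max_in_window(sorted(events), window, sum)
        if peak >= min_blocks:
            hits[ip] = peak
    return hits


def distributed_attacks(records, min_ips=10, window=timedelta(minutes=30)):
    """Rules triggered from at least min_ips distinct IPs inside one window (botnet, campaign)."""
    by_rule = defaultdict(list)
    for ts, ip, _, rule in parse(records):
        by_rule[rule].append((ts, ip))
    hits = {}
    for rule, events in by_rule.items():
        peak = _max_in_window(sorted(events), window, lambda ips: len(set(ips)))
        if peak >= min_ips:
            hits[rule] = peak
    return hits


def scanning_activity(records, min_paths=3):
    """IPs that requested several of the common admin/tool paths (reconnaissance)."""
    paths = defaultdict(set)
    for _, ip, uri, _ in parse(records):
        if uri in COMMON_SCAN_PATHS:
            paths[ip].add(uri)
    return {ip: sorted(p) for ip, p in paths.items() if len(p) >= min_paths}


if __name__ == "__main__":
    print("repeated IPs:", repeated_ip_attacks(SAMPLE_BLOCKS))
    print("distributed:", distributed_attacks(SAMPLE_BLOCKS))
    print("scanners:", scanning_activity(SAMPLE_BLOCKS))
```

On the sample data the first check reports the single IP with its peak count, the second reports the WordPress rule with the number of distinct IPs, and the third lists the four probed paths for the scanning IP. The sliding window matters: a daily total hides a burst, while a window exposes "45 blocks in 10 minutes" even when the day as a whole looks quiet.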
Attack Type Analysis
SQL Injection Attempts
Rule IDs: 942xxx series
Log Example:
IP: 203.0.113.45
URI: /products.php?id=1' OR '1'='1
Rule: 942100
Severity: CRITICAL
Message: SQL Injection Attack Detected
Analysis:
- Check frequency (isolated vs campaign)
- Identify targeted parameters
- Verify blocking is effective
- Confirm no false positives
Response: WAF blocks automatically. Monitor for bypass attempts.
Cross-Site Scripting (XSS)
Rule IDs: 941xxx series
Log Example:
IP: 198.51.100.30
URI: /search?q=<script>alert(1)</script>
Rule: 941130
Severity: CRITICAL
Message: XSS Attack Detected
Analysis:
- Distinguish tests vs actual attacks
- Check if user input fields were targeted
- Verify legitimate HTML in forms is not blocked
Response: Confirm blocking. Check for false positives in rich text editors.
Path Traversal
Rule IDs: 930xxx series
Log Example:
IP: 192.0.2.50
URI: /index.php?file=../../../../etc/passwd
Rule: 930100
Severity: CRITICAL
Message: Path Traversal Attack
Analysis:
- Highly suspicious (rarely a false positive)
- Check for multiple attempts
- Note targeted files (passwd, config files)
Response: Consider IP blocking for persistent offenders.
Remote Code Execution
Rule IDs: 932xxx series (application attacks)
Log Example:
IP: 203.0.113.100
URI: /upload.php
Method: POST
Rule: 932160
Severity: CRITICAL
Message: Remote Command Execution
Analysis:
- Very serious attack type
- Check upload endpoints carefully
- Verify blocking prevented execution
Response: Investigate aggressively, consider additional protections for upload endpoints.
WordPress-Specific Attacks
Rule IDs: WPxxx series
Log Example:
IP: 198.51.100.75
URI: /xmlrpc.php
Method: POST
Rule: WP001
Severity: WARNING
Message: WordPress XML-RPC Attack
Analysis:
- xmlrpc.php is commonly abused
- Check for brute force patterns
- Verify legitimate plugin use
Response: Consider disabling xmlrpc.php if not needed.
False Positive Identification
Signs of False Positives
Indicators legitimate traffic is blocked:
User Reports:
- Support tickets about access errors
- Specific legitimate users blocked
- Timing matches business hours
- Known good IPs in logs
Log Patterns:
- Blocks during form submission
- Admin area operations blocked
- Known legitimate user IPs
- Business hour timing
- Specific legitimate URLs
Example False Positive:
IP: 203.0.113.10 (Office IP)
URI: /wp-admin/post.php
Method: POST
Rule: 941130
Time: 10:30 AM (business hours)
Message: XSS detected in post content
Analysis: office IP, business hours, admin operation: most likely legitimate HTML in the blog post rather than an attack.
Investigating False Positives
Step 1: Reproduce
- Attempt the same operation
- Note the exact error
- Identify the specific input causing the block
Step 2: Review Triggered Rule
- Check the rule ID in the logs
- Understand what the rule detects
- Verify the input legitimately matches the pattern
Step 3: Confirm Legitimacy
- Verify the user is legitimate
- Confirm the operation is a normal business function
- Check whether a security risk exists
Step 4: Decide Action
- Disable the rule if it is clearly a false positive
- Modify the input if possible
- Whitelist the specific user/IP
- Document the decision
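The false-positive signs listed above (known good IP, business hours, admin area, form submission) can be turned into a triage score that ranks blocks for the manual steps 1 to 3; it does not replace them. The Python below is an added example, not the guide's or the product's code. The office network 203.0.113.0/28, the 08:00 to 18:00 weekday business hours, the admin prefixes, the rule-ID series mapping (taken from the attack-type sections of this guide) and the two sample blocks (the guide's example false positive plus one SQL injection block) are assumptions constructed for the example.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumptions for this example (not product settings): the office range and business hours.
KNOWN_GOOD_NETWORKS = [ip_network("203.0.113.0/28")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))        # local time, Monday to Friday
ADMIN_PREFIXES = ("/wp-admin/", "/admin/")

# Rule-ID series as described in the attack-type sections of this guide.
RULE_SERIES = {
    "942": "SQL injection",
    "941": "XSS",
    "930": "path traversal",
    "932": "remote code execution",
    "920": "request validation",
    "WP": "WordPress-specific",
}


def describe_rule(rule_id):
    """Step 2: say what a rule detects from its ID prefix."""
    for prefix, name in RULE_SERIES.items():
        if rule_id.startswith(prefix):
            return name
    return "unknown"


def false_positive_score(block):
    """Return (score, reasons). Each matching sign adds one point; the score orders blocks
    for human review (steps 1 to 3 of the procedure), it does not decide on its own."""
    reasons = []
    if any(ip_address(block["source_ip"]) in net for net in KNOWN_GOOD_NETWORKS):
        reasons.append("known-good IP")
    ts = datetime.strptime(block["timestamp"], "%Y-%m-%d %H:%M:%S")
    if ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]:
        reasons.append("business hours")
    if block["uri"].startswith(ADMIN_PREFIXES):
        reasons.append("admin area operation")
    if block["method"] == "POST" and describe_rule(block["rule_id"]) == "XSS":
        reasons.append("form submission matched an XSS rule (rich text?)")
    return len(reasons), reasons


def triage(blocks, threshold=3):
    """Blocks scoring at least `threshold`, highest score first."""
    scored = [(b, *false_positive_score(b)) for b in blocks]
    return sorted(
        [(b["source_ip"], b["uri"], b["rule_id"], s, r) for b, s, r in scored if s >= threshold],
        key=lambda item: -item[3],
    )


# Constructed blocks: the guide's example false positive and one SQL injection block.
SAMPLE_BLOCKS = [
    {"timestamp": "2024-01-15 10:30:00", "source_ip": "203.0.113.10", "uri": "/wp-admin/post.php",
     "method": "POST", "rule_id": "941130"},
    {"timestamp": "2024-01-15 03:12:44", "source_ip": "203.0.113.45", "uri": "/products.php?id=1",
     "method": "GET", "rule_id": "942100"},
]

if __name__ == "__main__":
    for ip, uri, rule, score, reasons in triage(SAMPLE_BLOCKS):
        print(f"{ip} {uri} rule {rule} ({describe_rule(rule)}): score {score}, {', '.join(reasons)}")
```

The office block scores on all four signs and is queued for review; the night-time SQL injection block from an outside address scores zero and stays in the attack pile. A high score still goes through step 3 (confirm the user and the operation) before a rule is disabled, because an attacker who has obtained office credentials also looks like "known IP, business hours, admin area".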
Trend Analysis
Daily Attack Patterns
Analyze attack timing:
Time-of-Day Analysis:
Attacks by Hour (Last 7 Days):
00:00-06:00: 2,450 blocks (low - scanners)
06:00-12:00: 890 blocks (moderate)
12:00-18:00: 1,234 blocks (moderate)
18:00-24:00: 3,567 blocks (high - peak attack time)
Insight: Attacks peak evening/night. May correlate with attacker time zones.
Weekly Patterns
Attacks by Day:
Monday: 1,234
Tuesday: 1,456
Wednesday: 1,567
Thursday: 1,234
Friday: 890
Saturday: 3,456 (peak)
Sunday: 2,890
Insight: Weekend attacks higher. Possibly automated campaigns running while offices closed.
Attack Source Geography
Top Attack Source Countries:
Russia: 4,567 blocks (35%)
China: 3,234 blocks (25%)
Romania: 1,890 blocks (15%)
Ukraine: 1,234 blocks (10%)
Others: 1,945 blocks (15%)
Insight: 75% of attacks from 4 countries. Geographic blocking would significantly reduce attack volume.
Rule Trigger Frequency
Most Triggered Rules:
942100 (SQL Injection): 3,456 blocks
941130 (XSS): 2,345 blocks
930100 (Path Traversal): 1,234 blocks
920100 (Invalid Request): 890 blocks
Insight: SQL injection most common. Targeted attack type or broad scanning.
Advanced Analysis Techniques
Attacker Profiling
Build profile of persistent attackers:
Single Attacker Analysis:
IP: 203.0.113.45
Total Attacks: 245 over 7 days
Attack Types:
- SQL Injection: 156 (64%)
- XSS: 67 (27%)
- Path Traversal: 22 (9%)
Targeted URIs:
- /products.php: 89 attempts
- /search: 67 attempts
- /admin/: 45 attempts
Pattern: Automated tool, broad scanning
Response: IP-level block, all attack types blocked successfully.
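The trend tables in the Trend Analysis section (hour bands, weekdays, source countries, rule frequency) and the single-attacker profile above are all the same operation: group the security log by one field and count, optionally with a share of the total. The Python below is an added example, not code from this guide or from AtomicEdge, and produces every one of those views from one constructed six-record sample. The records, the country codes attached to them and the rule-name table (copied from the Rule Trigger Frequency list) are assumptions for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed records: (timestamp, source IP, country code, URI, rule ID). Not real data.
SAMPLE = [
    ("2024-01-13 02:15:00", "203.0.113.45", "RU", "/products.php?id=1", "942100"),  # Saturday
    ("2024-01-13 23:40:00", "203.0.113.45", "RU", "/search?q=test", "941130"),
    ("2024-01-14 19:05:00", "198.51.100.7", "CN", "/index.php?file=x", "930100"),  # Sunday
    ("2024-01-15 09:30:00", "203.0.113.45", "RU", "/products.php?id=2", "942100"),  # Monday
    ("2024-01-15 14:00:00", "192.0.2.9", "RO", "/", "920100"),
    ("2024-01-15 20:30:00", "203.0.113.45", "RU", "/admin/", "930100"),
]

# Rule names as listed under "Rule Trigger Frequency" in this guide.
RULE_NAMES = {"942100": "SQL Injection", "941130": "XSS",
              "930100": "Path Traversal", "920100": "Invalid Request"}
HOUR_BANDS = ["00:00-06:00", "06:00-12:00", "12:00-18:00", "18:00-24:00"]
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def _ts(record):
    return datetime.strptime(record[0], "%Y-%m-%d %H:%M:%S")


def with_share(counter):
    """Counts plus percentage of the total, largest first (ties keep first-seen order)."""
    total = sum(counter.values())
    return [(key, n, round(100 * n / total, 1)) for key, n in counter.most_common()]


def attacks_by_hour_band(records):
    """Time-of-day view: six-hour bands, every band present even when empty."""
    c = Counter(HOUR_BANDS[_ts(r).hour // 6] for r in records)
    return {band: c.get(band, 0) for band in HOUR_BANDS}


def attacks_by_weekday(records):
    """Weekly view: Monday to Sunday, every day present even when empty."""
    c = Counter(WEEKDAYS[_ts(r).weekday()] for r in records)
    return {day: c.get(day, 0) for day in WEEKDAYS}


def attacks_by_country(records):
    """Source geography with share of total, for the geographic-blocking decision."""
    return with_share(Counter(r[2] for r in records))


def top_rules(records, n=10):
    """Most triggered rules with their names."""
    c = Counter(r[4] for r in records)
    return [(rule, RULE_NAMES.get(rule, "unknown"), count) for rule, count in c.most_common(n)]


def attacker_profile(records, ip):
    """Single-attacker view: total, attack-type mix and targeted paths (query string stripped)."""
    mine = [r for r in records if r[1] == ip]
    return {
        "ip": ip,
        "total": len(mine),
        "attack_types": with_share(Counter(RULE_NAMES.get(r[4], r[4]) for r in mine)),
        "targeted_uris": Counter(r[3].split("?")[0] for r in mine).most_common(),
    }


if __name__ == "__main__":
    print(attacks_by_hour_band(SAMPLE))
    print(attacks_by_weekday(SAMPLE))
    print(attacks_by_country(SAMPLE))
    print(top_rules(SAMPLE))
    print(attacker_profile(SAMPLE, "203.0.113.45"))
```

Two details matter in practice. The hour and weekday views must be computed in a fixed time zone (the log's, usually UTC), otherwise the "peak attack time" shifts with whoever runs the script. And the country share is only as good as the geolocation attached to the record: if the export has no country field, join one in before counting rather than guessing from the address.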
Attack Campaign Detection
Identify coordinated attacks:
Campaign Indicators:
- Multiple IPs
- Similar timing
- Same attack types
- Geographic clustering
- User agent patterns
Example Campaign:
Time: 2024-01-15 14:00-14:30
IPs: 45 unique (mostly Russian)
Attack Type: WordPress xmlrpc.php abuse
Volume: 2,340 requests
Pattern: Distributed, coordinated timing
Response: Geographic blocking, rate limiting, monitor for continuation.
Success Rate Analysis
Measure attack success:
Attack Attempts: 10,000
Blocked: 9,987 (99.87%)
Allowed (false negatives): 13 (0.13%)
Low Success Rate: Good protection, attacks ineffective.
High Success Rate: Review configuration, may need stricter rules or additional protection.
False Positive Rate
Total Blocks: 10,000
Legitimate Blocks: 45 (0.45%)
Attack Blocks: 9,955 (99.55%)
Low False Positive Rate (<1%): Good balance, minimal legitimate impact.
High False Positive Rate (>5%): Need rule tuning, legitimate users affected.
Exporting and External Analysis
Log Export
Export logs for external analysis:
Dashboard Export:
- Select the date range
- Apply filters if needed
- Export to CSV or JSON
- Import into analysis tools
External Tools
Analyze with specialized tools:
Spreadsheet Analysis (Excel, Google Sheets):
- Pivot tables for grouping
- Charts for visualization
- Filtering and sorting
- Basic trend analysis
Log Analysis Tools (ELK Stack, Splunk):
- Advanced querying
- Real-time dashboards
- Alerting
- Correlation analysis
SIEM Integration:
- Centralize with other security logs
- Correlation with other events
- Compliance reporting
- Advanced threat detection
Sample Analysis Queries
SQL (if imported to database):
-- Top attacking IPs
SELECT source_ip, COUNT(*) as attack_count
FROM waf_logs
WHERE timestamp > NOW() - INTERVAL 7 DAY
GROUP BY source_ip
ORDER BY attack_count DESC
LIMIT 10;
-- Attack types by hour
SELECT HOUR(timestamp) as hour, rule_id, COUNT(*) as count
FROM waf_logs
WHERE timestamp > NOW() - INTERVAL 1 DAY
GROUP BY hour, rule_id
ORDER BY hour, count DESC;
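The two queries above are written for MySQL (NOW(), INTERVAL, HOUR()). The following Python is an added example, not part of this guide, that loads a CSV export into an in-memory SQLite database and runs the same two queries in SQLite's dialect, with datetime() in place of NOW() - INTERVAL and strftime() in place of HOUR(). The CSV rows (built from the log examples in this guide), the column name rule_group (used because GROUP is a reserved word in SQL) and the fixed reference time passed as `now` are assumptions for the example.

```python
import csv
import io
import sqlite3

# Constructed CSV export in the security-log field layout of this guide (not a real export).
CSV_EXPORT = """timestamp,source_ip,uri,method,rule_id,severity,message,group
2024-01-15 14:00:05,203.0.113.45,/products.php?id=1' OR '1'='1,GET,942100,CRITICAL,SQL Injection Attack Detected,OWASP
2024-01-15 14:00:09,203.0.113.45,/search?q=<script>alert(1)</script>,GET,941130,CRITICAL,XSS Attack Detected,OWASP
2024-01-15 14:03:00,203.0.113.45,/products.php?id=2,GET,942100,CRITICAL,SQL Injection Attack Detected,OWASP
2024-01-15 15:10:00,198.51.100.75,/xmlrpc.php,POST,WP001,WARNING,WordPress XML-RPC Attack,WordPress
2024-01-05 08:00:00,192.0.2.50,/index.php?file=../../../../etc/passwd,GET,930100,CRITICAL,Path Traversal Attack,OWASP
"""

COLUMNS = ["timestamp", "source_ip", "uri", "method", "rule_id", "severity", "message", "group"]


def load_export(csv_text):
    """Import the CSV into an in-memory SQLite table named waf_logs, as the queries expect.
    The CSV 'group' column is stored as rule_group because GROUP is a reserved word."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE waf_logs (timestamp TEXT, source_ip TEXT, uri TEXT, method TEXT, "
                 "rule_id TEXT, severity TEXT, message TEXT, rule_group TEXT)")
    rows = [tuple(r[c] for c in COLUMNS) for r in csv.DictReader(io.StringIO(csv_text))]
    conn.executemany("INSERT INTO waf_logs VALUES (?, ?, ?, ?, ?, ?, ?, ?)", rows)
    return conn


def top_attacking_ips(conn, now, days=7, limit=10):
    """'Top attacking IPs': NOW() - INTERVAL 7 DAY becomes datetime(?, '-7 days') in SQLite.
    `now` is passed in so the result is reproducible; use datetime('now') in production."""
    return conn.execute(
        "SELECT source_ip, COUNT(*) AS attack_count FROM waf_logs "
        "WHERE timestamp > datetime(?, ?) "
        "GROUP BY source_ip ORDER BY attack_count DESC, source_ip LIMIT ?",
        (now, f"-{days} days", limit),
    ).fetchall()


def attacks_by_hour(conn, now):
    """'Attack types by hour': HOUR(timestamp) becomes strftime('%H', timestamp)."""
    return conn.execute(
        "SELECT strftime('%H', timestamp) AS hour, rule_id, COUNT(*) AS n FROM waf_logs "
        "WHERE timestamp > datetime(?, '-1 day') "
        "GROUP BY hour, rule_id ORDER BY hour, n DESC, rule_id",
        (now,),
    ).fetchall()


if __name__ == "__main__":
    db = load_export(CSV_EXPORT)
    print(top_attacking_ips(db, "2024-01-16 00:00:00"))
    print(attacks_by_hour(db, "2024-01-16 00:00:00"))
```

Both queries bind their parameters instead of pasting values into the SQL text, which is the habit to keep when the values come from a log: a URI field in a WAF export is, by definition, attacker-controlled input. The path traversal row dated 2024-01-05 falls outside the seven-day window and is correctly left out of the first result.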
Actionable Insights
From Log Analysis to Action
High Volume Single IP:
- Action: IP-level block
- Implementation: Add to blocked IPs list
Distributed Attack from Single Country:
- Action: Geographic blocking
- Implementation: Block source country
Repeated False Positives:
- Action: Disable specific rule
- Implementation: Add rule ID to disabled list
Successful Attack Indicators:
- Action: Investigate further, patch vulnerability
- Implementation: Review application logs, apply security updates
Normal Attack Patterns:
- Action: No changes needed
- Implementation: Continue monitoring
Regular Review Schedule
Daily (5 minutes):
- Quick scan for unusual activity
- Check for new attack types
- Verify no legitimate traffic blocked
Weekly (30 minutes):
- Review attack trends
- Analyze top attackers
- Check false positive rate
- Adjust configuration if needed
Monthly (2 hours):
- Comprehensive trend analysis
- Review all disabled rules
- Analyze geographic patterns
- Update protection strategy
- Document findings
Common Analysis Scenarios
Investigating User Complaint
A user reports that they cannot access the site:
Analysis:
1. Get the user's IP and timestamp
2. Filter logs to that IP and time
3. Identify the triggered rule
4. Review rule legitimacy
5. Verify the user's action was legitimate
Resolution: Disable problematic rule or whitelist user IP.
Preparing Attack Report
Management requests attack summary:
Data to Collect:
- Total attacks (7/30 days)
- Attack types (pie chart)
- Top source countries (bar chart)
- Trend over time (line chart)
- Blocked vs allowed
- Most targeted endpoints
Tools: Export logs, create visualizations, summarize findings.
Incident Investigation
Possible breach detected:
Log Analysis:
1. Identify the suspicious timeframe
2. Filter to the suspected compromised endpoint
3. Look for successful requests (200 status)
4. Identify attack patterns around the success
5. Correlate with application logs
6. Check for multiple attack types
Report: Timeline, attack methods, potential impact, recommendations.
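Steps 2 to 5 of the incident procedure are a join between the two log types: the access log says what was allowed, the security log says what was blocked just before. The Python below is an added example, not the guide's or the product's code. It filters constructed access-log records to the suspected endpoint and timeframe, keeps the 200 responses, attaches the security-log blocks from the same IP in the preceding minutes, and builds a merged per-IP timeline for the report. The records, the endpoint /upload.php, the rule ID reused from the remote code execution example above and the 10-minute look-back are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log records: (timestamp, source IP, URI, method, status). Not real data.
ACCESS_LOG = [
    ("2024-01-15 14:00:05", "203.0.113.45", "/upload.php", "POST", 403),
    ("2024-01-15 14:00:09", "203.0.113.45", "/upload.php", "POST", 403),
    ("2024-01-15 14:02:30", "203.0.113.45", "/upload.php", "POST", 200),  # allowed after two blocks
    ("2024-01-15 14:05:00", "198.51.100.8", "/upload.php", "POST", 200),  # no blocks nearby: ordinary use
    ("2024-01-15 14:06:00", "203.0.113.45", "/uploads/", "GET", 200),
]
# Constructed security-log records: (timestamp, source IP, URI, rule ID).
SECURITY_LOG = [
    ("2024-01-15 14:00:05", "203.0.113.45", "/upload.php", "932160"),
    ("2024-01-15 14:00:09", "203.0.113.45", "/upload.php", "932160"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def suspicious_successes(access, security, endpoint, start, end, lookback=timedelta(minutes=10)):
    """Steps 2 to 4: requests to `endpoint` between start and end that received a 200 from an
    IP the WAF had blocked within `lookback` before that request. Other traffic is dropped."""
    blocks_by_ip = defaultdict(list)
    for ts, ip, uri, rule in security:
        blocks_by_ip[ip].append((parse_ts(ts), uri, rule))
    findings = []
    for ts, ip, uri, method, status in access:
        t = parse_ts(ts)
        if uri != endpoint or status != 200 or not (start <= t <= end):
            continue
        prior = [(bt, rule) for bt, _, rule in blocks_by_ip.get(ip, []) if t - lookback <= bt <= t]
        if prior:
            findings.append({
                "time": ts, "ip": ip, "method": method,
                "block_count": len(prior),
                "prior_rules": sorted({rule for _, rule in prior}),
            })
    return findings


def timeline(access, security, ip):
    """Step 5 and the report: one ordered list of what this IP did and what the WAF blocked,
    ready to lay beside the application log for the same address."""
    events = [(ts, "access", f"{m} {u} {s}") for ts, i, u, m, s in access if i == ip]
    events += [(ts, "block", f"rule {r} on {u}") for ts, i, u, r in security if i == ip]
    return sorted(events)


if __name__ == "__main__":
    window = (parse_ts("2024-01-15 14:00:00"), parse_ts("2024-01-15 14:30:00"))
    for f in suspicious_successes(ACCESS_LOG, SECURITY_LOG, "/upload.php", *window):
        print(f)
    for event in timeline(ACCESS_LOG, SECURITY_LOG, "203.0.113.45"):
        print(*event)
```

The one finding is the 200 response to the same IP two minutes after two remote-command-execution blocks on the same endpoint: that request is the one to trace in the application log and on the file system, since a 200 from the WAF means only that no rule matched, not that the request was harmless. The other 200, from an address with no blocks around it, is left alone, which keeps the investigation focused.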
Best Practices
Regular Review: Check logs daily, analyze deeply weekly.
Trend Tracking: Monitor trends over time, not just current state.
Document Findings: Record significant patterns and actions taken.
Correlate Events: Connect log patterns with business events, deployments, etc.
Act on Insights: Use analysis to improve configuration, don’t just observe.
Share Knowledge: Brief team on attack patterns and protections.
Maintain History: Keep archived logs for trend analysis and compliance.
Automate Alerts: Set up alerts for unusual patterns (covered in monitoring guide).
Validate Protection: Ensure blocked attacks don’t indicate bypasses.
Learn Attack Techniques: Understanding attacks helps identify and prevent them.
Effective log analysis transforms raw data into actionable security intelligence, enabling proactive defense and optimized protection.
