# 5.2 Security Log

<figure><img src="/files/exyDPiCjcZaAVL7cIByw" alt=""><figcaption></figcaption></figure>

#### 📖 Overview

The **Security Log** module in ShieldsGuard provides a dedicated view of **security-related events** — including blocked threats, monitored attacks, WAF rule triggers, brute-force attempts, and behavioral anomalies.

Unlike the Access Log, which shows all requests, the Security Log focuses only on **suspicious, malicious, or policy-violating activity**. It’s your go-to dashboard for investigating real threats and validating that ShieldsGuard is actively protecting your system.

***

#### 🔍 What It Captures

Each entry in the Security Log includes:

| Field             | Description                                                                   |
| ----------------- | ----------------------------------------------------------------------------- |
| **Action**        | Whether the request was `BLOCKED`, only `MONITORED`, or `ALLOWED` while under observation |
| **URL Address**   | The target page or endpoint                                                   |
| **Attack Type**   | Detected pattern or threat category                                           |
| **IP Address**    | Origin of the attack or suspicious request                                    |
| **Date & Time**   | When the event occurred                                                       |
| **Detail Button** | Shows full request context (payloads, headers, rule triggered)                |

***

#### 🎯 Common Attack Types Logged

| Attack Type                    | Description                                             |
| ------------------------------ | ------------------------------------------------------- |
| **Bruteforce Attack**          | Repeated login attempts on login pages                  |
| **SQL Injection**              | Malicious query content in GET/POST data                |
| **Cross-Site Scripting (XSS)** | JavaScript-based payloads attempting injection          |
| **Command Injection**          | OS-level attack patterns in payloads                    |
| **JITP**                       | Just-in-time payload detection (heuristic)              |
| **DoS/Rate Abuse**             | Excessive request triggering protections                |
| **Header Tampering**           | Suspicious `Origin`, `Referer`, or `User-Agent` headers |

***

<figure><img src="/files/w4inS70wDnnf1t1iVpBu" alt=""><figcaption></figcaption></figure>

#### 🧪 How to Use

* **Investigate incidents**: Search by IP, attack type, or URL to locate threats.
* **Validate rule effectiveness**: Ensure WAF rules and behavior protections are firing as expected.
* **Correlate actions**: Trace security events in combination with Access Log entries from the same IP or time range.
* **Audit protection logs**: Show proof of blocked or mitigated attempts for compliance/reporting.

***

#### 🔍 Filtering & Search Capabilities

You can narrow the Security Log by:

* **Date range**
* **URL Address**
* **Attack Type**
* **Operation Type (Monitored / Blocked)**
* **IP Address**

All results can be expanded for detailed insight, including exact payloads, headers, and triggered security rules.

***

#### 📋 Use Case Scenarios

| Situation                            | Security Log Helps You...                       |
| ------------------------------------ | ----------------------------------------------- |
| Review a blocked SQL injection       | Find exact URL, parameter, and source IP        |
| Investigate login brute-force attack | Track multiple POST attempts to login endpoint  |
| Monitor zero-day behavior            | Identify JITP matches or unclassified anomalies |
| Detect abuse patterns over time      | Filter by date and attack type                  |
| Produce a security report            | Export attack data with classification and IPs  |
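The steps above (search by IP, attack type or URL; check that rules fire; correlate by IP and time; produce a report) and the scenarios in this table can be scripted against an export of the log. The Python below is an added example written for this page, not ShieldsGuard code. The page does not specify an export format, so the script assumes a CSV with one column per documented field and ISO-8601 UTC timestamps; the rows are constructed sample data using documentation-range IPs.

```python
"""Offline triage of Security Log entries (added example, not ShieldsGuard code).

Assumptions (the page does not specify an export format): the log is exported
as CSV with one column per documented field, and 'Date & Time' is ISO-8601 UTC.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample export (documentation-range IPs, not real attackers).
SAMPLE_EXPORT = """\
Action,URL Address,Attack Type,IP Address,Date & Time
BLOCKED,/wp-login.php,Bruteforce Attack,203.0.113.7,2024-05-01T10:00:01Z
BLOCKED,/wp-login.php,Bruteforce Attack,203.0.113.7,2024-05-01T10:00:04Z
BLOCKED,/wp-login.php,Bruteforce Attack,203.0.113.7,2024-05-01T10:00:09Z
BLOCKED,/wp-login.php,Bruteforce Attack,203.0.113.7,2024-05-01T10:00:15Z
MONITORED,/search?q=1,SQL Injection,198.51.100.23,2024-05-01T10:05:00Z
MONITORED,/search?q=1,SQL Injection,198.51.100.23,2024-05-01T11:20:00Z
BLOCKED,/comment,Cross-Site Scripting (XSS),192.0.2.44,2024-05-01T12:00:00Z
MONITORED,/wp-login.php,Bruteforce Attack,198.51.100.23,2024-05-02T09:00:00Z
"""


def parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format."""
    return datetime.strptime(value, TS_FORMAT)


def parse_export(text):
    """Parse the CSV export; each entry gains a parsed datetime under 'ts'."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = parse_ts(row["Date & Time"])
        entries.append(row)
    return entries


def filter_entries(entries, ip=None, attack_type=None, url=None, action=None,
                   start=None, end=None):
    """Mirror the UI filters: IP, attack type, URL prefix, action, date range."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    return [
        e for e in entries
        if (ip is None or e["IP Address"] == ip)
        and (attack_type is None or e["Attack Type"] == attack_type)
        and (url is None or e["URL Address"].startswith(url))
        and (action is None or e["Action"] == action)
        and (lo is None or e["ts"] >= lo)
        and (hi is None or e["ts"] <= hi)
    ]


def bruteforce_sources(entries, login_path="/wp-login.php", threshold=3,
                       window=timedelta(minutes=1)):
    """Map IP -> peak number of login-path events inside any sliding `window`.

    Only IPs reaching `threshold` are returned. Rows on the login path are
    counted regardless of Action, so monitored-only sources still surface.
    """
    by_ip = defaultdict(list)
    for e in entries:
        if e["URL Address"].startswith(login_path):
            by_ip[e["IP Address"]].append(e["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, lo = 0, 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:  # shrink window from the left
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def monitored_only_attack_types(entries):
    """Attack types that were only ever MONITORED, never BLOCKED.

    These are the rules to review: either promote them to blocking or confirm
    the monitored traffic was a false positive.
    """
    seen = defaultdict(set)
    for e in entries:
        seen[e["Attack Type"]].add(e["Action"])
    return {t for t, actions in seen.items() if actions == {"MONITORED"}}


def summarize(entries, top=5):
    """Counts for a report: by action, by attack type, and the noisiest IPs."""
    return {
        "by_action": Counter(e["Action"] for e in entries),
        "by_attack_type": Counter(e["Attack Type"] for e in entries),
        "top_ips": Counter(e["IP Address"] for e in entries).most_common(top),
    }


if __name__ == "__main__":
    log = parse_export(SAMPLE_EXPORT)
    print("brute-force sources:", bruteforce_sources(log))
    print("monitored-only types:", monitored_only_attack_types(log))
    print("report:", summarize(log))
```

`bruteforce_sources` uses a sliding window rather than a flat per-day count so that a burst of four attempts in fifteen seconds is flagged while four attempts spread over a week is not; `monitored_only_attack_types` is the quick check for rules still in observation mode that never progressed to blocking.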

***

#### 🔐 Best Practices

* Review this log daily during high-risk periods (campaigns, launches).
* Cross-reference with your WAF configuration to optimize rule coverage.
* Use IPs found here to enrich your blocklist or threat feeds, but check first that an address is not shared (NAT, proxy, or CDN egress), since blocking it would also cut off legitimate users behind it.
* Enable notifications or alerts if your plan includes real-time webhook/report integration.

***

#### 🧠 Why It Matters

The Security Log provides evidence that ShieldsGuard is **actively defending your infrastructure**, giving you visibility into threats that were:

* Mitigated automatically
* Blocked before execution
* Detected and monitored (for behavioral learning)

***

> 🎯 The Security Log is your battlefield journal — it records every blocked attempt, monitored anomaly, and protected moment. It’s where real cyber defense becomes visible.

