# 5.2 Security Log

<figure><img src="https://1888569782-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fj6f1XtdOtNUZVCRH9J44%2Fuploads%2FKHJJli3LuKCwHbfIO8TG%2Fimage.png?alt=media&#x26;token=534c82cb-fef1-4ba3-8da2-e63b39f8683d" alt=""><figcaption></figcaption></figure>

#### 📖 Overview

The **Security Log** module in ShieldsGuard provides a dedicated view of **security-related events** — including blocked threats, monitored attacks, WAF rule triggers, brute-force attempts, and behavioral anomalies.

Unlike the Access Log, which shows all requests, the Security Log focuses only on **suspicious, malicious, or policy-violating activity**. It’s your go-to dashboard for investigating real threats and validating that ShieldsGuard is actively protecting your system.

***

#### 🔍 What It Captures

Each entry in the Security Log includes:

| Field             | Description                                                                   |
| ----------------- | ----------------------------------------------------------------------------- |
| **Action**        | Whether the threat was `MONITORED`, `BLOCKED`, or `ALLOWED` under observation |
| **URL Address**   | The target page or endpoint                                                   |
| **Attack Type**   | Detected pattern or threat category                                           |
| **IP Address**    | Origin of the attack or suspicious request                                    |
| **Date & Time**   | When the event occurred                                                       |
| **Detail Button** | Shows full request context (payloads, headers, rule triggered)                |

***

#### 🎯 Common Attack Types Logged

| Attack Type                    | Description                                             |
| ------------------------------ | ------------------------------------------------------- |
| **Bruteforce Attack**          | Repeated login attempts on login pages                  |
| **SQL Injection**              | Malicious query content in GET/POST data                |
| **Cross-Site Scripting (XSS)** | JavaScript-based payloads attempting injection          |
| **Command Injection**          | OS-level attack patterns in payloads                    |
| **JITP**                       | Just-in-time payload detection (heuristic)              |
| **DoS/Rate Abuse**             | Excessive request rates that trigger rate-limit protections |
| **Header Tampering**           | Suspicious `Origin`, `Referer`, or `User-Agent` headers |

***

<figure><img src="https://1888569782-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fj6f1XtdOtNUZVCRH9J44%2Fuploads%2FI6yIpRzv5436eNhkalv5%2Fimage.png?alt=media&#x26;token=b7814383-fa9a-41e1-b0be-55e093efcfff" alt=""><figcaption></figcaption></figure>

#### 🧪 How to Use

* **Investigate incidents**: Search by IP, attack type, or URL to locate threats.
* **Validate rule effectiveness**: Ensure WAF rules and behavior protections are firing as expected.
* **Correlate actions**: Trace security events in combination with Access Log entries from the same IP or time range.
* **Audit protection logs**: Show proof of blocked or mitigated attempts for compliance/reporting.

***

#### 🔍 Filtering & Search Capabilities

You can narrow the Security Log by:

* **Date range**
* **URL Address**
* **Attack Type**
* **Operation Type (Monitored / Blocked)**
* **IP Address**

All results can be expanded for detailed insight, including exact payloads, headers, and triggered security rules.

***

#### 📋 Use Case Scenarios

| Situation                            | Security Log Helps You...                       |
| ------------------------------------ | ----------------------------------------------- |
| Review a blocked SQL injection       | Find exact URL, parameter, and source IP        |
| Investigate login brute-force attack | Track multiple POST attempts to login endpoint  |
| Monitor zero-day behavior            | Identify JITP matches or unclassified anomalies |
| Detect abuse patterns over time      | Filter by date and attack type                  |
| Produce a security report            | Export attack data with classification and IPs  |
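An added example (not ShieldsGuard's own code) of the brute-force and correlation workflows from the "How to Use" and "Use Case Scenarios" sections: it assumes the Security Log and Access Log are exported as CSV with the field names shown on this page, counts Bruteforce events per IP in a sliding window, and pulls the same IP's Access Log rows around those events. The CSV layout and the sample rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample exports using the field names shown on this page; the CSV
# layout itself is an assumption, not ShieldsGuard's documented export format.
SECURITY_LOG = """Action,URL Address,Attack Type,IP Address,Date & Time
BLOCKED,/login,Bruteforce Attack,203.0.113.7,2024-05-01 10:00:05
BLOCKED,/login,Bruteforce Attack,203.0.113.7,2024-05-01 10:00:09
BLOCKED,/login,Bruteforce Attack,203.0.113.7,2024-05-01 10:00:14
MONITORED,/search,SQL Injection,198.51.100.2,2024-05-01 10:30:00
BLOCKED,/login,Bruteforce Attack,192.0.2.9,2024-05-01 11:00:00
BLOCKED,/login,Bruteforce Attack,192.0.2.9,2024-05-01 11:20:00
"""
ACCESS_LOG = """IP Address,Method,URL Address,Date & Time
203.0.113.7,GET,/,2024-05-01 09:59:50
203.0.113.7,POST,/login,2024-05-01 10:00:05
203.0.113.7,POST,/login,2024-05-01 10:00:09
203.0.113.7,POST,/login,2024-05-01 10:00:14
203.0.113.7,GET,/admin,2024-05-01 10:00:20
203.0.113.7,POST,/login,2024-05-01 18:00:00
198.51.100.2,GET,/search,2024-05-01 10:30:00
"""
FMT = "%Y-%m-%d %H:%M:%S"

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def ts(row):
    return datetime.strptime(row["Date & Time"], FMT)

def bruteforce_sources(sec_rows, threshold=3, window=timedelta(minutes=5)):
    """IPs with at least `threshold` Bruteforce events inside any `window`."""
    by_ip = defaultdict(list)
    for r in sec_rows:
        if r["Attack Type"] == "Bruteforce Attack":
            by_ip[r["IP Address"]].append(ts(r))
    hits = set()
    for ip, times in by_ip.items():
        times.sort()  # sliding window over sorted timestamps
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits.add(ip)
    return hits

def correlate(sec_rows, acc_rows, ip, window=timedelta(minutes=5)):
    """Access Log rows from `ip` within `window` of one of its Security Log events."""
    sec_times = [ts(r) for r in sec_rows if r["IP Address"] == ip]
    return [r for r in acc_rows if r["IP Address"] == ip
            and any(abs(ts(r) - t) <= window for t in sec_times)]
```

On the sample data the correlation surfaces the `GET /admin` request that followed the blocked login attempts, which is the kind of follow-on activity the Access Log alone would not flag.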

***

#### 🔐 Best Practices

* Review this log daily during high-risk periods (campaigns, launches).
* Cross-reference with your WAF configuration to optimize rule coverage.
* Use IPs found here to enrich your blacklist or inform your threat feeds.
* Enable notifications or alerts if your plan includes real-time webhook/report integration.

***

#### 🧠 Why It Matters

The Security Log provides evidence that ShieldsGuard is **actively defending your infrastructure**, giving you visibility into threats that were:

* Mitigated automatically
* Blocked before execution
* Detected and monitored (for behavioral learning)

***

> 🎯 The Security Log is your battlefield journal — it records every blocked attempt, monitored anomaly, and protected moment. It’s where real cyber defense becomes visible.
