Coralogix Automatic Threat Discovery

This tutorial explains how to use Threat Discovery in Coralogix.

Written by Ariel Assaraf
Updated over a week ago

Web server logs, not only for troubleshooting

A large portion of log data generated by our customers is web server logs. These logs contain important information about each request including the URL, IP address, server information, user agent, response code, and more. Web server logs are often used to monitor production issues and performance, but also contain extremely valuable data about your production security and potential threats.

At Coralogix we decided to bridge the gap between old-school IT and SIEM tools and the fast-paced DevOps organization, which needs its data to be flexible, real-time, and combined across all sources: applications, infrastructure, network, and security.

Coralogix's first security feature is a simple way to get your web server logs enriched with the most up-to-date IP reputation lists available.

All you have to do is go to Coralogix Settings and, under "Threat discovery", define the IP fields you would like to track for security threats.

If your IP fields aren't set, or your data isn't JSON formatted, you can use the Coralogix Rules Engine to extract the IP addresses that lie in your log records with the "Extract" rule, which lets you apply a regex and pull out a single value without having to parse the entire log record.

Once the definition is done, Coralogix compares every IP in your logs against a constantly updated list of blacklisted IPs and, if an IP is suspect, enriches the log in real time with the following fields:

  • Reliability - How reliable the rating is (1-10)
  • Activity - What type of host it is
  • Risk - How risky the target is (1-10)
  • Country - The IPv4 address's country of origin
  • City - The IPv4 address's city of origin
  • Coordinates - Geolocated latitude and longitude of the IPv4 address
  • Activity rank - A calculated risk factor (0-100)
  • Score - A string value ranking the risk factor
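To make the two steps above concrete (regex extraction of the IP from a raw, non-JSON log line, then enrichment with the fields listed), here is an added, stand-alone Python illustration; it is not Coralogix's code and the reputation entry, field values, and Apache-style log lines are constructed samples using documentation IP ranges.

```python
import re
from typing import Optional

# Matches a dotted-quad candidate that is not part of a longer numeric run,
# the same idea as an "Extract" rule regex applied to a raw log line.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample reputation entry (documentation range, not real threat
# intel), carrying the eight enrichment fields described in the tutorial.
BLACKLIST = {
    "198.51.100.23": {
        "Reliability": 8, "Activity": "Scanning Host", "Risk": 7,
        "Country": "ZZ", "City": "Exampleton", "Coordinates": (0.0, 0.0),
        "Activity rank": 72, "Score": "High",
    },
}

# Constructed Apache combined-format lines: one flagged client, one clean.
SAMPLE_LOGS = [
    '198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.68.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def extract_ip(line: str) -> Optional[str]:
    """Return the first syntactically valid IPv4 address in the line, or None."""
    for m in IPV4_RE.finditer(line):
        if all(int(octet) <= 255 for octet in m.group(1).split(".")):
            return m.group(1)
    return None


def enrich(record: dict, ip_field: str = "client_ip") -> dict:
    """Copy the reputation fields onto a record whose ip_field is on the list."""
    hit = BLACKLIST.get(record.get(ip_field, ""))
    return {**record, **hit} if hit else dict(record)


def process_line(line: str) -> dict:
    """Extract the client IP from a raw line, then enrich the resulting record."""
    record = {"raw": line}
    ip = extract_ip(line)
    if ip:
        record["client_ip"] = ip
    return enrich(record)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(process_line(line))
```

A clean line keeps only its extracted `client_ip`; a flagged one gains the reputation fields, which is the shape a downstream alert or dashboard would filter on.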
