
Investigating An Attack

Updated Jun 29, 2022

Now that you’ve run attack tooling against your site, you can start to explore the data available in Signal Sciences:

Using the Attack and Anomaly Panels

  1. The attack and anomaly panels on the Overview page show the signals we’ve identified over time.

    • You can zoom into a particular date range by clicking and dragging on the chart. Your time selection will be carried through as you drill down into your data.

    investigate1.png “Using Signal Sciences”

  2. At the bottom of each panel there are Quick Look and View Requests buttons. Clicking on the Quick Look button will display a summary view of the data in the graph.

    investigate2.png “Using Signal Sciences”

  3. Clicking on the View Requests button will take you to the search page with the data from the graph already filtered. The search page shows individual requests that contain attack or anomaly data. In addition to general metadata (HTTP request, hostname, response code, response size, etc.), we display the specific attacks and anomalies under the “Signals/Payloads” column.

    investigate3.png “Using Signal Sciences”

    • You can filter by any value by clicking on any of the signals or links. For example, clicking on the source IP will constrain the results to all requests by that IP.
    • To view full request details, click View request detail.
  4. The request details page lists all of the metadata we’ve captured about the request including request and response headers and all the signals we’ve identified. This page can help you further debug a particular attack or anomaly.

    investigate4.png “Using Signal Sciences”

Note: Because the agent sends only the parts of a request it considers anomalous, and redacts sensitive data, the request details page may not contain enough context to fully investigate an attack or anomaly. To bridge that gap, configure a header link: choose a linking identifier that both Signal Sciences and your internal systems record (e.g., an X-Request-Id response header), and the request details page will render it as a link to the same request in your own logs or tracing tools.
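As an added example (not Signal Sciences code, and independent of how the agent is deployed), the following WSGI middleware mints an X-Request-Id for every request and echoes it as a response header so that a header link can point back at your own log entry for that request. It also guards against a client-supplied ID being used to inject newlines or other text into your logs: an inbound ID is kept only when it comes from infrastructure you trust and matches a strict format. The header name, the accepted ID format and the trust_inbound switch are assumptions of this example.

```python
"""Added example (not Signal Sciences code): WSGI middleware that stamps every
response with an X-Request-Id so a WAF's request details page can link back to
the application's own log entry for that request. Header name, ID format and
the trust_inbound switch are assumptions of this example."""
import logging
import re
import uuid
from typing import Optional

# Accept an inbound ID only if it looks like one a trusted proxy would mint.
# Anything else is replaced, so a client cannot inject newlines or other text
# into log lines or into the link the WAF builds from this header.
_SAFE_ID = re.compile(r"[A-Za-z0-9._-]{8,64}")

log = logging.getLogger("app")


def choose_request_id(inbound: Optional[str], trust_inbound: bool) -> str:
    """Return the ID to attach to this request.

    trust_inbound should be True only when the header is set by infrastructure
    you control (e.g. your load balancer); otherwise a fresh ID is minted.
    """
    if trust_inbound and inbound and _SAFE_ID.fullmatch(inbound):
        return inbound
    return uuid.uuid4().hex


class RequestIdMiddleware:
    def __init__(self, app, trust_inbound: bool = False):
        self.app = app
        self.trust_inbound = trust_inbound

    def __call__(self, environ, start_response):
        rid = choose_request_id(environ.get("HTTP_X_REQUEST_ID"), self.trust_inbound)
        environ["request_id"] = rid  # handlers include this in their own log lines

        def start_response_with_id(status, headers, exc_info=None):
            # Replace any X-Request-Id the app set so there is exactly one value.
            headers = [(k, v) for k, v in headers if k.lower() != "x-request-id"]
            headers.append(("X-Request-Id", rid))
            return start_response(status, headers, exc_info)

        log.info("request_id=%s method=%s path=%s", rid,
                 environ.get("REQUEST_METHOD"), environ.get("PATH_INFO"))
        return self.app(environ, start_response_with_id)


def demo_app(environ, start_response):
    """Constructed sample application: echoes the request id in the body."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"request_id={environ['request_id']}\n".encode()]


def run_once(path: str, inbound_id: Optional[str] = None, trust_inbound: bool = False):
    """Drive the middleware with a constructed WSGI environ.

    Returns (status, headers as a dict, body as str).
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if inbound_id is not None:
        environ["HTTP_X_REQUEST_ID"] = inbound_id
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    app = RequestIdMiddleware(demo_app, trust_inbound=trust_inbound)
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(run_once("/login"))                                            # fresh ID minted
    print(run_once("/login", "lb-0000000042", trust_inbound=True))       # proxy ID kept
    print(run_once("/login", "evil\nX-Injected: 1", trust_inbound=True))  # replaced
```

The same ID should appear in every log line the application writes for that request, so that the header link lands on a search for that value rather than on a timestamp range.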

Using the Flagged and Suspicious IPs Lists

  1. The Events and Suspicious IPs lists on the Overview page show IP addresses from which requests containing attack payloads have originated.

    Suspicious IPs are addresses that have sent requests containing attack payloads, but whose volume of attack traffic has not yet reached the decision threshold. Once the threshold is met or exceeded, the IP address is flagged and added to the Events list. If the agent mode is set to “blocking”, requests from a flagged IP that carry attack signals are blocked; requests from that IP without attack signals are still allowed, so legitimate traffic is not affected.

  • If a suspicious IP has been detected as malicious and flagged by other sites on the Signal Sciences network, there will be an indicator stating “Flagged on other Signal Sciences Network sites”.

  • If a flagged IP is listed as “Active”, it is currently being blocked (if the agent mode is set to “blocking”) or logged (if set to “not blocking”).

  • If a flagged IP is listed as “Expired”, then the event has ended and requests from that IP address are no longer blocked or logged against that event. Further attack traffic from the IP counts toward the threshold again and can raise a new event.

    investigate5.png “Using Signal Sciences”

  2. Clicking directly on the IP address will take you to the search page displaying all requests from that IP address.

  3. Clicking on View will take you to the Events page for that IP address. This page provides detailed information about the event associated with this IP address, including:

  • The signal assigned to the event.

  • A timeline of what transpired during this event.

  • Additional details about the event.

    investigate6.png “Using Signal Sciences”

  4. The timeline illustrates the actions that occurred during the event. This includes when the IP address was identified as suspicious, how many requests carrying the signal were received from the IP before it was flagged, when the IP was flagged, and how many requests were blocked or logged while it was flagged.

  5. The “Details” section provides additional, detailed information regarding the event. Depending on the nature of the attack, this can include the host, user agents, file paths, and country of origin.

  6. The “Sample Request” highlights a single request received during the event, including the request itself and the signals applied to it. Clicking on View this request will take you to the request details page for that request.
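To make the suspicious, flagged and expired states described above concrete, here is an added example (an illustrative model, not Signal Sciences' own decision engine) that runs a threshold decision over constructed request records and produces the kind of timeline the Events page shows: when the IP became suspicious, how many attack requests it sent before being flagged, and how many were blocked while the flag was active. The signal names, the threshold (5 attack requests within 60 seconds) and the flag duration (one hour) are assumed values chosen for the demo, not the product's settings.

```python
"""Added example (illustrative model, not Signal Sciences' decision engine):
the suspicious -> flagged -> expired lifecycle run over constructed request
records. Signal names, threshold, window and flag duration are assumed values
chosen for the demo, not the product's settings."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

ATTACK_SIGNALS = {"SQLI", "XSS", "CMDEXE", "TRAVERSAL"}  # assumed signal names
THRESHOLD = 5         # attack requests within WINDOW before an IP is flagged (assumed)
WINDOW = 60           # seconds (assumed)
FLAG_DURATION = 3600  # seconds an IP stays "Active" before it is "Expired" (assumed)


@dataclass
class Request:
    ts: int            # seconds since the start of the capture
    ip: str
    path: str
    signals: List[str]


@dataclass
class IpState:
    recent_attacks: Deque[int] = field(default_factory=deque)  # timestamps inside WINDOW
    flagged_at: Optional[int] = None
    seen_before_flag: int = 0   # attack requests counted toward the threshold
    blocked: int = 0            # attack requests blocked (or logged) while flagged
    timeline: List[str] = field(default_factory=list)


class Decider:
    def __init__(self, blocking: bool):
        self.blocking = blocking
        self.ips: Dict[str, IpState] = defaultdict(IpState)

    def status(self, ip: str, now: int) -> str:
        st = self.ips[ip]
        if st.flagged_at is None:
            return "suspicious" if st.recent_attacks else "clean"
        return "active" if now < st.flagged_at + FLAG_DURATION else "expired"

    def handle(self, req: Request) -> str:
        """Decide one request: 'allowed', 'blocked' or 'logged'."""
        st = self.ips[req.ip]
        if not ATTACK_SIGNALS.intersection(req.signals):
            return "allowed"  # legitimate traffic passes even from a flagged IP
        status = self.status(req.ip, req.ts)
        if status == "active":
            st.blocked += 1
            return "blocked" if self.blocking else "logged"
        if status == "expired":
            st.timeline.append(f"t={req.ts}: flag expired")
            st.flagged_at, st.seen_before_flag = None, 0
        # Not flagged: this attack request counts toward the threshold.
        st.recent_attacks.append(req.ts)
        while st.recent_attacks[0] < req.ts - WINDOW:
            st.recent_attacks.popleft()
        if len(st.recent_attacks) == 1:
            st.timeline.append(f"t={req.ts}: identified as suspicious ({req.signals[0]})")
        st.seen_before_flag += 1
        if len(st.recent_attacks) >= THRESHOLD:
            st.flagged_at = req.ts
            st.recent_attacks.clear()
            st.timeline.append(f"t={req.ts}: flagged after {st.seen_before_flag} attack requests")
        return "logged"  # recorded as a signal, not blocked


# Constructed sample traffic: 203.0.113.7 crosses the threshold, 198.51.100.9 does not.
SAMPLE = [
    Request(0, "203.0.113.7", "/login", ["SQLI"]),
    Request(1, "203.0.113.7", "/login", ["SQLI"]),
    Request(2, "203.0.113.7", "/login", ["SQLI"]),
    Request(3, "203.0.113.7", "/login", ["SQLI"]),
    Request(4, "203.0.113.7", "/login", ["SQLI"]),     # 5th within 60s: flagged
    Request(5, "203.0.113.7", "/search", ["SQLI"]),    # blocked while flagged
    Request(6, "203.0.113.7", "/search", ["XSS"]),     # blocked while flagged
    Request(7, "203.0.113.7", "/", []),                # legitimate: allowed
    Request(8, "198.51.100.9", "/comment", ["XSS"]),   # suspicious only
    Request(9, "198.51.100.9", "/comment", ["XSS"]),
    Request(4000, "203.0.113.7", "/login", ["SQLI"]),  # flag expired: suspicious again
]


def run_demo(blocking: bool = True):
    """Replay SAMPLE; returns (decision per request, decider holding per-IP state)."""
    decider = Decider(blocking)
    return [decider.handle(r) for r in SAMPLE], decider


if __name__ == "__main__":
    decisions, decider = run_demo()
    for req, decision in zip(SAMPLE, decisions):
        print(f"t={req.ts:<5} {req.ip:<14} {req.path:<9} {req.signals} -> {decision}")
    for ip, st in decider.ips.items():
        print(ip, "blocked:", st.blocked, "timeline:", st.timeline)
```

Run it with `run_demo(blocking=False)` to see the “not blocking” behaviour the page describes: the same requests are recorded as logged rather than blocked, and the per-IP counters and timeline are otherwise unchanged. Note that the request which pushes an IP over the threshold is itself only logged in this model; only attack requests that arrive while the flag is active are blocked.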

Now that you know how to investigate and drill down into the data captured by Signal Sciences, learn how to [test blocking mode](/using-signal-sciences/walkthrough/testing-blocking-mode).