Security Log Analytics

Introduction

Security logs capture events related to authentication, firewall decisions, intrusion attempts, and abnormal traffic patterns. They are one of the most critical data sources for defending against cyber threats. Conatix ingests and analyzes these logs in real time, using machine learning to detect patterns that indicate attacks, reconnaissance, or policy violations.

You can explore live security events, suspicious IP activity, and protocol breakdowns in our interactive Grafana dashboard:

View Security Dashboard

What We Monitor

  • Source and destination IP activity to identify attackers or compromised hosts.
  • TCP flag combinations to detect suspicious connection patterns.
  • High-volume or unusual event types such as repeated login failures or DNS floods.
  • Security event trends over time, segmented by protocol and severity.
  • Targeted destination ports that could indicate exploitation attempts.

Common Terms in Security Logs

  • Top Source IPs: IP addresses sending the most suspicious or high-volume traffic. Often attackers, scanners, or infected internal devices.
  • TCP Flags: Indicators of connection state. Examples include:
    • SYN: Connection initiation request.
    • SYN+ACK: Response acknowledging a connection request.
    • RST+ACK: Connection reset, often unexpected.
    • FIN+ACK: Graceful connection close.
    • PSH+ACK: Immediate data push within an established connection.
  • Event Types: Categories of detected security activity, such as SYN floods, port scans, DNS queries, or authentication failures.
  • DNS_Query: Logs when a DNS request is made; excessive or suspicious lookups can indicate malware C2 activity.
  • Security Events Over Time: Time-series visualization of events to spot attack bursts or persistent low-level probing.
  • Top Destination IPs & Ports: Targets of suspicious traffic; often servers or services that attackers are attempting to compromise.

How to Interpret Common Metrics

  • Top Source IPs (All): Shows external and internal IP addresses generating the highest event counts. For example:
    • 51.145.22.243 – 10 events
    • 192.168.254.64 – 106 events
    • 192.168.254.211 – 22 events
    • 149.13.75.80 – 4 events
  • TCP Flag / Event Breakdown: Helps identify abnormal handshake patterns or aggressive connection resets. Example counts:
    • SYN – 42
    • SYN+ACK – 32
    • RST+ACK – 18
    • FIN+ACK – 46
    • DNS_Query – 12
  • Top Event Types: Shows which categories of events dominate the logs (e.g., SYN floods, suspicious DNS activity).
  • Security Events Over Time: Charted to reveal when attacks occur, useful for correlating with incident timelines.
  • Top Destination IPs & Ports: Highlights which systems or services are being targeted.