
Detect Malicious Source IPs in CLS Logs with Tencent Security Intelligence

Access logs often contain the earliest evidence of attacks. The problem is that an IP address by itself is not enough. Operators need to know whether that source has been associated with attacks, exploitation, web attacks, brute force, or other malicious behavior.

Threat IP Detection in Tencent Cloud CLS, jointly released with Tencent Security Keen Lab, is based on Tencent Security threat intelligence from https://tix.qq.com/. CLS analyzes source IPs in access logs, identifies malicious IPs, and links the result back to business access logs so teams can assess and block risk.

Intelligence source and detection scope

The intelligence library contains 300 million+ security intelligence records and processes more than 3 trillion threat-data records per day.

After the feature is enabled, CLS automatically analyzes IPs in logs and identifies malicious categories including:

Threat category and meaning:

  • Network attack: attacks against information systems, infrastructure, computer networks, or personal devices.
  • Exploit: abuse of software vulnerabilities to access or damage a system without authorization.
  • Web attack: examples include XSS, CSRF, and SQL injection.
  • Brute force: attempts to gain account access through repeated password or credential guessing.

When a malicious IP is detected, the system provides threat level, threat classification tags, and related access logs in the current business system.

The detection dashboard turns threat intelligence into operational context. The visible layout combines summary counts, trend charts, a distribution chart, and a table of detected IPs. Instead of sending operators to a separate intelligence system first, the CLS view starts from business logs and then enriches suspicious sources.

The threat profile provides the verdict, threat tags, sample records, geographic information, ASN, operator, visit count, and associated samples. A detected IP is marked as malicious and carries multiple labels, such as malicious sample or bot-related risk. In an investigation workflow, this helps decide whether to block, rate-limit, or keep monitoring that IP.
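The enrichment step described above, written out as an added example that is not CLS code and not from the original post: source IPs are extracted from constructed CLB-style access-log lines, matched against a constructed stand-in for the intelligence verdicts (level and category tags, not the real TIX feed), and the linked log records are attached so an operator can make the block / rate-limit / monitor decision. The log format, the `THREAT_INTEL` map and the decision thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed CLB-style access-log lines (sample data, not real traffic).
ACCESS_LOGS = [
    '203.0.113.10 - - [10/May/2024:10:00:01 +0800] "GET /login HTTP/1.1" 401',
    '203.0.113.10 - - [10/May/2024:10:00:02 +0800] "POST /login HTTP/1.1" 401',
    '198.51.100.7 - - [10/May/2024:10:00:03 +0800] "GET /index.html HTTP/1.1" 200',
    '203.0.113.10 - - [10/May/2024:10:00:04 +0800] "POST /login HTTP/1.1" 401',
    '192.0.2.55 - - [10/May/2024:10:00:05 +0800] "GET /api/v1/users HTTP/1.1" 403',
]

# Constructed stand-in for the intelligence verdicts (hypothetical; the real
# feed is queried by CLS, not by this script). Tags mirror the page's categories.
THREAT_INTEL = {
    "203.0.113.10": {"level": "high", "tags": ["brute force", "bot"]},
    "192.0.2.55": {"level": "medium", "tags": ["web attack"]},
}

# Leading IPv4 address, the quoted request line, and the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) .*?"(?P<request>[^"]*)" (?P<status>\d{3})'
)


def enrich(logs, intel):
    """Group log lines by source IP and attach the verdict for known-malicious IPs."""
    by_ip = defaultdict(list)
    for line in logs:
        m = LOG_RE.match(line)
        if m:
            by_ip[m["ip"]].append({"request": m["request"], "status": int(m["status"])})
    findings = {}
    for ip, records in by_ip.items():
        verdict = intel.get(ip)
        if verdict:  # only IPs the intelligence source flags are reported
            findings[ip] = {"level": verdict["level"], "tags": verdict["tags"],
                            "visit_count": len(records), "samples": records}
    return findings


def recommend(finding):
    """Map a finding to the operator action: block, rate-limit, or keep monitoring."""
    if finding["level"] == "high":
        return "block"
    if finding["visit_count"] > 1:
        return "rate-limit"
    return "monitor"
```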

Blocking example with CLB

Cloud Load Balancer provides a clear blocking example. After identifying a malicious IP, operators can bind or update a security group to deny that IP.

The CLB control plane supports binding a security group to the load balancer. Once the detection result identifies a risky source, attach a security group and add the malicious IP to a deny rule.

Applicable log scenarios

Threat IP Detection can analyze several cloud-product access-log sources:

  • CLB access logs;
  • COS access logs;
  • CDN access logs;
  • EdgeOne access logs;
  • cloud-native API Gateway logs;
  • and other access-log sources.

Four usage scenarios are especially relevant:

Scenario and how the detection helps:

  • Cloud-service access security: detect malicious IP access to CLB, COS, CDN, EdgeOne, API Gateway, and similar services.
  • Web application security: discover malicious IPs visiting websites.
  • API security: identify abusive IP requests and reduce API misuse.
  • Security audit: analyze internal traffic and operation logs for abnormal behavior.

Enable Threat IP Detection in CLS

To enable the feature, log in to the CLS console, open the cloud product center, and click Tencent Security | Threat IP Detection.

The configuration dialog asks for the log topic and the IP field to analyze. The minimal setup is:

  1. choose the CLS log topic that contains the access logs;
  2. select the field that stores the source IP;
  3. confirm the configuration;
  4. review detected malicious IPs and linked access logs;
  5. configure an alert policy if teams need proactive notification.

Why this is useful in operations

The capability has three operational advantages:

  • Real-time detection: logs do not need preprocessing before analysis.
  • Proactive alerting: alert policies can notify users when a malicious IP is found.
  • Security collaboration: results can work with security groups, firewalls, WAF, and similar controls.

In practice, the strongest workflow is closed loop: detect a malicious source from logs, inspect its threat-intelligence profile, review which business endpoints it touched, trigger an alert when needed, and block or mitigate through the relevant security product.
