Viewing Detections
Detections Overview
The Detections page is your central hub for monitoring all threat events captured by WebDecoy. Every decoy trigger, bot scanner alert, and endpoint interaction is recorded here.
Accessing Detections
- Click Detections in the sidebar
- View the detections table
- Use filters and search to find specific events
Detections Table Columns
| Column | Description |
|---|---|
| Timestamp | When the detection occurred |
| Source | What triggered it (decoy_link, endpoint, bot_scanner, etc.) |
| MITRE Tactic | ATT&CK tactic classification |
| IP Address | Visitor’s IP |
| Bot Score | 0-100 bot likelihood |
| Action | What action was taken (logged, blocked) |
| Menu | View details, block IP, etc. |
Detection Sources
| Source | Icon | Description |
|---|---|---|
| decoy_link | 🔗 | Hidden honeypot link accessed |
| endpoint | 📡 | API honeypot triggered |
| bot_scanner | 🤖 | JavaScript scanner detection |
| wordpress_plugin | 📝 | WordPress plugin detection |
| sdk | 🔧 | Server-side SDK detection |
Filtering Detections
Use filters to narrow down detections to specific criteria.
Available Filters
Source Filter
Select one or more detection sources:
- Decoy Links
- Endpoints
- Bot Scanner
- WordPress Plugin
- SDK
Date Range
Choose a time period:
- Presets: Last 24 hours, Last 7 days, Last 30 days
- Custom: Select specific start and end dates
Bot Score Range
Set minimum and maximum bot scores:
- Slider from 0 to 100
- Example: 70-100 to see only high-confidence bots
Country Filter
Filter by visitor location:
- Multi-select countries
- Based on GeoIP data
Risk Indicators
Toggle specific risk flags:
- Is Proxy
- Is VPN
- Is TOR
Action Filter
Filter by what happened:
- Logged (recorded only)
- Blocked (access denied)
- Challenged (CAPTCHA shown)
Request Method
For endpoint detections:
- GET, POST, PUT, DELETE, PATCH
Applying Filters
- Click Filters to expand the filter panel
- Select your criteria
- Filters apply automatically
- Click Clear All to reset
Saving Filter Presets
Currently, filter settings are not saved between sessions. Clear your filters before navigating away if you want a fresh view.
Search and Sorting
Search
The search box allows you to find detections by:
- IP Address: `192.168.1.100`
- User Agent: `Mozilla` or `Googlebot`
- Decoy Name: Search by the decoy that was triggered
- Detection ID: Exact ID match
Search is debounced (300ms delay) for performance.
Sorting Options
| Sort By | Description |
|---|---|
| Most Recent | Newest detections first (default) |
| Oldest First | Historical view |
| Threat Score | Highest threats first |
| Bot Score | Most bot-like first |
Sort Order
- Descending (default): Highest/newest first
- Ascending: Lowest/oldest first
Pagination
- Default: 50 detections per page
- Use page navigation at bottom
- Total count shown above table
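The filter, sort and pagination controls described above, applied to an exported detections file so the same views can be reproduced outside the UI. This is an added example, not WebDecoy's own code: the JSON field names (`source`, `bot_score`, `action`, `country`, `is_proxy`, `is_vpn`, `is_tor`, `request_method`, `timestamp`) are assumptions about the export format, and the sample records are constructed.

```python
"""Apply the Detections page filters, sort order and pagination to an
exported detections file (added example, not WebDecoy's own code).

Field names in the records are assumptions about the JSON export format;
adjust them to match a real export.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed sample export (not real data), four detections.
SAMPLE_EXPORT = json.dumps([
    {"id": "det_0001", "timestamp": "2024-05-01T10:00:00Z", "source": "decoy_link",
     "ip": "203.0.113.10", "bot_score": 92, "action": "blocked", "country": "US",
     "is_proxy": False, "is_vpn": False, "is_tor": True},
    {"id": "det_0002", "timestamp": "2024-05-01T11:30:00Z", "source": "endpoint",
     "ip": "198.51.100.7", "bot_score": 75, "action": "logged", "country": "DE",
     "is_proxy": True, "is_vpn": False, "is_tor": False, "request_method": "POST"},
    {"id": "det_0003", "timestamp": "2024-04-20T08:15:00Z", "source": "bot_scanner",
     "ip": "192.0.2.44", "bot_score": 40, "action": "challenged", "country": "US",
     "is_proxy": False, "is_vpn": True, "is_tor": False},
    {"id": "det_0004", "timestamp": "2024-05-01T12:00:00Z", "source": "sdk",
     "ip": "203.0.113.99", "bot_score": 88, "action": "logged", "country": "FR",
     "is_proxy": False, "is_vpn": False, "is_tor": False},
])

# The date-range presets offered by the UI.
PRESETS = {
    "Last 24 hours": timedelta(hours=24),
    "Last 7 days": timedelta(days=7),
    "Last 30 days": timedelta(days=30),
}


@dataclass
class Filters:
    """One attribute per filter control; None or an empty set means 'any'."""
    sources: Optional[Set[str]] = None
    min_bot_score: int = 0
    max_bot_score: int = 100
    countries: Optional[Set[str]] = None
    risk_flags: Set[str] = field(default_factory=set)  # subset of is_proxy/is_vpn/is_tor
    actions: Optional[Set[str]] = None
    methods: Optional[Set[str]] = None                 # endpoint detections only
    since: Optional[datetime] = None
    until: Optional[datetime] = None


def preset_range(name: str, now: datetime) -> Tuple[datetime, datetime]:
    """Translate a date-range preset into an explicit (since, until) window."""
    return now - PRESETS[name], now


def parse_ts(value: str) -> datetime:
    """Export timestamps are assumed to be UTC ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches(det: dict, f: Filters) -> bool:
    """True if a detection passes every enabled filter."""
    ts = parse_ts(det["timestamp"])
    if f.sources and det["source"] not in f.sources:
        return False
    if not f.min_bot_score <= det["bot_score"] <= f.max_bot_score:
        return False
    if f.countries and det["country"] not in f.countries:
        return False
    # Risk indicators are toggles: each enabled flag must be set on the record.
    if any(not det.get(flag, False) for flag in f.risk_flags):
        return False
    if f.actions and det["action"] not in f.actions:
        return False
    if f.methods and det.get("request_method") not in f.methods:
        return False
    if f.since and ts < f.since:
        return False
    if f.until and ts > f.until:
        return False
    return True


def query(export_json: str, f: Filters, sort_by: str = "timestamp",
          descending: bool = True, page: int = 1,
          page_size: int = 50) -> Tuple[List[dict], int]:
    """Filter, sort and paginate; returns (rows on the requested page, total count)."""
    rows = [d for d in json.loads(export_json) if matches(d, f)]
    if sort_by == "timestamp":
        rows.sort(key=lambda d: parse_ts(d["timestamp"]), reverse=descending)
    else:
        rows.sort(key=lambda d: d[sort_by], reverse=descending)
    start = (page - 1) * page_size
    return rows[start:start + page_size], len(rows)


if __name__ == "__main__":
    # Bot score 70-100, most bot-like first: the "high-confidence bots" view.
    rows, total = query(SAMPLE_EXPORT, Filters(min_bot_score=70), sort_by="bot_score")
    print(f"{total} high-confidence bot detections")
    for r in rows:
        print(r["id"], r["source"], r["ip"], r["bot_score"], r["action"])
```

Risk-indicator toggles are combined with AND (every enabled flag must be set), while multi-select filters such as source and country are OR within the control; that mirrors how the filter panel behaves, and the default sort is most recent first, as in the table.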
Understanding Detection Details
Click any detection row to open the detail panel showing comprehensive information about that event.
Detail Panel Sections
The detail panel is organized into collapsible sections:
```
┌─────────────────────────────────┐
│ Detection Details               │
├─────────────────────────────────┤
│ ▼ General Information           │
│ ▼ Threat Scoring                │
│ ▼ MITRE ATT&CK                  │
│ ▼ IP Intelligence               │
│ ▼ Geographic Data               │
│ ▼ Request Details               │
│ ▼ Endpoint Data (if applicable) │
│ ▼ Rule Enforcement              │
└─────────────────────────────────┘
```
Request Information
General Information Section
| Field | Description |
|---|---|
| Detection ID | Unique identifier (det_xxx) |
| Timestamp | Exact date/time (UTC) |
| Source | Detection source type |
| Property | Which property caught this |
Request Details Section
| Field | Description |
|---|---|
| IP Address | Client IP |
| User Agent | Browser/bot identifier |
| URL | Requested path |
| Referer | Where they came from |
| HTTP Method | GET, POST, etc. |
| Protocol | HTTP/1.1, HTTP/2 |
Headers Captured
Key headers displayed:
- Accept
- Accept-Language
- Accept-Encoding
- Connection
- Cache-Control
Geographic and Network Data
GeoIP Data Section
| Field | Description |
|---|---|
| Country | Country name and flag |
| City | City if available |
| Region | State/province |
| Postal Code | ZIP/postal code |
| Timezone | Visitor’s timezone |
| Coordinates | Latitude/Longitude |
Network Information
| Field | Description |
|---|---|
| ASN | Autonomous System Number |
| ISP | Internet Service Provider |
| Organization | Network owner |
Risk Indicators
| Indicator | Meaning |
|---|---|
| 🔴 TOR | Traffic from TOR exit node |
| 🟠 VPN | Using VPN service |
| 🟡 Proxy | Behind proxy server |
| 🟣 Hosting | Datacenter/hosting IP |
| ⚫ Anonymous | Known anonymizer |
| 🔵 High-Risk | Known malicious |
Reverse DNS
Shows the hostname associated with the IP:
```
Hostname: ec2-192-168-1-100.compute-1.amazonaws.com
```
AbuseIPDB Threat Intelligence
If enabled, detections include data from AbuseIPDB.
AbuseIPDB Section
| Field | Description |
|---|---|
| Abuse Score | 0-100 confidence of abuse |
| Total Reports | Number of abuse reports |
| Last Reported | Most recent report date |
| Categories | Types of abuse reported |
Abuse Score Interpretation
| Score | Risk Level | Meaning |
|---|---|---|
| 0-10 | Very Low | Clean or minimal reports |
| 11-25 | Low | Some suspicious activity |
| 26-50 | Medium | Multiple reports |
| 51-75 | High | Significant abuse history |
| 76-100 | Critical | Known malicious IP |
Common Abuse Categories
- Port Scan
- Brute Force
- Web Spam
- SQL Injection
- Hacking
- Fraud
- DDoS Attack
Endpoint Detection Details
For detections from endpoint decoys, additional information is shown.
Endpoint-Specific Data
| Field | Description |
|---|---|
| Request Method | POST, PUT, DELETE, PATCH |
| Content-Type | application/json, etc. |
| Body Size | Request body size in bytes |
| Has Auth Header | Authorization header present |
Captured Request Body
If body capture is enabled:
```json
{
  "username": "admin",
  "password": "test123",
  "remember": true
}
```
Attack Signatures Detected
| Signature | Confidence | Location |
|---|---|---|
| SQL Injection | High | body.password |
| XSS | Medium | body.comment |
| Path Traversal | High | url |
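How a table like the one above can be derived from a captured URL and request body, as an added illustration for defenders reviewing endpoint decoy hits. This is not WebDecoy's detection engine: the `scan_request` function, its regular expressions and the confidence attached to each signature are assumptions made for this example, and the sample requests are constructed (the first is the benign login body shown above).

```python
"""Flag attack signatures in a captured endpoint request and report where
each one was found (added example; not WebDecoy's detection engine).

The patterns and the confidence attached to each signature are assumptions
chosen for illustration; a production engine would use a far larger set.
"""
import json
import re
from typing import Iterator, List, Optional, Tuple
from urllib.parse import unquote

# (signature, confidence, pattern). Conservative, well-known markers only.
SIGNATURES = [
    ("SQL Injection", "High", re.compile(
        r"""['"]\s*(or|and)\s+[\w'"]+\s*=\s*[\w'"]+|union\s+select|--\s*$|;\s*drop\s+table""",
        re.I)),
    ("XSS", "Medium", re.compile(
        r"""<\s*script\b|[\s"']on\w+\s*=|javascript:""", re.I)),
    ("Path Traversal", "High", re.compile(r"\.\.[/\\]")),
]


def _walk(value, path: str) -> Iterator[Tuple[str, str]]:
    """Yield (location, text) for every string inside a decoded JSON body,
    using dotted paths such as body.password like the detail panel does."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from _walk(item, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def scan_request(url: str, body: Optional[str]) -> List[Tuple[str, str, str]]:
    """Return [(signature, confidence, location)] for one captured request."""
    fields: List[Tuple[str, str]] = [("url", url)]
    if body:
        try:
            fields.extend(_walk(json.loads(body), "body"))
        except json.JSONDecodeError:
            fields.append(("body", body))  # non-JSON body: scan it as raw text
    hits = []
    for location, text in fields:
        text = unquote(text)  # also catch URL-encoded variants of each marker
        for name, confidence, pattern in SIGNATURES:
            if pattern.search(text):
                hits.append((name, confidence, location))
    return hits


if __name__ == "__main__":
    # Constructed samples: the benign login body from the docs, then a body
    # and a URL carrying textbook signatures.
    samples = [
        ("/api/login", '{"username": "admin", "password": "test123", "remember": true}'),
        ("/api/login", '{"username": "admin", "password": "\' OR 1=1 --"}'),
        ("/download?file=../../config.ini", None),
    ]
    for url, body in samples:
        print(url, scan_request(url, body) or "no signatures")
```

The location strings follow the detail panel's convention (`url`, `body.password`, `body.comment`), which makes it easy to cross-check a flagged request against the captured body shown in the panel. Because the scan runs over honeypot traffic, every hit is already suspicious; the signature only tells you what the visitor was probing for.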
Rule Enforcement Section
Shows what automated actions were taken.
Enforcement Status
| Status | Meaning |
|---|---|
| Pending | Rules not yet evaluated |
| Enforced | Rules executed successfully |
| Failed | Rule execution failed |
| Skipped | No applicable rules |
Enforcement Details
| Field | Description |
|---|---|
| Integration | Cloudflare, AWS WAF, etc. |
| Action | Block, notify, etc. |
| Timestamp | When action was taken |
| Error | Error message if failed |
Detection Actions
Available Actions
From the detection detail panel or table menu:
| Action | Description |
|---|---|
| View Details | Open detail panel |
| Block in Cloudflare | Manual IP block |
| Copy IP | Copy IP to clipboard |
| Copy Detection ID | Copy ID for reference |
| Export | Download detection data |
Blocking an IP Manually
- Open detection details
- Click Block in Cloudflare (if configured)
- Confirm the block
- IP is added to Cloudflare WAF
Bulk Operations
Selecting Multiple Detections
- Check the checkbox on detection rows
- Select action from bulk actions menu
- Confirm the operation
Available Bulk Actions
- Export Selected - Download as CSV/JSON
- Block All IPs - Block all selected IPs