The Runtime section of the Monarx Web App is your window into the active protection provided by ThreatShield, our Runtime Application Self-Protection (RASP) service. Unlike static file scanning, this section tracks live execution events, showing you exactly how Monarx is defending your PHP applications in real-time.
Understanding the Event Logs
The Runtime dashboard provides a detailed table of every security event captured. By default, the table includes the following columns:
Discovered: The exact timestamp when the event occurred.
Action: The intervention taken by ThreatShield:
Detected: The request is malicious but the user does not have blocking enabled.
Logged: The request was suspicious but allowed to execute for observation.
Blocked: The request was identified as malicious and terminated before execution.
Feature: The specific protection layer that triggered:
WAF: Web Application Firewall rules targeting common exploits.
Hardening: Restrictions on dangerous PHP functions or configurations.
Anti-Malware: Detection of known malicious code execution.
IP-Blocking: Prevention of access from blacklisted or reputation-based IPs.
Anti-Bot: Mitigation of automated scrapers or malicious bot traffic.
Virtual Patch: Temporary fixes for known vulnerabilities (like Zero-Days) before they are patched in the CMS core.
Anti-Bruteforce: Protection against credential stuffing and login guessing.
Anti-Spam: Filtering of malicious form submissions or comment spam.
Protect: General RASP heuristics guarding the application integrity.
Client IP: The IP address of the visitor who initiated the request.
Count: The number of identical requests grouped under this single event entry.
Region: The geographic origin of the visitor (displayed in ISO 2-letter country format).
URL: The full web address where the event took place.
User-Agent: The browser or tool string provided by the visitor.
Path: The absolute path on your server to the PHP file that was called.
User: The system user on the server who owns the file in question.
HostID: The unique identifier for the specific server registered in the Monarx platform.
Size: The file size of the script involved.
SHA256: The unique cryptographic hash of the file called, useful for forensic tracking.
Event ID: A unique identifier for this specific security event in the Monarx system.
Enterprise ID: The unique ID for your company account.
Data Portability & Reporting
Need to share this data with a client or perform offline analysis? You can easily export your current view.
How to Download: First click the Download button located at the top right of the screen. Then on the sidebar dialog that renders, select the option between downloading all records, or just the last 5000 records. Then select a name and description and click on SUBMIT to start the generation and downloading of the report.
Advanced Filtering
To find "the needle in the haystack," the Runtime section offers powerful filtering capabilities. You can search or filter by any of the following fields:
Action: Filter by the outcome of the event—either Detected, Logged (monitored) or Blocked (execution prevented).
Agent ID: The unique identifier for the specific Monarx software instance running on a server.
Classification: The specific type of threat identified either COMPROMISED or MALICIOUS.
Client IP: The IP address of the external visitor or bot that triggered the event.
Count: Filter by the frequency of the event; useful for finding high-volume brute-force attacks.
Discovered: A time-based filter to view events that happened within a specific window.
Enterprise ID: Your unique Monarx account identifier (useful for users managing multiple organizations).
Event ID: The specific serial number assigned to an individual security incident.
Extension: The file type involved in the event, typically
.phpfor ThreatShield detections.Feature: The specific security module that caught the event (e.g., WAF, Anti-Bot, or Virtual Patch, etc).
Filename: The name of the specific file that was executed or called.
Host ID: The unique ID assigned to the specific server (hardware) where the event occurred.
Path: The full directory string to the file on the server (e.g.,
/var/www/html/wp-content/uploads/...).Region: The 2-letter ISO country code where the request originated.
SHA256: The unique cryptographic fingerprint of the file; used to track the exact same malicious file across different paths.
Size: The file size in bytes; helpful for identifying unusually large scripts.
URL: The full web path requested by the visitor, including query strings.
User: The system-level username on the server that owns the file being executed.
User-Agent: The browser string or identifying text of the software used by the visitor.
These filters can be combined to create highly specific queries.
5 Common Use-Case Examples:
Investigating an Attack Wave: Filter by
Action: BlockedandRegion: UAto see all blocked requests targeting your infrastructure coming from Ukraine.
Audit a Specific User: Filter by
User: [username]to see all security events occurring within a single client's hosting account.
Trace a Malicious Script: Filter by
SHA256: [hash]to find every instance across your entire fleet where that specific file has been executed.
Bot Mitigation: Filter by
Feature: Anti-BotandUser-Agent: [Specific String]to identify and analyze the behavior of a particular scraping tool.
Vulnerability Tracking: Filter by
Feature: Virtual PatchandURL: */wp-login.phpto see how many brute-force or exploit attempts were neutralized on your WordPress login pages.
💡 Useful Tip: If you have a specific use-case or have questions on how to use the multiple filters to drill down to the exact information that you're looking for, do not hesitate to contact our Support team.