Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for providing application attack monitoring. Actions can include: obtaining a security graph model associated with an attack vulnerability of a distributed application, the security graph model comprising a plurality of rule parts; screening log data obtained by a plurality of connectors to selectively obtain relevant log data corresponding to one or more of the rule parts, each connector being in communication with a respective components of the distributed application; evaluating the relevant log data based on the security graph model to provide an evaluation score; and in response to determining that the evaluation score is greater than a predetermined threshold, providing output indicating an attack on the distributed application.