diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 7165486..189ef62 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1789,7 +1789,20 @@ monitor_apache_logs() {
 # Show ET detection if found
 if [ "$et_attack_score" -gt 0 ]; then
- log_line+=" | 🛡️ET:$et_attack_types"
+ # Show primary attack type (cleaner than full list)
+ local primary_type=$(echo "$et_attack_types" | grep -oE 'SQLI|XSS|CMD|TRAVERSAL|WEBSHELL|RCE|UPLOAD|CVE' | head -1)
+ if [ -z "$primary_type" ]; then
+ primary_type=$(echo "$et_attack_types" | cut -d',' -f1)
+ fi
+ log_line+=" | 🛡️ET:$primary_type"
+
+ # Show signature names (the key improvement!)
+ if [ -n "$et_signatures" ]; then
+ # Limit to first 3 signatures to keep display clean
+ local sig_display=$(echo "$et_signatures" | tr ',' '\n' | head -3 | tr '\n' ',' | sed 's/,$//')
+ log_line+=" | Sigs:$sig_display"
+ fi
+
+ # Show rate info if elevated
 if [ "$et_rate_score" -gt 0 ]; then
 log_line+=" | 🌊Rate:+$et_rate_score"
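Review bot: Collapsing `$et_attack_types` to a single `primary_type` and cutting `$et_signatures` to three entries drops detections from the live line with no sign that anything was omitted, so a request that matched several attack classes reads as a single-class hit to whoever is watching. The unanchored `grep -oE '...' | head -1` also returns whichever keyword occurs first in the string rather than the most severe one, and it matches inside longer tokens. I would keep the short form but mark the truncation, e.g. `[[ "$et_attack_types" == *,* ]] && primary_type+="+"` after the fallback, and append the number of omitted signatures to `sig_display` in the same way. `monitor_apache_logs` starts and ends outside this hunk, so whether the full lists are still recorded elsewhere cannot be confirmed from here.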