Security Center:Handle attack alerts

View and handle attack alerts

The following example describes how to view and handle an attack alert that is generated for a malicious file upload.

1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

3. On the Attack Alerts tab, find the alert that you want to view and click Details in the Actions column.

4. On the alert details page, view the alert information.

   Take note of the following fields in Details and the alert information provided by AI models in Alert Analysis to determine whether the alert is a true positive.

   

   Section	Field	Description	Solution
   Basic Alert	Attacker IP Address	The source IP address that is used to access your application.	Determine whether the IP address is a normal IP address that is used to access your application.
   	Vulnerability Name	The vulnerability name that is exploited by attackers during the access. A vulnerability name is available only for attacks that are launched by exploiting the vulnerability.	To reduce the attack surface that can be exploited by attackers, we recommend that you handle application vulnerabilities at the earliest opportunity. You can click the vulnerability ID to view the vulnerability details.
   Advanced Alert	Malicious Characteristics	The malicious data that is sent by attackers to your application.	View information in the Advanced Alert section to determine whether the alert indicates normal service requests. In this example, check whether the request to upload the addservlet.jsp file in the /usr/local/tomcat/webapps/upload/addservlet.jsp directory is normal. If the request is normal, you can add the characteristics to a whitelist. After you add the characteristics to the whitelist, the application protection feature no longer generates alerts for the requests that have the characteristics. If the request is abnormal, the request may be a reconnaissance attack or an actual attack. If you set the protection mode to Monitor, a malicious file may be executed. In this case, you must manually delete the file at the earliest opportunity. If you set the protection mode to Block, the application protection feature blocks the attack, and the file cannot be stored on your server.
   	Trigger Function	The security-sensitive function within the application. When this function is called, an alert is triggered. When the RASP agent detects the calls of the function, the agent checks and processes the invocations to detect for risks.
   	Specified Parameters	The behavior and event logs generated by the application when the application processes requests. This field is a JSON object that contains a key-value pair.
   	Stack Calling	The call stack of the application when an event occurs, which records the sequence of function calls.
   More Information	Request URL	The information about the request to access the application.	View the information about the request to access the application and check whether the request is sent from a legitimate source. If the request is sent from an illegitimate source, implement access control on or deny the requests from the source.

Add an attack alert to a whitelist

If you confirm that an attack alert is triggered by a normal access request, you can add the attack alert to a whitelist to prevent similar alerts from being triggered. You can add an attack alert to a whitelist based on the following alert information: malicious attack characteristics, input parameters, and request URL. Before you add an attack alert to the whitelist, obtain the information on the alert details page.

The following section describes how to add an attack alert to a whitelist. If you want to configure a whitelist for multiple application groups at a time, click Whitelists in the upper-right corner of the alert list. On the Whitelists page, click Configure Whitelist.

1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

3. On the Attack Alerts tab, find the alert that you want to manage and choose Handle > Add to Whitelist in the Actions column.

4. In the Add to Whitelist panel, configure the whitelist rules and click OK.

   • Before you configure the whitelist rules, take note of the following items:

     You can configure the whitelist rules in one of the following whitelist modes: Malicious Characteristics, Specified Parameters, and Request URL. The application protection feature automatically populates the whitelist rule fields based on the data that is obtained from the alert details. The whitelist rules that use the automatically populated fields can identify and control similar requests in an accurate manner.

     If you want to enlarge the scope of requests on which a whitelist rule takes effect, you can modify the Match Mode and Content to Match fields.

     For example, the Malicious Characteristics field of the alert that is triggered by a malicious file upload is /usr/local/tomcat/webapps/upload/1.jsp. If you confirm that all access requests to the upload directory are normal, perform the following steps:

     • Change the value of the Match Mode field to Prefix Match.

     • Change the value of the Content to Match field to /usr/local/tomcat/webapps/upload/.

   • The following items describe the match modes supported by a whitelist:

     • Exact Match: If the transmitted content is the same as the string that is specified in the Content to Match field, no alert is triggered.

     • Partial Match: If the transmitted content contains a string that is specified in the Content to Match field, no alert is triggered.

     • Prefix Match: If the transmitted content starts with the string that is specified in the Content to Match field, no alert is triggered.

     • Suffix Match: If the transmitted content ends with the string that is specified in the Content to Match field, no alert is triggered.

   Note

   After you configure the whitelist rules, you can view and manage the whitelist rules on the Whitelists page. For more information, see Manage whitelist rules.

Manage whitelist rules

View whitelist rules

1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

3. On the Attack Alerts tab, click Whitelists.

4. On the Whitelists page, view the whitelist rules.

   To manage whitelist rules, you can perform the following operations:

   • Enable or disable a whitelist rule: Turn on or turn off the switch in the Rule Switch column.

   • Modify or delete a whitelist rule: Click Edit or Delete in the Actions column.

   • Create a whitelist rule: Click Configure Whitelist. For more information, see Create whitelist rules.

Create whitelist rules

When you create a whitelist rule, you can specify multiple threat types and multiple application groups. This way, the whitelist rule applies to the specified application groups at the same time, and the types of threats are added to the whitelist of the application groups.

1. Log on to the Security Center console. In the top navigation bar, select the region of the assets that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Protection Configuration > Application Protection.

3. On the Attack Alerts tab, click Whitelists.

4. On the Whitelists page, click Configure Whitelist.

5. In the Configure Whitelist panel, configure the whitelist rules and click OK.

   Parameter	Description
   Rule Name	The name of the whitelist rule.
   White Mode	The whitelist mode. Valid values: Malicious Characteristics Specified Parameters Request URL
   Threat Type	The type of the threat that you want to add to the whitelist rule. You can click Select to select a threat type in the Threat Type panel.
   Match Mode	The match mode in which the whitelist rule takes effect. Exact Match: If the transmitted content is the same as the string that is specified in the Content to Match field, no alert is triggered. Partial Match: If the transmitted content contains a string that is specified in the Content to Match field, no alert is triggered. Prefix Match: If the transmitted content starts with the string that is specified in the Content to Match field, no alert is triggered. Suffix Match: If the transmitted content ends with the string that is specified in the Content to Match field, no alert is triggered.
   Content to Match	The content that is used to validate data against the whitelist rule based on the specified whitelist mode. You can configure this parameter based on the Malicious Characteristics, Specified Parameters, and Request URL parameter values provided on the alert details page.
   Destination Application Groups	The application group to which you want to apply the whitelist rule. You can click Select to select an application group in the Destination Application Groups panel.

References

The application protection feature of Security Center also provides the in-memory webshell prevention. You can enable the in-memory webshell prevention feature to enhance your overall detection capabilities. For more information, see Use the in-memory webshell prevention feature.