All Products
Search

This Product

    Security Center:View and handle alerts

    Document Center

    Security Center:View and handle alerts

    Last Updated:Jul 12, 2024

    To ensure the security of your assets, we recommend that you view the alerts that are generated by Security Center on your assets and handle the alerts at the earliest opportunity. This topic describes how to view and handle alerts.

    View alerts

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Detection and Response > Alerts.

    3. On the Alerts page, view alerts.

      Filter alerts

      You can filter alerts in an efficient manner by using various filters that are provided in the Security Center console.

      • Filter alerts by asset type

        You can perform this operation only if you use the Ultimate edition of Security Center. Above the alert list, click the All, Host, Container, K8S, or Cloud Product tab to view the alerts that are generated on each type of asset.

      • Filter alerts by using the Severity filter or Handled or Not filter above the alert list

        For example, you can set Handled or Not to Handled and Status to Blocked. Then, the system displays the alerts generated for common viruses that are automatically blocked by Security Center.

      • Filter alerts by option in the Alert Type section or ATT&CK Phase section to the left of the alert list.

        The ATT&CK Phase section displays the phases of virus attacks. You can view the attack phases that are indicated by icons in the Alert Name column to obtain the phases of virus attacks on your servers. This helps you quickly understand the security status of your assets.

      View the details of an alert

      Click the name of an alert or click Details in the Actions column of an alert. The details panel of the alert appears. In the details panel, you can view the basic information about the alert, affected assets, and description of the alert. You can also use the AI tool to analyze the alert and handle the alert based on the alert analysis result.

      Note

      The information in the details panel of an alert varies. The information that is displayed in the panel shall prevail.

      • View affected assets

        Click the name of an affected asset in the Affected Asset column to view the details of the asset. The details include alerts, vulnerabilities, baseline risks, and asset fingerprints.

      • View alert causes

        In the Event Description section, view the causes and handling suggestions of the alert.

      Use the feature of attack source tracing

      Note

      • Only the Enterprise and Ultimate editions support the feature of attack source tracing.

      • Security Center generates a chain of automated attack source tracing 10 minutes after a threat is detected. We recommend that you view the information about attack source tracing 10 minutes after an alert is generated.

      • Three months after an alert is generated, the information about attack source tracing for the alert is automatically deleted. We recommend that you view the information about attack source tracing for alerts at the earliest opportunity.

      Security Center provides the feature of attack source tracing. This feature automatically traces the sources of attacks and provides original data previews. The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the causes of intrusions and make informed decisions at the earliest opportunity. You can use the feature in scenarios where urgent response and source tracing of threats are required, such as web intrusions, worm events, ransomware, and unauthorized communications to suspicious sources in the cloud.

      In the alert list, find the alert whose sources you want to trace and click the image.png icon in the Alert Name column. Alternatively, click Details in the Actions column of the required alert to go to the alert details page. On the alert details page, view the event tracing diagram in the Tracing section. You can click each node in the event tracing diagram to view the node information. You can also click AI Analysis to view the description of the event tracing diagram.

      View sandbox check results

      Security Center provides the cloud sandbox check feature, which allows files to run in a secure and isolated environment and analyzes dynamic and static data of file behavior. This helps you run suspicious applications in a secure manner and identify suspicious behavior of files. If alerts are generated, you can handle malicious applications based on sandbox check results.

      Note

      The cloud sandbox check feature can detect only some malware. The supported malware that is displayed on the page shall prevail.

      1. In the alert list, find the alert that you want to manage and click Details in the Actions column.

      2. In the Sandbox section, view the sandbox check results.

      Use the investigation feature

      The investigation feature provides visualized information about attacks. You can view the source IP addresses from which attacks are launched and analyze the causes of intrusions. This feature helps you identify the attacked assets and reinforce your asset security.

      You can find the required alert in the alert list and click the 事件调查图标 icon in the Alert Name column to go to the Investigation page.

      Note

      • If Blocked is displayed in the Alert Name column, Security Center terminated the malicious process of a virus file. The file can no longer threaten your services. We recommend that you quarantine the file at the earliest opportunity.

      • If Strict Mode is displayed in the Alert Name column, the alert detection mode of a server is the strict mode. In Strict Mode, Security Center detects more suspicious behavior and generates alerts. However, the false positive rate is higher in this mode. For more information, see Enable features on the Host Protection Settings tab.

    Handle alerts

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Detection and Response > Alerts.

    3. On the Alerts page, find the alert that you want to manage and click Handle in the Actions column. In the dialog box that appears, select a processing method to handle the alert and click Process Now.

      Note

      • Different types of alerts support different processing methods. The processing methods displayed in the Security Center console shall prevail.

      • You can add a note based on your business requirements. For example, you can enter the reason for handling the alert and the user who handles the alert. This helps manage alerts that are handled.

      Method

      Description

      Virus Detection and Removal

      If you select Virus Detection and Removal, you can terminate the malicious process for which the alert is generated and quarantine the source file of the malicious process. The quarantined file can no longer threaten your services.

      If you confirm that the alert is a positive, you can use one of the following methods to manually handle the alert:

      • Terminate Process: terminates the malicious process.

      • Terminate Process and Quarantine Source File: quarantines the virus file. After the virus file is quarantined, the file can no longer threaten your servers. For more information, see View and restore quarantined files.

        Warning

        • If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable.

        • A quarantined file can be restored within 30 days. After the restoration, the alert generated for the file is displayed in the alert list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.

      Add to Whitelist

      If the alert is a false positive, you can add the alert to the whitelist. You can also specify a whitelist rule to add alerts that meet the condition in the rule to the whitelist. For example, you select Add To Whitelist for the Exploit Kit Behavior alert and specify a rule to add the alerts generated for commands that contain aa to the whitelist. After the configuration, the status of the alert changes to Handled. Security Center no longer generates alerts for the commands that contain aa. In the handled alert list, you can remove the alert from the whitelist.

      Note

      • If you select this method, the alert that you select is added to the whitelist. You can also specify a whitelist rule. After you specify a whitelist rule, Security Center no longer generates the same alert as the selected alert if the condition in the rule is met. For more information about the alerts that can be added to the whitelist of Security Center, see What alerts can I add to the whitelist?

      • If Security Center generates an alert on a normal process, the alert is considered a false positive. Common false positives include an alert generated for Unusual TCP Packets. This alert notifies you that your server initiated suspicious scans on other devices.

      Ignore

      If you select Ignore, the status of the alert changes to Ignored. Security Center still generates this alert in the subsequent detection.

      Note

      If one or more alerts can be ignored or are false positives, you can select the alerts and click Ignore Once or Add to Whitelist below the alert list of the Alerts page.

      In-depth Cleanup

      After the security experts of Security Center conduct tests and analysis on persistent viruses, the experts develop the In-depth Cleanup method based on the test and analysis results to detect and remove persistent viruses. If you use this method, risks may occur. You can click Details to view the information about the viruses that you want to remove. This method supports snapshots. You can create snapshots to restore data that is deleted during deep cleanup.

      Quarantine

      If you select Quarantine, Security Center quarantines webshell files. The quarantined files can no longer threaten your services.

      Warning

      • If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable.

      • A quarantined file can be restored within 30 days. After the restoration, the alert generated for the file is displayed in the alert list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.

      Block

      If you select Block, Security Center generates security group rules to defend against attacks. You must specify the validity period for the rules. This way, Security Center blocks access requests from malicious IP addresses within the specified period.

      End Process

      If you select End Process, Security Center terminates the process for which the alert is generated.

      Troubleshooting

      If you select Troubleshooting, the diagnostic program of Security Center collects information about the Security Center agent that is installed on your server and reports the information to Security Center for analysis. The information includes the network status, the processes of the Security Center agent, and logs. During the diagnosis, CPU and memory resources are consumed.

      You can select one of the following modes for troubleshooting:

      • Standard

        In Standard mode, logs of the Security Center agent are collected and then reported to Security Center for analysis.

      • Strict

        In Strict mode, the information about the Security Center agent is collected and then reported to Security Center for analysis. The information includes network status, processes, and logs.

      Manually Handled

      If you select this method, it indicates that you have handled the risks for which the alert is generated.

      Handle Same Type of Alerts

      If you select this method, you can select multiple alerts to handle at a time. Before you handle multiple alerts at a time, we recommend that you view the details of the alerts.

      Do Not Intercept Rule

      If you do not want Security Center to block requests whose URI matches blocking rules, select Do Not Intercept Rule. After you select Do Not Intercept Rule, Security Center no longer blocks requests that use the URI or generates alerts.

      Defense Without Notification

      If you select this method, the same alerts are automatically added to the handled alert list. Security Center no longer notifies you of the alerts. Proceed with caution.

      Disable Alerting Defense Rule

      If you select this method, the system disables the automatic defense rule. Proceed with caution.

      After you handle the alert, the status of the alert changes from Unhandled to Handled.

    View statistics about alerts

    Security Center provides statistics based on the alert types that are enabled. This allows you to obtain up-to-date information about the alerts on your assets and on the enabled and disabled alert types. You can view the statistics about alerts and the enabled alert types.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Detection and Response > Alerts.

    3. In the upper part of the Alerts page, view the statistics about alerts.

      Parameter

      Description

      Operation

      Alerting Servers

      The number of servers on which alerts are generated.

      Click the number below Alerting Servers to go to the Server tab of the Host page. On the Server tab, view the details of servers on which alerts are generated.

      Urgent Alerts

      The number of unhandled Urgent alerts.

      Click the number below Urgent Alerts. The system displays the urgent alerts on the Alerts page. You can view and handle the Urgent alerts.

      Note

      We recommend that you handle the Urgent alerts at the earliest opportunity.

      Unhandled Alerts

      The total number of unhandled alerts.

      View the details of all unhandled alerts on the Alerts page. For more information, see View and handle alerts.

      Precise Defense

      The number of viruses that are automatically quarantined by the Malicious Host Behavior Prevention feature.

      Click the number below Precise Defense. The system displays the related alerts on the Alerts page. You can view all viruses that are automatically quarantined by the malicious host behavior prevention feature.Malicious Host Behavior Prevention

      Note

      You can ignore the viruses that are quarantined by Security Center.

      Enabled IP Address Blocking Policies/All Policies

      • Enabled IP Address Blocking Policies: the number of IP addresses blocked by the defense policies against brute-force attacks that are enabled

      • All Policies: the number of IP addresses blocked by all defense policies against brute-force attacks that are created

      Click a number below Enabled IP Address Blocking Policies/All Policies. In the IP Policy Library panel, you can view the IP address blocking policies that are enabled or all IP address blocking policies that are created. For more information about IP address blocking policies, see Configure alert settings.

      Quarantined Files

      The number of files that are quarantined by Security Center based on handled alerts.

      Click the number below Quarantined Files. In the Quarantined Files panel, you can view the details of quarantined files. The quarantined files cannot affect your servers. For more information, see View and restore quarantined files.

    View the statistics about archived alerts

    If more than 100 alerts exist, Security Center automatically archives only the alerts that are handled prior to 30 days ago. Archived alerts are no longer displayed in the Security Center console. If you want to view the statistics about archived alerts, you can download the file of archived alerts to your computer.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Detection and Response > Alerts.

    3. In the upper-right corner of the Alerts page, click Archive data.

    4. In the Archive data dialog box, view the file of archived alerts.

    5. Click Download in the Download Link column to download the file of archived alerts to your computer.

      The file of archived alerts is in the XLSX format. It takes 2 to 5 minutes to download a file of archived alerts. The time required by a download operation varies based on the network bandwidth and the file size.

      After you download the file, you can view the information about alerts in the file. The information includes the alert IDs, alert names, alert details, risk levels, and status of alerts. You can also view information about affected assets, names of the affected assets, suggestions for handling the alerts, and points in time at which alerts were generated.

      Note

      If an alert is in the Expired state, the alert has been generated within the last 30 days but you have not handled the alert. We recommend that you handle the alerts generated by Security Center at the earliest opportunity.

    View and restore quarantined files

    Security Center can quarantine malicious files. Quarantined files are listed in the Quarantine panel of the Alerts page. The system automatically deletes a quarantined file 30 days after the file is quarantined. If you confirm that the quarantined file is not exposed to security risks, you can restore the quarantined file with a few clicks within 30 days after the file is quarantined.

    1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

    2. In the left-side navigation pane, choose Detection and Response > Alerts.

    3. In the upper-right corner of the Alerts page, click Quarantined Files.

    4. In the Quarantined Files panel, view information about quarantined files or restore the quarantined files.

      • You can view information about quarantined files. The information includes server IP addresses, directories that store the files, file status, and time of the last modification.

      • You can also restore a quarantined file: Find the file and click Restore in the Actions column. The alert generated for the file is displayed in the alert list again.

    What to do next

    • You can enable features such as malicious host behavior defense and webshell prevention. After you enable the features, the system automatically blocks viruses on servers. For more information, see Enable features on the Host Protection Settings tab.

    • You can enable the Kubernetes threat detection and container escape prevention features. After you enable the features, the system generates alerts of the K8s Abnormal Behavior and Container Escape Prevention types. For more information, see Enable features on the Container Protection Settings tab.

    • You can manage web directories on your assets and configure whitelist rules for alerts. For more information, see Configure alert settings.