After you deploy a honeypot on your server, the honeypot captures attacks on the server that are launched from within and outside the cloud. The attack statistics are displayed as alert events on the Cloud Honeypot page. To ensure the security of your server, we recommend that you view and handle the alert events at the earliest opportunity. This topic describes how to view and handle the alert events.
View alert events
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
In the upper part of the Alert Event page, view the alert event statistics, such as Manage Node Status, Authorized Probes, Available Probes, and Deployed Host Probes.
If you do not have sufficient probes for your honeypot, you can click Upgrade Configuration to purchase probes.
In the alert event list, view the details about the alert events generated for attacks. The attacks are captured by honeypots. The alert event list displays information such as Risk Level, Risk Overview, and Attack Source.
Find an alert event and click View Logs in the Actions column. On the Event Log page, view the list of logs that are related to the alert event.
Find a log and click Details in the Actions column. On the Log Details page, view Basic Information and Attack Timeline.
Handle alert events
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Alert Event page, handle alert events.
You can handle an alert event by using one of the following methods based on the details of the alert event:
Add an alert event to the whitelist
Important: After you add an alert event to the whitelist, other alert events with the same attack information as the alert event are no longer displayed in the alert event list, and the attack no longer triggers alert events. To ensure the security of your asset, we recommend that you do not add alert events to the whitelist unless necessary.
If you confirm that an alert event is generated for normal workloads, you can add the alert event to the whitelist. To add the alert event to the whitelist, perform the following operations: Find the alert event and click Handle in the Actions column. In the Handle Alert dialog box, set Solution to Add to Whitelist and click OK.
Note: After the alert event is added to the whitelist, you can enable Security Center to report the alert event in subsequent detection. To enable Security Center to report the alert event, perform the following operations: In the handled alert event list, find the alert event and click Handle in the Actions column. In the Handle Alert dialog box, set Solution to Remove from Whitelist and click OK.
Mark an alert event as handled
If you confirm that an alert event is generated for attacks, you must handle the attacks that are detected on your server or VPC. After you handle the attacks, you can mark the alert event as handled. To mark the alert event as handled, perform the following operations: Find the alert event and click Handle in the Actions column. In the Handle Alert dialog box, set Solution to Mark as Handled and click OK.