Security Center：View and handle alerts

View alerts

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Detection and Response > Alerts.

3. On the Alerts page, view alerts.

   Filter alerts

   You can filter alerts in an efficient manner by using various filters that are provided in the Security Center console.

   • Filter alerts by asset type

     You can perform this operation only if you use the Ultimate edition of Security Center. Above the alert list, click the All, Host, Container, K8S, or Cloud Product tab to view the alerts that are generated on each type of asset.

   • Filter alerts by using the Severity filter or Handled or Not filter above the alert list

     For example, you can set Handled or Not to Handled and Status to Blocked. Then, the system displays the alerts generated for common viruses that are automatically blocked by Security Center.

   • Filter alerts by option in the Alert Type section or ATT&CK Phase section to the left of the alert list.

     The ATT&CK Phase section displays the phases of virus attacks. You can view the attack phases that are indicated by icons in the Alert Name column to obtain the phases of virus attacks on your servers. This helps you quickly understand the security status of your assets.

   View the details of an alert

   Click the name of an alert or click Details in the Actions column of an alert. The details panel of the alert appears. In the details panel, you can view the basic information about the alert, affected assets, and description of the alert. You can also use the AI tool to analyze the alert and handle the alert based on the alert analysis result.

   Note

   The information in the details panel of an alert varies. The information that is displayed in the panel shall prevail.

   • View affected assets

     Click the name of an affected asset in the Affected Asset column to view the details of the asset. The details include alerts, vulnerabilities, baseline risks, and asset fingerprints.

   • View alert causes

     In the Event Description section, view the causes and handling suggestions of the alert.

   Use the feature of attack source tracing

   Note

   • Only the Enterprise and Ultimate editions support the feature of attack source tracing.

   • Security Center generates a chain of automated attack source tracing 10 minutes after a threat is detected. We recommend that you view the information about attack source tracing 10 minutes after an alert is generated.

   • Three months after an alert is generated, the information about attack source tracing for the alert is automatically deleted. We recommend that you view the information about attack source tracing for alerts at the earliest opportunity.

   Security Center provides the feature of attack source tracing. This feature automatically traces the sources of attacks and provides original data previews. The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the causes of intrusions and make informed decisions at the earliest opportunity. You can use the feature in scenarios where urgent response and source tracing of threats are required, such as web intrusions, worm events, ransomware, and unauthorized communications to suspicious sources in the cloud.

   In the alert list, find the alert whose sources you want to trace and click the icon in the Alert Name column. Alternatively, click Details in the Actions column of the required alert to go to the alert details page. On the alert details page, view the event tracing diagram in the Tracing section. You can click each node in the event tracing diagram to view the node information. You can also click AI Analysis to view the description of the event tracing diagram.

   View sandbox check results

   Security Center provides the cloud sandbox check feature, which allows files to run in a secure and isolated environment and analyzes dynamic and static data of file behavior. This helps you run suspicious applications in a secure manner and identify suspicious behavior of files. If alerts are generated, you can handle malicious applications based on sandbox check results.

   Note

   The cloud sandbox check feature can detect only some malware. The supported malware that is displayed on the page shall prevail.

   1. In the alert list, find the alert that you want to manage and click Details in the Actions column.

   2. In the Sandbox section, view the sandbox check results.

   Use the investigation feature

   The investigation feature provides visualized information about attacks. You can view the source IP addresses from which attacks are launched and analyze the causes of intrusions. This feature helps you identify the attacked assets and reinforce your asset security.

   You can find the required alert in the alert list and click the icon in the Alert Name column to go to the Investigation page.

   Note

   • If Blocked is displayed in the Alert Name column, Security Center terminated the malicious process of a virus file. The file can no longer threaten your services. We recommend that you quarantine the file at the earliest opportunity.

   • If Strict Mode is displayed in the Alert Name column, the alert detection mode of a server is the strict mode. In Strict Mode, Security Center detects more suspicious behavior and generates alerts. However, the false positive rate is higher in this mode. For more information, see Enable features on the Host Protection Settings tab.

Handle alerts

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Detection and Response > Alerts.

3. On the Alerts page, find the alert that you want to manage and click Handle in the Actions column. In the dialog box that appears, select a processing method to handle the alert and click Process Now.

   Note

   • Different types of alerts support different processing methods. The processing methods displayed in the Security Center console shall prevail.

   • You can add a note based on your business requirements. For example, you can enter the reason for handling the alert and the user who handles the alert. This helps manage alerts that are handled.

   Method	Description
   Virus Detection and Removal	If you select Virus Detection and Removal, you can terminate the malicious process for which the alert is generated and quarantine the source file of the malicious process. The quarantined file can no longer threaten your services. If you confirm that the alert is a positive, you can use one of the following methods to manually handle the alert: Terminate Process: terminates the malicious process. Terminate Process and Quarantine Source File: quarantines the virus file. After the virus file is quarantined, the file can no longer threaten your servers. For more information, see View and restore quarantined files. Warning If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable. A quarantined file can be restored within 30 days. After the restoration, the alert generated for the file is displayed in the alert list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
   Add to Whitelist	If the alert is a false positive, you can add the alert to the whitelist. You can also specify a whitelist rule to add alerts that meet the condition in the rule to the whitelist. For example, you select Add To Whitelist for the Exploit Kit Behavior alert and specify a rule to add the alerts generated for commands that contain aa to the whitelist. After the configuration, the status of the alert changes to Handled. Security Center no longer generates alerts for the commands that contain aa. In the handled alert list, you can remove the alert from the whitelist. Note If you select this method, the alert that you select is added to the whitelist. You can also specify a whitelist rule. After you specify a whitelist rule, Security Center no longer generates the same alert as the selected alert if the condition in the rule is met. For more information about the alerts that can be added to the whitelist of Security Center, see What alerts can I add to the whitelist? If Security Center generates an alert on a normal process, the alert is considered a false positive. Common false positives include an alert generated for Unusual TCP Packets. This alert notifies you that your server initiated suspicious scans on other devices.
   Ignore	If you select Ignore, the status of the alert changes to Ignored. Security Center still generates this alert in the subsequent detection. Note If one or more alerts can be ignored or are false positives, you can select the alerts and click Ignore Once or Add to Whitelist below the alert list of the Alerts page.
   In-depth Cleanup	After the security experts of Security Center conduct tests and analysis on persistent viruses, the experts develop the In-depth Cleanup method based on the test and analysis results to detect and remove persistent viruses. If you use this method, risks may occur. You can click Details to view the information about the viruses that you want to remove. This method supports snapshots. You can create snapshots to restore data that is deleted during deep cleanup.
   Quarantine	If you select Quarantine, Security Center quarantines webshell files. The quarantined files can no longer threaten your services. Warning If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable. A quarantined file can be restored within 30 days. After the restoration, the alert generated for the file is displayed in the alert list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
   Block	If you select Block, Security Center generates security group rules to defend against attacks. You must specify the validity period for the rules. This way, Security Center blocks access requests from malicious IP addresses within the specified period.
   End Process	If you select End Process, Security Center terminates the process for which the alert is generated.
   Troubleshooting	If you select Troubleshooting, the diagnostic program of Security Center collects information about the Security Center agent that is installed on your server and reports the information to Security Center for analysis. The information includes the network status, the processes of the Security Center agent, and logs. During the diagnosis, CPU and memory resources are consumed. You can select one of the following modes for troubleshooting: Standard In Standard mode, logs of the Security Center agent are collected and then reported to Security Center for analysis. Strict In Strict mode, the information about the Security Center agent is collected and then reported to Security Center for analysis. The information includes network status, processes, and logs.
   Manually Handled	If you select this method, it indicates that you have handled the risks for which the alert is generated.
   Handle Same Type of Alerts	If you select this method, you can select multiple alerts to handle at a time. Before you handle multiple alerts at a time, we recommend that you view the details of the alerts.
   Do Not Intercept Rule	If you do not want Security Center to block requests whose URI matches blocking rules, select Do Not Intercept Rule. After you select Do Not Intercept Rule, Security Center no longer blocks requests that use the URI or generates alerts.
   Defense Without Notification	If you select this method, the same alerts are automatically added to the handled alert list. Security Center no longer notifies you of the alerts. Proceed with caution.
   Disable Alerting Defense Rule	If you select this method, the system disables the automatic defense rule. Proceed with caution.

   After you handle the alert, the status of the alert changes from Unhandled to Handled.

View statistics about alerts

Security Center provides statistics based on the alert types that are enabled. This allows you to obtain up-to-date information about the alerts on your assets and on the enabled and disabled alert types. You can view the statistics about alerts and the enabled alert types.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Detection and Response > Alerts.

3. In the upper part of the Alerts page, view the statistics about alerts.

   Parameter	Description	Operation
   Alerting Servers	The number of servers on which alerts are generated.	Click the number below Alerting Servers to go to the Server tab of the Host page. On the Server tab, view the details of servers on which alerts are generated.
   Urgent Alerts	The number of unhandled Urgent alerts.	Click the number below Urgent Alerts. The system displays the urgent alerts on the Alerts page. You can view and handle the Urgent alerts. Note We recommend that you handle the Urgent alerts at the earliest opportunity.
   Unhandled Alerts	The total number of unhandled alerts.	View the details of all unhandled alerts on the Alerts page. For more information, see View and handle alerts.
   Precise Defense	The number of viruses that are automatically quarantined by the Malicious Host Behavior Prevention feature.	Click the number below Precise Defense. The system displays the related alerts on the Alerts page. You can view all viruses that are automatically quarantined by the malicious host behavior prevention feature.Malicious Host Behavior Prevention Note You can ignore the viruses that are quarantined by Security Center.
   Enabled IP Address Blocking Policies/All Policies	Enabled IP Address Blocking Policies: the number of IP addresses blocked by the defense policies against brute-force attacks that are enabled All Policies: the number of IP addresses blocked by all defense policies against brute-force attacks that are created	Click a number below Enabled IP Address Blocking Policies/All Policies. In the IP Policy Library panel, you can view the IP address blocking policies that are enabled or all IP address blocking policies that are created. For more information about IP address blocking policies, see Configure alert settings.
   Quarantined Files	The number of files that are quarantined by Security Center based on handled alerts.	Click the number below Quarantined Files. In the Quarantined Files panel, you can view the details of quarantined files. The quarantined files cannot affect your servers. For more information, see View and restore quarantined files.

View the statistics about archived alerts

If more than 100 alerts exist, Security Center automatically archives only the alerts that are handled prior to 30 days ago. Archived alerts are no longer displayed in the Security Center console. If you want to view the statistics about archived alerts, you can download the file of archived alerts to your computer.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Detection and Response > Alerts.

3. In the upper-right corner of the Alerts page, click Archive data.

4. In the Archive data dialog box, view the file of archived alerts.

5. Click Download in the Download Link column to download the file of archived alerts to your computer.

   The file of archived alerts is in the XLSX format. It takes 2 to 5 minutes to download a file of archived alerts. The time required by a download operation varies based on the network bandwidth and the file size.

   After you download the file, you can view the information about alerts in the file. The information includes the alert IDs, alert names, alert details, risk levels, and status of alerts. You can also view information about affected assets, names of the affected assets, suggestions for handling the alerts, and points in time at which alerts were generated.

   Note

   If an alert is in the Expired state, the alert has been generated within the last 30 days but you have not handled the alert. We recommend that you handle the alerts generated by Security Center at the earliest opportunity.

View and restore quarantined files

Security Center can quarantine malicious files. Quarantined files are listed in the Quarantine panel of the Alerts page. The system automatically deletes a quarantined file 30 days after the file is quarantined. If you confirm that the quarantined file is not exposed to security risks, you can restore the quarantined file with a few clicks within 30 days after the file is quarantined.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

2. In the left-side navigation pane, choose Detection and Response > Alerts.

3. In the upper-right corner of the Alerts page, click Quarantined Files.

4. In the Quarantined Files panel, view information about quarantined files or restore the quarantined files.

   • You can view information about quarantined files. The information includes server IP addresses, directories that store the files, file status, and time of the last modification.

   • You can also restore a quarantined file: Find the file and click Restore in the Actions column. The alert generated for the file is displayed in the alert list again.