Updated on 2023-12-22 GMT+08:00

Enabling an Alert Model

SecMaster uses models to scan the log data in pipelines. If the data falls outside the range defined by a model, an alert is generated. After log data has been connected, you can enable alert models to detect threats automatically.

SecMaster provides the following built-in templates to create and enable alert models:

Application-WAF Key Attack Alert, Host-Virtual Machine Lateral Connection, Network-High-Risk Port Exposure to the Outside, Network-Login Brute Force Alarm, Host-Suspected External Connection, Network-Source IP Attacking Multiple Targets, Network-Command Injection Alert, Network-Malicious External Communications, Host-Reverse Shell, Host-Malware, Application-Distributed URL Traversal Attack, Application-Source IP Conducting URL Traversal, Host-High-risk Command Detection, Application-Source IP Brute-Forcing Domain Names, Host-Brute Force Crack Success, Host-Abnormal Shell, Host-Weak Password, Host-Remote Login, and Host-Rootkit Events.

Creating an Alert Model

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation tree on the left, choose Threat Operations > Intelligent Modeling. On the Intelligent Modeling page that is displayed, click the Model Templates tab. The Model Template page is displayed.

    Figure 2 Model Templates tab page

  5. In the model template list, click Details in the Operation column of the target model template. The template details page is displayed on the right.

    Figure 3 Model template details

  6. On the details page, click Create Model in the lower right corner. The page for creating an alert model is displayed.
  7. On the Create Alarm Model page, configure basic information.

    • Pipeline Name: Select an execution pipeline for the alert model.
      Table 1 Available pipelines

      Alert Template                                     Execution Pipeline
      Application-WAF Key Attack Alert                   sec-waf-attack
      Host-Virtual Machine Lateral Connection            sec-hss-log
      Network-High-Risk Port Exposure to the Outside     sec-nip-attack
      Network-Login Brute Force Alarm                    sec-nip-attack
      Host-Suspected External Connection                 sec-hss-log
      Network-Source IP Attacking Multiple Targets       sec-nip-attack
      Network-Command Injection Alert                    sec-nip-attack
      Network-Malicious External Communications          sec-nip-attack
      Host-Reverse Shell                                 sec-hss-alarm
      Host-Malware                                       sec-hss-alarm
      Application-Distributed URL Traversal Attack       sec-waf-access
      Application-Source IP Conducting URL Traversal     sec-waf-access
      Host-High-risk Command Detection                   sec-hss-alarm
      Application-Source IP Brute-Forcing Domain Names   sec-waf-attack
      Host-Brute Force Crack Success                     sec-hss-alarm
      Host-Abnormal Shell                                sec-hss-alarm
      Host-Weak Password                                 sec-hss-alarm
      Host-Remote Login                                  sec-hss-alarm
      Host-Rootkit Events                                sec-hss-alarm

    • Retain the default values of the other parameters.

    Figure 4 Basic Settings

  8. After the setting is complete, click Next in the lower right corner of the page. The page for setting the model logic is displayed.
  9. Set the model logic. You are advised to retain the default value.

    For details, see Creating an Alert Model.

  10. After completing the basic settings, click Next in the lower right corner of the page.
  11. After confirming that the model is correct, click OK in the lower right corner of the page.
  12. Repeat steps 5 to 11 to create alert models from the other templates.

Enabling an Alert Model

  1. In the navigation pane on the left, choose Threat Operations > Intelligent Modeling.

    Figure 5 Available Models

  2. To enable models in batches, select all models you want to enable and click Enable in the upper left corner of the list.
  3. When the model status changes to Enabled, the model has been started successfully.