Viewing Server Alarms
The Events page displays the alarm events generated in the last 30 days. You can manually handle the alarmed items.
The status of a handled event changes from Unhandled to Handled.
Constraints and Limitations
- To skip the checks on high-risk command execution, privilege escalation, reverse shells, abnormal shells, or web shells, manually disable the corresponding policies in the policy groups on the Policies page. HSS will not check the servers associated with disabled policies. For details, see Viewing a Policy Group.
- Other detection items cannot be manually disabled.
- Servers that are not protected by HSS do not support operations related to alarms and events.
Procedure
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
- In the navigation pane on the left, choose Detection > Alarms and click Server Alarms.
If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.
Table 1 Alarm statistics Parameter
Description
Enterprise Project
Select an enterprise project and view alarm details by enterprise project.
Time range
You can select a fixed period or customize a time range to search for alarms. Only alarms generated within 30 days can be queried.
The options are as follows:
- Last 24 hours
- Last 3 days
- Last 7 days
- Last 30 days
Urgent Alarms
Number of urgent alarms that need to be handled.
Total Alarms
Total number of alarms on your assets.
Affected Servers
Number of servers for which alarms are generated.
When checking alarms generated in the last 24 hours, you can click the number of servers to go to the Servers & Quota page and check the corresponding servers.
Handled Alarms
Number of handled alarms.
Blocked IP Addresses
Number of blocked IP addresses. You can click the number to check blocked IP address list.
The blocked IP address list displays the server name, attack source IP address, login type, blocking status, number of blocks, blocking start time, and the latest blocking time.
If a valid IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), you can manually unblock it. If a server is frequently attacked, you are advised to fix its vulnerabilities in a timely manner and eliminate risks.
NOTICE:- After a blocked IP address is unblocked, HSS will no longer block the operations performed by the IP address.
- A maximum of 10,000 IP addresses can be blocked for each type of software.
If your Linux server does not support ipset, a maximum of 50 IP addresses can be clocked for MySQL and vsftp.
If your Linux server does not support ipset or hosts.deny, a maximum of 50 IP addresses can be blocked for SSH.
Isolated Files
HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them.
You can recover isolated files. For details, see Managing Isolated Files.
- Check alarms on your assets.
In the Alarms to Be Handled area, you can select an alarm type and an ATT&CK phase to view the alarms of the selected type.
ATT&CK attack phase tags are also displayed below alarm names. For more information, see Table 2.
Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a framework that helps organizations understand the cyber adversary tactics and techniques used by threat actors across the entire attack lifecycle.
Table 2 ATT&CK phases ATT&CK Phase
Description
Reconnaissance
Attackers seek vulnerabilities in your system or network.
Initial Access
Attacker try to enter your system or network.
Execution
Attackers try to run malicious code.
Persistence
Attackers try to maintain their foothold.
Privilege Escalation
Attackers try to obtain higher permissions.
Defense Evasion
Attackers try to avoid being detected.
Credential Access
Attackers try to steal account names and passwords.
Command and Control
Attackers try to communicate with compromised machines to control them.
Impact
Attackers try to manipulate, interrupt, or destroy your system or data.
- Click an alarm name to view its details. Table 3 describes the alarm parameters.
You can download the alarm source files of certain malware to your local PC for analysis. The password for decompressing the files is unlock.
Figure 1 Alarm details
Table 3 Alarm detail parameters Parameter
Description
Intelligence Engine
Detection engines used by HSS, including the virus detection engine, AI detection engine, and malicious intelligence detection engine.
Attack Status
Status of the current threat.
First Occurred
Time when an attack alarm is generated for the first time
Alarm ID
Unique ID of an alarm
ATT&CK Phase
For details about the attack technology models used by attackers in each phase, see Table 2.
Last Occurred
Time when an attack alarm is generated for the last time
Alarm Information
Detailed information about an alarm, including the alarm description, alarm summary, affected assets, and handling suggestions.
Forensics
HSS investigates information such as the attack triggering path or virus type based on the alarm type, helping you quickly trace and locate the attack source.
- Process Tree: If an alarm event contains process information, you can check the process ID, process file path, process command line, process startup time, and process file hash on the Forensics tab page. You can locate malicious processes based on such information.
- File Forensics: If an alarm event contains file information, you can check the file path and file hash on the Forensics tab page. You can locate the files based on the such information.
- Network Forensics: If an alarm event contains network-related information, you can check the user name, login IP address, login service type, login service port, last login event, and number of login failures on the Forensics tab page. You can determine whether a user is unauthorized based on such information.
- User Forensics: If an alarm event contains user behavior information, you can check the local IP address, local port, remote IP address, remote port, and protocol on the Forensics tab page. You can determine whether the access is unauthorized based on such information.
- Registry Forensics: If an alarm event contains registry information, you can check the registry keys and values on the Forensics tab page. You can locate registry risks based on such information.
- Abnormal Login Forensics: If an alarm event contains abnormal login information, you can check the login IP address and port number on the Forensics tab page. You can determine whether the login is trusted based on such information.
- Malware Forensics: If an alarm event contains malware information, you can check the malware family, virus name, virus type, and confidence level on the Forensics tab page.
- Auto-started Item Forensics: If an alarm event contains self-startup item information, you can check the malware family, virus name, virus type, and confidence level on the Forensics tab page. You can locate the auto-boot item based on the auto-started item forensics information.
- Kernel Forensics: If an alarm event contains kernel information, you can check system functions and kernel functions on the Forensics tab page. You can locate kernel risks based on the information.
Similar Alarms
Alarm that are similar to the current alarm event. You can handle the alarm according to the handling method of the similar alarms.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.