Enabling a Security Model
On the Intelligent Modeling page, SecMaster provides preconfigured security analysis models based on application, network, and host security data to automatically aggregate, analyze, and report alerts.
You are advised to use a preconfigured template to create and enable an alert model.
Aggregating and analyzing alerts through models cuts the false positive rate and lets on-duty personnel respond more efficiently. You can also adjust the models for different scenarios to filter out as many false alerts as possible.
Enabling a Security Model
1. Log in to the SecMaster console.
2. Go to the target workspace.
3. In the navigation pane on the left, choose and select the Model Templates tab.
   Figure 1 Model Templates tab
4. In the template list, select a template with no models created, and click Details in the Operation column of the target template. The template details page is displayed on the right.
5. On the details page, click Create Model in the lower right corner to go to the page for creating an alert model.
6. On the Create Threat Model page, configure the model information.
   - Pipeline Name: Select a pipeline for the alert model. Only the pipeline specified in the Restrictions field in the Description area can be selected. You can also refer to Pipelines to set the pipeline.
     Figure 2 Basic Settings
   - Retain the default settings for the other parameters.
7. After the configuration is complete, click OK.
8. Repeat steps 4 to 7 to create alert models with the other templates.
Pipelines
| Model Name | Pipeline | Enabled/Disabled | Status | Remarks |
|---|---|---|---|---|
| Application-Distributed URL Traversal Attack | sec-waf-access | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application-Source IP Brute-Forcing Domain Names | sec-waf-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application - Source IP Conducting URL Traversal | sec-waf-access | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application - WAF Key Attack Alert | sec-waf-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host-Virtual Machine Lateral Connection | sec-hss-log | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - High-Risk Port Exposed to the Outside | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Login Brute-Force Alert | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Abnormal Network Connection | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Source IP Attacking Multiple Targets | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| IPS Alarm Deduplication | sec-nip-attack | Enabled on demand | -- | -- |
| Network - Command Injection Alert | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Malicious External Communication | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Rootkit Events | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Reverse Shell | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | Upgraded. Model update required. |
| Host-Abnormal Location Login | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Abnormal Shell | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Weak Password | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Malware | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Brute Force Crack Success | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - High-risk Command Detection | sec-hss-alarm | Enabled (recommended) | Enabled and ready out of the box | Upgraded. Model update required. |
| Network - Abnormal connection detection | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Hacking tool detection | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Malware (worms, viruses, Trojans) detection | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Botnets | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Backdoors | sec-nip-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application - Possible source code leakage risks | sec-waf-access | Enabled (recommended) | Enabled and ready out of the box | -- |
| Identity - IAM account brute-force cracking | sec-iam-audit | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application - Possible Log4j 2 vulnerabilities | sec-waf-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Identity - Creating an IAM agency | sec-iam-audit | Enabled (recommended) | Enabled and ready out of the box | -- |
| Identity - Creating a federated user | sec-iam-audit | Enabled (recommended) | Enabled and ready out of the box | -- |
| Identity - Creating an IAM user | sec-iam-audit | Enabled (recommended) | Enabled and ready out of the box | -- |
| O&M - Attaching a NIC | sec-cts-audit | Enabled (recommended) | Enabled and ready out of the box | -- |
| O&M - Creating a VPC peering connection | sec-cts-audit | Enabled (recommended) | Enabled and ready out of the box | -- |
| O&M - Binding EIPs to resources | sec-cts-audit | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application - Possible Fastjson vulnerabilities | sec-waf-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application - Possible Java framework common code execution vulnerabilities | sec-waf-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Application - Possible Apache Shiro vulnerabilities | sec-waf-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Abnormal CFW external connections | sec-cfw-risk | Enabled (recommended) | Enabled and ready out of the box | -- |
| Network - Suspicious DoS attacks | sec-cfw-block | Enabled on demand | Enabled and ready out of the box | -- |
| Application - Login Brute Force Attack | sec-waf-attack | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Abnormal file attribute modifications | sec-hss-log | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Malicious scheduled tasks | sec-hss-log | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Hidden processes and ports | sec-hss-log | Enabled (recommended) | Enabled and ready out of the box | -- |
| Host - Abnormal file permission modifications | sec-hss-log | Enabled (recommended) | Enabled and ready out of the box | -- |
| CSB_MODEL_Network_SuspectedRemoteCodeExecutionVulnerability | sec-nip-attack | Enabled (recommended) | -- | -- |
| CSB_MODEL_Network_Sensitivefileleakage/directorytraversalvulnerabilitypresent | sec-nip-attack | Enabled (recommended) | -- | -- |
| CSB_MODEL_Application_SuspectedOpenfireAuthenticationBypassVulnerability | sec-waf-access | Enabled (recommended) | -- | -- |
| CSB_MODEL_Application_SuspectednginxWebUIRemoteCommandExecutionVulnerability | sec-waf-access | Enabled (recommended) | -- | -- |
| CSB_MODEL_Application_SuspectedofMinIOinformationleakage | sec-waf-access | Enabled (recommended) | -- | -- |
| CSB_MODEL_Application_SuspectedF5BIG-IPCommandExecutionVulnerability | sec-waf-access | Enabled (recommended) | -- | -- |
| CSB_MODEL_Application_SpringActorinformationleakagepresent | sec-waf-access | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_scheduledtaskexception | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_Suspectedregistrationstartupinformationmodification | sec-hss-log | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_SuspecteddiscoveryofwebshellTrojan | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_Suspectedofusinginternalnetworkscanningtool | sec-hss-log | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_Miningbehaviordetection | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_ExceptionScriptCall | sec-hss-log | Enabled (recommended) | -- | -- |
| CSB_MODEL_Hostransomware | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Application_SuspectedofhumanmaliciousWEBintrusionattacks | sec-waf-attack | Enabled (recommended) | -- | -- |
| CSB_MODEL_Network_directory traversal attack | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Network_File Read/Write Execution | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Network_Bypass | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Network_Code Execution | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Network_Detect Backdoors | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Network_log4j vulnerability attack | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Network_Privilege Escalation | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Network_Detection of Malicious Outreach | sec-ndr-risk | Enabled on demand | -- | -- |
| CSB_MODEL_Host_Exceptional Privilege Escalation | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_App_Suspected Panmicro e_cology9 Login Vulnerability | sec-waf-access | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_Information Corruption | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Network Anomaly Behavior | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host Abnormal user behavior | sec-hss-alarm | Enabled (recommended) | -- | Upgraded. Model update required. |
| CSB_MODEL_Host_Container Exception | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Application_waf Alarm Malicious IP Address Attack | sec-waf-attack | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_System Abnormal Change | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_Container Exception | sec-hss-alarm | Enabled (recommended) | -- | Upgraded. Model update required. |
| CSB_MODEL_Host_Cluster Abnormal Behavior | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_Abnormal Process | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_Host_Hacker Tool Detection | sec-hss-alarm | Enabled (recommended) | -- | -- |
| CSB_MODEL_HOST_ScanningInvestigation | sec-hss-alarm | Enabled (recommended) | -- | -- |
| Host - Key file path change | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - Abnormal Network Connection | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - File/Directory changes | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - Brute force cracking attempt | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - File accessed by suspicious process | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - Container Startup Exception | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - Untrusted Process Execution | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - Suspicious Crontab Task | sec-hss-alarm | Enabled (recommended) | -- | New |
| Host - User Account Change | sec-hss-alarm | Enabled (recommended) | -- | New |
| Network - CFW Malicious External Attacks | sec-cfw-risk | Enabled (recommended) | -- | New |
| CSB_MODEL_Application_Suspecteddirectoryexplosion | sec-nginx-access | Enabled on demand | -- | -- |
| CSB_MODEL_Application_SuspectedofDOSattackrisk | sec-nginx-access | Enabled on demand | -- | -- |
| CSB_MODEL_ApplicationPythonMaliciousCrawler | sec-nginx-access | Enabled on demand | -- | -- |
| CSB_MODEL_Application_Userabnormalloginsuspectedtoexplode | sec-nginx-access | Enabled on demand | -- | -- |
| CSB_MODEL_Application_SuspectedDatabaseCollisionAttack | sec-nginx-access | Enabled on demand | -- | -- |
| Network - Illegal server access attempt detection | sec-vpc-flow | Enabled on demand | -- | -- |
| Network - Illegal port scanning | sec-vpc-flow | Enabled on demand | -- | -- |