Updated on 2026-06-24 GMT+08:00

Checking Monitoring Statistics

Scenarios

SecMaster provides one overall situation screen and four mission-specific screens: monitoring statistics, asset security, threat situation, and vulnerable assets.

Before participating in cybersecurity drills, ensure that you have completed self-checks and rectifications and cleared all alerts.

If you are security personnel on duty during the drill, you need to focus on the data on the Monitoring Statistics screen. When an alert pops up, you need to handle it promptly and clear all alert data.

You can analyze alerts based on the data on the alert details page. If other log data is required, you can query and trace the source in the corresponding data pipeline through security analysis. You can close false alerts without taking any other actions, and block risky alerts in just one click.

Checking Monitoring Statistics

  1. Log in to the SecMaster console.
  2. Go to the target workspace.
  3. In the navigation pane on the left, choose Situation Awareness > Large Screen.

    Figure 1 Large Screen

  4. Click Play in the lower right corner of the Monitoring Statistics image to open the screen. In the Unhandled Alerts area, click the alert description for an alert to go to the Alarm Details page.
  5. Analyze the alert.

    On the alert details page, you can view the security overview, context, and comments about the alert.

    • On the Overview tab, you can view the alert summary, handling suggestions, basic information, and details.
    • On the Context tab, you can view the key context information and the full text of the alert.
    • On the Comment tab, you can view the historical handling actions taken and the comments made for the alert.

    The information available for analysis varies by alert and may include alert correlation information, the alert payload, and alert details.

    Figure 2 Alert details

    If you need historical or other logs for further analysis, you can go to the Security Analysis page.

    Figure 3 Security Analysis

  6. Handle emergent alerts.

    1. If you confirm that an alert is risky after analysis, click One-click blocking on the alert details page to block the attack source IP address.
    2. Configure blocking information.
      Figure 4 One-click blocking
      Table 1 Policy parameters (each parameter is followed by its description)

      Policy Type

      Type of the policy. You can select Block or Allow.

      • Block: Access from the policy object is denied.
      • Allow: Access from the policy object is allowed.

      Object Type

      If Policy Type is set to Block, Object Type can be set to IP, Account, or Domain name.

      If Policy Type is set to Allow, Object Type can be set to IP or Domain name.

      Select an object type based on your needs.

      • If IP is selected, the operation object of the policy is an IP address or IP address range.
      • If Domain name is selected, the operation object of the policy is a domain name.
      • If Account is selected, the policy is applied to a cloud service account (IAM user).

      Policy Object

      Enter one or more policy objects.

      • If Object Type is set to IP, enter one or more IP addresses or IP address ranges, separated by commas (,).

        Example: IPv4: 192.168.0.0 or 192.168.0.0/12; IPv6: 0:0:0:0:0:0:0:0 or 0:0:0:0:0:0:0:0/128.

      • If Object Type is set to Domain name, enter one or more domain names, separated by commas (,). Enter a maximum of 63 characters. Only letters, digits, hyphens (-), underscores (_), and periods (.) are allowed.
      • If Policy Type is set to Block and Object Type is set to Account, set Policy Object to one or more cloud service accounts (IAM usernames), separated by commas (,).

      Execution Tool

      Select the execution tool, which is the operation connection of the policy.

      • If Policy Type is set to Block and Object Type is set to IP, you can select CFW, VPC, and WAF operation connections.
      • If Policy Type is set to Block and Object Type is set to Account, you can select IAM operation connections.
      • If Policy Type is set to Block and Object Type is set to Domain name, you can select CFW operation connections.
      • If Policy Type is set to Allow and Object Type is set to IP, you can select WAF operation connections.
      • If Policy Type is set to Allow and Object Type is set to Domain name, you can select CFW operation connections.

      Direction

      You can set the defense line direction only when Object Type is IP.

      • If Object Type is set to IP and Execution Tool is set to a CFW or VPC operation connection, you can set the defense line direction to Inbound or Outbound.
        • Inbound: access from the Internet to cloud assets (EIPs)
        • Outbound: access from cloud assets (EIPs) to the Internet
      • If Object Type is set to IP and Execution Tool is set to a WAF operation connection, you can set the defense line direction to Outbound.

      Account

      Select the account range where the new policy takes effect. Only the operations account of the primary workspace can set the account range.

      • All accounts: If you select All accounts, the policy is applied to the operations account and all service accounts managed by the operations account.
      • Specify account: If you select Specify account and select some accounts, the policy is applied to the selected service accounts managed by the operations account.

      The meanings of the operations account, service account, and primary workspace are as follows:

      • Operations account: An operations account, or parent account, is an account that can manage member accounts. An operations account can manage multiple service accounts.
      • Service account: A service account is a member account, or child account, managed by an operations account. A service account (child account) can be managed by only one operations account.
      • Primary workspace: The first workspace created by SecMaster is the primary workspace by default. The workspace is pinned on top of the Workspaces > Management page. You can also change the primary workspace. On the Workspaces > Management page, click next to the target workspace. On the displayed workspace details page, toggle on Primary workspace.

      Region

      Select the region where the new policy takes effect.

      • Current region
      • All regions
      • Specify regional projects

      Enterprise Project

      Select the enterprise project where the new policy takes effect.

      • All enterprise projects
      • Specify enterprise projects

      Auto Expiration

      Auto expiration configured for the policy.

      • If you select Yes, set the policy expiration time.
      • If you select No, the policy is always valid.

      Tag (Optional)

      Tag of the custom emergency policy.

      Policy Description (Optional)

      Description of the custom policy.

      Table 2 Recommended blocking policies

      | Alert Type | Defense Layer | Recommended Blocking Policy | Blocking Result |
      | --- | --- | --- | --- |
      | HSS alert | Server protection | VPC policies are recommended to block traffic. | An HSS access control policy is executed to block attack IP addresses. |
      | WAF alert | Application protection | WAF policies are recommended to block traffic. | A WAF blacklist policy is executed to block attack IP addresses. |
      | CFW alert | Network protection | CFW policies are recommended to block traffic. | A CFW blacklist policy is executed to block attack IP addresses. |
      | IAM alert | Identity authentication | IAM policies are recommended to block traffic. | An IAM policy is executed to disable the related IAM user. |
      | OBS and DBSS alerts | Data protection | You can use VPC or CFW policies based on actual attack scenarios and investigation results to disconnect attack sources from protected resources. | An access control policy or a CFW blacklist policy is executed to block attack IP addresses. |

    3. Click OK.

  7. Close the alert.

    1. If you confirm that an alert is a false positive after analysis, click Closed in the upper right corner of the alert details page.
    2. In the displayed dialog box, select a closure reason, enter comments, and click OK to close the alert.
      Figure 5 Closing an alert
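The parameter rules in Table 1 (which Execution Tool is valid for each Policy Type/Object Type pair, when Direction may be set, and how the Policy Object field is formatted) can be checked before a blocking policy is submitted. The following is an added example in Python, not SecMaster's own validation code; the field names, the per-domain-name reading of the 63-character limit, and the sample values are assumptions.

```python
import ipaddress
import re

# Allowed Execution Tool per (Policy Type, Object Type), as listed in Table 1.
ALLOWED_TOOLS = {
    ("Block", "IP"): {"CFW", "VPC", "WAF"},
    ("Block", "Account"): {"IAM"},
    ("Block", "Domain name"): {"CFW"},
    ("Allow", "IP"): {"WAF"},
    ("Allow", "Domain name"): {"CFW"},
}
# Letters, digits, hyphens, underscores and periods only; the 63-character
# limit is applied per domain name here (an assumption about the UI rule).
DOMAIN_RE = re.compile(r"^[A-Za-z0-9._-]{1,63}$")


def check_objects(object_type, text):
    """Return problems found in a comma-separated Policy Object field."""
    objects = [o.strip() for o in text.split(",") if o.strip()]
    problems = [] if objects else ["Policy Object must contain at least one entry"]
    for obj in objects:
        if object_type == "IP":
            try:  # single address (192.168.0.0) or range (192.168.0.0/12), v4 or v6
                ipaddress.ip_network(obj, strict=False)
            except ValueError:
                problems.append(f"invalid IP address or range: {obj}")
        elif object_type == "Domain name" and not DOMAIN_RE.match(obj):
            problems.append(f"invalid domain name: {obj}")
    return problems


def check_policy(policy):
    """Return a list of rule violations for a one-click blocking policy ([] = OK)."""
    key = (policy["policy_type"], policy["object_type"])
    if key not in ALLOWED_TOOLS:
        return [f"unsupported Policy Type/Object Type combination: {key}"]
    problems = []
    tool = policy["execution_tool"]
    if tool not in ALLOWED_TOOLS[key]:
        problems.append(f"{tool} is not an Execution Tool for {key}")
    direction = policy.get("direction")
    if direction is not None:
        if policy["object_type"] != "IP":
            problems.append("Direction can be set only when Object Type is IP")
        else:  # WAF connections support Outbound only; CFW and VPC support both
            allowed = {"Outbound"} if tool == "WAF" else {"Inbound", "Outbound"}
            if direction not in allowed:
                problems.append(f"Direction must be one of {sorted(allowed)}")
    return problems + check_objects(policy["object_type"], policy["policy_object"])
```

An empty list means the policy satisfies every Table 1 rule; otherwise each entry names the field to correct before clicking OK.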

Troubleshooting Typical Alerts

Table 3 Troubleshooting typical alerts

| Alert Type | Security Layer | Dependent Data Source | SecMaster Intelligent Model | Handling Suggestion |
| --- | --- | --- | --- | --- |
| Typical alerts in the reconnaissance phase | Network protection | NIP attack logs | Network-High-Risk Port Exposure to the Outside | Check whether the source IP address is connected to high-risk ports in the system for service purposes. If the connection is necessary for services, modify the model script to ignore the source IP address. If the connection is not necessary for services, modify the inbound rules of the corresponding security group to prevent high-risk ports from being exposed to the public network, or block the source IP address. To ensure system security, disable unnecessary ports. |
| Typical alerts in the reconnaissance phase | Application protection | WAF attack logs | Application - Source IP Conducting URL Traversal | Emergency handling can record all access requests and responses, detect attacks in a timely manner, and restrict or block attack source IP addresses. You can configure a blacklist policy to block attack source IP addresses. |
| Typical alerts in the reconnaissance phase | Application protection | WAF access logs | Application - Possible source code leakage risks | Emergency handling can record all access requests and responses, detect attacks in a timely manner, and restrict or block attack source IP addresses. You can configure a blacklist policy to block attack source IP addresses. |
| Typical alerts for attack attempts | Application protection | WAF attack logs | Application - WAF Key Attack Alert, Application - Possible Apache Shiro vulnerabilities, Application - Possible Log4j 2 vulnerabilities, Application - Possible Java framework common code execution vulnerabilities, and Application - Possible Fastjson vulnerabilities | Contact the service owner to check whether the web server has related vulnerabilities and whether the attack is successful. If there are vulnerabilities, promptly fix them and harden the system. If the attack was successful, combine threat indicators to block attack IP addresses. |
| Typical alerts for attack attempts | Network protection | NIP attack logs | Network - Hacking tool detection and Network - Login Brute Force Alarm | Check whether the operation was performed by authorized personnel. If not, take the following steps: (1) disconnect the network connection for the attacked device or system immediately to prevent further attacks and data theft; (2) collect evidence for attack investigation and tracing, including the attack time, IP addresses used by the attacker, attack type, and affected system. |
| Typical alerts for attack attempts | Network protection | CFW access control logs | Network - Suspicious DoS attacks | Check whether the operation was performed by authorized personnel. If not, block the IP address on related network devices. |
| Typical alerts for successful intrusion | Network protection | NIP attack logs | Network - Command Injection Alert | If the source or destination port is an uncommon port, such as 4444, 8686, or 7778 (most suspicious ports are four digits), contact the owner to confirm the service scenario. If service behavior is abnormal, the system may have been injected with malicious commands. In that case, check service and host logs to identify whether the intrusion succeeded, and block attack IP addresses if necessary. |
| Typical alerts for successful intrusion | Network protection | NIP attack logs | Network - Malware (worms, viruses, Trojans) detection | Disconnect the network from the Internet immediately to prevent malware from spreading or stealing data. Then, use system restoration or antivirus software to scan and remove malware. |
| Typical alerts for successful intrusion | Server protection | HSS alert logs | Host - Brute Force Attack Success, Host - Abnormal Shell, and Host - Abnormal Location Login | Check whether the attack is successful. If the attack is successful, the server is compromised. In this case, isolate the server to prevent risks from spreading, and then harden the compromised server. |
| Typical alerts for successful intrusion | Server protection | HSS security logs | Host - Hidden processes and ports and Host - Abnormal file attribute modifications | Check whether the operation was performed by authorized personnel and whether the operation was intentional. If the process is abnormal or the file contains malicious behavior, run the related command to stop the process. |
| Typical alerts for defense evasion | Server protection | HSS alert logs | Host - Rootkit Events | Immediately check whether the Rootkit installation is caused by normal service operations. If not, terminate the installation immediately and check the entire system based on HSS alerts. |
| Typical alerts for permission maintenance | Server protection | HSS alert logs | Host - Reverse shell and Host - Malware | If an intrusion is confirmed, contact the host owner, log in to the host, stop the malware, and delete malicious files. Then, check for suspicious processes, open ports, active connections, and startup items to eliminate any remnants. Additionally, use other methods for a comprehensive assessment. |
| Typical alerts for permission maintenance | Network protection | NIP attack logs | Network - Abnormal connection detection | Check whether the behavior is a real abnormal behavior instead of a false positive or misjudgment. To do so, you can view log records and use network monitoring tools. If an abnormal connection is confirmed, immediately disconnect it and eliminate the malware to prevent further security issues. |
| Typical alerts for lateral movement | Server protection | HSS security logs | Host-Virtual Machine Lateral Connection | Review audit logs in bastion hosts or other tools to check NICs. If NICs are attached manually by unauthorized users or ECSs are under attack risk, take measures in a timely manner. |
| Typical alerts for persistent control | Network protection | NIP attack logs | Network - Backdoors | Disconnect the network from the Internet immediately to prevent backdoors from spreading or stealing data. If needed, use antivirus software to scan for and remove backdoors, and search for and delete suspicious files to ensure system security. |
| Typical alerts for persistent control | Server protection | HSS security logs | Host - Malicious scheduled tasks | Check whether the task is a normal service task. If not, disable the scheduled task. |