Viewing Server Alarms

Constraints and Limitations

• To skip the checks on high-risk command execution, privilege escalations, reverse shells, abnormal shells, or web shells, manually disable the corresponding policies in the policy groups on the Policies page. HSS will not check the servers associated with disabled policies. For details, see Viewing a Policy Group.
• Other detection items cannot be manually disabled.
• Servers that are not protected by HSS do not support operations related to alarms and events.

Procedure

1. Log in to the management console.
2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
3. In the navigation pane on the left, choose Detection > Alarms and click Server Alarms.
   

   If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

   Table 1 Alarm statistics

   Parameter	Description
   Enterprise Project	Select an enterprise project and view alarm details by enterprise project.
   Time range	You can select a fixed period or customize a time range to search for alarms. Only alarms generated within 30 days can be queried. The options are as follows: Last 24 hours Last 3 days Last 7 days Last 30 days
   Urgent Alarms	Number of urgent alarms that need to be handled.
   Total Alarms	Total number of alarms on your assets.
   Affected Servers	Number of servers for which alarms are generated. When checking alarms generated in the last 24 hours, you can click the number of servers to go to the Servers & Quota page and check the corresponding servers.
   Handled Alarms	Number of handled alarms.
   Blocked IP Addresses	Number of blocked IP addresses. You can click the number to check blocked IP address list. The blocked IP address list displays the server name, attack source IP address, login type, blocking status, number of blocks, blocking start time, and the latest blocking time. If a valid IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), you can manually unblock it. If a server is frequently attacked, you are advised to fix its vulnerabilities in a timely manner and eliminate risks. NOTICE: The agent of Linux 3.2.10 or later supports IPv6 interception. The agent of a version earlier than Linux 3.2.10 supports TCP Wrapper interception, but does not support IPv6 interception using IPTables. After a blocked IP address is unblocked, HSS will no longer block the operations performed by the IP address. A maximum of 10,000 IP addresses can be blocked for each type of software. If your Linux server does not support ipset, a maximum of 50 IP addresses can be clocked for MySQL and vsftp. If your Linux server does not support ipset or hosts.deny, a maximum of 50 IP addresses can be blocked for SSH.
   Isolated Files	HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them. You can recover isolated files. For details, see Managing Isolated Files.

4. Check alarms on your assets.

   In the Alarms to Be Handled area, you can select an alarm type and an ATT&CK phase to view the alarms of the selected type.

   ATT&CK attack phase tags are also displayed below alarm names. For more information, see Table 2.

   

   Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a framework that helps organizations understand the cyber adversary tactics and techniques used by threat actors across the entire attack lifecycle.

   Table 2 ATT&CK phases

   ATT&CK Phase	Description
   Reconnaissance	Attackers seek vulnerabilities in your system or network.
   Initial Access	Attacker try to enter your system or network.
   Execution	Attackers try to run malicious code.
   Persistence	Attackers try to maintain their foothold.
   Privilege Escalation	Attackers try to obtain higher permissions.
   Defense Evasion	Attackers try to avoid being detected.
   Credential Access	Attackers try to steal account names and passwords.
   Command and Control	Attackers try to communicate with compromised machines to control them.
   Impact	Attackers try to manipulate, interrupt, or destroy your system or data.

5. Click an alarm name to view its details. Table 3 describes the alarm parameters.
   

   For some HSS alarms that have been determined as malware alarms, the alarm source files are saved in the cloud center and you can download them. You can download the alarm source files to your local PC for analysis. The password for decompressing the files is unlock.

   For unacknowledged malware alarms, alarm source files cannot be downloaded. Check the actual service conditions and determine whether the files are malicious files.

   Figure 1 Alarm details
   

   Table 3 Alarm detail parameters

   Parameter	Description
   Protection Engine	Detection engines used by HSS, including the virus detection engine, AI detection engine, and malicious intelligence detection engine.
   Attack Status	Status of the current threat.
   First Occurred	Time when an attack alarm was first generated
   Alarm ID	Unique ID of an alarm
   ATT&CK Phase	For details about the attack technology models used by attackers in each phase, see Table 2.
   Last Occurred	Time when an attack alarm was last generated
   Alarm Information	Detailed information about an alarm, including the alarm description, alarm summary, affected assets, and handling suggestions.
   Forensics	HSS investigates information such as the attack triggering path or virus type based on the alarm type, helping you quickly trace and locate the attack source. Process Tree: If an alarm event contains process information, you can check the process ID, process file path, process command line, process startup time, and process file hash on the Forensics tab page. You can locate malicious processes based on such information. File Forensics: If an alarm event contains file information, you can check the file path and file hash on the Forensics tab page. You can locate the files based on the such information. Network Forensics: If an alarm event contains file information, the network forensics information is displayed on the Forensics tab page. Network forensics information includes the local IP address, local port, remote IP address, remote port, and protocol. You can determine whether the access is unauthorized based on such information. User Forensics: If an alarm event contains user behavior information, the user forensics information is displayed on the Forensics tab page. User forensics information includes the username, login IP address, login service type, login service port, last login event, and number of login failures. You can determine whether the access is unauthorized based on such information. Registry Forensics: If an alarm event contains registry information, you can check the registry keys and values on the Forensics tab page. You can locate registry risks based on such information. Abnormal Login Forensics: If an alarm event contains abnormal login information, you can check the login IP address and port number on the Forensics tab page. You can determine whether the login is trusted based on such information. Malware Forensics: If an alarm event contains malware information, you can check the malware family, virus name, virus type, and confidence level on the Forensics tab page. Auto-started Item Forensics: If an alarm event contains self-startup item information, you can check the user, command, self-startup item information, and process file command line information on the Forensics tab page. You can locate the auto-boot item based on the auto-started item forensics information. Kernel Forensics: If an alarm event contains kernel information, you can check system functions and kernel functions on the Forensics tab page. You can locate kernel risks based on the information.
   Similar Alarms	Alarm whose server and event type are the same as those of this alarm. You can handle the alarm according to the handling method of the similar alarms.