Updated on 2024-05-16 GMT+08:00

Managing the Alarm Whitelist

You can configure the alarm whitelist to reduce false alarms. Events can be deleted from the whitelist.

Whitelisted events will not trigger alarms.

On the Alarms page, you can add falsely reported alarms to the alarm whitelist. After an alarm is added to the whitelist, HSS will not generate alarms or collect statistics on it.

Adding Events to the Alarm Whitelist

Table 1 Configuring the alarm whitelist

| Method | Description |
|---|---|
| Add to alarm whitelist | Choose to add the alarm to the whitelist when handling it. |

The following types of events can be added to the alarm whitelist:

  • Reverse shells
  • Ransomware
  • Malicious programs
  • Web shell
  • Abnormal process behaviors
  • Process privilege escalations
  • File privilege escalations
  • High-risk command executions
  • Important file changes
  • File/Directory changes
  • Abnormal shells
  • Suspicious crontab tasks
  • Invalid accounts
  • Common vulnerability exploits
  • Redis vulnerability exploits
  • Hadoop vulnerability exploits
  • MySQL vulnerability exploits

Checking the Alarm Whitelist

Perform the following steps to check the alarm whitelist:

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane on the left, choose Detection > Whitelists.

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

  4. Click Alarm Whitelist to view the added alarm whitelist. For more information, see Table 2.

    Figure 1 Alarm whitelist
    Table 2 Parameter description

    | Parameter Name | Description |
    |---|---|
    | Alarm Type | Name of the alarm whitelist type. |
    | Whitelist Field | Whitelisted file field |
    | Wildcard | Logic used by a whitelisted rule, which can be equal or include. |
    | Whitelist Rule | Whitelisted rule ID |
    | Description | Description of the target whitelist. |
    | Data Source | Source of the target whitelist. |
    | Added | Time when an alarm is added to the whitelist. |
    | Enterprise Project | Enterprise project |

Related Operations

Removing alarms from the whitelist

To remove an alarm from the whitelist, select it and click Delete.

  • Exercise caution when performing this operation. Whitelisted alarms cannot be restored after removal, and will be reported once triggered.
  • After an alarm is deleted from the whitelist, the handling status of the events associated with the alarm is not updated. To change the status, choose Detection > Alarms, click Handle in the Operation column of an event, and select Remove from whitelist.