Viewing and Handling Honeypot Protection Events

Scenario

By default, the servers that proactively connect to the dynamic honeypot port are compromised intranet servers. Once a suspicious connection behavior is detected, an alarm is reported.

This chapter describes how to view and handle these alarms and events.

Procedure

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
Choose Prevention > Dynamic Port Honeypot. The Dynamic Port Honeypot page is displayed.
(Optional) If you have enabled the enterprise project, select the enterprise project where the target server resides from the drop-down list.
Under the introductions, view the protection overview.
- You can view the number of protection policies, protected servers, and protection events.
- You can enable the Automatically apply default policies to newly add servers. If is displayed, the function is enabled.
Figure 1 Protection information overview

Click the Protection Events tab to view honeypot protection events. For details about the parameters in the event list, see Table 1.

**Table 1** Parameters in the event list
Parameter	Description
Alarm Name	The name of an alarm event. Click an alarm name to view the details. For details, see Table 3.
Alert Severity	Alarm threat level. Honeypot protection events are classified into the following two levels: High risk: The remote server connects to the honeypot port for multiple times. Medium risk: The remote server is connected to the honeypot port.
Alarm Summary	Summary of alarm events. Based on the information, you can learn about the server that may be compromised and the connection between the server and the port.
Affected Asset	Dynamic port server connected to the compromised server.
Alarm Reported	Time when an alarm occurred.
Status	Alarm handling status, which can be Handled or To be handled.
Operation	You can handle alarm events.

After confirming the alarm information, click Handle in the Operation column of the event whose Status is To be handled. The Handle Alarm dialog box is displayed.
If you need to handle multiple alarm events in batches, click Batch Handle in the upper left corner of the list.

Select a solution. For details about the solution, see Table 2.

**Table 2** Parameters for handling alarm events
Parameter	Description
Action	Ignore: Ignore the alarm event. The alarm is still generated when the next threat event occurs. Manually handling: You can manually isolate ports for the compromised server. Add to alarm whitelist: Add the trusted server that triggers an alarm to the whitelist so that no alarm will be generated when similar threat events occur.
Batch handling	If you need to handle the same alarm event at the same time, you can select the parameter.
Remarks (Optional)	To facilitate identification of the current processing, supplementary description can be provided.

Click OK.

Alarm Details Parameters

For details about the parameters on the alarm details, see Table 3.

**Table 3** Alarm details parameters
Parameter	Description
Intelligence Engine	Detection engines used by HSS, including the virus detection engine, AI detection engine, and malicious intelligence detection engine.
Attack Status	Status of the current threat.
First Occurred	Time when an attack alarm is generated for the first time
Alarm ID	Unique ID of an alarm
ATT&CK Phase	Attack model used by attackers in each phase.
Last Occurred	Time when an attack alarm is generated for the last time
Alarm Information	Detailed information about an alarm, including the alarm description, alarm summary, affected assets, and handling suggestions.
Forensics	The dynamic port honeypot function checks the network forensics information of the attack source.
Similar Alarms	Alarms that are similar to the current alarm event. You can handle the alarm according to the handling method of the similar alarms.