Overview
An alert is a notification of an abnormal signal in O&M. It is usually generated automatically by a monitoring system or security device when it detects an exception in a system or network. For example, when the CPU usage of a server exceeds 90%, the system may generate an alert. Such exceptions may include system faults, security threats, or performance bottlenecks.
Generally, an alert clearly indicates the location, type, and impact of an exception. In addition, alerts can be classified by severity, such as critical, major, and minor, so that O&M personnel can determine which alerts need to be handled first.
The purpose of an alert is to notify the related personnel in a timely manner so that they can respond quickly and take measures to fix the problem.
When SecMaster detects an exception in cloud resources (for example, a malicious IP address attacking an asset, or an asset that has been compromised), it generates an alert and displays the threat information on the Alerts page in SecMaster. For details about preset alert types, see Preset Alert Types.
On the SecMaster Alerts page, you can:
- Check alert details. You can check alerts generated over the last 360 days as well as their details, including the alert name, type, severity, and time it was generated. You can customize filters to quickly search for a specific alert by its name, risk severity, occurrence time, and other attributes.
- Convert an alert into an incident or associate an alert with incidents. During the alert analysis, if SecMaster detects attacks or serious threats, it converts such alerts into incidents or associates such alerts with certain incidents.
- Start or stop one-click blocking by using an emergency policy. You can quickly contain a certain type of attack from malicious IP addresses based on the attack sources identified in an alert.
- Disable or delete an alert. Deleted alerts cannot be restored. Exercise caution when performing this operation.
Alerts and attacks are different. The following table lists their differences.
Name | Data Source | Supported Operation
---|---|---
Alerts | |
Attacks | Attacks are reported by the layer-7 security products. For details, see Overview. |
Alert Severity Levels
Severity | Description
---|---
Critical | A critical alert indicates that the system is severely attacked, which may cause data loss, system breakdown, or long service interruption. For example, such alerts are generated if ransomware encryption behaviors or malware is detected. You need to handle them immediately to avoid severe system damage.
High | A high-risk alert indicates that the system may be under an attack that has not yet caused serious damage. For example, such alerts are generated if unauthorized login attempts are detected or unsafe commands (for deleting critical system files or modifying system settings) are executed. You need to investigate and take measures in a timely manner to prevent attacks from spreading.
Medium | A medium-risk alert indicates that the system has potential security threats, but there are no obvious signs of being attacked. For example, if abnormal modifications of a file or directory are detected, there may be potential attack paths or configuration errors in the system. You need to analyze further and take proper preventive measures to enhance system security.
Low | A low-risk alert indicates that a minor security threat exists in the system but does not have a significant impact on it. For example, such alerts are generated if port scans are detected, indicating that attackers may be trying to find system vulnerabilities. These alerts do not require immediate emergency measures. If you have high requirements for asset security, you should also pay attention to alerts at this level.
Informational | The resource has potential errors, which might affect services. If you have high requirements for asset security, you should also pay attention to alerts at this level.
Attack Handling Methods
For attacks reported by the security products of the seven layers of defense, you can handle, disable, or ignore the corresponding alerts in SecMaster. For details, see Handling Attacks.
- Closing an alert: If an alert has been manually handled, you can close it.
- Ignoring an alert: If the risk of an alert is controllable, you can ignore the alert. The next time this type of alert is triggered, a new alert will be generated.
Limitations and Constraints
- Deleting an alert: Only alerts defined or imported by you can be deleted.
- Importing an alert: Only .xlsx files can be imported. Each import is limited to one file of no more than 5 MB containing at most 100 records.
- Exporting an alert: A maximum of 9,999 alerts can be exported.
- One-click blocking or unblocking: For details, see Limitations and Constraints.
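As an added example (not SecMaster code), the following Python pre-check tests an alert import workbook against the limits listed above (.xlsx only, at most 5 MB, at most 100 records) before it is uploaded; the sample workbook and its single `alert_name` column are constructed here and hypothetical.

```python
import io
import re
import zipfile

# Limits stated in the SecMaster documentation for importing alerts.
MAX_BYTES = 5 * 1024 * 1024
MAX_RECORDS = 100


def build_sample_xlsx(n_records: int) -> bytes:
    """Constructed sample: a minimal .xlsx (a zip of XML parts) with one
    header row plus n_records data rows. The column layout is hypothetical."""
    rows = ['<row r="1"><c r="A1" t="inlineStr"><is><t>alert_name</t></is></c></row>']
    for i in range(n_records):
        r = i + 2
        rows.append(f'<row r="{r}"><c r="A{r}" t="inlineStr"><is><t>alert-{i}</t></is></c></row>')
    sheet = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
             f'<sheetData>{"".join(rows)}</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # minimal stand-in parts
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


def check_import_file(name: str, data: bytes) -> list:
    """Return the list of constraint violations; an empty list means the file
    satisfies the documented import limits."""
    problems = []
    if not name.lower().endswith(".xlsx"):
        problems.append("only .xlsx files can be imported")
        return problems
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            sheet = z.read("xl/worksheets/sheet1.xml").decode("utf-8")
    except (zipfile.BadZipFile, KeyError):
        problems.append("file is not a readable .xlsx workbook")
        return problems
    # Count data rows: every <row> element in the first sheet except the header.
    records = len(re.findall(r"<row\b", sheet)) - 1
    if records > MAX_RECORDS:
        problems.append(f"{records} records, limit is {MAX_RECORDS}")
    return problems
```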