Enabling Alarm Notifications

Updated on 2024-08-14 GMT+08:00
After alarm notification is enabled, you receive alarm notifications sent by HSS about the security risks facing your servers and web pages. Without this function, you have to log in to the management console to view alarms.
  • Alarm notification settings are effective only for the current region. To receive notifications from another region, switch to that region and configure alarm notification.
  • Alarm notifications may be mistakenly blocked. If you have enabled notifications but not received any, check whether they have been blocked as spam.

Enabling Alarm Notifications

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > Host Security Service.
  3. In the navigation pane, choose Installation & Configuration, and click Alarm Notifications. Table 1 describes the parameters.

    Table 1 Alarm configurations

    | Notification Item | Description | Suggestion |
    | --- | --- | --- |
    | Daily alarm notification | HSS scans the accounts, web directories, vulnerabilities, malicious programs, and key configurations in the server system at 00:00 every day, and sends the summarized detection results to the recipients you set in SMN, depending on which one you chose. To view notification items, click View Default Daily Notification Events. | • It is recommended that you receive and periodically check all the content in the daily alarm notification to eliminate risks in a timely manner. • Daily alarm notifications contain a lot of check items. If you want to send the notifications to recipients set in an SMN topic, you are advised to set the topic protocol to Email. |
    | Real-time alarm notification | When an attacker intrudes into a server, alarms are sent to the recipients you set in SMN, depending on which one you chose. To view notification items, click View Default Real-time Notification Events. | • It is recommended that you receive all the content in the real-time alarm notification and view it promptly. HSS monitors the security of servers in real time, detects intrusions, and sends real-time alarm notifications so that you can quickly handle the problem. • Real-time alarm notifications are about urgent issues. If you want to send the notifications to recipients set in an SMN topic, you are advised to set the topic protocol to SMS. |
    | Severity | Select the severities of alarms that you want to be notified of. | All |
    | Masked Events | Select the events that you do not wish to be notified of. Select events to be masked from the drop-down list box. | Determine the events to be masked based on the description in Alarm Notifications. |

  4. Select the alarm notification mode.

    • Use SMN topic settings

      Select an available topic from the drop-down list or click View Topics and create a topic.

      You can create multiple notification topics based on the O&M plan and alarm notification type to receive different types of alarm notifications. For details about topics and subscriptions, see the Simple Message Notification User Guide.

  5. Click Apply. A message will be displayed indicating that the alarm notification is set successfully.

Alarm Notifications

  • Daily Alarm Notifications

    The service checks risks in your servers in the early morning every day, summarizes and collects detection results, and sends the results to your mobile phone or email box at 10:00 every day.

    Table 2 Daily alarm notification

    | Type | Item | Description |
    | --- | --- | --- |
    | Assets | Dangerous ports | Check for high-risk open ports and unnecessary ports. |
    | | Agent not installed | Check for servers with no agent installed, and remind you to install the agent on these servers in a timely manner. |
    | Vulnerabilities | Critical vulnerabilities | Detect critical vulnerabilities and fix them in a timely manner. |
    | Unsafe settings | Unsafe configurations | Detect unsafe settings of key applications that will probably be exploited by hackers to intrude servers. |
    | | Common weak passwords | Detect weak passwords in MySQL, FTP, and system accounts. |
    | Intrusions | Unclassified malware | Check and handle detected malicious programs all in one place, including web shells, Trojans, mining software, worms, and viruses. |
    | | Rootkits | Detect server assets and report alarms for suspicious kernel modules, files, and folders. |
    | | Ransomware | Check for ransomware in media such as web pages, software, emails, and storage media. Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, in order to extort victims. |
    | | Web shells | Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells. • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warnings on trusted files. • You can use the manual detection function to detect web shells on servers. |
    | | Reverse shells | Monitor user process behaviors in real time to detect reverse shells caused by invalid connections. Reverse shells can be detected for protocols including TCP, UDP, and ICMP. |
    | | Redis vulnerability exploits | Detect the modifications made by the Redis process on key directories in real time and report alarms. |
    | | Hadoop vulnerability exploits | Detect the modifications made by the Hadoop process on key directories in real time and report alarms. |
    | | MySQL vulnerability exploits | Detect the modifications made by the MySQL process on key directories in real time and report alarms. |
    | | File privilege escalations | Check the file privilege escalations in your system. |
    | | Process privilege escalations | The following process privilege escalation operations can be detected: • Root privilege escalation by exploiting SUID program vulnerabilities • Root privilege escalation by exploiting kernel vulnerabilities |
    | | Important file changes | Receive alarms when critical system files are modified. |
    | | File/Directory changes | System files and directories are monitored. If a file or directory is modified, an alarm is generated, indicating that the file or directory may have been tampered with. |
    | | Abnormal process behaviors | Check the processes on servers, including their IDs, command lines, process paths, and behavior. Send alarms on unauthorized process operations and intrusions. The following abnormal process behavior can be detected: • Abnormal CPU usage • Processes accessing malicious IP addresses • Abnormal increase in concurrent process connections |
    | | High-risk command executions | Check executed commands in real time and generate alarms if high-risk commands are detected. |
    | | Abnormal shells | Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files. |
    | | Suspicious crontab tasks | Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders. You can get notified immediately when abnormal auto-start items are detected and quickly locate Trojans. |
    | | Container image blocking | If a container contains insecure images specified in suspicious image behaviors, an alarm will be generated and the insecure images will be blocked before a container is started in Docker. |
    | | Brute-force attacks | Check for brute-force attack attempts and successful brute-force attacks. • Detect password cracking attacks on accounts and block attacking IP addresses to prevent server intrusion. • Trigger an alarm if a user logs in to the server by a brute-force attack. |
    | | Abnormal logins | Check and handle remote logins. If a user's login location is not any common login location, an alarm will be triggered. |
    | | Invalid accounts | Scan accounts on servers and list suspicious accounts in a timely manner. |
    | | Vulnerability escapes | The service reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker). |
    | | File escapes | The service reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms. |
    | | Abnormal container processes | Container services are usually simple. If you are sure that only specific processes run in a container, you can add the processes to the whitelist of a policy, and associate the policy with the container. The service reports an alarm if it detects that a process not in the whitelist is running in the container. |
    | | Abnormal container startups | Check for unsafe parameter settings used during container startup. Certain startup parameters specify container permissions. If their settings are inappropriate, they may be exploited by attackers to intrude containers. |
    | | High-risk system calls | Users can run tasks in the kernel through Linux system calls. The service reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot. |
    | | Sensitive file access | Detect suspicious access behaviors (such as privilege escalation and persistence) on important files. |
    | | Web page tampering prevention for Windows servers | Protect the static web page files on your Windows website servers from malicious modification. |
    | | Web page tampering prevention for Linux servers | Protect the static web page files on your Linux website servers from malicious modification. |
    | | Dynamic WTP | Protect the static web page files on your Windows and Linux website servers from malicious modification. |
    | | Application protection | Protect running applications. You simply need to add probes to applications, without having to modify application files. Currently, only Linux servers are supported, and only Java applications can be connected. |
    | | Virus scan | Generates alarms for detected virus-infected files. |

  • Real-Time Alarm Notifications

    When an event occurs, an alarm notification is immediately sent.

    Table 3 Real-time alarm notification

    | Notification Item | Item | Description |
    | --- | --- | --- |
    | Intrusions | Unclassified malware | Check and handle detected malicious programs all in one place, including web shells, Trojans, mining software, worms, and viruses. |
    | | Rootkits | Detect server assets and report alarms for suspicious kernel modules, files, and folders. |
    | | Ransomware | Check for ransomware in media such as web pages, software, emails, and storage media. Ransomware can encrypt and control your data assets, such as documents, emails, databases, source code, images, and compressed files, in order to extort victims. |
    | | Web shells | Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells. • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warnings on trusted files. • You can use the manual detection function to detect web shells on servers. |
    | | Reverse shells | Monitor user process behaviors in real time to detect reverse shells caused by invalid connections. Reverse shells can be detected for protocols including TCP, UDP, and ICMP. |
    | | Redis vulnerability exploits | Detect the modifications made by the Redis process on key directories in real time and report alarms. |
    | | Hadoop vulnerability exploits | Detect the modifications made by the Hadoop process on key directories in real time and report alarms. |
    | | MySQL vulnerability exploits | Detect the modifications made by the MySQL process on key directories in real time and report alarms. |
    | | File privilege escalations | Check the file privilege escalations in your system. |
    | | Process privilege escalations | The following process privilege escalation operations can be detected: • Root privilege escalation by exploiting SUID program vulnerabilities • Root privilege escalation by exploiting kernel vulnerabilities |
    | | Critical file changes | Receive alarms when critical system files are modified. |
    | | File/Directory changes | System files and directories are monitored. When a file or directory is modified, an alarm is generated, indicating that the file or directory may have been tampered with. |
    | | Abnormal process behavior detection | Check the processes on servers, including their IDs, command lines, process paths, and behavior. Send alarms on unauthorized process operations and intrusions. The following abnormal process behavior can be detected: • Abnormal CPU usage • Processes accessing malicious IP addresses • Abnormal increase in concurrent process connections |
    | | Detecting High-Risk Command Execution | Check executed commands in real time and generate alarms if high-risk commands are detected. |
    | | Abnormal shell detection | Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files. |
    | | Suspicious crontab tasks | Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders. You can get notified immediately when abnormal auto-start items are detected and quickly locate Trojans. |
    | | Container image blocking | If a container contains insecure images specified in suspicious image behaviors, an alarm will be generated and the insecure images will be blocked before a container is started in Docker. |
    | | Exception Stat | Check and handle remote logins. If a user's login location is not any common login location you set, an alarm will be triggered. |
    | | Invalid account | Scan accounts on servers and list suspicious accounts in a timely manner. |
    | | Vulnerability escapes | The service reports an alarm if it detects container process behavior that matches the behavior of known vulnerabilities (such as Dirty COW, brute-force attack, runC, and shocker). |
    | | File escapes | The service reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms. |
    | | Abnormal container processes | Container services are usually simple. If you are sure that only specific processes run in a container, you can add the processes to the whitelist of a policy, and associate the policy with the container. The service reports an alarm if it detects that a process not in the whitelist is running in the container. |
    | | Abnormal container startups | Check for unsafe parameter settings used during container startup. Certain startup parameters specify container permissions. If their settings are inappropriate, they may be exploited by attackers to intrude containers. |
    | | High-risk system calls | Users can run tasks in the kernel through Linux system calls. The service reports an alarm if it detects a high-risk call, such as open_by_handle_at, ptrace, setns, and reboot. |
    | | Sensitive file access | Detect suspicious access behaviors (such as privilege escalation and persistence) on important files. |
    | | Web page tampering prevention for Windows servers | Protect the static web page files on your Windows website servers from malicious modification. |
    | | Web page tampering prevention for Linux servers | Protect the static web page files on your Linux website servers from malicious modification. |
    | | Dynamic WTP | Protect the static web page files on your Windows and Linux website servers from malicious modification. |
    | | Application protection | Protect running applications. You simply need to add probes to applications, without having to modify application files. Currently, only Linux servers are supported, and only Java applications can be connected. |
    | | Brute-force attacks | Check for brute-force attack attempts and successful brute-force attacks. • Detect password cracking attacks on accounts and block attacking IP addresses to prevent server intrusion. • Trigger an alarm if a user logs in to the server by a brute-force attack. |
    | | Auto Blocking | Notify users of successful automatic isolation and killing of malicious programs, automatic blocking of ransomware, and automatic blocking of WTP. |
    | Login | Success login | Notifications are sent to accounts that have successfully logged in. |
