Viewing Alerts

Scenario

An alert is a notification of abnormal signals in O&M. It is usually automatically generated by a monitoring system or security device when detecting an exception in the system or networks. For example, when the CPU usage of the server exceeds 90%, the system may generate an alert. These exceptions may include system faults, security threats, or performance bottlenecks.

Generally, an alert can clearly indicate the location, type, and impact of an exception. In addition, alerts can be classified by severity, such as critical, major, and minor, so that O&M personnel can determine which alerts need to be handled first based on their severity.

The purpose of an alert is to notify related personnel in a timely manner so that they can make a quick response and take measures to fix the problem.

When SecMaster detects an exception (for example, a malicious IP address attacks an asset or an asset has been hacked into) in cloud resources, it generates an alert and displays the threat information on the Alerts page in SecMaster.

On the Alerts page in SecMaster, you can check the alert list for the last 360 days. The list contains alert names, types, severity levels, and occurrence time. By customizing filtering conditions, such as the alert name, risk severity, and time, you can quickly query information about the specific alerts.

This section describes how to view alert information.

Prerequisites

To check alerts from other cloud services, you need to enable the function of automatically converting logs to alerts on the Data Integration page. If this function is disabled, logs that meet certain alert rules will not be converted to alerts or displayed on the Alerts page. For details, see Enabling Log Access.

Procedure

1. Log in to the management console.
2. Click in the upper part of the page and choose Security > SecMaster.
3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
4. In the navigation pane on the left, choose Threat Operations > Alerts.
5. View alert information.

   Table 1 Viewing Alerts

   Parameter	Description
   Time ranges (Today, This week, This month, or Customize)	In the upper right corner on the page, you can select a time range to view alerts generated during this period. By default, alerts generated in the current week are displayed.
   Unhandled Alerts	This area displays how many alerts that are not handled within the specified time range in the current workspace. The unhandled alerts are displayed by severity.
   Alerts Handled Automatically (Auto)	This area displays how many alerts that are handled automatically by playbooks within the specified time range in the current workspace.
   Alerts Handled Manually (Manual)	This area displays how many alerts that are handled manually within the specified time range in the current workspace.
   Alerts	This area displays how many alerts that are reported within the specified time range in the current workspace.
   Alarm list	The list displays more details about each alert. You can view the total number of alerts below the alert list. You can view a maximum of 10,000 alert records page by page. To view more than 10,000 records, optimize the filter criteria. In the alert list, you can view the alert type, summary, severity, source, and handling status. To view details about an alert, click its name. On the alert details page displayed: You can comment on, block, unblock, close, and delete the alert, convert the alert to an incident, and refresh the alert status. You can view the security overview, context, relationship, and comments about the alert. Security Overview: On this tab, you can view the summary, handling suggestions, basic information, and request details of the alert. Context: On this tab, you can view the key and full context information of the alert in JSON format or in a table. Relationship: On this tab, you can view associated information, such as associated alerts, incidents, indicator, and affected assets, about the alert. Comment: On this tab, you can view historical comments on the alert and make your comments.