Overview
An alert is a notification that a monitoring system or security device raises when it detects an abnormal signal during O&M, such as a system fault, a security threat, or a performance bottleneck. For example, a server whose CPU usage exceeds 90% may trigger an alert.
An alert generally states the location, type, and impact of the exception. Alerts carry a severity level (in SecMaster: Critical, High, Medium, Low, and Informational; see Alert Severity Levels) so that O&M personnel can decide which alerts to handle first.
The purpose of an alert is to notify the responsible personnel promptly so that they can respond quickly and take measures to fix the problem.
When SecMaster detects an exception in cloud resources (for example, a malicious IP address attacking an asset, or an asset that has been compromised), it generates an alert and displays the threat information on the Alerts page in SecMaster. For details about preset alert types, see Preset Alert Types.
Managing Alerts
On the SecMaster Alerts page, you can:
- Check alert details. You can view alerts generated over the last 360 days together with their details, including the alert name, type, severity, and generation time. You can define filters to find a specific alert quickly by its name, risk severity, occurrence time, and other attributes.
- Convert an alert into an incident, or associate an alert with an incident. During alert analysis, if SecMaster identifies an attack or a serious threat, it converts the alert into an incident or associates it with an existing incident; you can also do this manually.
- Start or stop one-click blocking with an emergency policy. You can quickly contain a given type of attack from malicious IP addresses based on the attack sources identified in an alert.
- Close or delete an alert. Deleted alerts cannot be restored, so exercise caution when deleting.
Differences Between Alerts and Attacks
Security alerts on the Alerts page fall into two categories: alerts and attacks.
- Alerts: Generated by the threat detection models in SecMaster, or customized or imported by users.
- Attacks: Alarms reported by the other security services configured at each of the seven defense layers in SecMaster. For details about the seven defense layers, see Overview.
Their differences are as follows:

Name | Data Source | Supported Operation
---|---|---
Alerts | Generated by SecMaster threat detection models, or customized or imported by users. | One-click blocking and unblocking, closing, deleting, converting into or associating with incidents, adding, editing, importing, and exporting. See Alert Handling Methods.
Attacks | Reported by the security products configured at the seven defense layers. For details, see Overview. | Closing and ignoring. See Attack Handling Methods.
Alert Severity Levels
Severity | Description
---|---
Critical | A critical alert indicates that the system is under severe attack, which may cause data loss, system breakdown, or long service interruption. For example, such alerts are generated when ransomware encryption behavior or malware is detected. Handle them immediately to avoid severe system damage.
High | A high-risk alert indicates that the system may be under an attack that has not yet caused serious damage. For example, such alerts are generated when unauthorized login attempts are detected or unsafe commands (deleting critical system files, modifying system settings) are executed. Investigate and take measures promptly to prevent the attack from spreading.
Medium | A medium-risk alert indicates that the system has potential security threats but shows no obvious signs of being attacked. For example, abnormal modifications of a file or directory may point to a potential attack path or a configuration error. Analyze further and take preventive measures to harden the system.
Low | A low-risk alert indicates a minor security threat that has no significant impact on the system. For example, such alerts are generated when port scans are detected, which may mean an attacker is probing for vulnerabilities. These alerts do not require emergency measures, but if you have high requirements for asset security, you should still review them.
Informational | The resource has potential errors that might affect services. If you have high requirements for asset security, you should also pay attention to alerts at this level.
Alert Handling Methods
You can handle alerts based on the actual situation: block and unblock attack sources, close and delete alerts, convert alerts into incidents or associate them with incidents, and add, edit, import, and export alerts.

Handling Method | Application Scenario
---|---
One-click blocking or unblocking | One-click blocking: configure a one-click blocking policy to block access from malicious IP addresses or unauthorized IAM users. One-click unblocking: unblock, with a single click, IP addresses or IAM users that were blocked by a one-click blocking policy. Unblocking applies only to alerts for which one-click blocking was successfully executed.
Closing an alert | If an alert has been handled and the underlying issue has been resolved, you can close the alert.
Deleting an alert | Only alerts that you defined or imported can be deleted. Deleted alerts cannot be restored, so exercise caution.
Converting an alert into an incident or associating an alert with an incident | SecMaster analyzes the alerts it aggregates from other services. If the analysis identifies an attack or a serious threat, SecMaster converts the alert into an incident or associates it with an existing incident.
Adding an alert | SecMaster can manage both cloud and off-cloud assets. For details about asset management, see Overview. Alerts for cloud assets can be synchronized to SecMaster automatically; for details, see Enabling Log Access. Alerts for off-cloud assets must be connected to SecMaster manually; for details, see Adding an Alert or Importing Alerts.
Editing an alert | If the alert status or basic information changes, you can edit the alert parameters.
Importing and exporting alerts | Importing: add or import alerts for off-cloud assets into SecMaster. Exporting: export the alert list to a local PC to review it or share it with your team.
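The severity table above and the handling methods in this table describe a workflow rather than an API, so the following is an added example (not SecMaster code) that models it over constructed sample alerts: severity-ordered triage with assumed response deadlines, selection of one-click block candidates that skips internal and allowlisted sources, unblocking restricted to alerts where blocking actually executed, and the close/ignore distinction. The field names, the deadlines, and the allowlist subnet are assumptions for illustration.

```python
"""Severity-ranked alert triage with one-click block candidate selection.

Added example, not SecMaster code: it models the handling workflow the page
describes (severity-ordered triage, one-click blocking of attack sources,
unblocking only where blocking was executed, close vs. ignore) over
constructed sample alerts. Field names, deadlines and the allowlist are
assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Lower rank = handle first; the five levels are the page's severity table.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}

# Assumed response deadlines per level (a team policy, not a SecMaster setting).
RESPONSE_DEADLINE = {
    "Critical": timedelta(minutes=30),
    "High": timedelta(hours=4),
    "Medium": timedelta(days=1),
    "Low": timedelta(days=7),
    "Informational": None,
}

# Ranges a block policy must never touch. Listed explicitly rather than via
# ipaddress.is_global because the RFC 5737 documentation addresses used as
# sample attacker IPs below are classed as non-global by Python.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                      "127.0.0.0/8", "169.254.0.0/16")]
# Assumed allowlist: the team's own vulnerability scanner subnet.
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

@dataclass
class Alert:
    alert_id: str
    name: str
    severity: str
    occurred_at: datetime
    source_ip: Optional[str] = None
    status: str = "Open"            # Open | Closed | Ignored
    block_executed: bool = False    # True only after one-click blocking succeeded

# Constructed sample alerts (not real detections).
SAMPLE_ALERTS = [
    Alert("a-1", "Ransomware encryption behavior", "Critical", datetime(2024, 5, 1, 10, 0), "203.0.113.7"),
    Alert("a-2", "Port scan", "Low", datetime(2024, 5, 1, 9, 0), "203.0.113.9"),
    Alert("a-3", "Unauthorized login attempt", "High", datetime(2024, 5, 1, 9, 30), "10.0.0.5"),
    Alert("a-4", "Unauthorized login attempt", "High", datetime(2024, 5, 1, 8, 0), "203.0.113.7"),
    Alert("a-5", "Abnormal file modification", "Medium", datetime(2024, 5, 1, 11, 0)),
    Alert("a-6", "Brute-force login", "High", datetime(2024, 5, 1, 9, 45), "198.51.100.23"),
]

def triage_order(alerts):
    """IDs of open alerts sorted by severity, then oldest first within a level."""
    return [a.alert_id for a in sorted(
        (a for a in alerts if a.status == "Open"),
        key=lambda a: (SEVERITY_RANK[a.severity], a.occurred_at))]

def block_candidates(alerts, min_severity="High"):
    """Map source IP -> alert IDs eligible for one-click blocking.

    Only open alerts at or above min_severity qualify, and internal or
    allowlisted sources are skipped so a blanket block cannot cut off
    internal hosts or the team's own scanners.
    """
    cutoff = SEVERITY_RANK[min_severity]
    chosen = {}
    for a in alerts:
        if a.status != "Open" or a.source_ip is None or SEVERITY_RANK[a.severity] > cutoff:
            continue
        ip = ipaddress.ip_address(a.source_ip)
        if any(ip in net for net in INTERNAL_NETWORKS + ALLOWLIST):
            continue
        chosen.setdefault(str(ip), []).append(a.alert_id)
    return chosen

def record_block_result(alerts, executed_ips):
    """Mark alerts whose source was actually blocked by the one-click policy."""
    for a in alerts:
        if a.source_ip in executed_ips:
            a.block_executed = True

def unblockable_ips(alerts):
    """One-click unblocking applies only where blocking was executed."""
    return sorted({a.source_ip for a in alerts if a.block_executed})

def close_alert(alert):
    """Close once the alert has been handled and the underlying issue fixed."""
    alert.status = "Closed"

def ignore_alert(alert):
    """Ignore when the risk is controllable; a re-trigger still creates a new alert."""
    alert.status = "Ignored"

def overdue(alerts, now):
    """Open alerts whose assumed response deadline has passed."""
    return [a.alert_id for a in alerts
            if a.status == "Open"
            and RESPONSE_DEADLINE[a.severity] is not None
            and now - a.occurred_at > RESPONSE_DEADLINE[a.severity]]

if __name__ == "__main__":
    print("triage:", triage_order(SAMPLE_ALERTS))
    print("block candidates:", block_candidates(SAMPLE_ALERTS))
    print("overdue:", overdue(SAMPLE_ALERTS, datetime(2024, 5, 1, 12, 0)))
```

The internal and allowlist checks are the part worth keeping: an emergency block policy built straight from attack-source fields will otherwise happily block your own scanners, monitoring hosts, or a NAT address that many users sit behind.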
Attack Handling Methods
For attacks reported by the security products at the seven defense layers, you can close or ignore the alert in SecMaster. For details, see Handling Attacks.
- Closing an alert: If an alert has been handled manually, you can close it.
- Ignoring an alert: If the risk of an alert is controllable, you can ignore it. Ignoring does not suppress the detection: the next time this type of alert is triggered, a new alert is generated.
Limitations and Constraints
- Deleting an alert: Only alerts defined or imported by you can be deleted.
- Importing an alert: Only .xlsx files can be imported. Each file must be no larger than 5 MB and contain at most 100 records.
- Exporting an alert: A maximum of 9,999 alerts can be exported.
- One-click blocking or unblocking: For details, see Limitations and Constraints.
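An added example (not SecMaster code) of checking an alert spreadsheet against the import limits above before an upload is attempted. It rejects the wrong extension, files over 5 MB, files with more than 100 records, and files that are not actually .xlsx containers (a zip holding xl/workbook.xml), and it validates each record's severity. The required column names, the valid severity values, and reading "5 MB" as 5 * 1024 * 1024 bytes are assumptions; the constructed sample files are minimal inline-string workbooks written by the example itself, not Excel exports.

```python
"""Pre-import checks for an alert spreadsheet.

Added example, not SecMaster code. It enforces the import limits the page
states (.xlsx only, at most 5 MB, at most 100 records) and checks that the
file really is an .xlsx container instead of trusting the extension. The
column names, severity values and 5 MB = 5 * 1024 * 1024 are assumptions.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MAX_BYTES = 5 * 1024 * 1024
MAX_RECORDS = 100
NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
REQUIRED_COLUMNS = ("alert_name", "severity")   # assumed template columns
VALID_SEVERITIES = {"Critical", "High", "Medium", "Low", "Informational"}

def _cell_text(cell, shared):
    """Value of one <c> cell: inline string, shared-string index, or raw <v>."""
    t = cell.find(f"{NS}is/{NS}t")
    if t is not None:
        return t.text or ""
    v = cell.find(f"{NS}v")
    if v is None:
        return ""
    if cell.get("t") == "s":          # shared string, the form Excel normally writes
        return shared[int(v.text)]
    return v.text or ""

def read_sheet(zf):
    """(header, data_rows) of sheet1 as lists of strings."""
    shared = []
    if "xl/sharedStrings.xml" in zf.namelist():
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
        shared = ["".join(t.text or "" for t in si.iter(f"{NS}t")) for si in root.iter(f"{NS}si")]
    sheet = ET.fromstring(zf.read("xl/worksheets/sheet1.xml"))
    table = [[_cell_text(c, shared) for c in row.iter(f"{NS}c")] for row in sheet.iter(f"{NS}row")]
    return (table[0], table[1:]) if table else ([], [])

def preflight(path):
    """Return the list of problems; an empty list means the file may be imported."""
    problems = []
    if not path.lower().endswith(".xlsx"):
        problems.append("extension must be .xlsx")
    size = os.path.getsize(path)
    if size > MAX_BYTES:
        problems.append(f"{size} bytes exceeds the {MAX_BYTES}-byte limit")
    if not zipfile.is_zipfile(path):                 # extension alone proves nothing
        return problems + ["not an .xlsx container (not a zip archive)"]
    with zipfile.ZipFile(path) as zf:
        names = zf.namelist()
        if "xl/workbook.xml" not in names or "xl/worksheets/sheet1.xml" not in names:
            return problems + ["archive lacks xl/workbook.xml or xl/worksheets/sheet1.xml"]
        header, rows = read_sheet(zf)
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        return problems + [f"missing required columns: {missing}"]
    if len(rows) > MAX_RECORDS:
        problems.append(f"{len(rows)} records exceeds the {MAX_RECORDS}-record limit")
    name_col, sev_col = header.index("alert_name"), header.index("severity")
    for i, row in enumerate(rows, start=2):          # row 1 is the header
        if len(row) <= max(name_col, sev_col) or not row[name_col]:
            problems.append(f"row {i}: missing alert_name")
        elif row[sev_col] not in VALID_SEVERITIES:
            problems.append(f"row {i}: unknown severity {row[sev_col]!r}")
    return problems

def write_sample_xlsx(path, header, rows):
    """Write a minimal inline-string workbook (constructed data, not an Excel export)."""
    def xrow(n, values):
        cells = "".join(f'<c t="inlineStr"><is><t>{escape(v)}</t></is></c>' for v in values)
        return f'<row r="{n}">{cells}</row>'
    sheet = (f'<worksheet xmlns="{NS[1:-1]}"><sheetData>' + xrow(1, header)
             + "".join(xrow(i + 2, r) for i, r in enumerate(rows)) + "</sheetData></worksheet>")
    workbook = f'<workbook xmlns="{NS[1:-1]}"><sheets><sheet name="alerts" sheetId="1"/></sheets></workbook>'
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)

def demo():
    """Run preflight over constructed files; returns {case: problems}."""
    d, results = tempfile.mkdtemp(), {}
    good = os.path.join(d, "alerts.xlsx")
    write_sample_xlsx(good, ["alert_name", "severity", "source_ip"],
                      [["Port scan", "Low", "203.0.113.7"], ["Ransomware behavior", "Critical", ""]])
    results["good"] = preflight(good)
    csv = os.path.join(d, "alerts.csv")              # wrong format entirely
    with open(csv, "w") as f:
        f.write("alert_name,severity\nPort scan,Low\n")
    results["csv"] = preflight(csv)
    many = os.path.join(d, "many.xlsx")              # one record over the limit
    write_sample_xlsx(many, ["alert_name", "severity"], [[f"alert {i}", "Low"] for i in range(101)])
    results["too_many"] = preflight(many)
    badsev = os.path.join(d, "badsev.xlsx")
    write_sample_xlsx(badsev, ["alert_name", "severity"], [["x", "Urgent"], ["", "High"]])
    results["bad_rows"] = preflight(badsev)
    return results

if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, problems or "OK")
```

Splitting a larger export into files of at most 100 records is the natural follow-on; the record count reported by `preflight` tells you how many files you need. Note that the reader handles both inline and shared strings but only the first worksheet, which matches a single-sheet import template.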