Help Center/ SecMaster/ User Guide/ Threat Operations/ Alert Management/ One-click Blocking or Unblocking
Updated on 2024-11-21 GMT+08:00

One-click Blocking or Unblocking

Scenario

An emergency policy is used to quickly prevent attacks. You can select a block type based on the alert source to block attackers. Table 1 lists recommended settings. You can also block a single attack source based on the comprehensive investigation of multiple alerts.

Table 1 Recommended blocking policies

Alert Type

Defense Layer

Recommended Policy

HSS alerts

Server protection

VPC policies are recommended to block traffic.

WAF alerts

Application protection

WAF policies are recommended to block traffic.

CFW alerts

Network protection

CFW policies are recommended to block traffic.

IAM alerts

Identity authentication

IAM policies are recommended to block traffic.

OBS and DBSS alerts

Data protection

You can use VPC or CFW policies based on actual attack scenarios and investigation results to disconnect attack sources from protected resources.

This topic describes how to block or unblock attack sources quickly.

One-click Blocking

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  5. In the navigation pane on the left, choose Threat Operations > Alerts.

    Figure 2 Alerts

  6. In the alert list, locate the row that contains the target alert and choose Operation > One-Click Block in the Operation column. The One-Click Block panel is displayed on the right.

    You can also go to the details page of the target alert and click One-Click Block in the upper right corner of the page.

  7. On the displayed page, configure the blocking policy.

    Table 2 One-click blocking

    Parameter

    Description

    Block Object

    • If you select IP for Blocked Object Type, enter one or more IP addresses or IP address ranges you want to block. If there are multiple IP addresses or IP address ranges, separate them with commas (,).
    • If you select IAM for Blocked Object Type, enter IAM user names.
    • There are some restrictions on delivery of blocked objects:
      • When a policy needs to be delivered to CFW, each time a maximum of 50 IP addresses can be added as blocked objects for each account.
      • When a policy needs to be delivered to WAF, each time a maximum of 50 IP addresses can be added as blocked objects for each account.
      • When a policy needs to be delivered to VPC, each time a maximum of 20 IP addresses can be added as blocked objects within 1 minute for each account.
      • When a policy needs to be delivered to IAM, each time a maximum of 50 IAM users can be added as blocked objects for each account.

    Label

    Label of the custom emergency policy.

    Operation Connection

    Select the operation connections for the policy.

    Block Aging

    Check whether the policy needs to be stopped.

    • If you select Yes, set the aging time of the policy. For example, if you set the aging time to 180 days, the policy is valid within 180 days after the setting. After 180 days, the IP address or IP address range will not be blocked.
    • If you select No, the policy is always valid and blocks the specified IP address or IP address range.

    Policy Description

    Description of the custom policy.

  8. Click OK. In the dialog box displayed, confirm the information and click OK.

One-click Unblocking

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 3 Workspace management page

  5. In the navigation pane on the left, choose Threat Operations > Alerts.

    Figure 4 Alerts

  6. In the alert list, locate the row that contains the target alert, click Operation > One-Click Unblock in the Operation column.

    You can also go to the details page of the target alert and click One-Click Unblock in the upper right corner of the page.

  7. In the displayed dialog box, enter the reason and click OK.