Threat Alarms Overview
Overview
SA can aggregate alarms reported by other security products. All those alarms are centrally displayed in the Threat Alarms module. In this module, you can learn of threats and security events discovered in your cloud resources in a timely manner.
Beyond that, this module sorts threats by attack source and attacked asset so that you can quickly learn of vulnerable assets and learn the security posture of your assets in real time.
The threat alarms module includes the following functions:
- Alarms
SA monitors threat events on the cloud in real time, provides alarm notifications using linked services HSS and WAF, and displays details about alarms for the last 180 days.
- Threat Analysis
Allows you to query threats or attacks by Attack source or Attacked asset.
Alarm Types
Currently, SA includes eight categories of check items, including more than 200 event types.
DDoS Alarm Events
SA can protect all your hosts from DDoS attacks no matter where your hosts are deployed.
More than 100 types of DDoS threats can be detected.
Brute-force Attack Alarms
SA detects intrusion behaviors and internal risks to your host assets in real time. It checks whether accounts, such as SSH, RDP, FTP, SQL Server and MySQL accounts, are experiencing password cracking attacks, and detects whether asset accounts have been cracked for abnormal logins.
Currently, 22 types of brute-force attacks can be detected.
- Brute-force attacks that can be detected by SA
SSH brute force attacks (2 types), RDP brute force attacks, Microsoft SQL brute force attacks, MySQL brute force attacks, FTP brute force attacks, SMB brute force attacks (3 types), HTTP brute force attacks (4 types), and Telnet brute force attacks.
- Alarms from the linked HSS service
SSH, RDP, FTP, MySQL, IRC, and Webmin brute force attacks, brute force attacks on other ports, and brute force attacks on OSs
Web Attack Alarms
SA detects web threats such as malicious web scanners, malicious IP addresses, and web Trojans in real time.
Currently, 38 types of web threats can be detected.
- Web attacks that can be detected by SA
Web shell attacks (3 types), cross-site scripting (XSS) attacks, code injection attacks (7 types), SQL injection attacks (9 types), and command injection attacks.
- Alarms from the linked HSS service
Web shells, Linux web page tampering, and Windows web page tampering.
- Alarms from the linked WAF service
Cross-site scripting (XSS) attacks, command injection attacks, SQL injection attacks, directory traversal attacks, local file inclusion, remote file inclusion, remote code execution, Trojans, website information leakage, exploits, IP reputation database, malicious crawlers, web page anti-tampering, and web page anti-crawler.
Trojan Attack Alarms
SA detects Trojans and malicious requests to compromised hosts in real time.
Currently, 5 types of Trojans can be detected.
Zombie Alarms
SA detects threats initiated by zombie hosts in real time. The following 7 types of zombie attacks can be detected:
- SSH brute-force attacks
- RDP brute-force attacks
- Web brute-force attacks
- MySQL brute-force attacks
- SQL Server brute-force attacks
- DDoS attacks
- Mining software
Abnormal Behavior Alarms
SA detects abnormal changes and operations of the operating systems (OSs) on assets in real time. The following 21 types of abnormal behavior can be scanned for:
- Abnormal behavior that can be scanned for by SA
Unauthorized scanning over the file system, CMS V1.0 vulnerabilities, and unauthorized sensitive file access.
- Alarms reported by HSS
Abnormal logins, critical file changes, network interface cards (NIC) in promiscuous mode, unsafe accounts, reverse shells, abnormal shells, high-risk command execution, abnormal automatic startups, file privilege escalation, process privilege escalation, and Rootkits
Exploit Alarms
In real time, SA scans the potentially compromised assets that may be used to initiate attacks. The following 2 types of vulnerabilities can be detected:
- Web-CMS vulnerability attacks
C&C Alarms
SA detects command and control (C&C) servers in real time. A C&C server may remotely control the hosts to access or establish links with malware.
The following 3 types of C&C threats can be detected:
- Access to Domain Generation Algorithm (DGA) domain names
- Access to malicious C&C domain names
- Malicious communication channels between C&C servers and host assets
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot