Abnormal Behavior
Overview
Abnormal behavior refers to events that should not occur on hosts. For example, a user logs in to the system during an unauthorized time period, file directories are changed unexpectedly, or a process encounters an error. Many of these events are caused by malware, so stay alert to abnormal behavior. Abnormal behavior data in SA mainly comes from the linked services Host Security Service (HSS) and Web Application Firewall (WAF).
SA can detect 21 types of abnormal behavior threats. The professional edition can detect all of them. Note that you need to buy Web Application Firewall (WAF) to detect 7 of these types and Host Security Service (HSS) to detect 11 of them. The basic edition does not support abnormal behavior detection.
Suggestion
If an abnormal behavior threat is detected, handle the threat by following the instructions in Table 1.
Threat Alarm | Severity | Threat Description | Suggestion |
---|---|---|---|
File directory change monitoring event | Informational | Malicious modifications to key files of ECS instances. | Log in to the HSS console and handle the event. |
System login audit event | Informational | Abnormal logins to ECS instances. | Log in to the HSS console and handle the event. |
Abnormal process behavior | Low | Process exceptions on ECS instances, which may be caused by a malicious program. | Log in to the HSS console and handle the event. |