Viewing Model Templates
Scenario
SecMaster uses models to scan the logs flowing through pipelines. When data in a pipeline matches the trigger condition of a model, SecMaster generates an alert. Models are created from templates, so to create a model you start from one of the available model templates.
SecMaster provides multiple preconfigured model templates based on common scenarios. In this section you can view the scenario description, model principles, handling suggestions, and usage restrictions for these templates.
Viewing Model Templates
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the management console and select a region or project.
- Click the icon in the upper left corner of the page and choose Security & Compliance > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, open the models page and select the Model Templates tab.
Figure 2 Model Templates tab
- On the Model Templates tab, view available model templates.
Table 1 Template information
Parameter: Model Template Statistics
This area displays how many Available templates and how many Active templates you have.
- Available templates: total number of available templates.
- Active templates: templates that have been used to create models. For details about how to use a template to create a model, see Creating and Editing a Model.
Parameter: Severity
This area shows available templates by severity of alerts associated with the templates. Severity levels include Critical, High, Medium, Low, and Informational.
- Critical: A critical alert indicates that the system is severely attacked, which may cause data loss, system breakdown, or long service interruption. For example, such alerts are generated if ransomware encryption behaviors or malware is detected. You need to handle them immediately to avoid severe system damage.
- High: A high-risk alert indicates that the system may be under an attack that has not caused serious damage. For example, such alerts are generated if unauthorized login attempts are detected or unsafe commands (for deleting critical system files or modifying system settings) are executed. You need to investigate and take measures in a timely manner to prevent attacks from spreading.
- Medium: A medium-risk alert indicates that the system has potential security threats, but there are no obvious signs of being attacked. For example, if abnormal modifications of a file or directory are detected, there may be potential attack paths or configuration errors in the system. You need to further analyze and take proper preventive measures to enhance system security.
- Low: A low-risk alert indicates that a minor security threat exists in the system but does not have significant impact on your system. For example, such alerts are generated if port scans are detected, indicating that there may be attackers trying to find system vulnerabilities. These alerts do not require immediate emergency measures. If you have high requirements for asset security, you should also pay attention to alerts at this level.
- Informational: A potential error exists and may affect services. If you have high requirements for asset security, you should also pay attention to alerts at this level.
Parameter: Template list
- The template list displays the severity, name, and model type of each template, as well as when the template was created and last updated.
- To view details about a model template, locate the row that contains the template and click Details in the Operation column. The template details page is displayed on the right.
On the details page, you can view the description, query rules, triggering conditions, and query plans of the selected model template.