After security protection is enabled, the system scans for security alert events in your cloud desktops, including suspicious processes, webshells, suspicious logons, and malicious processes. This topic describes how to handle security alerts.

Background information

Security alert events are threats that the system detects in cloud desktops. The threats may be attacks from malicious IP addresses or intrusions into the cloud desktops, such as the execution of malicious scripts in the cloud desktops or access to malicious download sources.

Statistics on detected security alerts are collected by emergency level and handling status. You can filter security alerts by emergency level and handle the most urgent ones first. Security alerts have the following emergency levels:
  • Emergency: high-risk alerts. A high-risk alert indicates that an intrusion event, such as a reverse shell, was detected in your cloud desktop. We recommend that you review the alert details and handle the alerts in a timely manner.
  • Suspicious: medium-risk alerts. A medium-risk alert indicates that an exception, such as a suspicious command sequence, was detected in your cloud desktop. We recommend that you review the alert details, check whether your cloud desktop is at risk, and handle the alerts.
  • Reminder: low-risk alerts. A low-risk alert indicates that a low-risk exception, such as suspicious port listening, was detected in your cloud desktop. We recommend that you review the alert details in a timely manner.

Procedure

  1. Log on to the EDS console.
  2. In the top navigation bar, select a region.
  3. In the left-side navigation pane, choose Security Center > Alerts.
  4. On the Alerts page, filter alerts by selecting required options from the Emergency level, Has it been processed, and Workspace drop-down lists.
  5. Find the alert that you want to handle and click Process in the Actions column.
    You can also click Details in the Actions column to view more information about the alert.
  6. In the dialog box that appears, select a processing method and select whether to batch handle alerts. Then, click Immediate processing.
    The following table describes the processing methods.

    | Processing method | Description |
    | --- | --- |
    | Add whitelist | Click Add whitelist to add the alert to the whitelist. After the alert is added to the whitelist, the system no longer generates the alert when the alert event reoccurs. Notice: After an alert is added to the whitelist, the alert is automatically moved to the list of handled alerts and not generated when the alert event reoccurs. Proceed with caution. |
    | Ignore | Click Ignore to ignore the alert. After you ignore the alert, the status of the alert changes to Ignored. If the alert event reoccurs, the system still generates the alert. |
    | Handled manually | If you have manually handled the alert, select Handled manually. After you select Handled manually, the status of the alert changes to Handled. |

    Note: If you want to handle multiple alerts at a time, select multiple alerts in the alert list and click Ignore this time or Add whitelist in the lower part of the page.