This topic describes how to view and handle detected alert events on the Alerts page.

Background information

After Security Center detects alert events, the detailed information about the alert events are displayed on the Alerts page in the Security Center console.

If an alert event is not handled, it is displayed in the Unhandled list on the Alerts page. After you handle an alert event, the status of the alert event changes from Unhandled to Handled.

Note Security Center retains the records of unhandled and handled alert events on the Alerts page. Unhandled alert events may pose significant threats to your assets. Therefore, Security Center displays the records of unhandled alert events on the Alerts page by default.

View alert events

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, you can view or search for all detected intrusions, alert events, and related details.
    List of alert events

    You can perform the following operations:

    • Search for alert events by using the search box and filter conditions. For example, you can search for alert events by using the following filter conditions: Handled or Not, Degree of urgency, Alert type, and Asset group. For more information about alert types, see Alert types.
    • View the alert events that are automatically handled by Security Center. To view the common viruses that are automatically quarantined by Security Center, set the filter condition Handled or Not to Handled and Status to Successful Interception.Automatically handled alert events
    • Move the pointer over the icon on the right side of an alert name to view the attack sources or related exceptions of the alert event.
      The following table describes the icons on the right side of alert names.
      Icon Name Description
      Attack Source Tracing icon Attack Source Tracing The attack source tracing feature processes, aggregates, and visualizes logs from various Alibaba Cloud services by using big data analysis engines. This feature generates a chain diagram of intrusions based on the analysis result. This way, you can identify the cause of intrusions and make contingency plans at the earliest opportunity. You can click the Attack Source Tracing icon icon to go to the Diagnosis page. For more information, see Trace attack sources.
      Investigation icon Investigation The investigation feature provides a platform for intrusion investigation and provides visualized information about attacks. You can view the source IP addresses from which attacks are launched and analyze the cause of intrusions. This feature also helps you locate the attacked assets and reinforce your asset security. You can click the Investigation icon icon to go to the Investigation page.
      Related Exceptions icon Related Exceptions Move the pointer over this icon to view the number of exceptions that are related to the alert event.
      Safeguard Mode For Major Activities The safeguard mode for major activities is a protection mode of the Security Center agent. This mode generates alerts against suspicious intrusions and potential threats. It can be used to safeguard major activities. If this icon is displayed next to an alert name, it indicates that the assets that are affected by the alert event are in safeguard mode for major activities. For more information, see Protection mode.
      Attack Phase icon Attack Phase A virus attack includes the following phases: Attack Portal, Load Delivery, Privilege Escalation, Escape Detection, Permission Maintenance, Lateral Movement, Remote Control, Data Breach, Trace Cleaning, and Damage. You can click the Attack Phase icon to view the attack phase of the attacked assets and security status of your assets.
      Blocked icon Blocked The Blocked icon indicates that Security Center terminated the process of a malicious file. The process no longer threatens your servers. We recommend that you quarantine the file at the earliest opportunity.
    • On the Alerts page, click the name of the alert event that you want to view. In the panel that appears, you can view the details and related exceptions of the alert event. This allows you to analyze the alert event, trace the IP address from which the attack is launched, and find the path of the attack in an efficient and comprehensive manner. For more information about exceptions that are related to an alert event, see View exceptions related to an alert. For more information about how to trace attack sources, see Trace attack sources.

Handle alert events

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, find the alert event that you want to handle and click Processing in the Actions column.
    Note If the alert event is related to multiple exceptions, the panel that shows alert details appears after you click Processing. You can handle the exceptions separately. For more information, see View exceptions related to an alert.
  4. Select a method to handle the alert event.
    Alerts page

    You can use one of the following methods to handle the alert event:

    • Anti-Virus: In the note block, click Click Here to go to the Result page. On the Result page, use the deep cleanup method to handle the virus alerts. The deep cleanup method scans and removes persistent viruses. You can use this method to terminate malicious processes that are related to the viruses and quarantine the corresponding virus files. You can also remove attacker injections. This way, you can remove all the potential threats that are related to the viruses.
      Note You can use the antivirus feature to handle only the alert events that are related to viruses.
    • Anti-Virus: This method only terminates malicious processes and quarantines the source files of the malicious processes.
      If you confirm that the alert is positive, you can use one of the following methods to manually handle the alert:
      • End the process: This method terminates the malicious process.
      • Isolate the source file of the process: This method quarantines the source file of the malicious process by adding the file to Quarantine files. The quarantined file no longer threatens your servers.
        Notice The quarantined file can be restored within 30 days. The restored file is displayed in the alert list and is monitored by Security Center. Security Center automatically removes a file 30 days after it is quarantined.
    • Deep cleanup: This method only removes the source files of malicious processes. In the Deep cleanup section, click Details to view the files to be removed.
    • Isolation: This method only quarantines webshell files. If you use this method, Security Center quarantines webshell files. The quarantined files no longer threaten your servers.
    • Block: This method only blocks requests from malicious IP addresses.
      You can view the details of this method and set the Rule validity period parameter.Block
    • Whitelist: If the alert is a false positive, you can add the alert to the whitelist. You can also create a rule to specify conditions for alerts that can be added to the whitelist. If you select Whitelist and create a rule that all alerts on logon attempts from the IP address 10.XX.XX.198 can be added to the whitelist, the status of the alert changes to Handled. Security Center no longer generates alerts on logon attempts from the IP address 10.XX.XX.198. In the Handled list, find the alert and click Cancel whitelist to remove the alert from the whitelist. Whitelist
      Note

      In the preceding example, 10.XX.XX.198 is a masked IP address. You must specify a specific IP address when you create a rule.

      The Whitelist operation adds only the alert that you are handling and the alerts that meet the specified rule conditions to the whitelist. If you use this method, Security Center ignores the alert that you added to the whitelist and other alerts that meet the specified rule for the whitelist. For more information about the alerts that can be added to whitelists of Security Center, see Alerts that can be added to whitelists.

      A false positive indicates that Security Center has generated an alert on a normal process. Common false positives include suspicious processes that send TCP packets, which notify you that suspicious scan activities on other devices have been detected on your servers.

    • Ignore: This method ignores the alert. If you use this method, the status of the alert changes to Handled. Security Center no longer generates alerts on the event.
    • Batch unhandled: This method handles multiple alert events at a time. Before you handle multiple alert events at a time, familiarize yourself with the details of the alert events.
  5. Click Process Now.
  6. Optional:If one or more alerts can be ignored or are false positives, select Ignore Once or Whitelist on the Alerts page.
    Ignore or add an alert to the whitelist

Threat detection limits

When Security Center detects risks, it sends security alerts to you without delay. You can manage security alerts, scan for vulnerabilities, analyze attacks, and perform configuration assessment in the Security Center console. Security Center can also analyze alerts and automatically trace attacks. This reinforces the security of your assets. To protect your assets against attacks, we recommend that you regularly install the latest security patches on your server, and use other security services along with Security Center, such as Cloud Firewall and Web Application Firewall (WAF).

Note Due to the evolution of attacks and viruses, and the variation of workload environments, security breaches may occur. We recommend that you use the alerting, vulnerability detection, baseline check, and configuration assessment features provided by Security Center to protect your assets against attacks.