This topic describes how to view and handle detected alert events on the Alerts page.

Background information

After Security Center has detected alert events, relevant information is displayed on the Alerts page in the Security Center console.

If the alert events are not handled, they are displayed in the Unhandled Alerts list on the Alerts page. After the alert events have been handled, the status changes from Unhandled Alerts to Handled.

Note Security Center retains the records of Handled and Unhandled Alerts on the Alerts page. By default, the records of Unhandled Alerts are displayed.
The list of unhandled alerts

View alert events

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. In the Alerts list, you can view or search for detected intrusions, alert events, and relevant details.
    The alert list
    • You can use the search bar and tags to search for target events. For example, you can specify alert or asset names, severity levels, event statuses, or alert types to search for relevant alert events. For more information about alert types, see Alert types.
    • On the Alerts page, click the name of the target alert event and the details page appears. On the details page, you can view the details of the target alert event and automatic alert correlation. This helps you quickly and comprehensively analyze the alert events, trace the attack sources, and analyze the paths of the attack activities. For more information about automatic alert correlation, see Automatic alert correlation analysis. For more information about tracing attack sources, see Trace attack sources.

Handle alert events

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, find the target alert event and click Processing in the Actions column to handle the alert event as needed.
    Note If the alert event contains multiple related exceptions, click Processing and the details page appears. You can handle different exception events respectively. For more information, see Automatic alert correlation analysis.
    The Alerts page
    • Anti-virus: You can quarantine only Webshell files and terminate or block only Malicious Process. After you have confirmed the threat, click Anti-virus to quarantine the webshell files. Quarantined files no longer threaten your assets. For more information about quarantined files, see Quarantine.
      Notice Files quarantined within 30 days can be restored. Restored files are displayed in the alert list and monitored by Security Center. Security Center automatically removes files that have been quarantined for more than 30 days.
    • Deep cleanup: You can perform the deep virus removal action only on Malicious Process files. You can click Details in the Deep cleanup section to view the list of the files to be removed.
    • Block: You can block only Malicious Process.
      You can view the details of the block action and set the Rule validity period.Block
    • Whitelist: If the alert is a false positive, you can add the alert event to the whitelist. After you have added the alert event to the whitelist, the status of the alert changes to Handled. This event no longer triggers alerts when Security Center detects it. In the Handled alert list, you can click Cancel whitelist to remove the target alert event from the whitelist.
      Note

      When you add an alert event to the whitelist, only the malicious source of the event is added to the whitelist. In the preceding figure, after you add the alert event to the whitelist, the source IP address is added to the whitelist. When other servers access this IP address, Security Center no longer generate alerts.

      A false positive represents that Security Center has generated a false alert on a normal process. Common false positives include suspicious processes that send Transmission Control Protocol (TCP) packets, which notify you that suspicious scan activities on other devices have been detected on your servers.

    • Ignore: If you ignore this alert, the status of this alert changes to Handled. This alert event no longer triggers alerts when Security Center detects it.
    • Batch unhandled: You can handle multiple alert events simultaneously. Before you handle multiple alert events simultaneously, we recommend that you learn about the details of the alert events.
  4. Optional:If you have confirmed that one or more alert events are false positives or need to be ignored, go to the Alerts page, select the target alert events, and then click Ignore or Whitelist.
    Ignore or add an alert to the whitelist

Threat detection limits

When Security Center detects risks, it sends security alerts to you without delay. You can process security alerts, scan for vulnerabilities, analyze attacks, and check security settings in the Security Center console. Security Center can analyze alerts and automatically trace attacks. This helps you protect your assets. Security Center supports a wide array of protection features. We recommend that you also install the latest system patches on your server, and use multiple security services, such as Cloud Firewall and Web Application Firewall (WAF), to better protect your assets against attacks.

Note Due to the rapid adaption of attacks, viruses, and the variation of the workload environments, security breaches may occur. We recommend that you use the alerting, vulnerability detection, baseline check, and configuration assessment features provided by Security Center to better protect your assets against attacks.