Security Center allows you to configure alert settings. You can configure logon settings, including approved logon locations, approved logon IP addresses, approved logon time ranges, and approved logon accounts. You can also configure defense rules against brute-force attacks, specify custom web directories to scan, and manage whitelist rules. This way, you can create fine-grained protection rules and manage the rules in a centralized manner. The rules are used to detect threats to your assets and monitor the security status of your assets in real time.

Limits

Security Center Anti-virus, Advanced, and Enterprise editions support advanced logon settings and alerting. For example, you can set common logon IP addresses, common logon time, and common logon accounts. This enables fine-grained logon detection.

Configure logon settings

You can configure approved logon locations, approved logon IP addresses, approved logon time ranges, and approved logon accounts in the Settings panel of the Alerts page. After you complete the configuration, Security Center generates alerts for unauthorized logon requests.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click Settings in the upper-right corner.
  4. In the Settings panel, configure approved logon locations, approved logon IP addresses, approved logon time ranges, and approved logon accounts.
    The procedures for configuring the logon settings are similar. This example describes how to specify approved logon locations.
    • Manage approved logon locations
      1. Click the Usual logon location tab.
      2. On the right of the Usual logon location section, click Management.
      3. In the Usual logon location panel, select an approved logon location that you want to specify and select the servers that allow logons from the specified location.
        Note: Global regions are available. You can select a region based on your business requirements.
      4. Click OK. The approved logon location is specified.
      Security Center allows you to change the servers that allow logons from the specified logon location and delete the specified logon location.
      • To change the servers that allow logons from the specified logon location, find the location and click Edit on the right.
      • To delete the specified logon location, find the location and click Delete on the right.
    • Manage approved logon IP addresses

      To specify approved logon IP addresses, refer to the procedure of specifying approved logon locations. After you specify approved logon IP addresses, turn on or turn off Unusual logon IP alert(s) on the right of the Approved logon IP section. If you turn on Unusual logon IP alert(s) and your servers receive logon requests from unapproved IP addresses, alerts are triggered. You can view alerts on the Alerts page.

    • Manage approved logon time ranges

      To specify approved logon time ranges, refer to the procedure of specifying approved logon locations. After you specify approved logon time ranges, turn on or turn off Unusual logon time alert(s) on the right of the Common logon time section. If you turn on Unusual logon time alert(s) and your servers receive logon requests during unapproved time ranges, alerts are triggered. You can view alerts on the Alerts page.

    • Manage approved logon accounts

      To specify approved logon accounts, refer to the procedure of specifying approved logon locations. After you specify approved logon accounts, turn on or turn off Unusual Account logon alert(s) on the right of the Approved logon accounts section. If you turn on Unusual Account logon alert(s) and your servers receive logon requests from unapproved accounts, alerts are triggered. You can view alerts on the Alerts page.
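The following added example (not Security Center code) replays past logon records against a proposed set of approved IP addresses, time ranges, and accounts, so you can estimate which of the three alert types would be raised before you turn the alerts on. The record layout, CIDR notation for approved IP addresses, and the policy dictionary are assumptions made for this sketch; approved logon locations are left out because they require a geolocation database.

```python
from datetime import time
from ipaddress import ip_address, ip_network

def in_time_range(t, start, end):
    """True if t is in [start, end); a range with start > end wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def audit_logon(event, policy):
    """Return the alert types a logon would raise under a proposed policy.

    event:  dict with 'server', 'ip', 'time' (datetime.time), 'account'
    policy: server -> {'ips': [CIDR], 'times': [(start, end)], 'accounts': set}
    Assumption: an empty or missing entry means that check is not configured.
    """
    rules = policy.get(event["server"], {})
    alerts = []
    nets = [ip_network(c) for c in rules.get("ips", [])]
    if nets and not any(ip_address(event["ip"]) in n for n in nets):
        alerts.append("unusual logon IP")
    ranges = rules.get("times", [])
    if ranges and not any(in_time_range(event["time"], s, e) for s, e in ranges):
        alerts.append("unusual logon time")
    accounts = rules.get("accounts", set())
    if accounts and event["account"] not in accounts:
        alerts.append("unusual account logon")
    return alerts

# Constructed sample data (documentation address ranges, hypothetical names).
POLICY = {"web-01": {"ips": ["192.0.2.0/24"],
                     "times": [(time(22, 0), time(6, 0))],  # wraps past midnight
                     "accounts": {"deploy"}}}
LOGONS = [
    {"server": "web-01", "ip": "192.0.2.15", "time": time(23, 30), "account": "deploy"},
    {"server": "web-01", "ip": "203.0.113.9", "time": time(12, 0), "account": "root"},
    {"server": "web-01", "ip": "192.0.2.15", "time": time(6, 0), "account": "deploy"},
]

if __name__ == "__main__":
    for ev in LOGONS:
        print(ev["ip"], ev["time"], ev["account"], "->", audit_logon(ev, POLICY) or "ok")
```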

Configure defense rules against brute-force attacks

Security Center allows you to configure defense rules to protect your servers against brute-force attacks.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click Settings in the upper-right corner.
  4. In the Settings panel, click the brute-force attacks protection tab.
  5. Obtain the permissions that are required to configure a defense rule against brute-force attacks.
    1. On the right of the Anti-brute Force Cracking section, move the pointer over the dimmed Management button. In the message that appears, click Authorize Now.
    2. Click Confirm Authorization Policy.
  6. On the right of the Anti-brute Force Cracking section, click Management.
  7. In the brute-force attacks protection panel, configure the parameters.
    Security Center provides a default defense rule. If the number of logon failures reaches 80 for the same server within 10 minutes from an IP address, the default defense rule blocks the IP address for 6 hours. You can select servers to which you want to apply the default defense rule. You can also create a custom defense rule. The following table describes the parameters.
    Parameter | Description
    Defense Rule Name | Enter the name of the defense rule.
    Defense Rule | Specify the measurement duration, number of logon failures, and disablement duration. If the actual number of logon failures from an IP address exceeds the specified number during the specified measurement duration, the system blocks logon requests that are initiated from the IP address to the server involved in measurement for the disablement duration. You can set the measurement duration to 1 minute, 2 minutes, 5 minutes, 10 minutes, or 15 minutes. You can set the number of logon failures to 2, 3, 4, 5, 10, 50, 80, or 100. You can set the disablement duration to 5 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 6 hours, 12 hours, 24 hours, 7 days, or permanent. For example, if the number of logon failures exceeds 3 within 1 minute from an IP address, the IP address is blocked for 30 minutes.
    Set As Default Policy | Determine whether to specify the defense rule as a default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use the default defense rule. Note: If you select Set As Default Policy, the defense rule takes effect on all the servers that are not protected by defense rules, regardless of whether you select servers in the Select Server(s) section.
    Select Server(s) | Select the servers to which the defense rule is applied. You can select servers from the server list, or search for servers by using the server names or server IP addresses.
  8. Click OK.
    Notice: You can create only one defense rule against brute-force attacks for each server.
    • If a server is not protected by a defense rule, the defense rule that you create takes effect on the server.
    • If a server is protected by a defense rule and you want to apply the defense rule that you create to the server, read and confirm the information in the Confirm Changes message, and click OK.
    • You can view the defense rules that you create and the number of servers to which each rule is applied on the Settings page.
      Note
      • If you create a rule for a server to which an existing defense rule is already applied, the number of servers to which the existing defense rule is applied decreases.
      • Security Center allows you to modify and delete defense rules that you create.
      • You can modify the defense rule that is created for a server on the Assets page. For more information, see View the details of an asset.
    • In the IP Policy Library panel, view the IP blocking rules that Security Center automatically generates.
      After you configure a defense rule on the brute-force attacks protection tab of the Settings panel, IP blocking can be triggered based on the rule. In this case, Security Center generates an IP blocking policy. To view the IP blocking rules, perform the following steps:
      1. On the Alerts page, click the number below IP blocking / All.

        If you click the number below IP blocking, the IP Policy Library panel appears. You can view the enabled system policies. If you click the number below All, you are redirected to the panel that displays both enabled and disabled system policies.

      2. On the System Rules tab of the IP Policy Library panel, view the IP blocking rules that Security Center automatically generates.

        For more information about IP blocking rules, see Configure blocking policies based on IP addresses.
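To choose a measurement duration, failure count, and disablement duration, it helps to replay your own logon-failure records through a candidate rule and see which source IP addresses it would block. The sketch below is an added example that models the rule as the Defense Rule parameter describes it (block when the count exceeds the threshold within the window); it is not Security Center's implementation, and the event tuple layout and function name are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values the Defense Rule parameter offers, as listed in the table above.
WINDOWS_MIN = {1, 2, 5, 10, 15}
FAILURE_COUNTS = {2, 3, 4, 5, 10, 50, 80, 100}

def simulate_rule(events, window_min, max_failures, block):
    """Replay (timestamp, server, source_ip) logon failures through one rule.

    Returns a list of (server, source_ip, blocked_from, blocked_until).
    block is a timedelta; block=None models the 'permanent' duration.
    Assumption: a block triggers when failures exceed max_failures.
    """
    if window_min not in WINDOWS_MIN or max_failures not in FAILURE_COUNTS:
        raise ValueError("value is not one of the options listed for the rule")
    window = timedelta(minutes=window_min)
    recent = defaultdict(deque)   # (server, ip) -> failure times inside window
    blocked_until = {}            # (server, ip) -> datetime, or None = permanent
    blocks = []
    for ts, server, ip in sorted(events):
        key = (server, ip)
        if key in blocked_until:
            until = blocked_until[key]
            if until is None or ts < until:
                continue          # request is rejected while the block is active
            del blocked_until[key]
        q = recent[key]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()           # drop failures that fell out of the window
        if len(q) > max_failures:
            until = None if block is None else ts + block
            blocked_until[key] = until
            blocks.append((server, ip, ts, until))
            q.clear()
    return blocks

# Constructed sample: one noisy source and one user who mistypes a password.
T0 = datetime(2024, 1, 1, 3, 0, 0)
SAMPLE = (
    [(T0 + timedelta(seconds=10 * i), "web-01", "203.0.113.7") for i in range(6)]
    + [(T0 + timedelta(minutes=4 * i), "web-01", "198.51.100.20") for i in range(3)]
)

if __name__ == "__main__":
    for b in simulate_rule(SAMPLE, 1, 3, timedelta(minutes=30)):
        print(b)
```

With the sample data, the 1 minute / 3 failures / 30 minutes rule from the table blocks the noisy source on its fourth failure, while the default rule (10 minutes, 80 failures, 6 hours) blocks nothing.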

Specify custom web directories to scan

Security Center automatically scans web directories of your servers and runs dynamic and static scan tasks. You can also manually add specific web directories to scan.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click Settings in the upper-right corner.
  4. In the Settings panel, click the Web Directory Definition tab.
  5. On the right of the Add Scan Targets section, click Management.
  6. Specify a commonly used web directory and select the servers on which the specified web directory is scanned.
    Note: To ensure scan performance and efficiency, we recommend that you do not specify a root directory.
  7. Click OK.

Manage whitelist rules

If you add an alert to the whitelist, a whitelist rule is created. You can modify or delete the whitelist rule.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click Settings in the upper-right corner.
  4. In the Settings panel, click the Whitelist Rules tab.
  5. In the Whitelist Rules section, modify or delete a whitelist rule.
    • Modify a whitelist rule
      1. Find the whitelist rule that you want to modify and click Edit on the right.
      2. In the Edit dialog box, modify the Whitelist Field, Wildcard, and Rules parameters.
      3. Click OK. The whitelist rule is modified.
    • Delete a whitelist rule
      1. Find the whitelist rule that you want to delete and click Delete on the right.
      2. In the message that appears, click OK. The whitelist rule is deleted.