Security Center provides the malicious behavior defense feature. You can enable or
disable a system defense rule, manage the servers on which you want the system defense
rule to take effect, and configure custom defense rules based on your business requirements.
This topic describes how to use the malicious behavior defense feature.
Scenarios
The malicious behavior defense feature supports system defense rules and custom defense
rules. The following table describes the scenarios for which the two types of rules
are suitable.
Important Custom defense rules have a higher priority than system defense rules: when a custom defense rule and a system defense rule match the same behavior, the action of the custom defense rule applies.
Rule type | Scenario
System defense rule |
- Use the system defense rules that are suitable for your business scenarios. If a system defense rule is not suitable for your business scenarios and the alerts that it generates affect the security score of your servers, you can disable the rule. For more information, see Manage system defense rules.
- Handle alert events that are false positives. If you handle an alert event whose alert type is Precise defense and you determine that the processes that Security Center detected and reported based on a system defense rule are normal processes that your workloads require, you can disable the rule on the Host defense rules tab of the Malicious Behavior Defense page. You can also remove the affected servers from the list of servers on which the rule takes effect, which keeps the rule active on all other servers. For more information, see Handle alert events that are false positives.
Custom defense rule |
If you want to allow specific behavior after you enable or disable a system defense rule, you can create a custom defense rule based on your business requirements.
Manage system defense rules
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Host defense rules tab, find and manage a system defense rule in the list of system defense rules.
Search for a system defense rule
- On the Host defense rules tab, enter the name of the system defense rule in the search box to quickly find the rule.
- In the left-side navigation pane of the Host defense rules tab, click a value in the ATT&CK Phase section to filter the rules by the ATT&CK phase to which they belong.
Manage a system defense rule
- Enable or disable the system defense rule
Important After you disable a system defense rule, Security Center no longer detects risks or
triggers alerts based on the rule. The alert events that are generated based on the
rule are no longer displayed on the Alerts page. Proceed with caution.
- Select the system defense rule. You can also select multiple rules at a time based on your business requirements.
- In the lower-left corner of the rule list, click Enabled to enable the selected rules or Deactivation to disable them.
- Manage the servers on which the system defense rule takes effect
Important After you remove a server from a system defense rule, Security Center no longer detects
or reports risks on the server based on the rule. Proceed with caution.
- Find the system defense rule that you want to manage and click Management host in the Actions column.
- In the Management host panel, add servers to the rule or remove servers from the rule. Then, click OK.
Handle alert events that are false positives
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Alerts page, click the number that is displayed below Precise Defense.
- In the alert event list, find the alert event that is a false positive and click Details in the Actions column to view the details about the alert event.
In this example, the alert event that is generated for the alert named Suspicious worm script behavior is handled.
In the alert details panel, obtain and record the following information for subsequent
use.
- The name of the system defense rule that detects risks. The alert event is generated
for the detected risks. In this example, the system defense rule is Suspicious worm script behavior.
- The value of ATT&CK Phase for the alert event. In this example, the value is Impact.
- The names and IP addresses of the servers that are affected by the alert event.
- In the left-side navigation pane, click Malicious Behavior Defense.
- On the Host defense rules tab, search for the system defense rule based on which the
alert event is generated.
- You can enter Suspicious worm script behavior in the search box.
- You can also click Impact in the ATT&CK Phase section in the left-side navigation pane of the Host defense rules tab.
- In the rule list, find the system defense rule Suspicious worm script behavior and handle it in one of the following ways. To stop detection based on the rule on all servers, select the rule and click Deactivation in the lower-left corner of the rule list. To keep the rule active elsewhere and suppress it only for the servers that reported the false positive, click Management host in the Actions column, remove the affected servers that you recorded from the alert details, and click OK. Removing only the affected servers is the narrower change and is preferable when the rule still protects other workloads. For more information, see Manage a system defense rule.
Create a custom defense rule
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Custom defense rules tab, click New rule.
- In the New rule panel, configure the Rule type parameter, the required parameters, and the Action parameter based on your business requirements. Then, click Next.
- In the server list of the panel, select the servers on which you want the rule to
take effect and click Finish.
By default, a newly created custom defense rule is enabled and takes effect immediately on the selected servers. You can modify the rule and manage the servers on which the rule takes effect on the Custom defense rules tab.