Security Center provides the malicious behavior defense feature. You can enable or disable system defense rules, and manage the assets to which each system defense rule is applied based on your business requirements. This topic describes how to use the malicious behavior defense feature.

Limits

Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Scenarios

  • Use system defense rules that are suitable for your business scenarios

    If a system defense rule is not suitable for your business scenarios and affects the security score of your assets, you can disable the rule. For more information, see Manage a system defense rule.

  • Handle alerts that are false positives

    If you handle an alert whose alert type is Precise Defense and you determine that the processes detected and reported by Security Center based on a system defense rule are normal processes that are required in your workloads, you can disable the rule on the Host defense rules tab of the Malicious behavior Defense page. You can also remove the affected servers from the list of assets to which the rule is applied. For more information, see Handle alerts that are false positives.

Manage a system defense rule

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Malicious behavior Defense.
  3. On the Malicious behavior Defense page, click the Host defense rules tab.
  4. In the list of system defense rules, search for the system defense rule that you want to manage.
    • On the Host defense rules tab, enter the name of the system defense rule in the search box.
    • In the left-side navigation pane of the Host defense rules tab, select a value in the ATT&CK attack phase section.
  5. Manage a system defense rule.
    • Enable or disable a rule
      Notice After you disable a system defense rule, Security Center no longer detects risks or generates alerts based on the rule. The alerts that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.
      1. Select one or more system defense rules based on your business requirements.
      2. In the lower-left corner of the rule list, click Enabled or Deactivation.
    • Manage assets in a rule
      Notice After you remove an asset from a rule, Security Center no longer detects or reports risks on the asset based on the rule. Proceed with caution.
      1. Select the system defense rule that you want to manage.
      2. Click Management host in the Actions column.
      3. In the Management host panel, add the assets to the rule or remove the assets from the rule.
      4. Click OK.

Handle alerts that are false positives

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click the number that is displayed below Precise Defense.
  4. In the alert list, find the alert that is a false positive and click Details in the Actions column to view the alert details.

    The following section provides an example on how to handle an alert that is a false positive. In this example, the alert named Suspicious worm script behavior is handled.

    On the Alert Details panel, obtain and record the following information for subsequent use.
    • The name of the system defense rule that detects risks and generates alerts. In this example, the system defense rule is Suspicious worm script behavior.
    • The value of ATT&CK attack phase of the alert. In this example, the value is Impact.
    • The names and IP addresses of the assets that are affected by the alert.
  5. In the left-side navigation pane, click Malicious behavior Defense.
  6. On the Host defense rules tab, search for the system defense rule that detects risks and generates alerts.
    • You can enter Suspicious worm script behavior in the search box.
    • You can also click Impact in the ATT&CK attack phase section on the left side of the Host defense rules tab.
  7. In the rule list, find and manage the system defense rule Suspicious worm script behavior.
    • If the system defense rule is not suitable for your business scenario and you no longer want Security Center to generate alerts for the risks that are detected by the system defense rule, you can click the Switch icon in the Switch column to disable the rule.
      Notice After you disable a system defense rule, Security Center no longer detects risks or generates alerts based on the rule. The alerts that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.
    • If you want to handle only an alert that is a false positive, you can click Management host in the Actions column to remove the assets that are affected from the asset list of the rule.

      You can also go to the Alerts page and click Process in the Actions column of the alert. In the Handle dialog box, select Disable Malicious Behavior Prevention and click Process Now to handle the alert that is a false positive. After an alert is handled, the assets that are affected by the alert are removed from the asset list of the system defense rule.

      Notice If you handle only the alert that is generated based on the system defense rule but still want the rule to continue to protect the asset, you can add the asset back to the asset list of the rule on the Malicious behavior Defense page.