To ensure the security of your assets, we recommend that you view the alert events that are generated by Security Center on your assets and handle the alert events at the earliest opportunity. This topic describes how to view and handle alert events.

View alert events

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, view alert events.
    • Switch between asset types

      You can perform this operation only if you use the Ultimate edition of Security Center. Click the All, Host, Container, or K8s tab to view the alert events that are generated for each type of asset.

    • Search for alert events

      Use the filters above the alert list. The filters include Emergency level and Handled or Not.

      Click an alert type in the Alert Type section or an attack phase in the Attack Phase section on the left side of the alert event list.

    • View the details about an alert event

      On the Alerts page, click the name of the alert event whose details you want to view. In the panel that appears, you can view the details about the alert event and the exceptions related to the alert event. This allows you to analyze the alert event, trace attack sources, and identify the path of the attack in an efficient and comprehensive manner. For more information about the exceptions related to an alert event, see View exceptions related to an alert. For more information about how to trace attack sources, see Use attack source tracing.

      Move the pointer over the icon on the right side of an alert event name to view the attack sources or the exceptions related to the alert event.
      The following list describes the icons that can appear on the right side of alert event names:
      • Attack Source Tracing: The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the causes of intrusions and make informed decisions at the earliest opportunity. You can click the Attack Source Tracing icon to go to the Diagnosis tab. For more information, see Use attack source tracing.
      • Investigation: The investigation feature provides visualized information about attacks. You can view the source IP addresses from which attacks are launched and analyze the causes of intrusions. This feature helps you locate the attacked assets and reinforce your asset security. You can click the Investigation icon to go to the Investigation page.
      • Related Exceptions: You can move the pointer over this icon to view the number of exceptions that are related to the alert event.
      • Safeguard Mode For Major Activities: The safeguard mode for major activities is a protection mode supported by the Security Center agent. You can enable the mode to protect major activities. After the mode is enabled, Security Center generates alert events for suspicious intrusions and potential threats. If this icon is displayed next to the name of an alert event that is generated on your asset, the safeguard mode for major activities is enabled for the asset. For more information, see Use proactive defense.
      • Attack Phase: An attack includes the following phases: Attack Portal, Load Delivery, Privilege Escalation, Escape Detection, Permission Maintenance, Lateral Movement, Remote Control, Data Breach, Trace Cleaning, and Damage. You can click the Attack Phase icon to view the phase of an attack on your assets and the security status of your assets.
      • Blocked: The Blocked icon indicates that Security Center terminated the malicious process of a virus file. The file can no longer threaten your services. We recommend that you quarantine the file at the earliest opportunity.
    • View the alert events that are automatically handled by Security Center

      On the Alerts page, set Handled or Not to Handled and Status to Successful Interception. This way, you can view all alert events generated for common viruses that are automatically quarantined by Security Center.

    • View exceptions related to an alert event
      On the Alerts page, find the required alert event and click Details in the Actions column. In the details panel of the alert event, you can view the details of the alert event and exceptions related to the alert event. You can also handle the exceptions.
      • View details about the alert event

        You can view the following information: Affected Assets, First Occurrence, Latest Occurrence, Alert Reason, and Related Exceptions.

      • View affected assets

        Click the name of an affected asset to view the details of the asset. The details include alerts, vulnerabilities, baseline risks, and asset fingerprints.

      • View alert event causes

        To view the causes and handling suggestions of the alert event, click Go Now to go to the Vulnerabilities or Baseline Check page. On the Vulnerabilities page, you can view and handle the vulnerabilities. On the Baseline Check page, you can view and manage baseline risks.

      • View and handle related exceptions

        In the Related Exceptions section, view the details about all exceptions that are related to the alert event. You can also view suggestions on how to handle the exceptions. To handle the exceptions, you can perform the following operations:

        • Click Process on the right side of an exception. In the dialog box that appears, select a processing method to handle the exception.

          For more information about how to select a processing method, see Handle alert events.

        • Click Note on the right side of an exception to add a note for the exception.

          Click the Delete icon icon on the right side of a note to delete the note.

      • View tracing results of the alert event on the Diagnosis tab

        Click the Diagnosis tab to view the tracing results of the alert event.

    • Use the feature of attack source tracing

      Security Center provides the feature of attack source tracing. This feature automatically traces the sources of attacks and provides original data previews. The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the causes of intrusions and make informed decisions at the earliest opportunity. You can use the feature in scenarios where urgent response and source tracing of threats are required, such as web intrusions, worm events, ransomware, and unauthorized communications to suspicious sources in the cloud.

      Note
      • Only the Enterprise and Ultimate editions support the feature of attack source tracing. If you use the Basic, Anti-virus, or Advanced edition of Security Center, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use the feature.
      • Three months after an alert event is generated, the information about attack source tracing for the alert event is automatically deleted. We recommend that you view the information about attack source tracing for alert events at the earliest opportunity.
      • Security Center generates a chain of automated attack source tracing 10 minutes after a threat is detected. We recommend that you view the information about attack source tracing 10 minutes after an alert event is generated.

      On the Alerts page, find an alert event for which the Attack Source Tracing icon is displayed and click the icon. In the panel that appears, you can view the alert name, alert type, affected resources, attack source IP address, HTTP request details, and attack request details.


      On the Diagnosis tab, you can also view the information about each node in the chain diagram of the attack source tracing event. You can click a node to view details about the node on the Node Attributes page.


Handle alert events

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, find the alert event that you want to handle and click Process in the Actions column. In the dialog box that appears, select a processing method to handle the alert event and click Process Now.
    Note If the alert event is related to multiple exceptions, the details panel of the alert event appears after you click Process. You can separately handle the exceptions in the panel. For more information, see View exceptions related to an alert.
    The following list describes the available processing methods:
    • Anti-Virus: If you select Anti-Virus, you can terminate the malicious process for which the alert event is generated and quarantine the source file of the malicious process. The quarantined file can no longer threaten your services.
      If you confirm that the alert event is a true positive, you can use one of the following methods to manually handle the alert event:
      • End the process: terminates the malicious process.
      • End the process and isolate the source file: quarantines the virus file. After the virus file is quarantined, the file can no longer threaten your servers. For more information, see Quarantine.
        Important A quarantined file can be restored within 30 days. After the restoration, the alert event generated for the file is displayed in the alert event list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
    • Add To Whitelist: If the alert event is a false positive, you can add the alert event to the whitelist. You can also specify a whitelist rule to add alert events that meet the condition in the rule to the whitelist. For example, you select Add To Whitelist for the alert event Exploit Kit Behavior and specify a rule to add the alert events generated for commands that contain aa to the whitelist. After the configuration, the status of the alert event changes to Handled. Security Center no longer generates alert events for the commands that contain aa. In the Handled alert event list, you can click Remove whitelist to remove the alert event from the whitelist.
      Note
      • If you select this method, the alert event that you select is added to the whitelist. You can also specify a whitelist rule. After you specify a whitelist rule, Security Center no longer generates the same alert event as the selected alert event if the condition in the rule is met. For more information about the alert events that can be added to the whitelist of Security Center, see What alert events can I add to the whitelist?
      • If Security Center generates an alert event on a normal process, the alert event is considered a false positive. Common false positives include an alert event generated for suspicious processes that send TCP packets. The alert event notifies you that your server initiated suspicious scans on other devices.
    • Ignore: If you select Ignore, the status of the alert event changes to Ignored. Security Center still generates this alert event in subsequent detections.
      Note If one or more alert events can be ignored or are false positives, you can select the alert events and click Ignore Once or Add whitelist below the alert event list on the Alerts page.
    • Deep cleanup: After the security experts of Security Center conduct tests and analysis on persistent viruses, the experts develop the Deep cleanup method based on the test and analysis results to detect and remove persistent viruses. If you use this method, risks may occur. You can click Details to view the information about the viruses that you want to remove. This method supports snapshots. You can create snapshots to restore data that is deleted during deep cleanup.
    • Isolation: If you select Isolation, Security Center quarantines webshell files. The quarantined files can no longer threaten your services.
      Important A quarantined file can be restored within 30 days. After the restoration, the alert event generated for the file is displayed in the alert event list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
    • Block: If you select Block, Security Center generates security group rules to defend against attacks. You must specify the validity period for the rules. This way, Security Center blocks access requests from malicious IP addresses within the specified period.
    • End process: If you select End process, Security Center terminates the process for which the alert event is generated.
    • Troubleshooting: If you select Troubleshooting, the diagnostic program of Security Center collects information about the Security Center agent that is installed on your server and reports the information to Security Center for analysis. The information includes the network status, the processes of the Security Center agent, and logs. During the diagnosis, CPU and memory resources are consumed.
      You can select one of the following modes for troubleshooting:
      • Standard: In Standard mode, logs of the Security Center agent are collected and then reported to Security Center for analysis.
      • Strict: In Strict mode, the information about the Security Center agent is collected and then reported to Security Center for analysis. The information includes network status, processes, and logs.
    • Handled manually: If you select this method, it indicates that you have already handled the risks for which the alert event is generated.
    • Batch unhandled (combine the alert triggered by the same rule or type): If you select this method, you can select multiple alert events and handle them at a time. Before you handle multiple alert events at a time, we recommend that you view the details about the alert events.
    • Defense Without Notification: If you select this method, the same alert events are automatically added to the Handled alert event list. Security Center no longer notifies you of the alert events. Proceed with caution.
    • Disable Alerting Defense Rule: If you select this method, the system disables the automatic defense rule. Proceed with caution.

    After you handle the alert event, the status of the alert event changes from Unhandled to Handled.

Archived alert events

Security Center allows you to archive the alert events that were generated more than 30 days ago. You can download archived alert events. We recommend that you archive historical alert events on a regular basis so that you can view and manage the latest alert events in an efficient manner.

You can archive alert events only once within a 24-hour period. The number of times that you can download archived alert events is unlimited.

After you click Archive data on the Alerts page, Security Center archives all alert events that were generated more than 30 days ago. Then, you can download the archived alert events. Archived alert events are no longer displayed in the Security Center console. To view archived alert events, you must download them to your computer. If you have never archived alert events, you can view all alert events in the Security Center console.

Note If no alert events were generated more than 30 days ago within your account, Security Center still generates an empty file named suspiciousExport_<date of the archive operation>_<timestamp of the archive operation>.zip after you click Archive data on the Alerts page.
  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. In the upper-right corner of the Alerts page, click Archive data.
    The following list provides more information about this operation:
    • If this is the first time that you click Archive data, Security Center archives all alert events that were generated 30 or more days ago and provides a download link.
    • If this is not the first time that you click Archive data, Security Center archives the alert events that were generated within a specific time range and provides a download link. The time range starts on the day after the last day that was covered by the previous archive and ends 30 days before the current day.

    For example, if you clicked Archive data on August 13, 2020 for the first time, Security Center archives all alert events generated before and on July 14, 2020 and generates a file named suspiciousExport_20200813_1597282822.zip. If you clicked Archive data again on August 15, 2020, Security Center archives the alert events generated from July 15, 2020 to July 16, 2020 and generates a file named suspiciousExport_20200815_1597455622.zip.

    Note Security Center archives alert events only once within a 24-hour period. When you click Archive data for the first time within a 24-hour period, Security Center archives alert events and generates an archive file. When you click Archive data again within the 24-hour period, Security Center does not archive alert events. However, the Archive data dialog box appears, and you can view the alert events that have been archived.
  3. In the Archive data dialog box, view the file of archived alert events.
  4. Click Download in the Download link column to download the file of archived alert events to your computer. Then, click OK.
    The file of archived alert events is in the XLSX format. It takes 2 to 5 minutes to download a file of archived alert events. The time required by a download operation varies based on the network bandwidth and the file size.
    After you download the file, you can view the information about alert events in the file. The information includes the alert IDs, alert names, alert details, risk levels, and status of alert events. It also provides information about affected assets, names of the affected assets, suggestions for handling the alert events, and points in time at which alert events were generated.
    Note If an alert event is in the Expired state, the alert event was generated within the last 30 days but you have not handled it. We recommend that you handle the alert events generated by Security Center at the earliest opportunity.
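The archive window rule above (first run: everything generated 30 or more days ago; later runs: from the day after the last covered day up to 30 days before the run date; no second archive within 24 hours) is easy to get wrong by one day, so the following added example replays the page's August 2020 scenario in code. This is illustration code written for this page, not part of the Security Center console or any Alibaba Cloud API; the function names, the sample alert records, and the exact time of day used to reproduce the sample file name are constructed assumptions.

```python
from datetime import date, datetime, timedelta, timezone

# Added illustration of the archive-window rule this page describes. The
# function names and the alert records below are constructed for this example;
# they are not part of the Security Center console or any Alibaba Cloud API.

RETENTION_DAYS = 30  # alert events newer than this stay in the console


def archive_window(today, last_archived_through=None):
    """Return the (start, end) generation dates covered by an archive run.

    end is always 30 days before the run date, inclusive. On the first run
    there is no lower bound (start is None). On later runs start is the day
    after the last day the previous archive covered. If that start is later
    than end (a second run within the same 24-hour period), return None
    because there is nothing new to archive.
    """
    end = today - timedelta(days=RETENTION_DAYS)
    if last_archived_through is None:
        return (None, end)
    start = last_archived_through + timedelta(days=1)
    if start > end:
        return None
    return (start, end)


def archive_file_name(run_at):
    """Build the suspiciousExport_<YYYYMMDD>_<unix timestamp>.zip name.

    run_at must be a timezone-aware datetime so the Unix timestamp is
    unambiguous.
    """
    return f"suspiciousExport_{run_at:%Y%m%d}_{int(run_at.timestamp())}.zip"


def select_alerts_for_archive(alerts, window):
    """Pick the alert records whose generation date falls inside window."""
    start, end = window
    return [
        a for a in alerts
        if a["generated"] <= end and (start is None or a["generated"] >= start)
    ]


# Constructed sample alert records: only the generation date matters here.
SAMPLE_ALERTS = [
    {"id": "demo-1", "name": "Webshell", "generated": date(2020, 7, 10)},
    {"id": "demo-2", "name": "Suspicious process", "generated": date(2020, 7, 14)},
    {"id": "demo-3", "name": "Malicious file", "generated": date(2020, 7, 16)},
    {"id": "demo-4", "name": "Brute-force login", "generated": date(2020, 8, 1)},
]


def demo():
    """Replay the page's scenario: first archive on 13 Aug 2020, second on 15 Aug 2020."""
    first = archive_window(date(2020, 8, 13))
    first_ids = [a["id"] for a in select_alerts_for_archive(SAMPLE_ALERTS, first)]
    second = archive_window(date(2020, 8, 15), last_archived_through=first[1])
    second_ids = [a["id"] for a in select_alerts_for_archive(SAMPLE_ALERTS, second)]
    # Clicking Archive data again on the same day yields nothing new.
    rerun = archive_window(date(2020, 8, 15), last_archived_through=second[1])
    # The time of day is a constructed value chosen so that the name matches
    # the page's sample file name; the page gives only the date and timestamp.
    name = archive_file_name(datetime(2020, 8, 13, 1, 40, 22, tzinfo=timezone.utc))
    return {
        "first_end": first[1].isoformat(),
        "first_ids": first_ids,
        "second_start": second[0].isoformat(),
        "second_end": second[1].isoformat(),
        "second_ids": second_ids,
        "rerun_same_day": rerun,
        "file_name": name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first run covers everything generated on or before 14 July 2020, the second run covers only 15 and 16 July 2020, and the leftover alert from 1 August stays in the console until it ages past 30 days; an operator who wants to reconcile downloaded XLSX exports against the console can use the same bounds to confirm no alert falls through the gap between two archives.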

Quarantine

Security Center can quarantine malicious files. Quarantined files are listed in the Quarantine panel of the Alerts page. The system automatically deletes a quarantined file 30 days after the file is quarantined. You can restore a quarantined file with a few clicks before the file is deleted.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. In the upper-right corner of the Alerts page, click Quarantine to go to the Quarantine panel. You can view or restore quarantined files in the panel.
    • You can view information about quarantined files. The information includes server IP addresses, directories that store the files, file status, and time of the last modification.
    • To restore a quarantined file, find the file and click Restore in the Actions column. In the Note message, click OK. After the restoration, the alert event generated for the file is displayed in the alert event list.
      Important You can restore files within 30 days after they are quarantined. Security Center deletes the files that have been quarantined for more than 30 days.