The alert settings feature lets you manage web directories on your assets and configure alert whitelist rules, so that you can create fine-grained threat protection rules, manage them centrally, promptly detect security threats on your assets, and monitor their security status in real time. This topic describes how to configure custom web directories and alert handling rules.
Configure alert generation rules
Some alerts depend on system feature settings. You can manage the rules for these features on their respective pages:
Host Protection: Features such as Malicious Behavior Defense, Approved Logon Management, and Antivirus generate alerts of types such as Precise Defense, Unusual Logon, Account Errors, and Malicious Software.
Container Protection: Features such as Proactive Defense for Containers and Container File Protection generate alerts of types such as Container Escape Prevention, Proactive Defense for Containers, and Container Cluster Anomaly.
Feature Settings: Features such as Host Protection Settings and Container Protection Settings generate alerts of types such as Precise Defense, Webshell, Container Escape Prevention, Container Cluster Anomaly, and Suspicious Process Behavior.
Manage custom web directories
Security Center automatically detects the web directories on your servers and performs dynamic detection and static scans. This feature not only automatically discovers and monitors standard web directories on your servers but also lets you manually add custom web directories to include them in the comprehensive security scanning and protection system.
When a hacker attempts an abnormal connection using a known web shell, Security Center actively blocks the connection and generates an alert. The alert is then displayed in the alert list on the Alerts page.
Benefits
Eliminate security blind spots: Web applications, website source code, or project files may be deployed in non-standard custom paths, such as /data/wwwroot/my_project or /opt/app. These paths might be missed by regular automatic scans, which creates security blind spots. By manually adding custom directories, you can bring all your web assets under the monitoring of Security Center, regardless of their deployment location.
Improve detection precision: Focusing scans on actual web directories reduces unnecessary scanning of non-web files. This improves detection efficiency and accuracy.
Flexibly adapt to your business architecture: This feature fully supports your custom server deployment and Operations and Maintenance (O&M) practices. This ensures that your security policies align closely with your business architecture.
Notes
Do not add root directories: To ensure server performance and scanning efficiency, do not add a server's root directory, such as / for Linux or C:\ for Windows, as a web directory.
Note: To ensure performance and efficiency, you cannot add the root directory as a web directory.
Add specific web paths: Add only the specific paths where your web applications are stored. Adding irrelevant directories may lead to false positives or unnecessary performance overhead.
Procedure
Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets are deployed: Chinese Mainland or Outside Chinese Mainland.
In the navigation pane on the left, choose .
Note: If you have activated Cloud Threat Detection and Response (CTDR), the path in the navigation pane on the left changes to .
On the Alert page, click in the upper-right corner.
In the panel, click Manage in the Custom Web Directory section.
In the Custom Web Directory panel, configure the path and server information.
Enter the absolute path of the web directory that you want to monitor, such as /home/www/my_app.
Select the servers on which the path takes effect.
Click OK to add the directory.
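Before entering paths in the Custom Web Directory panel, it helps to check each candidate against the notes above: absolute paths only, never a server root such as / or C:\, and only directories that actually hold web content. The following script is an added example (not Security Center code); the web file extension list and the sample candidate paths are assumed.

```python
"""Pre-flight check for candidate custom web directory entries (added example).

Applies the page's rules before paths are entered in the console: reject server
root directories, accept only absolute paths, and flag directories without web
content. The extension list and the sample candidates below are assumed.
"""
import ntpath
import os
import posixpath
import re

# Extensions treated as web content (assumed list; extend it for your stack).
WEB_EXTENSIONS = {".php", ".jsp", ".asp", ".aspx", ".html", ".htm", ".js", ".war"}


def classify_path(raw: str) -> tuple[bool, str]:
    """Return (accepted, normalized path) or (rejected, reason)."""
    path = raw.strip()
    if re.match(r"^[A-Za-z]:", path):                   # Windows drive path
        norm = ntpath.normpath(path)                    # also turns '/' into '\'
        if re.fullmatch(r"[A-Za-z]:\\?", norm):         # 'C:' or 'C:\' is a drive root
            return False, "drive root is not allowed"
        if not ntpath.isabs(norm):                      # 'C:app' is drive-relative
            return False, "path must be absolute"
        return True, norm
    if path.startswith("/"):                            # POSIX path
        norm = posixpath.normpath(path)                 # strips '.', '..', trailing '/'
        if norm.strip("/") == "":                       # '/', '//', '/./' are all root
            return False, "root directory is not allowed"
        return True, norm
    return False, "path must be absolute"


def looks_like_web_dir(filenames) -> bool:
    """True if any file name carries a web content extension."""
    return any(os.path.splitext(n)[1].lower() in WEB_EXTENSIONS for n in filenames)


def scan_directory(path: str, limit: int = 5000) -> bool:
    """Walk a real directory (bounded to `limit` files) and look for web files."""
    seen = 0
    for _, _, files in os.walk(path):
        if looks_like_web_dir(files):
            return True
        seen += len(files)
        if seen >= limit:
            break
    return False


def review(candidates) -> dict:
    """Split candidate entries into accepted normalized paths and rejections."""
    report = {"accepted": [], "rejected": {}}
    for raw in candidates:
        ok, detail = classify_path(raw)
        if ok:
            report["accepted"].append(detail)
        else:
            report["rejected"][raw] = detail
    return report


if __name__ == "__main__":   # constructed sample entries, not real servers
    print(review(["/home/www/my_app/", "/", "C:\\", "C:/inetpub/wwwroot", "www/app"]))
```

Run scan_directory() on each accepted path on the server itself to confirm it really holds web files before adding it in the console.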
Manage alert handling rules
The alert handling rule management feature provides a centralized management interface. The system automatically generates a handling rule when you handle a security alert and select Add to Whitelist or Defense Without Notification. You can use this feature to centrally view, edit, and delete these rules to ensure that your security policies remain effective and precise.
Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets are deployed: Chinese Mainland or Outside Chinese Mainland.
In the navigation pane on the left, choose .
Note: If you have activated Cloud Threat Detection and Response (CTDR), the path in the navigation pane on the left changes to .
On the Alert page, click in the upper-right corner.
In the Alert Settings panel, click the Alert Handling Rule tab.
In the Alert Handling Rule section, find the rule that you want to change, and edit or delete it as described below.
Edit an alert handling rule
Find the rule that you want to edit and click Edit in the Actions column.
In the Edit Rule panel, modify the servers on which the alert handling rule takes effect.
Click OK to save the changes.
Delete an alert handling rule
Important: Deleting a rule resumes the default detection and alerting behavior. For example, after you delete a whitelist rule, similar alerts that were previously ignored will be generated again. Before you delete a rule, make sure that you understand the impact.
Find the rule that you want to delete and click Delete in the Actions column.
Click OK to delete the rule.