Different business applications have different security requirements. The application protection feature provides two protection modes (Monitor and Block), tiered detection rules, and multiple protection policy groups (such as Business First). This topic describes protection policies and how to configure them.
Protection modes
Application protection provides the following two protection modes:
Monitor: Detects attack behavior but does not block attacks. When an attack is detected, an alert is generated with the action set to Monitor.
Block: Detects and blocks attack behavior, and monitors high-risk operations. When an attack is blocked, an alert is generated with the action set to Block.
When you create an application group, the protection mode defaults to Monitor. We recommend running Monitor mode for 2 to 5 days. If no false positives occur, switch the protection mode to Block. If false positives occur, configure protection whitelist rules to suppress the detection types that cause false alerts. For more information, see Add an alert to a whitelist.
Protection policy groups
Built-in policy groups
To meet security requirements in different business scenarios, application protection provides tiered detection rules and built-in protection policy groups: Business First (default loose rule group), Normal Operations (default standard rule group), and Protection First (default strict rule group).
All rules within a built-in policy group share the same detection mode. For example, all attack rules in the Business First group (default loose rule group) use the Loose detection mode. You can use a built-in rule group as needed or create a custom rule group.
Detection modes
To balance false positive rates and protection strength across different business scenarios, application protection defines three detection modes: Loose, Standard, and Strict. In that order, the modes offer increasing protection strength at the cost of an increasing false positive rate.
Loose: Matches only known attack signatures. Very low false positive rate.
Standard (default): Matches common attack patterns and applies some generalized inference. Suitable for daily O&M.
Strict: Detects more hidden attack behaviors. Suitable for major event support scenarios, but has a certain risk of false positives.
Create a protection policy group
If none of the built-in policy groups fit your needs, create a custom one. To base a new group on an existing configuration, click Copy in the Actions column for that group.
Log on to the Security Center console.
In the navigation pane on the left, choose Protection Configuration > Application Protection. In the upper-left corner, select the region where your asset is located: Chinese Mainland or Outside Chinese Mainland.
On the Application Configurations tab, click Management Settings in the upper-right corner.
In the Management Settings panel, on the Manage Protection Policy tab, click Create Protection Policy Group.
In the Create Protection Policy Group panel, enter a name, select an application language, and click Select to the right of Threat Type to configure the detection types.
In the Select Threat Type panel, select the detection types to include, set the Detection Mode for each type, and click OK.
For example, if alerts for SQL injection contain many false positives, set the detection mode for that type to Loose.
Available detection types include Malicious Outbound Connection (medium risk), Expression Injection (high risk), Arbitrary File Deletion (low risk), JNI Injection (high risk), and more. Each type includes a description and risk level for reference.
Click OK.
Configure a protection whitelist
Add a whitelist rule from an alert
If an alert is confirmed as a false positive, add it to the protection whitelist to prevent similar alerts from being generated in the future. When you add an alert to the whitelist, a rule is automatically created from the alert details and applied to the application group that contains the affected process.
For steps, see Add an alert to a whitelist.
View and manage whitelist rules
Log on to the Security Center console.
In the navigation pane on the left, choose Protection Configuration > Application Protection. In the upper-left corner, select the region where your asset is located: Chinese Mainland or Outside Chinese Mainland.
On the Application Configurations tab, click Management Settings in the upper-right corner.
You can also click Protection Whitelist on the Attack Alerts tab to view the whitelist rule list.
In the Management Settings panel, on the Protection Whitelist tab of the Manage Protection Policy tab, view the list of whitelist rules.
You can manage whitelist rules by using the following operations:
Enable or disable: Toggle the switch in the Rule Switch column to enable or disable a whitelist rule.
Edit or delete: Click Edit or Delete in the Actions column to modify or delete a whitelist rule.
Create a whitelist rule manually
A manually created rule lets you configure whitelists for multiple detection types across multiple application groups.
Log on to the Security Center console.
In the navigation pane on the left, choose Protection Configuration > Application Protection. In the upper-left corner, select the region where your asset is located: Chinese Mainland or Outside Chinese Mainland.
On the Application Configurations tab, click Management Settings in the upper-right corner.
You can also click Protection Whitelist on the Attack Alerts tab.
In the Management Settings panel, on the Protection Whitelist tab of the Manage Protection Policy tab, click Create Whitelist.
In the Create Whitelist panel, configure the rule parameters and click OK.
The following describes some of the parameters. For other parameters, refer to the descriptions in the console.
Match Mode: Select the match method for the whitelist rule. Options:
Exact Match: Suppresses alerts when the transmitted content is identical to the match content.
Partial Match: Suppresses alerts when the transmitted content contains the match content.
Prefix Match: Suppresses alerts when the transmitted content starts with the match content.
Suffix Match: Suppresses alerts when the transmitted content ends with the match content.
Content to Match: Set the match content based on the selected match method. You can use the value of Malicious Characteristics, Specified Parameters, or Request URL from the alert details page as the match content.
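The four match modes and the group/type scoping described above, as an added Python model (this is not Security Center's own code; the alert field names, the application group name and the sample alerts are constructed). It also counts how many alerts a candidate rule would silence, a check worth making before saving a rule so that it is no broader than the false positive it was written for.

```python
from dataclasses import dataclass

# The four match modes from the Create Whitelist panel, modelled as predicates
# over (transmitted content, Content to Match).
MATCH_MODES = {
    "Exact Match": lambda content, pattern: content == pattern,
    "Partial Match": lambda content, pattern: pattern in content,
    "Prefix Match": lambda content, pattern: content.startswith(pattern),
    "Suffix Match": lambda content, pattern: content.endswith(pattern),
}

@dataclass(frozen=True)
class WhitelistRule:
    app_group: str      # application group the rule is applied to
    threat_type: str    # detection type whose alerts the rule suppresses
    field: str          # alert field used as match content (assumed key names)
    match_mode: str     # key of MATCH_MODES
    pattern: str        # the "Content to Match" value
    enabled: bool = True  # the "Rule Switch" toggle

def is_suppressed(alert: dict, rules: list) -> bool:
    """True if any enabled rule scoped to the alert's group and type matches."""
    for rule in rules:
        if not rule.enabled:
            continue
        if (rule.app_group, rule.threat_type) != (alert["app_group"], alert["threat_type"]):
            continue
        if MATCH_MODES[rule.match_mode](alert.get(rule.field, ""), rule.pattern):
            return True
    return False

def suppression_count(rule: WhitelistRule, alerts: list) -> int:
    """Number of alerts a single rule would silence; a broad Partial or Prefix
    pattern can hide real attacks alongside the false positive it targets."""
    return sum(is_suppressed(a, [rule]) for a in alerts)

# Constructed sample alerts, not real Security Center data.
ALERTS = [
    {"app_group": "web-prod", "threat_type": "SQL Injection", "request_url": "/api/report/export",
     "specified_parameters": "sort=ORDER BY created_at"},  # benign sort parameter, false positive
    {"app_group": "web-prod", "threat_type": "SQL Injection", "request_url": "/api/report/export",
     "specified_parameters": "id=1 OR 1=1"},                # alert that must stay visible
    {"app_group": "web-prod", "threat_type": "Expression Injection", "request_url": "/api/admin/render",
     "specified_parameters": "tpl=${ctx.user}"},            # different detection type, out of scope
]
# Narrow rule: exact match on the parameter that caused the false positive.
NARROW = WhitelistRule("web-prod", "SQL Injection", "specified_parameters",
                       "Exact Match", "sort=ORDER BY created_at")
# Broad rule: partial match on a URL fragment shared by many requests.
BROAD = WhitelistRule("web-prod", "SQL Injection", "request_url", "Partial Match", "/api/")
```

Running suppression_count on both rules shows NARROW silences only the false positive while BROAD also hides the second SQL injection alert.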
Modify the protection policy for an application group
You can modify the protection policy for an application group by performing the following steps.
On the Application Protection page, on the Application Configurations tab, click Protection Policy in the Actions column for the target application group.
In the Protection Policy panel, modify Protection Status, Protection Mode, Protection Policy Group, Detection Policy, and Common Settings as needed.
Click OK.
(Optional) On the Application Configurations tab, perform batch operations as described below.
Switch to Block mode: Select the target application groups and click Protect All below the list to change the protection mode to Block.
Switch to Monitor mode: Select the target application groups and click Monitor All below the list to change the protection mode to Monitor.
Disable detection or protection: Select the target application groups and click Cancel Protection below the list. This disables the protection capability for the selected application groups. No attack behavior is detected or blocked.
Enable detection or protection: Select the target application groups and click Enable All below the list to re-enable the selected application groups.