View and handle security alerts - Security Center - Alibaba Cloud Documentation Center

To ensure the security of your assets, we recommend that you view the security alerts that are generated by Security Center on your assets and handle the security alerts at the earliest opportunity. This topic describes how to view and handle security alerts.

View security alerts

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Detection and Response > Alerts.
On the Alerts page, view security alerts.
Filter security alerts
You can filter security alerts in an efficient manner by using various filters that are provided in the Security Center console.
- Filter security alerts by asset type
  You can perform this operation only if you use the Ultimate edition of Security Center. Above the security alert list, click the All, Host, Container, K8S, or Cloud Product tab to view the security alerts that are generated for each type of asset.
- Filter security alerts by using the Severity filter or Handled or Not filter above the security alert list
  For example, you can set Handled or Not to Handled and Status to Successful Interception. The system displays the security alerts on common viruses that are automatically blocked by Security Center.
- Filter security alerts by option in the Alert Type section or Attack Phase section to the left of the security alert list
  The Attack Phase section displays the phases of virus attacks. You can view attack phases that are indicated by icons in the Alert Name column to obtain the phases of virus attacks on your servers. This helps you quickly understand the security status of your assets.
View the details of a security alert
Click the name of a security alert or click Details in the Actions column of a security alert. The detail panel of the security alert appears. In the details panel of the security alert, you can view the basic information about the security alert, affected assets, and description of the security alert. You can also handle the exceptions that are related to the security alert.
Note
The information that is displayed in the details panel of a security alert varies. The information that is displayed in the panel shall prevail.
- View affected assets
  Click the name of an Affected Asset to view the details of the asset. The details include alerts, vulnerabilities, baseline risks, and asset fingerprints.
- View security alert causes
  In the Description of events section, view the causes and handling suggestions of the security alert. You can click Handle to handle vulnerabilities and baseline risks in an efficient manner.
Use the feature of attack source tracing
Security Center provides the feature of attack source tracing. This feature automatically traces the sources of attacks and provides original data previews. The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the causes of intrusions and make informed decisions at the earliest opportunity. You can use the feature in scenarios where urgent response and source tracing of threats are required, such as web intrusions, worm events, ransomware, and unauthorized communications to suspicious sources in the cloud.
Note
Only the Enterprise and Ultimate editions support the feature of attack source tracing.
Security Center generates a chain of automated attack source tracing 10 minutes after a threat is detected. We recommend that you view the information about attack source tracing 10 minutes after a security alert is generated.
Three months after a security alert is generated, the information about attack source tracing for the security alert is automatically deleted. We recommend that you view the information about attack source tracing for security alerts at the earliest opportunity.
In the security alert list, find the security alert that you want to manage and click the icon in the Alert Name column. Alternatively, in the Advanced Details panel, click the Diagnosis tab to go to the Diagnosis page.
On the Diagnosis tab, you can view the alert name, alert type, affected resources, attack source IP address, HTTP request details, and attack request details. You can also view the information about each node in the chain diagram of the attack source tracing event. You can click a node to view details of the node.
View sandbox check results
Security Center provides the feature of cloud sandbox check, which allows files to run in a secure and isolated environment and analyzes dynamic and static data of file behavior. This helps you run suspicious applications in a secure manner and identify suspicious behavior of files. If security alerts are generated, you can handle malicious applications based on sandbox check results.
Note
The feature of cloud sandbox check can detect only some malware. The supported malware that is displayed on the page shall prevail.
1. In the security alert list, find the security alert that you want to manage and click Details in the Actions column.
2. Click the Sandbox inspection tab or click Cloud sandbox detection in the Description of events section.
3. On the Sandbox inspection tab, view the sandbox check results.
  If no data is displayed on the tab, the feature of cloud sandbox check does not detect the file for which alerts are generated. In this case, click Go to Cloud Sandbox to upload and check the file.
Sandbox inspection
Use the investigation feature
The investigation feature provides visualized information about attacks. You can view the source IP addresses from which attacks are launched and analyze the causes of intrusions. This feature helps you locate the attacked assets and reinforce your asset security.
You can click the icon in the Alert Name column to go to the Investigation page.
Note
- If Blocked is displayed in the Alert Name column, Security Center terminates the malicious process of a virus file. The file can no longer threaten your services. We recommend that you quarantine the file at the earliest opportunity.
- If Strict Mode is displayed in the Alert Name column, the alert detection mode of a server is Strict Mode. After Strict Mode is enabled, Security Center detects more suspicious behavior and generates alerts. However, the false positive rate is higher in this mode. For more information, see Enable features on the Host Protection Settings tab.

Handle security alerts

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Detection and Response > Alerts.

On the Alerts page, find the security alert that you want to manage and click Handle in the Actions column. In the dialog box that appears, select a processing method to handle the security alert and click Process Now.

Note

Different types of security alerts support different processing methods. The processing methods displayed in the Security Center console shall prevail.
You can add a note based on your business requirements. For example, you can enter the reason for handling the security alert and the user who handles the security alert. This helps manage security alerts that are handled.

Method	Description
Virus Detection and Removal	If you select Virus Detection and Removal, you can terminate the malicious process for which the security alert is generated and quarantine the source file of the malicious process. The quarantined file can no longer threaten your services. If you confirm that the security alert is a positive, you can use one of the following methods to manually handle the security alert: End the process.: terminates the malicious process. End the process file and isolate the source file: quarantines the virus file. After the virus file is quarantined, the file can no longer threaten your servers. For more information, see View and restore quarantined files. Warning If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable. A quarantined file can be restored within 30 days. After the restoration, the security alert generated for the file is displayed in the security alert list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
Add to Whitelist	If the security alert is a false positive, you can add the security alert to the whitelist. You can also specify a whitelist rule to add security alerts that meet the condition in the rule to the whitelist. For example, you select Add To Whitelist for the security alert Exploit Kit Behavior and specify a rule to add the security alerts generated for commands that contain aa to the whitelist. After the configuration, the status of the security alert changes to Handled. Security Center no longer generates security alerts for the commands that contain aa. In the handled security alert list, you can remove the security alert from the whitelist. Note If you select this method, the security alert that you select is added to the whitelist. You can also specify a whitelist rule. After you specify a whitelist rule, Security Center no longer generates the same security alert as the selected security alert if the condition in the rule is met. For more information about the security alerts that can be added to the whitelist of Security Center, see What security alerts can I add to the whitelist? If Security Center generates a security alert on a normal process, the security alert is considered a false positive. Common false positives include a security alert generated for Unusual TCP Packets. The security alert notifies you that your server initiated suspicious scans on other devices.
Ignore	If you select Ignore, the status of the security alert changes to Ignored. Security Center still generates this security alert in the subsequent detection. Note If one or more security alerts can be ignored or are false positives, you can select the security alerts and click Ignore Once or Add to Whitelist below the security alert list of the Alerts page.
Deep cleanup	After the security experts of Security Center conduct tests and analysis on persistent viruses, the experts develop the Deep cleanup method based on the test and analysis results to detect and remove persistent viruses. If you use this method, risks may occur. You can click Details to view the information about the viruses that you want to remove. This method supports snapshots. You can create snapshots to restore data that is deleted during deep cleanup.
Isolation	If you select Isolation, Security Center quarantines webshell files. The quarantined files can no longer threaten your services. Warning If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable. A quarantined file can be restored within 30 days. After the restoration, the security alert generated for the file is displayed in the security alert list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
Block	If you select Block, Security Center generates security group rules to defend against attacks. You must specify the validity period for the rules. This way, Security Center blocks access requests from malicious IP addresses within the specified period.
End process	If you select End process, Security Center terminates the process for which the security alert is generated.
Troubleshooting	If you select Troubleshooting, the diagnostic program of Security Center collects information about the Security Center agent that is installed on your server and reports the information to Security Center for analysis. The information includes the network status, the processes of the Security Center agent, and logs. During the diagnosis, CPU and memory resources are consumed. You can select one of the following modes for troubleshooting: Standard In Standard mode, logs of the Security Center agent are collected and then reported to Security Center for analysis. Strict In Strict mode, the information about the Security Center agent is collected and then reported to Security Center for analysis. The information includes network status, processes, and logs.
Handled manually	If you select this method, it indicates that you have handled the risks for which the security alert is generated.
Batch unhandled (combine the alert triggered by the same rule or type)	If you select this method, you can select multiple security alerts to handle at a time. Before you handle multiple security alerts at a time, we recommend that you view the details of the security alerts.
Do Not Intercept Rule	If you do not want Security Center to block requests whose URI matches blocking rules, select Do Not Intercept Rule. After you select Do Not Intercept Rule, Security Center no longer blocks requests that use the URI or generates security alerts.
Defense Without Notification	If you select this method, the same security alerts are automatically added to the handled security alert list. Security Center no longer notifies you of the security alerts. Proceed with caution.
Disable Alerting Defense Rule	If you select this method, the system disables the automatic defense rule. Proceed with caution.

After you handle the security alert, the status of the security alert changes from Unhandled to Handled.

View statistics about security alerts

Security Center provides statistics based on the alert types that are enabled. This allows you to obtain up-to-date information about the security alerts on your assets and on the enabled and disabled alert types. You can view the statistics about security alerts and the enabled alert types.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Detection and Response > Alerts.

In the upper part of the Alerts page, view the statistics about security alerts.

Parameter	Description	Operation
Alerting Server(s)	The number of servers for which security alerts are generated.	Click the number below Alerting Server(s) to go to the Server tab of the Host page. On the Server tab, view the details of servers for which security alerts are generated.
Urgent Alerts	The number of unhandled Urgent security alerts.	Click the number below Urgent Alerts. The system displays the urgent security alerts on the Alerts page. You can view and handle the Urgent security alerts. Note We recommend that you handle the Urgent security alerts at the earliest opportunity.
All Alerts	The total number of unhandled security alerts.	View the details of all unhandled security alerts on the Alerts page. For more information, see View and handle security alerts.
Precise Defense	The number of viruses that are automatically quarantined by the Malicious Behavior Defense feature.	Click the number below Precise Defense. The system displays the related security alerts on the Alerts page. You can view all the viruses that are automatically quarantined by the Malicious Behavior Defense feature. Note You can ignore the security alerts for the viruses that are quarantined by Security Center.
IP blocking / All	IP blocking: the number of blocked IP addresses after the defense policies against brute-force attacks are enabled. All: the number of IP addresses blocked by all the defense policies against brute-force attacks that are created.	Click a number below IP blocking / All. In the IP Policy Library panel, you can view the enabled IP address blocking policies or the IP address blocking policies that are created. For more information about IP address blocking policies, see Configure alert settings.
Number Of Quarantined Files	The number of files that are quarantined by Security Center based on handled security alerts.	Click the number below Number Of Quarantined Files. In the Quarantine panel, you can view the details of quarantined files. The quarantined files cannot affect your servers. For more information, see View and restore quarantined files.

View the statistics about archived security alerts

If more than 100 security alerts exist, Security Center automatically archives only the security alerts that were handled prior to 30 days ago. Archived security alerts are no longer displayed in the Security Center console. If you want to view the statistics about archived security alerts, you can download the file of archived security alerts to your computer.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Detection and Response > Alerts.
In the upper-right corner of the Alerts page, click Archive data.
In the Archive data dialog box, view the file of archived security alerts.
Click Download in the Download link column to download the file of archived security alerts to your computer.
The file of archived security alerts is in the XLSX format. It takes 2 to 5 minutes to download a file of archived security alerts. The time required by a download operation varies based on the network bandwidth and the file size.
After you download the file, you can view the information about security alerts in the file. The information includes the alert IDs, alert names, alert details, risk levels, and status of security alerts. It also provides information about affected assets, names of the affected assets, suggestions for handling the security alerts, and points in time at which security alerts were generated.
Note
If a security alert is in the Expired state, the security alert has been generated within the last 30 days but you have not handled the security alert. We recommend that you handle the security alerts generated by Security Center at the earliest opportunity.

View and restore quarantined files

Security Center can quarantine malicious files. Quarantined files are listed in the Quarantine panel of the Alerts page. The system automatically deletes a quarantined file 30 days after the file is quarantined. If you confirm that the quarantined file is not exposed to security risks, you can restore the quarantined file with a few clicks within 30 days after the file is quarantined.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Detection and Response > Alerts.
In the upper-right corner of the Alerts page, click Quarantine.
In the Quarantine panel, view information about quarantined files or restore the quarantined files.
- You can view information about quarantined files. The information includes server IP addresses, directories that store the files, file status, and time of the last modification.
- You can also restore a quarantined file: Find the file and click Restore in the Actions column. The restored file is displayed in the security alert list again.