To ensure the security of your assets, we recommend that you view the alert events that are generated by Security Center on your assets and handle the alert events at the earliest opportunity. This topic describes how to view and handle alert events.
View alert events
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Alerts page, view alert events.
Switch between asset types
You can perform this operation only if you use the Ultimate edition of Security Center. Click the All, Host, Container, or K8S tab to view the alert events that are generated for each type of asset.
Search for alert events
Use the filters above the alert event list. The filters include Emergency level and Handled or Not.
Click an alert type in the Alert Type section or an attack phase in the Attack Phase section to the left of the alert event list.
View the details about an alert event
On the Alerts page, click the name of the alert event whose details you want to view. In the panel that appears, you can view the details about the alert event and the exceptions related to the alert event. This allows you to analyze the alert event, trace attack sources, and identify the path of the attack in an efficient and comprehensive manner. For more information about the exceptions that are related to an alert event, see View exceptions related to an alert event. For more information about how to trace attack sources, see Use attack source tracing.
Move the pointer over the icon to the right of an alert event name to view the attack sources or the exceptions related to the alert event.
The following table describes the icons to the right of alert event names.
Icon
Name
Description
Attack Source Tracing
The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the causes of intrusions and make informed decisions at the earliest opportunity. You can click the Attack Source Tracing icon to go to the Diagnosis tab. For more information, see Use attack source tracing.
Investigation
The investigation feature provides visualized information about attacks. You can view the source IP addresses from which attacks are launched and analyze the causes of intrusions. This feature helps you locate the attacked assets and reinforce your asset security. You can click the Investigation icon to go to the Investigation page.
Related Exceptions
You can move the pointer over this icon to view the number of exceptions that are related to the alert event.
Safeguard Mode For Major Activities
The safeguard mode for major activities is a protection mode supported by the Security Center agent. You can enable the mode to protect major activities. After the mode is enabled, Security Center generates alert events for suspicious intrusions and potential threats. If this icon is displayed next to the name of an alert event that is generated on your asset, the safeguard mode for major activities is enabled for the asset. For more information, see Use proactive defense.
Attack Phase
An attack includes the following phases: Attack Portal, Load Delivery, Privilege Escalation, Escape Detection, Permission Maintenance, Lateral Movement, Remote Control, Data Breach, Trace Cleaning, and Damage. You can click the Attack Phase icon to view the phase of an attack on your assets and the security status of your assets.
Blocked
The Blocked icon indicates that Security Center terminated the malicious process of a virus file. The file can no longer threaten your services. We recommend that you quarantine the file at the earliest opportunity.
View the alert events that are automatically handled by Security Center
On the Alerts page, set Handled or Not to Handled and Status to Successful Interception. This way, you can view all alert events generated for common viruses that are automatically quarantined by Security Center.
View exceptions related to an alert event
On the Alerts page, find the required alert event and click Details in the Actions column. In the details panel of the alert event, you can view the details of the alert event and exceptions related to the alert event. You can also handle the exceptions.
View the details about the alert event
You can view the following information: Affected Assets, First Occurrence, Latest Occurrence, Alert Reason, and Related Exceptions.
View affected assets
Click the name of an affected asset to view the details of the asset. The details include alerts, vulnerabilities, baseline risks, and asset fingerprints.
View alert event causes
To view the causes and handling suggestions of the alert event, click Go Now to go to the Vulnerabilities or Baseline Check page. On the Vulnerabilities page, you can view and handle the vulnerabilities. On the Baseline Check page, you can view and manage baseline risks.
View and handle related exceptions
In the Related Exceptions section, view the details about all exceptions that are related to the alert event. You can also view suggestions on how to handle the exceptions. To handle the exceptions, you can perform the following operations:
Click Process to the right of an exception. In the dialog box that appears, select a processing method to handle the exception.
For more information about how to select a processing method, see Handle alert events.
Click Note to the right of an exception to add a note for the exception.
Click the icon to the right of a note to delete the note.
View tracing results of the alert event on the Diagnosis tab
Click the Diagnosis tab to view the tracing results of the alert event.
View sandbox check results
Security Center provides the feature of cloud sandbox check to detect malware. If malware is detected, the feature generates alert events. To view the check results, click Cloud sandbox detection to go to the Sandbox inspection tab. If no data is displayed on the tab, the cloud sandbox has not yet checked the file for which the alert was generated. In this case, click Go to Cloud Sandbox to upload and check the file.
Use the feature of attack source tracing
Security Center provides the feature of attack source tracing. This feature automatically traces the sources of attacks and provides original data previews. The feature of attack source tracing processes, aggregates, and visualizes logs from various Alibaba Cloud services by using a big data analytics engine. Then, the feature generates an event chain diagram of intrusions based on the analysis result. This way, you can identify the causes of intrusions and make informed decisions at the earliest opportunity. You can use the feature in scenarios where urgent response and source tracing of threats are required, such as web intrusions, worm events, ransomware, and unauthorized communications to suspicious sources in the cloud.
Note: Only the Enterprise and Ultimate editions support the feature of attack source tracing. If you use the Basic, Anti-virus, or Advanced edition of Security Center, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use the feature.
Three months after an alert event is generated, the information about attack source tracing for the alert event is automatically deleted. We recommend that you view the information about attack source tracing for alert events at the earliest opportunity.
Security Center generates a chain of automated attack source tracing 10 minutes after a threat is detected. We recommend that you view the information about attack source tracing 10 minutes after an alert event is generated.
On the Alerts page, find the alert event for which the Attack Source Tracing icon is displayed and click the icon. In the panel that appears, you can view the alert name, alert type, affected resources, attack source IP address, HTTP request details, and attack request details.
On the Diagnosis tab, you can also view the information about each node in the chain diagram of the attack source tracing event. You can click a node to view details about the node on the Node Attributes page.
Handle alert events
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Alerts page, find the alert event that you want to handle and click Process in the Actions column. In the dialog box that appears, select a processing method to handle the alert event and click Process Now.
Note: If the alert event is related to multiple exceptions, the details panel of the alert event appears after you click Process. You can separately handle the exceptions in the panel. For more information, see View exceptions related to an alert event.
Method
Description
Anti-Virus
If you select Anti-Virus, you can terminate the malicious process for which the alert event is generated and quarantine the source file of the malicious process. The quarantined file can no longer threaten your services.
If you confirm that the alert event is a true positive, you can use one of the following methods to manually handle the alert event:
End the process: terminates the malicious process.
Isolate the source file of the process: quarantines the virus file. After the virus file is quarantined, the file can no longer threaten your servers. For more information, see Quarantine.
Warning: If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable.
A quarantined file can be restored within 30 days. After the restoration, the alert event generated for the file is displayed in the alert event list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
Add To Whitelist
If the alert event is a false positive, you can add the alert event to the whitelist. You can also specify a whitelist rule to add alert events that meet the condition in the rule to the whitelist. For example, you select Add To Whitelist for the alert event Exploit Kit Behavior and specify a rule to add the alert events generated for commands that contain aa to the whitelist. After the configuration, the status of the alert event changes to Handled. Security Center no longer generates alert events for the commands that contain aa. In the Handled alert event list, you can click Remove whitelist to remove the alert event from the whitelist.
Note: If you select this method, the alert event that you select is added to the whitelist. You can also specify a whitelist rule. After you specify a whitelist rule, Security Center no longer generates the same alert event as the selected alert event if the condition in the rule is met. For more information about the alert events that can be added to the whitelist of Security Center, see What alert events can I add to the whitelist?
If Security Center generates an alert event on a normal process, the alert event is considered a false positive. Common false positives include an alert event generated for suspicious processes that send TCP packets. The alert event notifies you that your server initiated suspicious scans on other devices.
Ignore
If you select Ignore, the status of the alert event changes to Ignored. Security Center still generates this alert event in the subsequent detection.
Note: If one or more alert events can be ignored or are false positives, you can select the alert events and click Ignore Once or Add whitelist below the alert event list of the Alerts page.
Deep cleanup
After the security experts of Security Center conduct tests and analysis on persistent viruses, the experts develop the Deep cleanup method based on the test and analysis results to detect and remove persistent viruses. This method involves risk. You can click Details to view the information about the viruses that you want to remove. This method supports snapshots. You can create snapshots to restore data that is deleted during deep cleanup.
Isolation
If you select Isolation, Security Center quarantines webshell files. The quarantined files can no longer threaten your services.
Warning: If malicious code snippets are written to a business-related file, your business may fail to run as expected after you quarantine the file. Before you quarantine a file, make sure that the impact on your business is controllable.
A quarantined file can be restored within 30 days. After the restoration, the alert event generated for the file is displayed in the alert event list, and the file is monitored by Security Center. Security Center automatically deletes a file 30 days after it is quarantined.
Block
If you select Block, Security Center generates security group rules to defend against attacks. You must specify the validity period for the rules. This way, Security Center blocks access requests from malicious IP addresses within the specified period.
End process
If you select End process, Security Center terminates the process for which the alert event is generated.
Troubleshooting
If you select Troubleshooting, the diagnostic program of Security Center collects information about the Security Center agent that is installed on your server and reports the information to Security Center for analysis. The information includes the network status, the processes of the Security Center agent, and logs. During the diagnosis, CPU and memory resources are consumed.
You can select one of the following modes for troubleshooting:
Standard
In Standard mode, logs of the Security Center agent are collected and then reported to Security Center for analysis.
Strict
In Strict mode, the information about the Security Center agent is collected and then reported to Security Center for analysis. The information includes network status, processes, and logs.
Handled manually
If you select this method, it indicates that you have handled the risks for which the alert event is generated.
Batch unhandled (combine the alert triggered by the same rule or type)
If you select this method, you can select multiple alert events to handle at a time. Before you handle multiple alert events at a time, we recommend that you view the details about the alert events.
Do Not Intercept Rule
If you do not want Security Center to block requests whose URI matches blocking rules, select Do Not Intercept Rule. After you select Do Not Intercept Rule, Security Center no longer blocks requests that use the URI or generates alerts.
Defense Without Notification
If you select this method, the same alert events are automatically added to the Handled alert event list. Security Center no longer notifies you of the alert events. Proceed with caution.
Disable Alerting Defense Rule
If you select this method, the system disables the automatic defense rule. Proceed with caution.
After you handle the alert event, the status of the alert event changes from Unhandled to Handled.
View the statistics about archived alert events
If more than 100 alert events exist, Security Center automatically archives only the alert events that were handled more than 30 days ago. Archived alert events are no longer displayed in the Security Center console. If you want to view the statistics about archived alert events, you must download the file of archived alert events to your computer.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
In the upper-right corner of the Alerts page, click Archive data.
In the Archive data dialog box, view the file of archived alert events.
Click Download in the Download link column to download the file of archived alert events to your computer. Then, click OK.
The file of archived alert events is in the XLSX format. It takes 2 to 5 minutes to download a file of archived alert events. The time required by a download operation varies based on the network bandwidth and the file size.
After you download the file, you can view the information about alert events in the file. The information includes the alert IDs, alert names, alert details, risk levels, and status of alert events. It also provides information about affected assets, names of the affected assets, suggestions for handling the alert events, and points in time at which alert events were generated.
Note: If an alert event is in the Expired state, the alert event has been generated within the last 30 days but you have not handled the alert event. We recommend that you handle the alerts generated by Security Center at the earliest opportunity.
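The downloaded archive is the only place where alert history older than the console's retention window can be reviewed, so it is worth being able to triage it offline. The following script is an added example and is not code from the Alibaba Cloud documentation or from Security Center itself. It assumes the XLSX file has been saved as CSV from a spreadsheet tool, and that the column headers used below stand in for the fields the documentation lists (alert ID, alert name, alert details, risk level, status, affected asset, asset name, handling suggestion, generation time); those header names, the timestamp format, and the sample rows are constructed assumptions, not the product's export schema.

```python
"""Offline triage of a downloaded Security Center alert archive.

Added example; not code from the Alibaba Cloud documentation or product.
Assumes the XLSX archive has been saved as CSV and that the headers below
correspond to the fields the documentation describes. Header names and the
timestamp format are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows that mirror the fields described in the documentation.
SAMPLE_CSV = """alert_id,alert_name,alert_details,risk_level,status,affected_asset,asset_name,suggestion,generated_at
1001,Webshell,Suspicious PHP file under the web root,Urgent,Handled,10.0.0.5,web-01,Quarantine the file,2024-01-03 10:15:00
1002,Suspicious Process,Process sends TCP packets,Suspicious,Ignored,10.0.0.5,web-01,Confirm whether the scan is expected,2024-01-05 08:00:00
1003,Exploit Kit Behavior,Command line contains aa,Urgent,Handled,10.0.0.7,db-01,Add to whitelist if false positive,2024-01-10 12:30:00
1004,Malicious Process,Unknown process with high CPU usage,Urgent,Expired,10.0.0.9,app-02,Terminate the process,2024-02-01 09:45:00
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed format of the generation time column
REFERENCE_TIME = datetime(2024, 2, 10)  # constructed "now" for the sample data


def load_alerts(text):
    """Parse CSV text into a list of dicts, converting generated_at to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["generated_at"] = datetime.strptime(row["generated_at"], TIME_FORMAT)
    return rows


def summarize(rows):
    """Count alerts by (risk level, status) and by affected asset name."""
    by_level_status = Counter((r["risk_level"], r["status"]) for r in rows)
    by_asset = Counter(r["asset_name"] for r in rows)
    return by_level_status, by_asset


def backlog(rows, now):
    """Return alerts that are not in the Handled state, oldest first.

    Each entry is (alert_id, alert_name, asset_name, age_in_days). Ignored and
    Expired alerts are included: neither state means the underlying risk was
    fixed, so they still belong on a reviewer's list.
    """
    pending = [r for r in rows if r["status"] != "Handled"]
    pending.sort(key=lambda r: r["generated_at"])
    return [
        (r["alert_id"], r["alert_name"], r["asset_name"], (now - r["generated_at"]).days)
        for r in pending
    ]


def repeat_offenders(rows, threshold=2):
    """Return asset names that appear in at least `threshold` alerts."""
    _, by_asset = summarize(rows)
    return sorted(name for name, count in by_asset.items() if count >= threshold)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_CSV)
    levels, assets = summarize(alerts)
    for (level, status), count in sorted(levels.items()):
        print(f"{level:<12} {status:<10} {count}")
    print("assets with repeated alerts:", repeat_offenders(alerts))
    for alert_id, name, asset, age in backlog(alerts, REFERENCE_TIME):
        print(f"pending {alert_id} {name} on {asset}, {age} days old")
```

To use it on a real export, replace SAMPLE_CSV with the file contents (for example, `load_alerts(open("archive.csv", encoding="utf-8").read())`) and adjust the header names and TIME_FORMAT to whatever the downloaded file actually contains. The backlog view deliberately treats Ignored and Expired alerts as still open, which matches the note above: an Expired alert is one that was never handled.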
Quarantine
Security Center can quarantine malicious files. Quarantined files are listed in the Quarantine panel of the Alerts page. The system automatically deletes a quarantined file 30 days after the file is quarantined. You can restore a quarantined file with a few clicks before the file is deleted.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
In the upper-right corner of the Alerts page, click Quarantine to go to the Quarantine panel. You can view or restore quarantined files in the panel.
You can view information about quarantined files. The information includes server IP addresses, directories that store the files, file status, and time of the last modification.
To restore a quarantined file, find the file and click Restore in the Actions column. In the Note message, click OK. After the restoration, the alert event generated for the file is displayed in the alert event list.
Important: You can restore files within 30 days after they are quarantined. Security Center deletes the files that have been quarantined for more than 30 days.