After you deploy a honeypot on your server, Cloud Honeypot captures attacks from inside and outside the cloud. Each detected attack appears as an alert event on the Alert Event page. Review and handle these events promptly to keep your servers secure.
Prerequisites
Before you begin, make sure that you have:
Deployed a honeypot on your server
Access to the Security Center console
View alert events
Log in to the Security Center console. In the top navigation bar, select the region of the asset you want to manage: China or Outside China.
In the left-side navigation pane, choose Risk Governance > Cloud Honeypot > Alert Event.
At the top of the Alert Event page, review the honeypot statistics:

| Statistic | Description |
| --- | --- |
| Manage Node Status | Status of your honeypot management nodes |
| Authorized Probes | Number of probes you are licensed to use |
| Available Probes | Number of probes available for deployment |
| Deployed Host Probes | Number of probes currently deployed on hosts |

If you need more probes, click Upgrade Configuration to purchase additional probes.
In the alert event list, review detected attacks. Each event shows the Risk Level, Risk Overview, and Attack Source.
To investigate a specific event:
Find the event and click View Logs in the Actions column. The Event Log page lists all logs related to the event.
Find a log entry and click Details in the Actions column. The Log Details page shows Basic Information and the Attack Timeline for that log entry.
Handle alert events
Log in to the Security Center console. In the top navigation bar, select the region of the asset you want to manage: China or Outside China.
In the left-side navigation pane, choose Risk Governance > Cloud Honeypot > Alert Event.
Find the alert event you want to handle and click Handle in the Actions column.
In the Handle Alert dialog box, set Solution based on the nature of the event:

| Solution | When to use | What happens |
| --- | --- | --- |
| Add to Whitelist | The event is generated by a known, legitimate workload rather than an actual attack | Alert events with the same attack information are no longer displayed in the alert event list and no longer trigger alerts |
| Mark as Handled | The event is a confirmed attack and you have already remediated it on the server or Virtual Private Cloud (VPC) | The event is marked as resolved |

Click OK.
After you add an alert event to the whitelist, other alert events with the same attack information are no longer displayed in the alert event list, and the attack no longer triggers alert events. To ensure the security of your asset, we recommend that you do not add alert events to the whitelist unless necessary. To reverse the action, find the event in the handled alert event list, click Handle, set Solution to Remove from Whitelist, and click OK.