After a honeypot captures an attack launched within and outside the cloud, Security Center dynamically analyzes the attacker's behavior and generates attacker profiles and analysis reports for each source IP address — covering attack history, behavioral patterns, and identity details. Use the Attack Source Analysis page to review these profiles and assess the threat level of each attacker.
Prerequisites
Before you begin, ensure that you have:
Purchased the cloud honeypot feature. See Purchase the cloud honeypot feature
Configured a honeypot. See Configure a honeypot
View attack source tracing results
Log on to the Security Center console. In the top navigation bar, select the region of the asset you want to manage: China or Outside China.
In the left-side navigation pane, choose Risk Governance > Cloud Honeypot > Attack Source Analysis.
On the Attack Source Analysis page, review the list of source IP addresses that attacked your honeypots.
Find a source IP address, then click Details in the Actions column.
The details panel shows three tabs, each covering a different dimension of the attacker:
Tab What it shows Basic information Attack history of the source IP: Last Attack Target, Last Attack Time, Intrusion Logs, and Last Attack Details Behavior Analysis Visual analytics: an attack trend chart, column charts of attacked IP addresses and probes, and distribution charts by intrusion event types and attacked honeypot types Attacker Profile Identity details of the attacker: attacker ID, total number of attacks, and last attack event To drill down further:
On the Basic information tab, click the number next to Intrusion Logs to open the Event Log page and review the full event-level breakdown for that IP address.
On the Attacker Profile tab, click Details in the Actions column to view additional identity context, including the operating system and time zone used by the attacker.