Breach Detection

更新时间:
复制 MD 格式

When a server is compromised, the Breach Detection feature of Cloud Firewall helps you promptly detect and identify intrusion events to prevent significant business losses. This topic describes how to check for security threats on your servers and configure protection modes.

Prerequisites

Procedure

  1. Log in to the Cloud Firewall console.

  2. In the left-side navigation pane, select Detection and Response > Incidents > Breach Detection.

  3. On the Breach Detection page, view the details of intrusion events.

    On the Breach Detection page, you can perform the following operations:

    • View the event list

      In the intrusion event list, view details such as Risk Level, the affected asset IP address and UID, and Handling Status.

    • Find a target event

      In the top menu bar, filter events by Risk Level, time type, Handling Status, or detection time range. You can also search for an intrusion event by its instance IP address, ID, name, or UID.

    • Enable Block Mode for the threat engine

      After you enable the internet firewall, the threat engine uses Block Mode by default. If you disable Block Mode, the Breach Detection page can detect risk events but cannot block them. In the Actions column, click Quick Blocking to enable Block Mode for the threat engine.

      Important

      The Quick Blocking switch does not control individual events. Enabling or disabling Quick Blocking toggles the intrusion prevention system (IPS) feature for the entire Cloud Firewall.

    • Ignore an intrusion event

      If you determine that an intrusion event is normal activity, find the event and click Ignore in the Actions column.

      Note

      An event marked as Ignore is removed from the intrusion event list, and Cloud Firewall will no longer generate alerts for it.

    • View event details

      Find the event that you want to inspect, and click Details in the Actions column to view its details and security recommendations.

    • Analyze an event with AI assistance: Click the image icon in the AI Analysis column to use the Security AI Assistant for a quick analysis of the breach alert.

      The analysis includes:

      Payload content analysis: A brief description of the selected alert and the results of the AI analysis.

      Attacker intent: A prediction of the attacker's behavior based on the AI analysis.

      Defense recommendations: Recommendations for Cloud Firewall protection configurations (such as ACL policies and IPS Configuration) and asset investigation.

References