When a server is compromised, the Breach Detection feature of Cloud Firewall helps you promptly detect and identify intrusion events to prevent significant business losses. This topic describes how to check for security threats on your servers and configure protection modes.
Prerequisites
The internet firewall is enabled. For more information, see Enable the firewall switch.
The Block mode of the threat engine is enabled. For more information, see IPS Configuration.
Procedure
Log in to the Cloud Firewall console.
-
In the left-side navigation pane, select .
On the Breach Detection page, view the details of intrusion events.
On the Breach Detection page, you can perform the following operations:
View the event list
In the intrusion event list, view details such as Risk Level, the affected asset IP address and UID, and Handling Status.
Find a target event
In the top menu bar, filter events by Risk Level, time type, Handling Status, or detection time range. You can also search for an intrusion event by its instance IP address, ID, name, or UID.
Enable Block Mode for the threat engine
After you enable the internet firewall, the threat engine uses Block Mode by default. If you disable Block Mode, the Breach Detection page can detect risk events but cannot block them. In the Actions column, click Quick Blocking to enable Block Mode for the threat engine.
ImportantThe Quick Blocking switch does not control individual events. Enabling or disabling Quick Blocking toggles the intrusion prevention system (IPS) feature for the entire Cloud Firewall.
Ignore an intrusion event
If you determine that an intrusion event is normal activity, find the event and click Ignore in the Actions column.
NoteAn event marked as Ignore is removed from the intrusion event list, and Cloud Firewall will no longer generate alerts for it.
View event details
Find the event that you want to inspect, and click Details in the Actions column to view its details and security recommendations.
Analyze an event with AI assistance: Click the
icon in the AI Analysis column to use the Security AI Assistant for a quick analysis of the breach alert.The analysis includes:
Payload content analysis: A brief description of the selected alert and the results of the AI analysis.
Attacker intent: A prediction of the attacker's behavior based on the AI analysis.
Defense recommendations: Recommendations for Cloud Firewall protection configurations (such as ACL policies and IPS Configuration) and asset investigation.
References
Use the IPS Configuration feature to set the running mode for the threat engine and configure threat intelligence, basic defense, intelligent defense, and virtual patching. This helps you identify and block intrusion risks with greater precision. For more information, see IPS Configuration.
The intrusion prevention system (IPS) provides real-time detection and blocking of malicious traffic, including hacker attacks, vulnerability exploits, brute-force attacks, worms, mining programs, trojan attacks, and DoS attacks. It safeguards your cloud-based information systems and network architecture. For more information, see IPS overview and Intrusion Prevention.
Cloud Firewall can synchronize with Security Center to identify vulnerabilities exploited by network attacks and defend against them. For more information, see Vulnerability Prevention.