View and handle alert events

更新时间:
复制 MD 格式

After Cloud Honeypot is deployed, it captures real attacks on your servers from inside and outside the cloud and displays the attack data as alert events on the Cloud Honeypot page. To keep your servers secure, we recommend that you view and handle alert events promptly. This topic describes how to view and handle alert events.

View alert events

  1. Log on to the Security Center console.

  2. In the left navigation pane, choose Risk Governance > Cloud Honeypot > Alert Event. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Alert Event page, view alert event statistics, including Manage Node Status, Authorized Probes, Available Probes, and Deployed Host Probes.

    If your honeypot probes are insufficient, click Upgrade Configuration to purchase more probes.

  4. In the alert list, view details of security alert events generated by attacks captured by Cloud Honeypot, including Risk Level, Risk Overview, and Attack Source.

    1. Click View Logs in the Actions column of the target alert event to go to the Event Log page, where you can view detailed log entries related to the alert event.

    2. Click Details in the Actions column of the target log to view log details, including Basic Information and Attack Timeline.

Handle alert events

  1. Log on to the Security Center console.

  2. In the left navigation pane, choose Risk Governance > Cloud Honeypot > Alert Event. In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.

  3. Handle alert events on the Alert Event page.

    Based on the alert event details, choose the appropriate handling method.

    • Add to whitelist

      Important

      After you set the handling method to Add to Whitelist, alert events with the same attack information are no longer displayed in the alert event list. To ensure the security of your assets, exercise caution when performing this operation.

      If the alert event is generated by a legitimate workload, click Handle in the Actions column of the alert event, and set the handling method to Add to Whitelist.

      Note

      After you add an alert event to the whitelist, if you want to report the alert event again, find the event in the handled alert event list, click Handle in the Actions column, and select Remove from Whitelist.

    • Mark as handled

      If the alert event is a confirmed attack, harden the security of your server or VPC to address the identified risks. After hardening is complete, click Handle in the Actions column, and set the handling method to Mark as Handled.