The Blocked attacks module presents all the security events blocked by CFW based on configured rules and threat intelligence, and allows you to analyze and resolve all blocked attacks.
Visual representation of blocked attacks
1. Log in to the Cloud Firewall console. In the left navigation pane, click Alert Management -> Blocked attacks to open the Blocked attacks page.
2. In this module, you can analyze existing security alert events in a graph, filtered by ① personal assets, ② region, and ③ time range (24 hours, 7 days, or a custom time range). The left section displays the trend curve of recently blocked events, with the x-axis indicating time and the y-axis indicating the number of blocked attacks at each point in time. Below the curve, you can view the statistics about blocked malicious outgoing access, attacks blocked by the blocklist, blocked brute-force attacks, and blocked exploit attacks. On the right, you can view the ranking of blocked events by blocked IP, geographic location, and destination port.
Note
This page is automatically refreshed at an interval. You can set ④Auto refresh rate to 30s or 60s.
List of blocked attacks
Blocked events are divided into Inbound, Lateral movements, and Outbound based on the traffic direction.
② Filter events by conditions
You can click Block all, Block, or Ignore for selected events.
Note
These buttons are only available when one or more events are selected.
Select values from the drop-down lists marked "②" to filter blocked events. The following capabilities are supported:
Display blocked events by intrusion defense policy and resolution status.
Sort blocked events by blocking time, blocking statistics, and average blocking frequency.
Record blocked events at a frequency of minutes, hours, or days.
Filter events by keywords.
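The aggregations the Blocked attacks page computes (trend curve per time bucket, statistics by attack category, rankings by blocked IP, geographic location and destination port, and filtering by traffic direction and time range) can be reproduced offline over exported records. The following is an added Python example, not CFW code; the records and field names (`time`, `direction`, `blocked_ip`, `geo`, `dst_port`, `category`) are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records modelled on the fields shown on the Blocked attacks page;
# these are not real CFW log entries (addresses are documentation ranges).
EVENTS = [
    {"time": "2024-05-01T10:02:00", "direction": "Inbound",  "blocked_ip": "203.0.113.7",  "geo": "US", "dst_port": 22,   "category": "brute-force"},
    {"time": "2024-05-01T10:15:00", "direction": "Inbound",  "blocked_ip": "203.0.113.7",  "geo": "US", "dst_port": 22,   "category": "brute-force"},
    {"time": "2024-05-01T11:40:00", "direction": "Inbound",  "blocked_ip": "198.51.100.9", "geo": "DE", "dst_port": 3389, "category": "brute-force"},
    {"time": "2024-05-01T11:55:00", "direction": "Outbound", "blocked_ip": "192.0.2.44",   "geo": "CN", "dst_port": 443,  "category": "malicious-outbound"},
    {"time": "2024-05-01T12:10:00", "direction": "Inbound",  "blocked_ip": "203.0.113.7",  "geo": "US", "dst_port": 80,   "category": "exploit"},
    {"time": "2024-04-28T09:00:00", "direction": "Inbound",  "blocked_ip": "198.51.100.9", "geo": "DE", "dst_port": 22,   "category": "blocklist"},
]

# Record frequency of minutes, hours or days, as offered by the filter drop-down.
BUCKET_FORMAT = {"minutes": "%Y-%m-%dT%H:%M", "hours": "%Y-%m-%dT%H:00", "days": "%Y-%m-%d"}

def in_window(events, now, hours=24):
    """Keep events within the selected time range (24 hours, or 168 for 7 days) ending at `now`."""
    end = datetime.fromisoformat(now)
    start = end - timedelta(hours=hours)
    return [e for e in events if start <= datetime.fromisoformat(e["time"]) <= end]

def trend(events, bucket="hours"):
    """Number of blocked events per time bucket: the points of the trend curve."""
    fmt = BUCKET_FORMAT[bucket]
    return dict(Counter(datetime.fromisoformat(e["time"]).strftime(fmt) for e in events))

def category_stats(events):
    """Statistics by category (malicious outgoing access, blocklist, brute-force, exploit)."""
    return dict(Counter(e["category"] for e in events))

def rank(events, field, top=3):
    """Ranking by blocked IP, geographic location or destination port (ties keep first-seen order)."""
    return Counter(e[field] for e in events).most_common(top)

def by_direction(events):
    """Split events into the Inbound, Lateral movements and Outbound lists."""
    return {d: [e for e in events if e["direction"] == d]
            for d in ("Inbound", "Lateral movements", "Outbound")}

if __name__ == "__main__":
    recent = in_window(EVENTS, "2024-05-01T12:30:00")
    print(trend(recent), category_stats(recent))
    print(rank(recent, "blocked_ip"), rank(recent, "dst_port"))
```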
Click to switch to the full-screen display mode. Click to switch back to the original display mode. Click Asset view or Event view to switch between the two views.
Asset view
In this view, the blocked events from the same access source are displayed based on attacker assets.
You can click the IP of the access source on the left to view the threat profile.
Click Pin to top or Allow, or click More -> Quarantine/Block/Ignore on the right to pin, allow, quarantine, block, or ignore an IP.
Note
The available buttons on the right vary depending on the state of the assets.
The following operations also apply to batch processing and event view.
Pin to top/Unpin: You can pin or unpin assets. Note: A maximum of 5 items can be pinned for Outbound or Inbound.
Allow: Click Allow for an IP that does not need to be blocked. Then, select Reason and Validity. Within the selected validity period, the IP is in the access control allowlist and is not blocked. If you are not certain about whether the reason is "false positive", you can select Allow for emergency, and modify it later if necessary.
Quarantine: Click Quarantine. When an asset instance is quarantined, the system automatically publishes a blocking rule for enterprise security groups that blocks network access to the selected asset in the specified blocking direction. This simplifies subsequent troubleshooting and prevents further attacks on the asset.
Block: For assets with a high threat level, click Block. Then, specify a validity period to add the IP to the blocklist in Intrusion defense. CFW automatically blocks that IP from accessing all of your assets within the specified period.
Ignore: For repeated alerts or possible false positives, you can click Ignore. Ignored alert events are not included in the alert list or statistics, but their logs are retained. You are no longer notified of ignored alert events when they trigger alerts again. You can select Ignored in the list to view all the ignored events. The "Ignore" operation is irreversible.
Event view