Alert Analysis and Handling

Last updated: 2024-01-24 15:48:25
This topic describes the operations available in Alert Management. Log in to the Cloud Firewall console, open the Alert Management page, and click Attack alerts to go to the Attack alerts page. On this page, you can view the trend chart of security events and the number of recent security events, and then adjust your defense policies to prevent attacks.

Filtering alert events

This section describes how to locate the alert events you want to view through filtering.
① Select the assets for which you want to view alert events.
② Select the type of alert events.
③ Select whether to view unresolved events or resolved events.
④ Sort events by occurrence time or by number of occurrences, or filter events by attack event type, severity, protocol, and source.

Note
To view all critical or high-risk events, select the level in the ④ Severity column and then view the events of each type by clicking the different ② alert event types.
You can also enter keywords in the search bar on the right to search for the events you need.

Resolving alert events

This section describes how to resolve alert events. For more information about how to filter alert events, see "Filtering alert events".

① Click Block, Allow, or Ignore to resolve an alert.
Note
To modify your operation, undo the operation in Intrusion defense -> Blocklist.
Block: For security events with a higher severity or a larger number of alerts, click Block to add the IP to the blocklist in Intrusion defense. CFW automatically blocks access from this IP to all your assets within the specified period.

Allow: For repeated or possible false alerts, click Allow to add the IP to the allowlist in Intrusion defense. CFW allows traffic from the IP by skipping attack detection for that IP in Intrusion defense within the specified period.

Ignore: If you do not want to take action on an alert, click Ignore. The log is not deleted; you can view it in the list of ignored alerts.
Caution
The "Ignore" operation is irreversible.

② Select multiple alert events in the area marked "②" on the left.
Note
To select alert events across pages, select the target events on the current page and then go to another page to select more events.
This applies to all multi-selection scenarios.
③ Click Block all, Allow, or Ignore to resolve multiple events in a batch.
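As an added illustration of the filters in "Filtering alert events" and of the Block/Allow/Ignore semantics above (example code written for this page, not part of the Tencent Cloud documentation or of any CFW API): a small Python model that applies the same filter and sort criteria to a constructed alert list and tracks blocklist and allowlist entries together with their expiry. The alert field names, the sample values and the blocklist-before-allowlist check order are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts shaped like rows of the Attack alerts list (hypothetical values).
ALERTS = [
    {"asset": "ins-web01", "type": "Web attack", "severity": "Critical", "ip": "198.51.100.7",
     "count": 42, "time": "2024-01-20 10:15:00", "resolved": False},
    {"asset": "ins-web01", "type": "Brute force", "severity": "High", "ip": "198.51.100.7",
     "count": 9, "time": "2024-01-20 11:00:00", "resolved": False},
    {"asset": "ins-db01", "type": "Web attack", "severity": "Medium", "ip": "192.0.2.33",
     "count": 3, "time": "2024-01-19 08:30:00", "resolved": True},
]

def filter_alerts(alerts, asset=None, event_type=None, resolved=False, severity=None, sort_by="time"):
    """Console filters ① to ④: asset, alert type, resolved state, severity set; sort newest-first or by count."""
    rows = [a for a in alerts
            if (asset is None or a["asset"] == asset)
            and (event_type is None or a["type"] == event_type)
            and a["resolved"] == resolved
            and (severity is None or a["severity"] in severity)]
    return sorted(rows, key=lambda a: a["time" if sort_by == "time" else "count"], reverse=True)

class IntrusionDefense:
    """Block/Allow/Ignore as described above: block and allow entries expire after the chosen period."""
    def __init__(self):
        self.blocklist, self.allowlist, self.ignored = {}, {}, []
    def block(self, alert, now, days):  # undoable later by deleting the blocklist entry
        self.blocklist[alert["ip"]] = now + timedelta(days=days)
        alert["resolved"] = True
    def allow(self, alert, now, days):  # undoable later by deleting the allowlist entry
        self.allowlist[alert["ip"]] = now + timedelta(days=days)
        alert["resolved"] = True
    def ignore(self, alert):            # no undo; the event is relabelled and kept, not deleted
        self.ignored.append(alert)
        alert["resolved"] = True
    def verdict(self, ip, now):
        """How CFW treats traffic from ip at time now (blocklist checked first: an assumption)."""
        if self.blocklist.get(ip, now) > now:
            return "blocked for all assets"
        if self.allowlist.get(ip, now) > now:
            return "allowed, detection skipped"
        return "normal detection"

def triage_demo():
    """Worked run: block the Critical alert for 7 days and allow the Medium one for 1 day."""
    now, idf = datetime(2024, 1, 24, 15, 48), IntrusionDefense()
    idf.block(dict(ALERTS[0]), now, 7)
    idf.allow(dict(ALERTS[2]), now, 1)
    return (idf.verdict("198.51.100.7", now), idf.verdict("198.51.100.7", now + timedelta(days=8)),
            idf.verdict("192.0.2.33", now), idf.verdict("203.0.113.1", now))
```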

Searching for security events of an IP

This section describes how to search for all security events of an IP. Locate a security event of the IP of interest, and click the icon to the right of the IP to list all security events of that IP.

Note
This applies to all scenarios where you need to filter security events by IP, regardless of the IP type.

Searching for security events of an asset

This section describes how to search for all security events of an asset.
Method 1: In the drop-down list in the upper-left corner of the view, select the target asset.

Method 2: Locate a security event of interest, and click the icon to the right of the asset.

Note
This applies to all scenarios where you need to view events by asset.

Viewing recent security events

To view recent security events, select all assets and all sources, and then click the arrow to the right of Occurrence time to sort the security events in reverse chronological order. You can switch between alert types by clicking the tabs at the top. For more information, see "Filtering alert events".
    