Tencent Container Security Service
Event List
Last updated: 2024-01-23 15:44:44
The high-risk syscall feature provides the lists of risky syscall events and allowlist policies. The event list module displays the high-risk syscall check results.

Filtering and Refreshing Events

1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
2. On the Event list page, click the search box and search for high-risk syscall events by keyword such as process path, syscall name, or container name.


3. On the Event list page, click the icon on the right of the Operation column to refresh the event list.

Exporting the Event List

1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
2. On the Event list page, click the selection icon to select the target high-risk syscall event and click the export icon to export it.
Note:
Click the icon in the Operation column to select multiple events.


Changing the Event Status

Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.

Method 1

On the Event list page, you can mark a high-risk syscall event as processed, ignore it, or delete it.
Mark as processed: Click the selection icon to select the target high-risk syscall event and click Mark as processed > OK.
Note:
It's recommended to handle the event by following "Solution" in the event details and then mark it as processed.
Ignore: Click the selection icon to select the target high-risk syscall event and click Ignore > OK.
Note:
Only the selected events are ignored. Alerts will be triggered when the same events occur again.
Delete: Click the selection icon to select the target high-risk syscall event and click Delete > OK.
Note:
The selected event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

Method 2

1. On the Event list page, click Process now to add events in the Pending resolved status to the allowlist, mark them as processed, or ignore them.


2. Click OK or Cancel.


3. On the Event list page, click Unignore or Delete to unignore or delete events in the Ignored status.
Note:
As an event will be in the Pending resolved status once unignored, you need to click OK for confirmation.
The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.
4. On the Event list page, click Delete to delete events in the Processed status.
Note:
The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

Viewing Event Details

1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
2. On the Event list page, click the icon on the left of the Process path to view the event description.


3. On the Event list page, click View details.


4. The Event details page displays the event details, process information, parent process information, and event description. You can mark the event as processed, ignore it, or add it to the allowlist.
Note:
For detailed directions on how to mark an event as processed, ignore it, or delete it, see Changing the Event Status.
5. On the Event details page, click Add to allowlist and confirm the conditions (process path and syscall name) and the scope.


Conditions: Process path and Syscall name, which cannot be changed.


Scope: All images or Specified images. Click the add or remove icon to select or delete the target specified image.
Note:
You can press Shift to select multiple images.

6. After selecting the target content, click Set or Cancel.
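
The conditions and scope in step 5 can be compared offline before you click Set. The following Python sketch is an added example, not Tencent's code: it models an allowlist rule as process path plus syscall name with a scope of All images or Specified images, and reports which pending events each scope would cover. The CSV column names, the sample rows, and the exact-match semantics are assumptions, since this page does not document the export format.

```python
import csv
import io

# Constructed sample standing in for an exported event list; column names are assumptions.
EXPORT = """process_path,syscall,image,container,events,status
/usr/bin/nsenter,setns,registry.example/ops-debug:1.4,debug-7f9c,12,Pending resolved
/usr/bin/nsenter,setns,registry.example/web:2.1,web-5d8b,1,Pending resolved
/usr/sbin/chronyd,adjtimex,registry.example/ntp:4.3,ntp-0,340,Pending resolved
/usr/bin/nsenter,unshare,registry.example/ops-debug:1.4,debug-7f9c,3,Ignored
"""

def load_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["events"] = int(r["events"])
    return rows

def rule_matches(rule, event):
    """Assumed rule model: both conditions must match, then the image scope."""
    if (event["process_path"], event["syscall"]) != (rule["process_path"], rule["syscall"]):
        return False
    return rule["images"] is None or event["image"] in rule["images"]  # None = All images

def coverage(rule, events):
    """Pending events a rule would cover, as alert counts grouped by image."""
    hit = {}
    for e in events:
        if e["status"] == "Pending resolved" and rule_matches(rule, e):
            hit[e["image"]] = hit.get(e["image"], 0) + e["events"]
    return hit

def extra_images(narrow, broad, events):
    """Images only the broader rule would allow: review these before widening scope."""
    return sorted(set(coverage(broad, events)) - set(coverage(narrow, events)))

events = load_events(EXPORT)
specified = {"process_path": "/usr/bin/nsenter", "syscall": "setns",
             "images": {"registry.example/ops-debug:1.4"}}
all_images = dict(specified, images=None)

if __name__ == "__main__":
    print("Specified images covers:", coverage(specified, events))
    print("All images covers:      ", coverage(all_images, events))
    print("Only allowed by All images:", extra_images(specified, all_images, events))
```

An image that appears only under All images (here a web image running nsenter) is a reason to keep the scope at Specified images and investigate that event instead of allowlisting it.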

Custom List Management

1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
2. On the Event list page, click the icon to open the Custom List Management window.
3. In the pop-up window, select the target type and click OK.



Key fields in the list

1. First occurred: The time when an alert is first triggered by the syscall event. By default, the system aggregates identical alert events that have not been processed.
2. Last occurred: The time when an alert is last triggered by the aggregated alert events. You can click the sort button on the right to sort the events in the list in chronological or reverse chronological order.
3. Events: Total number of alerts triggered by the syscall event within the aggregation period.
4. Execution result: Blocked successfully, Failed to block, Allowed, or Alert. You can quickly filter events in the list by action execution result.
5. Status: Processed, Ignored, Pending resolved, or Allowed. You can quickly filter events in the list by status.