Event List

Last updated: 2024-01-23 15:44:44
    The high-risk syscall feature provides the lists of risky syscall events and allowlist policies. The event list module displays the high-risk syscall check results.

    Filtering and Refreshing Events

    1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
    2. On the Event list page, click the search box and search for high-risk syscall events by keyword, such as process path, syscall name, or container name.
    3. On the Event list page, click the refresh icon on the right of the Operation column to refresh the event list.

    Exporting the Event List

    1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
    2. On the Event list page, click the checkbox to select the target high-risk syscall event and click the export icon to export it.
    Note:
    Click the checkbox in the Operation column to select multiple events.

    Changing the Event Status

    Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.

    Method 1

    On the Event list page, you can mark a high-risk syscall event as processed, ignore it, or delete it.
    Mark as processed: Click the checkbox to select the target high-risk syscall event and click Mark as processed > OK.
    Note:
    It's recommended to handle the event by following the "Solution" in the event details before marking it as processed.
    Ignore: Click the checkbox to select the target high-risk syscall event and click Ignore > OK.
    Note:
    Only the selected events are ignored. Alerts will be triggered again if the same events recur.
    Delete: Click the checkbox to select the target high-risk syscall event and click Delete > OK.
    Note:
    The selected event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

    Method 2

    1. On the Event list page, click Process now to add events in the Pending resolved status to the allowlist, mark them as processed, or ignore them.
    2. Click OK or Cancel.
    3. On the Event list page, click Unignore or Delete to unignore or delete events in the Ignored status.
    Note:
    As an event will be in the Pending resolved status once unignored, you need to click OK for confirmation.
    The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.
    4. On the Event list page, click Delete to delete events in the Processed status.
    Note:
    The event record will no longer be displayed in the console and cannot be recovered once deleted. Proceed with caution.

    Viewing Event Details

    1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
    2. On the Event list page, click the icon on the left of the Process path to view the event description.
    3. On the Event list page, click View details.
    4. The Event details page displays the event details, process information, parent process information, and event description. You can mark the event as processed, ignore it, or add it to the allowlist.
    Note:
    For detailed directions on how to mark an event as processed, ignore it, or delete it, see Changing the Event Status.
    5. On the Event details page, click Add to allowlist and confirm the conditions (process path and syscall name) and the scope.
    Conditions: Process path and Syscall name, which cannot be changed.
    Scope: All images or Specified images. Click the add or remove icon to select or delete the target specified image.
    Note:
    You can press Shift to select multiple images.
    6. After selecting the target content, click Set or Cancel.

    Custom List Management

    1. Log in to the TCSS console and click Advanced Prevention > High-risk Syscalls > Event list on the left sidebar.
    2. On the Event list page, click the settings icon to open the Custom List Management window.
    3. In the pop-up window, select the target type and click OK.

    Key fields in the list

    1. First occurred: The time when an alert was first triggered by the syscall event. By default, the system aggregates identical alert events that have not yet been processed into one record.
    2. Last occurred: The time when the most recent alert in the aggregated group was triggered. You can click the sort button on the right to sort the events in the list in chronological or reverse chronological order.
    3. Events: Total number of alerts triggered by the syscall event within the aggregation period.
    4. Execution result: Blocked successfully, Failed to block, Allowed, or Alert. You can quickly filter events in the list by action execution result.
    5. Status: Processed, Ignored, Pending resolved, or Allowed. You can quickly filter events in the list by status.
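    The following Python model, added here and not TCSS code, makes the list semantics from this section and from Changing the Event Status and Viewing Event Details concrete: unprocessed identical alerts aggregate into one record (First occurred, Last occurred, Events), an allowlist rule is a process path plus syscall name scoped to all or specified images, and status transitions are only valid from the statuses the console allows. The aggregation key (process path, syscall, container) and the rule and row shapes are assumptions.

```python
from dataclasses import dataclass
# Constructed model of the event-list semantics described on this page; not TCSS code.
PENDING, PROCESSED, IGNORED, ALLOWED = "Pending resolved", "Processed", "Ignored", "Allowed"
TRANSITIONS = {  # action -> (statuses it applies to, resulting status)
    "Mark as processed": ({PENDING}, PROCESSED), "Ignore": ({PENDING}, IGNORED),
    "Add to allowlist": ({PENDING}, ALLOWED), "Unignore": ({IGNORED}, PENDING)}

def allowlisted(rules, path, syscall, image) -> bool:
    """Rule = (process_path, syscall, images); images=None means scope 'All images'."""
    return any(p == path and s == syscall and (imgs is None or image in imgs)
               for p, s, imgs in rules)

@dataclass
class Row:
    process_path: str
    syscall: str
    container: str
    first_occurred: int    # time the first alert in the aggregate fired
    last_occurred: int     # time the latest alert in the aggregate fired
    events: int = 1        # alerts folded into this row
    status: str = PENDING

class EventList:
    def __init__(self, rules):
        self.rules, self.rows, self._open = rules, [], {}  # _open: pending rows by identity

    def ingest(self, ts, path, syscall, container, image) -> Row:
        key = (path, syscall, container)                     # assumed aggregation identity
        if key in self._open:              # same alert, still unprocessed: aggregate
            row = self._open[key]
            row.last_occurred, row.events = ts, row.events + 1
            return row
        status = ALLOWED if allowlisted(self.rules, path, syscall, image) else PENDING
        row = Row(path, syscall, container, ts, ts, status=status)
        if status == PENDING:
            self._open[key] = row          # only unprocessed rows aggregate further alerts
        self.rows.append(row)
        return row

    def apply(self, row: Row, action: str) -> Row:
        allowed_from, new_status = TRANSITIONS[action]
        if row.status not in allowed_from:
            raise ValueError(f"{action!r} is not valid for status {row.status!r}")
        key = (row.process_path, row.syscall, row.container)
        if new_status == PENDING:          # unignored: back to Pending resolved
            self._open[key] = row
        else:                              # ignored/processed: a recurrence alerts as a new row
            self._open.pop(key, None)
        row.status = new_status
        return row
```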