High-risk Commands

Last updated: 2024-08-13 16:29:50
    This document describes how to view and act on the alarm list of high risk commands.

    Overview

    Based on Tencent Cloud's security technologies and multidimensional approaches, CWPP monitors commands executed on the system in real time. If a high risk command is detected, the system sends you a real-time alarm notification. Additionally, you can configure policies that mark the risk level of threat commands and take the corresponding action.

    Prerequisites

    The high risk command feature is available only for hosts on the Pro Edition and Ultimate Edition. Basic Edition and unprotected hosts need to be upgraded to the Pro Edition or Ultimate Edition to use this feature.

    Alert List

    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > High Risk Commands to enter the alarm list tab for high risk commands.
    2. In the Alert list tab for high risk commands, you can view the alarm list of high risk commands and perform operations on it. The list displays 14 fields: server name/instance ID, IP address, policy type hit, hit policy, risk level, command content, log-in user, PID, process, data source, occurrence time, processed time, status, and operation. The displayed list fields can be user-defined.
    Filtering: The event list of high risk commands supports choosing dates to view corresponding alarm information, and supports searching for events by keywords and tags (multiple keywords separated by a vertical bar (|), and multiple filter tags separated by hitting the Enter key). It also allows filtering alarm information by hit policy type, risk level, data source, and status.
    
    Custom List Fields: Above the alarm list of high risk commands, click the field settings icon to set the fields displayed in the list. After selection, click OK to apply the settings.
    
    Exporting Alert List: Above the alarm list of high risk commands, click the export icon to export the list information.
    Details > Alert details: Click Details to view the alarm details page of high risk commands.
    
    Details > Process tree: On the alarm details page of high risk commands, select the Process tree tab to view the details of the three processes, arranged in reverse chronological order.
    
    Details > Event investigation: In the right action bar of the alarm list of high risk commands, click Details and choose the Event Investigation tab to enter the corresponding host list for event investigation.
    Note
    Windows machines do not support the event investigation feature.
    Only the Ultimate Edition supports the event investigation feature.
    Mark as Processed: Click Process > Mark as processed. If you have manually handled the current high risk command alarm, you can mark it as processed.
    
    Add to allowlist: Click Process > Add to allowlist to add trusted commands to the allowlist, preventing future alarms or interceptions when the command is executed again.
    
    Create Custom Interception Policy: Click Process > Create Custom Interception Policy to automatically intercept threat commands and generate interception records.
    Note
    Interception policies are supported only for hosts on the Ultimate Edition. Basic and Pro Edition hosts need to be upgraded to the Ultimate Edition first.
    
    Ignore: Supports single or multiple selection of high risk command alarms. Only the selected alarms are ignored; if the same issue occurs again, an alarm is still triggered.
    Delete Log: Supports single or multiple selection of high risk command alarms. The selected alarm records are deleted.
    

    Policy Configuration

    Create a Custom Policy

    The high risk command feature supports creating custom policies that define how threat commands are handled.
    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > High Risk Commands to enter the high risk commands page.
    2. Select Policy configuration > Create policy to enter the create policy page.
    3. On the create policy page, fill in the basic information of the policy, including policy name, policy description, and enable status.
    
    4. Fill in the policy details: choose blocklist or allowlist and the corresponding action, enter the regular expression, select the risk level, and select the effective host range.
    The blocklist rule means that an alarm notification is generated when a threat command is found on the host.
    Note
    An interception policy automatically intercepts the command and sends an alarm when a threat command is found on the host.
    Interception policies are supported only for Ultimate Edition machines. Basic and Pro Edition hosts need to be upgraded to the Ultimate Edition to use this feature.
    
    The allowlist rule means allowing threat commands without generating alarms or interception actions.
    Note
    If all Pro Edition and Ultimate Edition hosts are selected for the effective host range, newly added Pro/Ultimate Edition hosts will be automatically included in the policy's effective range.
    You can select the option to apply this policy rule's actions to historical Pending alarms that match the rule.
    
    5. After saving the settings, the policy appears in the policy list. Policies applied to the blocklist are marked with the corresponding threat level.
    6. You can filter, edit, and delete policies in the policy list.
    
    Field Description:
    Filtering: Configured policies support searching by keywords and tags (multiple keywords separated by a vertical bar (|), and multiple filter tags separated by hitting the Enter key). They can also be filtered by risk level (all/high-risk/medium-risk/low-risk/none), by executed action (alarm/block/allow), and by effective status (effective/ineffective).
    Custom List Fields: At the top of the policy list, click the field settings icon to set the fields displayed in the list. After selection, click Confirm to complete the settings.
    Enable status: The list supports setting the enable status of policies. In the enable status column, click the enable switch to enable or disable the policy.
    Edit: In the action bar on the right side of the policy list, click Edit to edit the created policies.
    Delete: In the policy list, configured policies can be deleted.

    System Policies

    The high risk command feature now includes system automatic interception rules. Once enabled, the system automatically intercepts detected high risk system commands. Some configurations still require your manual policy settings.
    High Risk System Commands: The list of high risk system commands is curated by CWPP operations experts and algorithm experts. The commands in this list can be used for auto-interception.
    Interception Principle Description: Automatic interception of high risk commands works by detecting a process that hits a rule and killing it. For example, if process A attempts to create a /bin/bash -i process (assuming bash -i is on the blocklist), the creation of the /bin/bash process is terminated (or fails), while process A itself is not affected.
    Note:
    If you find a false interception, you can create a custom policy for allowlist processing or contact us.
    System auto-interception rules are available only to Ultimate Edition users.
    1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > High Risk Commands.
    2. On the high risk commands page, you can enable the system's automatic interception rules in either of the following two ways:
    On the Policy configuration page, click the implementation switch next to the system automatic interception rules policy.
    
    On the alarm list page, click the Automatic Interception of High-Risk Commands switch to enable it.
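    As an added example (not Tencent Cloud's or CWPP's own code), the following Python models how the custom policies described under Policy Configuration are applied and how the interception principle from System Policies behaves: each policy carries a regular expression, a blocklist/allowlist type, an action (alarm or block) and a risk level; allowlist hits suppress both alarms and interception; and a blocked child process fails to start while its parent keeps running. The policy names and patterns are constructed sample values, and the allowlist-before-blocklist precedence is an assumption about evaluation order, not documented CWPP behaviour.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Policy:
    name: str          # policy name (constructed sample values below)
    pattern: str       # regular expression matched against the full command line
    list_type: str     # "blocklist" or "allowlist"
    action: str        # "alarm" (notify only), "block" (intercept + notify) or "allow"
    risk_level: str    # "high", "medium", "low" or "none"
    enabled: bool = True

# Constructed sample policies, not CWPP's built-in high risk system command list.
POLICIES: List[Policy] = [
    # Anchor allowlist patterns tightly: a loose allowlist exempts anything containing the text.
    Policy("ops-backup-script", r"^/usr/local/bin/backup\.sh\b", "allowlist", "allow", "none"),
    Policy("interactive-shell", r"(^|/)bash\s+-i\b", "blocklist", "block", "high"),
    Policy("history-wipe", r"^history\s+-c\b", "blocklist", "alarm", "medium"),
]

def evaluate(command: str, policies: List[Policy] = POLICIES) -> Dict[str, Optional[str]]:
    """Return the verdict for one command line.

    Assumption: an allowlist hit wins over any blocklist hit (the page says allowlisted
    commands raise no alarm or interception); otherwise the first enabled blocklist
    match decides the action and risk level."""
    for p in policies:
        if p.enabled and p.list_type == "allowlist" and re.search(p.pattern, command):
            return {"action": "allow", "risk_level": "none", "policy": p.name}
    for p in policies:
        if p.enabled and p.list_type == "blocklist" and re.search(p.pattern, command):
            return {"action": p.action, "risk_level": p.risk_level, "policy": p.name}
    return {"action": "allow", "risk_level": "none", "policy": None}

def spawn(parent: str, child_command: str, policies: List[Policy] = POLICIES) -> Dict[str, object]:
    """Model the interception principle: the rule is checked when the child process is
    created. A 'block' verdict makes the child fail to start; the parent is untouched.
    Both 'alarm' and 'block' verdicts produce an alarm record."""
    verdict = evaluate(child_command, policies)
    blocked = verdict["action"] == "block"
    return {
        "parent": parent,
        "parent_alive": True,
        "child_started": not blocked,
        "alarm_raised": verdict["action"] in ("alarm", "block"),
        **verdict,
    }
```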