This document will introduce how to view and operate the alarm list of high risk commands.
Overview
Based on Tencent Cloud's security technologies and multidimensional approaches, CWPP can monitor commands in the system in real time. If a high risk command is detected, the system will provide you with real-time alarm notifications. Additionally, you can configure policies to mark the risk level of threat commands and perform corresponding actions.
Prerequisites
High risk command feature is available only for hosts of Pro Edition and Ultimate Edition. Basic Edition and unprotected hosts need to upgrade to the Pro edition or Ultimate edition to use this feature.
Alert List
1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > High Risk Commands to enter the alarm list tab for high risk commands.
2. In the Alert list tab for high risk commands, you can view the alarm list of high risk commands and perform operations. The list interface displays 14 fields including server name/instance ID, IP address, policy type hit, hit policy, risk level, command content, log-in user, PID, process, data source, occurrence time, processed time, status, and operation. The displayed list fields can be user-defined.
Filtering: The event list of high risk commands supports choosing dates to view corresponding alarm information, and supports searching for events by keywords and tags (multiple keywords separated by a vertical bar (|), and multiple filter tags separated by hitting the Enter key). It also allows filtering alarm information by hit policy type, risk level, data source, and status.
Custom List Fields: Above the alarm list of high risk commands, click
to set the fields displayed in the list. After selection, click OK to apply the settings.
Exporting Alert List: Above the alarm list of high risk commands, click
to export the list information.
Details > Alert details: Click Details to view the alarm details page of high risk commands.
Details > Process tree: On the alarm details page of high risk commands, select the Process tree tab to view the details of the three processes arranged in reverse chronological order.
Details > Event investigation: In the right action bar of the alarm list of high risk commands, click Details to choose the Event Investigation tab to enter the corresponding host list for event investigation.
Note
Windows machines do not support the event investigation feature.
Only the Ultimate Edition supports the event investigation feature.
Mark as Processed: Click Process > Mark as processed. If the user has manually handled the current high risk command alarm, they can mark this alarm as processed.
Add to allowlist: Click Process > Add to allowlist to add trusted commands to the allowlist, preventing future alarms or interceptions when the command is executed again.
Create Custom Interception Policy: Click Process > Create Custom Interception Policy to automatically intercept threat commands and generate interception records.
Note
Interception policy is supported only for hosts of Ultimate Edition. Basic and Pro Edition hosts need to upgrade to the Ultimate edition first.
Ignore: Supports single or multiple selections of high risk command alarm information. Only the selected alarms are ignored. If the same issue occurs again, alarms will still be triggered.
Delete Log: Supports single or multiple selections of high risk command alarm information. The selected alarm records are deleted.
Policy Configuration
Create a Custom Policy
The high risk command feature supports creating a custom policy. Set the policy to handle threat commands accordingly.
1. Log in to the CWPP console. In the left sidebar, choose Intrusion Detection > High Risk Commands to enter the high risk commands page.
2. Select Policy configuration > Create policy to enter the create policy page.
3. On the create policy page, fill in the basic information of the policy, including policy name, policy description, and enable status.
4. Fill in the policy details, including choosing blocklist/allowlist and their corresponding actions. Fill in the regular expression, select risk level, and select the effective host range.
The blocklist rule means that an alarm notification will be generated when a threat command is found on the host.
Note
Interception policy refers to automatically intercepting and sending alarms when a threat command is found on the host.
Interception policy is supported only for Ultimate Edition machines. Basic and Pro Edition hosts need to upgrade to the Ultimate edition to use this feature.
The allowlist rule means allowing threat commands without generating alarms or interception actions.
Note
If all Pro Edition and Ultimate Edition hosts are selected for the effective host range, newly added Pro/Ultimate Edition hosts will be automatically included in the policy's effective range.
You can check to apply this policy rule's actions to historical Pending alarms that match this policy rule.
5. After settings, you can view it in the policy list. Policies applied to the blocklist will be marked with the corresponding threat level.
6. You can filter, edit, and delete policies in the policy list.
Field Description:
Filtering: Configured policies support searching by keywords and tags (multiple keywords separated by a vertical bar (|), and multiple filter tags separated by hitting the Enter key). They can also be filtered by risk level (all/high-risk/medium-risk/low-risk/none), by executed action (alarm/block/allow), and by effective status (effective/ineffective).
Custom List Fields: At the top of the policy list, click
to set display fields in the list. After selection, click Confirm to complete the settings.
Enable status: The list supports setting the enable status of policies. In the enable status column, click Enable Switch to decide whether to enable the policy.
Edit: In the action bar on the right side of the policy list, click Edit to edit the created policies.
Delete: In the policy list, configured policies can be deleted.
System Policies
The high risk command feature now includes system automatic interception rules. Once enabled, the system automatically intercepts detected high risk system commands. However, some configurations still require your manual policy settings.
High Risk System Commands: High risk system commands are refined by CWPP operation experts and algorithm experts. The commands in this list can be used for auto-interception.
Interception Principle Description: The automatic interception of high risk commands is performed as the process of detecting and killing hit rules. For example, if process A attempts to create a /bin/bash -i process (assuming bash -i is on the blocklist), then the attempted creation of the /bin/bash process will be terminated (or fail to create), while process A itself will not be affected.
Yes
No
Was this page helpful?