On the Intrusion detection page, you can view real-time detection alarms for containers that have protection enabled and process those alarms.
Viewing Running Status Alarm Information
1. Log in to the CSG Console.
2. On the left navigation bar, select Alarm > Intrusion detection to go to the Intrusion detection page.
3. The ATT&CK alarm view organizes alarms by the MITRE ATT&CK framework, so you can follow an attack end to end, from the attacker's initial access through to the final impact.
4. The Common Intrusion Behavior alarm view covers common intrusion behaviors such as reverse shell (rebound shell), local privilege escalation, brute force cracking, malicious command execution, malware detection (virus killing), and container escape.
5. Click the Collapse (Put it away) button in the upper right corner of the view, or scroll down the page, to see the running status alarm list. By default the list is filtered to alarms in the Not processed status.
6. In the running status alarm list you can filter and query by alarm level, alarm type, alarm name, cluster name, affected node, affected namespace, affected container, affected service, status, destination IP, destination port, source IP, source port, MD5, and image name. The alarm type and alarm name filters support fuzzy matching; all other filters match exactly.
7. Running status alarm parameters:
Parameter | Description |
--- | --- |
Alarm name | Click the alarm name to open the details page and view the specific reason for the alarm. |
Alarm level | One of three levels: Emergency, Abnormal, and Hint. |
Alarm type | One of: command execution, file reading and writing, network activity, container security, cluster exception, host exception, and file content. |
Cluster name | The name of the cluster in which the alarm occurred. |
Affected Nodes | The name of the affected node. |
Affected Namespaces | The name of the affected namespace. |
Affected Container | The name of the affected container or service. |
First trigger time | The time at which the alarm event was first detected. |
Last trigger time | The time at which the alarm event was most recently detected. |
Status | Processed or Not processed. |
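The list above is what you work from when triaging, and the same filtering and ordering rules are easy to reproduce offline once alarms have been exported. The following is an added example, not code from the CSG console or its vendor: it assumes each alarm has been exported with the columns of the alarm list (the `Alarm` field names and the `SAMPLE_ALARMS` records are constructed for this example), applies the console's defaults (only Not processed alarms, fuzzy matching on alarm type and name, exact matching on everything else), orders the queue by level and recency, and additionally flags containers carrying several distinct alarms, which is where an ATT&CK-style chain such as a reverse shell followed by privilege escalation first becomes visible.

```python
"""Triage helper for exported CSG intrusion-detection alarms (illustrative).

The Alarm fields below mirror the columns of the console's alarm list; the
field names and the SAMPLE_ALARMS records are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Prioritisation order: Emergency first, Hint last.
LEVEL_RANK = {"Emergency": 0, "Abnormal": 1, "Hint": 2}

# The console supports fuzzy matching on these two list columns only.
FUZZY_FIELDS = {"alarm_type", "name"}


@dataclass(frozen=True)
class Alarm:
    name: str
    level: str          # Emergency | Abnormal | Hint
    alarm_type: str
    cluster: str
    node: str
    namespace: str
    container: str
    first_trigger: str  # ISO 8601, so strings sort chronologically
    last_trigger: str
    status: str         # "Not processed" | "Processed"


# Constructed sample data (not real alarms).
SAMPLE_ALARMS = [
    Alarm("Reverse shell", "Emergency", "command execution", "prod", "node-1",
          "default", "web-1", "2024-05-01T10:00:00", "2024-05-01T10:05:00",
          "Not processed"),
    Alarm("Local privilege escalation", "Emergency", "command execution", "prod",
          "node-1", "default", "web-1", "2024-05-01T10:06:00",
          "2024-05-01T10:06:00", "Not processed"),
    Alarm("Brute force cracking", "Abnormal", "network activity", "prod", "node-2",
          "default", "ssh-bastion", "2024-05-01T09:00:00", "2024-05-01T09:30:00",
          "Processed"),
    Alarm("Suspicious file read", "Hint", "file reading and writing", "prod",
          "node-2", "kube-system", "logger", "2024-05-01T08:00:00",
          "2024-05-01T08:00:00", "Not processed"),
    Alarm("Container escape", "Emergency", "container security", "staging",
          "node-3", "default", "builder", "2024-05-01T11:00:00",
          "2024-05-01T11:00:00", "Not processed"),
]


def matches(alarm: Alarm, **filters) -> bool:
    """True if the alarm satisfies every filter whose value is not None.

    alarm_type and name are matched as case-insensitive substrings (fuzzy);
    every other field must match exactly, as in the console list.
    """
    for key, wanted in filters.items():
        if wanted is None:
            continue
        actual = getattr(alarm, key)  # AttributeError for an unknown column
        if key in FUZZY_FIELDS:
            if wanted.lower() not in actual.lower():
                return False
        elif actual != wanted:
            return False
    return True


def triage_queue(alarms, status="Not processed", **filters):
    """Matching alarms, highest level first, most recent trigger first.

    status=None disables the status filter (the console default is
    "Not processed").
    """
    hits = [a for a in alarms if matches(a, status=status, **filters)]
    hits.sort(key=lambda a: a.last_trigger, reverse=True)      # newest first
    hits.sort(key=lambda a: LEVEL_RANK.get(a.level, len(LEVEL_RANK)))  # stable
    return hits


def containers_with_multiple_alarms(alarms):
    """Containers carrying two or more distinct unprocessed alarm names.

    Several different alarms on one container usually mean successive
    attack stages rather than independent noise, so handle these first.
    """
    names_by_container = defaultdict(set)
    for a in alarms:
        if a.status == "Not processed":
            names_by_container[(a.cluster, a.namespace, a.container)].add(a.name)
    return sorted(key for key, names in names_by_container.items()
                  if len(names) >= 2)


if __name__ == "__main__":
    for a in triage_queue(SAMPLE_ALARMS):
        print(f"{a.level:9} {a.name:28} {a.cluster}/{a.namespace}/{a.container}"
              f" last={a.last_trigger}")
    print("multi-alarm containers:", containers_with_multiple_alarms(SAMPLE_ALARMS))
```

Running the block lists the four unprocessed sample alarms with the three Emergency alarms first and the single Hint last, and reports `prod/default/web-1` as the container with more than one distinct alarm. Because the two sorts are stable, ties on level keep their recency order.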
Processing Alarms
1. Log in to the CSG Console.
2. On the left navigation bar, select Alarm > Intrusion detection to go to the Intrusion detection page.
3. Select the ATT&CK alarm view or the Common Intrusion Behavior alarm view as needed.
4. Click Handle in the Operation column of the alarm list, or click the alarm name to open the details page and then click Handle. On the handle page, select the processing method:
− If you have determined that the alarm is a false positive, select Join the whitelist or Mark as resolved. Whitelisting suppresses future alarms that match this rule, so confirm that the behavior is expected before choosing it.
− If the alarm is genuine, select Isolate the Pod, Restart the Pod, or Pause the container. Restarting the Pod recreates its containers and discards their writable filesystem state, so collect any evidence you need before restarting.
5. Select the processing method and click Save to complete the alarm processing.