Network attacks are automatically monitored for malicious traffic based on technical support from the Tencent Cloud security offensive and defensive team. It combines malicious behavior generated during intrusions. Real-time automated correlation analysis of attacks and alarms is performed, outputting attack traffic data and notifying attack events. This document will introduce how to view and handle network attack alarms.
Explanation
Detection object: Only supports Linux hosts in the Professional Version/flagship edition.
Detection range: Only detects some Hotspot vulnerabilities with EXP and successful attack cases in the cloud.
Vulnerability defense: Only supports Linux hosts in the flagship edition.
Defense Status Description
Supports vulnerability defense (not enabled): Cloud Workload Protection Platform supports defending against this vulnerability, but the host has not enabled defense for it.
Supports vulnerability defense (enabled): Cloud Workload Protection Platform supports defending against this vulnerability, and the host has enabled defense for it.
Vulnerability defense not supported: Host Security does not support defending against this vulnerability.
Note:
Possible reasons for vulnerability defense not being enabled: the defense switch is not turned on, the host is not the flagship edition, or it is not within the bastion host range.
The presence of attack events indicates that hackers are using attack methods to exploit the vulnerability, but it does not mean that the current machine has this vulnerability.
Alarm Statistics
1. Log in to the CWPP Console, and in the left sidebar, select Advanced Defense > Network Attack.
2. On the Network Attack page, you can view the vulnerability defense status in network attacks, data statistics of pending alarms, and the Top 5 situation.

Field Description:
Vulnerability defense status: Reflects the status of the vulnerability defense switch.
Processing network alarms: The number of current processing alarms.
Attacked asset: The number of attacked assets involved in the current processing alarms.
Attacked port: The number of attacked ports involved in the current processing alarms.
Attack source IP: The number of attack source IPs in the current processing alarms.
Viewing Alarms
On the Network Attack page, you can view network attack details, including hostname/instance ID, IP address, template port, and other information.

Field Description:
Hostname/Instance ID: The name and Instance ID of the attacked host.
IP Address: The public/private IP of the attacked host.
Target port: Attacked port.
Attack source IP/Address: The source IP and location of the attacker.
Vulnerability name: Refers to the attack method used by the attacker to exploit a vulnerability and the current status of the vulnerability defense.
Attack status: Refers to the result after the attacker’s action, including attempted attack (attacked but not successful) and successful attack (confirmed attack).
Last attack time: The most recent time an attack was detected.
Number of attacks: The cumulative number of times the same attack was detected.
Processing status: Pending, processed, whitened, ignored.
Details: Supports viewing alarm details, severity description, and solution.

Handle Alarms
1. On the Network Attack page, select the required alarm and click process in the action column.
Note:
Select one or more alarms, and you can click Mark as Processed, Ignore, or Delete Record in the upper left corner to perform batch operations.

2. You can tag pending alarms as processed, enable vulnerability defense, add to the allowlist, ignore, or delete records.
Tag as processed: Manually handle the alarm and tag it as "processed" after handling.
Enable vulnerability defense: After operation, the processing status automatically changes to "processed". You can select to mark all pending alarms related to the affected hosts as "processed".
Add to allowlist: You can allowlist the attack source IP and edit the effective host range. After processing, the status automatically changes to "whitened". Supports batch allowlisting of historical alarms.

Ignore: After selecting this option, the processing status changes from "pending" to "ignored". Subsequent identical attacks will still trigger alarms.
Delete Record: Delete the current alarm record, which cannot be recovered.