Blocked Attack Analysis and Handling

Last updated: 2024-01-24 15:48:25
    This topic describes the operations in Alert Management. Log in to the Cloud Firewall console. In the Alert Management page, click Blocked attacks to open the Blocked attacks page. This page displays a trend chart of blocked attacks, blocked IPs, regions, and destination ports to help you analyze and protect your assets.

    Filtering blocked attacks

    This section describes how to find the blocked attacks you want to view through filtering. ① Select the assets and regions for which you want to view the blocked attacks. ② Select Inbound, Lateral movement, or Outbound. ③ Select the intrusion defense policy and resolution status. You can further filter the records by specifying Blocking history ranking, Page refresh frequency, and Blocking frequency statistics.
    
    Note
    The above describes the operations in the asset view. For more information about operations in the event view, please see Filtering alert events.

    Resolving blocked attacks

    1. This section describes how to resolve blocked attacks. For more information about how to filter blocked attacks, please see "Filtering blocked attacks".
    
    Note
    To modify your operation, undo the operation in Intrusion defense -> Blocklist, Allowlist, or Quarantined list.
    2. On the Blocked attacks page, you can search for different assets and IPs by selecting Inbound, Lateral movement, or Outbound.
    You can pin or allow the access source IPs that have been blocked in the inbound direction. For the allowed IPs, you can select More -> Block to block them if necessary.
    
    For the assets and IPs involving lateral movement attacks, you can view the blocking history here.
    
    You can pin, allow, quarantine, block, or ignore the assets/IPs blocked by the Intrusion defense module in the outbound direction.
    
    3. You can perform the following operations on different assets/IP addresses:
    Pin to top/Unpin: You can pin or unpin assets. Note: A maximum of 5 items can be pinned for Outbound or Inbound.
    Allow: Click Allow for an IP that does not need to be blocked. Then, select Reason, Direction, and Validity. The IP will be in the allowlist in the Intrusion defense module within the selected period. CFW allows traffic from the IP by skipping attack detection for the IP in Intrusion defense within the specified period. If you are not certain about whether the reason is "false positive", you can select Allow for emergency, and modify it later if necessary.
    
    Block: For assets with a high threat level, click Block. Then, specify a validity period and direction to add the IP to the blocklist in Intrusion defense. CFW automatically blocks that IP from accessing all of your assets within the specified period.
    
    Quarantine: Click Quarantine. When an asset instance is quarantined, the system automatically publishes the blocking rule for enterprise security groups to block network access to the selected asset in the specified blocking direction. This makes the subsequent troubleshooting easy and prevents the asset from being attacked.
    
    Ignore: For repeated or possible false alerts, you can click Ignore. The ignored alert events are not included in the alert list and statistics, but their logs are retained. You are no longer notified of the ignored alert events when they trigger alerts again. You can select Ignored in the list to view all the ignored events. The "Ignore" operation is irreversible.
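    The Allow and Block operations above share the same three attributes: an IP, a direction, and a validity period, after which the entry stops applying. The following added example models that evaluation so the effect of an expired entry or a wrong direction is visible; it is illustrative code written for this page, not Tencent Cloud Firewall's implementation or API. The entry layout, the direction vocabulary, the sample IPs, and the assumption that the blocklist is checked before the allowlist (the page states no precedence) are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of allowlist/blocklist entries as described on this page.
# Not Cloud Firewall's code; field names and direction values are assumptions.


@dataclass
class ListEntry:
    """One allowlist or blocklist entry: IP, direction, reason and validity period."""
    ip: str
    direction: str        # "inbound", "outbound" or "both" (assumed vocabulary)
    reason: str           # e.g. "false_positive", "emergency", "high_threat"
    expires_at: datetime  # end of the validity period chosen when the entry was added


def entry_applies(entry: ListEntry, ip: str, direction: str, now: datetime) -> bool:
    """An entry applies only to its own IP, in its direction (or both),
    and only while its validity period has not elapsed."""
    return (entry.ip == ip
            and entry.direction in (direction, "both")
            and now < entry.expires_at)


def decide(ip: str, direction: str, now: datetime,
           allowlist: list, blocklist: list) -> str:
    """Return 'block', 'skip_detection' or 'inspect' for one flow.

    Assumption: the blocklist is evaluated before the allowlist, so a blocked IP
    is dropped even if an allow entry also matches. An allow entry means
    intrusion defense skips attack detection for that IP, as the page states."""
    if any(entry_applies(e, ip, direction, now) for e in blocklist):
        return "block"
    if any(entry_applies(e, ip, direction, now) for e in allowlist):
        return "skip_detection"
    return "inspect"


def emergency_allows_pending_review(allowlist: list, now: datetime) -> list:
    """IPs allowed with reason 'emergency' that are still active and should be
    re-examined and changed to 'false_positive' or removed."""
    return sorted(e.ip for e in allowlist
                  if e.reason == "emergency" and now < e.expires_at)


# Constructed sample data (documentation IP ranges, not real assets).
T0 = datetime(2024, 1, 24, 15, 0)
ALLOWLIST = [
    ListEntry("203.0.113.10", "inbound", "false_positive", T0 + timedelta(days=7)),
    ListEntry("198.51.100.5", "inbound", "emergency", T0 + timedelta(hours=1)),
    ListEntry("192.0.2.77", "outbound", "false_positive", T0 - timedelta(days=1)),  # expired
]
BLOCKLIST = [
    ListEntry("198.51.100.5", "outbound", "high_threat", T0 + timedelta(days=30)),
]

if __name__ == "__main__":
    flows = [("203.0.113.10", "inbound"), ("203.0.113.10", "outbound"),
             ("198.51.100.5", "inbound"), ("198.51.100.5", "outbound"),
             ("192.0.2.77", "outbound")]
    for ip, direction in flows:
        print(ip, direction, "->", decide(ip, direction, T0, ALLOWLIST, BLOCKLIST))
    print("emergency allows to review:", emergency_allows_pending_review(ALLOWLIST, T0))
```

    Running the block shows that the expired outbound allow entry for 192.0.2.77 no longer skips detection, that the emergency allow for 198.51.100.5 only covers inbound traffic while the outbound block still applies, and that the emergency entry is listed for follow-up until it expires.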
    

    Resolving false alerts

    You can add the IP to the allowlist. On the Blocked attacks page, select the target asset/IP, click Allow, select False positive for Reason, and then click OK.
    

    Searching for attack events from an IP

    In the Asset view, place the pointer over the value of Access destination, Access source, or Asset name, and click Check in intrusion defense log to view all attack events.
    
    Note
    The figure above shows the process.

    Viewing the blocked attacks for an asset

    Method 1: Select the specified asset in the upper-left corner to filter the records.
    
    Method 2: Select the target asset by clicking Event details -> Asset name to view its records of blocked attacks.

    Viewing recently blocked attacks

    The Blocked attacks page is automatically refreshed. Click the filter icon in the upper part of the page, select Last blocked for Blocking history ranking, and then click OK to view the recently blocked attacks.
    