Release Notes and Announcements

Release Notes

Announcements

Getting Started

Product Introduction

Overview

Advantages

Basic Concepts

Scenarios

Associated Products

Features in Different Editions

Purchase Guide

Purchase Security Protection Licenses

Purchasing Log Analysis Service

Quick Start

Operation Guide

Security Dashboard

Asset Overview

Server List

Asset Fingerprint

Vulnerability Management

Baseline Management

Malicious File Scan

Unusual Login

Password Cracking

Malicious Requests

High-risk Commands

Local Privilege Escalation

Reverse Shell

Java Webshell

Critical File Monitor

Network Attack

A Ransomware Defense

Log Analysis

License Management

Alarm Setting

Cloud Access Management

Hybrid Cloud Installation Guide

FAQs for Beginners

Cloud Workload Protection Description

Feature Description

Agent Process Description

A Security Baseline Detection List

Parsing of JSON Format Alarm Data

Log Field Data Parsing

Agent Installation Guide

Security Score Overview

Practical Tutorial

Auto Fix of Vulnerabilities

Malicious File Processing

Troubleshooting

Intrusions on Linux

Intrusions on Windows

Offline Agent on Linux

Offline Agent on Windows

An Abnormal Log-in Notification

API Documentation

History

Introduction

API Category

Asset Management APIs

Virus Scanning APIs

Abnormal Log-in APIs

Password Cracking APIs

Malicious Request APIs

High-Risk Command APIs

Local Privilege Escalation APIs

Reverse Shell APIs

Vulnerability Management APIs

New Baseline Management APIs

Baseline Management APIs

Advanced Defense APIs

Security Operation APIs

Expert Service APIs

Other APIs

Overview Statistics APIs

Settings Center APIs

Making API Requests

Intrusion Detection APIs

Data Types

Error Codes

FAQs

Agreements

Service Level Agreement

Data Processing And Security Agreement

Glossary

Monitoring Rules Configuration

PDF

Focus Mode

Font Size

Last updated: 2024-08-13 16:29:50

﻿The monitoring rules for core file monitoring are divided into system rules and custom rules. System rules are configurations set by Tencent CWPP operation experts and algorithm experts through multi-model refinement, suitable for most tamper-proof user configuration monitoring requirements. You can also create custom rules based on your business needs. Custom rules support editing, copying, and deleting.
Note:
Core file monitoring is a feature of Ultimate Edition of CWPP. It is recommended to upgrade to Ultimate edition to protect CWPP.
Currently, core file monitoring is only available on Linux operating systems with kernel versions 3.10 and above.
Adding Rules
1. Log in to the CWPP console. In the left sidebar, choose Cyber Defense > Corefile Monitor > Configure monitoring rules.
2. On the configure monitoring rules page, click Add Rule at the top left.
3. On the add rule page, configure the basic settings, rule content settings, and effective server range parameter in sequence.
Basic information
﻿
            Parameter Description:
Rule Name: Custom name.
Risk Level: Depending on actual needs, you can select high-risk, medium-risk, low-risk, or none.
Enable/Disable: You can enable or disable this new rule.
Rule content settings: Click Add rule. You can add multiple lines, up to 20 lines.
﻿
Parameter Description:
Monitoring Behavior: Modify file/Read file.
Process Path: The file path of the process initiating the file tampering action, such as the program /usr/bin/vi, with a corresponding rule that could be */vi.
File Path: For example, /etc/cron.d/attack corresponds to a rule that could be /etc/cron.d/*.
Action: An alarm refers to the automatic generation of an alarm event in response to file system changes, with detailed event logging. Allowing refers to the operation of allowing file system change events, also with detailed event logging.
Note:
When the alarm and allowing respectively apply to the process path or the accessed file path, and there is an overlap in the effective servers, the overlapping servers will not generate alarms (meaning the allowing takes precedence).
Effective host range: You can select all servers or selected servers based on actual needs.
4. After the configuration is completed, click Save.
Managing Rules
Editing Rules
1. On the core file monitor > Configure monitoring rules page, choose the required rule and click Edit in the action bar.
﻿
2. On the edit rule page, modify the relevant parameters and click Save.
Copying Rules
1. On the core file monitor > Configure monitoring rules page, choose the required rule and click Copy in the action bar.
﻿
2. On the copy rule page, modify the relevant parameters and click Save.
Deleting Rules
1. On the core file monitor > Configure monitoring rules page, single rule or batches of rules can be deleted as follows.
Single: Choose a single rule, and click Delete in the action bar. Then the Confirm Deletion dialog box pops up.
﻿
Batch: Select the required rules, and click Delete. Then the Confirm Deletion dialog box pops up.
﻿
2. In the Confirm Deletion dialog box, click Confirm to complete the deletion of the rules.
Note:
After deletion, the rules cannot be recovered. Proceed with caution.
﻿