The alarm module is the core risk handling module for COS exception monitoring within data security posture awareness. It consists of two major sub-modules: abnormal access and malicious files. Through policy configuration, it enables real-time risk monitoring, centrally presents security events in the form of alarms, and supports alarm categorization, filtering, handling, and traceability. It serves as the core management and control entry point for securing COS assets.
Abnormal Access Alarm
1. Log in to the CSC console. In the left navigation pane, click Data Security Situation Management > COS Risk Monitoring.
2. On the COS Exception Monitoring page, click the Alert > Abnormal Access tag.
3. In the abnormal access alarm list, you can view abnormal access alarm information, bucket information, and account information from the perspective of abnormal access alarm rules, and receive permission policy configuration recommendations.
Viewing Abnormal Access Alarm Details
1. In the abnormal access alarm list, select the desired abnormal access alarm and click Details.
2. On the abnormal access alarm details page, view the abnormal access alarm information and abnormal call records.
View abnormal access alarm information. The alarm information includes: alarm policy, policy description, COS name, COS remarks, Tag, region, account name, account identity, account ID/APPID, and access method.
View abnormal call records for abnormal access. The call records include: source IP address/region/remarks, IP address type, call method, call AK, operation action, operation status/quantity, and first/latest call time.
Abnormal Access Alarm Handling
Marking as Ignored
Mark false positive or non-actionable abnormal access alarms as Ignored so that they do not interfere with risk statistics.
Note:
If an alarm's handling status is marked as Ignored, the corresponding risk will not be included in risk statistics.
1. On the Abnormal Access Alarm Tag page, you can process target alarms individually or in batches:
Single Alarm Handling: In the target alarm's operation column, click More > Ignored.
Batch Handling: Select multiple target alarms, and choose More > Ignored.
2. In the secondary confirmation dialog, click OK to mark the alarm as ignored.
Adding Allowlists
For behaviors that require long-term allowance, you can add the policy triggered by the abnormal access alarm to the rule allowlist.
1. On the Abnormal Access Alarm Tag page, in the target alarm's operation column, click More > Add an allowlist policy.
2. In the Add to Allowlist Policy window, review the allowlist policy content. After confirming it is correct, click Save to add the policy information triggered by this alarm to the allowlist.
Note:
After the allowlist policy rule takes effect, the corresponding behavior no longer triggers an alarm.
Marking as Handled
Update the status of alarms for which emergency response has been completed to achieve a closed-loop handling process.
1. On the Abnormal Access Alarm Tag page, select one or multiple target alarms, and click Mark as handled.
2. In the confirmation window, verify the alarm information. After confirming it is correct, click OK to mark the alarm as handled.
Note:
After an alarm's handling status is marked as Handled, the alarm will not be included in risk statistics.
Malicious File Alarm
1. Log in to the CSC console. In the left navigation pane, click Data Security Situation Management > COS Risk Monitoring.
2. On the COS Exception Monitoring page, click the Alert > Malicious File tag.
3. On the Malicious File Tag page, information about detected malicious files is displayed. You can also perform handling, tracing, and remediation operations on malicious files.
Viewing Malicious File Alarm Details
1. On the Malicious File Tag page, select the malicious file alarm you want to view, and click Details in the operation column.
2. On the Malicious File Alarm Details page, detailed information about the detected malicious file is displayed, including the file path, file MD5, file size, and description, as well as information about the affected COS assets.
Malicious File Alarm Handling
Marking as Ignored
Mark false positive or non-actionable malicious file alarms as Ignored so that they do not interfere with risk statistics.
Note:
If an alarm's handling status is marked as Ignored, the corresponding risk will not be included in risk statistics.
1. On the Alarm Tag page, you can process target alarms individually or in batches:
Single Alarm Handling: In the target alarm's operation column, click More > Ignored.
Batch Handling: Select multiple target alarms, and choose More > Ignored.
2. In the secondary confirmation dialog, click OK to mark the alarm as ignored.
Adding Allowlists
For behaviors that require long-term allowance, you can add the policy triggered by the alarm to the rule allowlist.
1. On the Alarm Tag page, in the target alarm's operation column, click More > Add an allowlist policy.
2. In the Add to Allowlist Policy window, review the allowlist policy content. After confirming it is correct, click Save to add the policy information triggered by this alarm to the allowlist.
Note:
After the allowlist policy rule takes effect, the corresponding behavior no longer triggers an alarm.
Marking as Handled
Update the status of alarms for which emergency response has been completed to achieve a closed-loop handling process.
1. On the Alarm Tag page, select one or multiple target alarms, and click Full Scan.
2. In the confirmation window, verify the alarm information. After confirming it is correct, click OK to mark the alarm as handled.
Note:
After an alarm's handling status is marked as Handled, the alarm will not be included in risk statistics.