Note:
The new version of Alarm Center is now available. This document only describes operations for the previous version of Alarm Center. If you are currently using the previous version, click Switch to New Version in the upper-right corner of Alarm Center. For content related to the new Alarm Center, see Viewing and Handling of Attack Alarm Events.

Visualization of Fraud Trend

The Attack Deception Events page uses visual and tabular statistics to record and consolidate the scanning and attack behavior observed by all exposed and configured probes and Network Honeypots, so that all intercepted events can be statistically analyzed and handled. The statistical data is updated every 20 minutes.

1. Log in to the CFW console. In the left navigation, click Alarm Center > Honeypot events.
2. The Attack Deception Events page supports statistics and visual analysis by ① Probe Assets, ② Attack IP, ③ Probe IP, ④ Distribution of honeypot events, and ⑤ Time. On the left side of the page, view the number of honeypot hits, the number of attack and intrusion events, the number of network scanning probes, and the number of attack IP addresses for a specific probe or for all probes over different time periods.
View Deception Events and Attacker Information
The event list on the Honeypot events page contains the following types of deception events involving attacks:

Intrusion events: attack events that lead to host compromise.
Port detection: scanning and attack events conducted by attackers against honeypots.
Lateral movements: deception events in which an attacker moves laterally across assets.
Note:
Intrusion events, port detection, and lateral movements can be located and viewed in the list, and filtering by honeypot is supported. For other filter criteria, see the Quickly Locate Alarm Events page.

Captured attackers: summarizes the attack IP addresses involved in deception events.
Supports filtering attackers by threat level and by type of security event.
Supports viewing the attacker's threat intelligence tags and sorting by countermeasure data, detected events, and alarm counts.
Click the Attacker IP, or the number in the countermeasure information column, to view the traceability and countermeasure information for that attack IP address.

Quickly Dispose of Deception Information
Handle a Single Blocked Item

On the Honeypot events page, you can handle individual deception events. In the right-hand column of an event, perform the Block, Allow, Ignore, or Quarantine operation.

Note:
Because the status of assets varies, the actionable buttons on the right differ accordingly. Deception events involving lateral movement across assets only support the Isolate and Ignore operations.
The following operations also apply to batch processing.
Intrusion events and port scanning are generally actual attack events; blocking them is recommended.
Lateral movement events generally indicate that your assets have been compromised; isolation is recommended.

Block: For deception events with a high threat level or frequent alarms, click Block to add the IP address to the block list in the Managing Defense Operations module. Select the blocking duration and add remarks; Cloud Firewall (CFW) will then automatically block access from this IP address to all user assets for the specified time frame.
Allow: For deception event alarms that are duplicates or possible false positives, click Allow to add the IP address to the Allowlist policy in the Managing Defense Operations module. Select the allowance duration and reason and enter remarks; Cloud Firewall (CFW) will then exempt this IP address from detection by the Intrusion Defense module for the specified time frame and stop intercepting it. If you are not yet sure whether the reason for allowance is a false positive, select Emergency Allowance first. Once it is confirmed as a false positive, submit feedback on the false alarm content. Click OK to confirm the modification.
Ignore: If you do not want to handle the alarm, click Ignore. The log does not disappear and can still be viewed in the Ignored status list. Ignore operations cannot be undone; proceed with caution.
Quarantine: Click Quarantine to automatically create blocking rules in the Enterprise Security Group for the asset instance, blocking network access to the selected assets in the specified directions. This is primarily used for deception events involving lateral movement across assets, so that subsequent tracing and investigation can proceed and losses can be contained in a timely manner.
Note:
After the asset instance is isolated, access to the asset is still possible through the Ops allowlist. You may choose either Manually Enter IP or Use Zero Trust Protection.
Manual entry supports only 10 IP addresses.
Zero Trust protection authorizes asset access based on WeChat or WeCom user identities. For details on how to integrate WeChat or WeCom users, see Enterprise Security Group.

Batch Handling of Alarm Information
On the Deception Events page, you can handle multiple interception records at once. Select multiple interception records, then click One-click Block, Allow, Quarantine, or Ignore.

Note:
Depending on the asset's status, the actionable buttons may differ. The isolation operation specifically targets deception events involving lateral movement, isolating compromised hosts to prevent further impact.
Users can reverse operations by navigating to Intrusion Defense > Block List, Allow List, or Isolation List. Ignore operations cannot be undone; proceed with caution.
Alarms older than 7 days expire and can no longer be processed.