
View and handle detected intrusion event

This topic describes how to view and handle detected intrusion events on the Intrusions page.

Context

After intrusion events are detected, the intrusion events are displayed on the Intrusions page.
If the intrusion events are not handled, they are displayed in the Unhandled Alerts list on the Intrusions page. After the intrusion events are handled, the status changes from Unhandled Alerts to Handled.
Cloud retains the records of Unhandled Alerts and Handled on the Intrusions page. By default, the records of Unhandled Alerts are displayed.

Operation Steps

  1. In the product management page, choose "Server Guard".

  2. In the left-side navigation pane, click "Intrusion Prevention" > "Intrusions".

  3. On the page that appears, search for or view intrusion events. You can also view the details about the events.

  4. Find the intrusion event that you want to handle and click Process in the Actions column. In the dialog box that appears, set Process Method and click Process Now. If the intrusion event contains multiple correlated exceptions, you can handle each exception on the page that appears after you click Process.

  • Ignore: If you ignore the intrusion event, the status of the intrusion event changes to Handled. Server Guard no longer generates alerts for the event.
  • Add To Whitelist: If the intrusion event is a false positive, you can add the intrusion event to the whitelist. Then, the status of the intrusion event changes to Handled, and Server Guard no longer generates alerts for the event. In the Handled list, you can click Cancel whitelist to remove a specific intrusion event from the whitelist. A false positive indicates that Server Guard has generated a false alert on a normal process. A common false positive is a suspicious process that sends TCP packets. This alert notifies you that suspicious scans of other devices are detected on your servers.
  • Batch unhandled: This method allows you to handle multiple intrusion events at a time. Before you handle multiple intrusion events at a time, we recommend that you view the details of the intrusion events.
    1. If you confirm that one or more intrusion events are false positives or need to be ignored, go to the Intrusions page. Then, select the intrusion events and click Ignore Once or Whitelist (Optional).
    2. In the upper-left corner above the intrusion event list on the Intrusions page, click the icon to export the list.
    3. After the list is exported, the Done message appears in the upper-right corner.
    4. In the Done notification of the Alerts page, click Download. The alert list is downloaded to your computer.