Security Check Anomaly Detection
Used to monitor potential vulnerabilities, anomalies, and risks in systems, containers, networks, and other components within the workspace. You can configure alerts by setting the trigger count for detection metrics to promptly identify and manage security threats.
Use Cases
Supports monitoring vulnerabilities, anomalies, and risks in the Network, Storage, Database, System, Webserver, and Container categories.
Detection Configuration
Detection Frequency
The execution frequency of the detection rules; default is 5 minutes.
Detection Interval
The time range queried for the detection metrics. The selectable detection intervals depend on the detection frequency, as shown below.
Detection Frequency | Detection Interval (Dropdown Options) |
---|---|
30s | 1m/5m/15m/30m/1h/3h |
1m | 1m/5m/15m/30m/1h/3h |
5m | 5m/15m/30m/1h/3h |
15m | 15m/30m/1h/3h/6h |
30m | 30m/1h/3h/6h |
1h | 1h/3h/6h/12h/24h |
6h | 6h/12h/24h |
12h | 12h/24h |
24h | 24h |
Detection Metrics
Counts the inspection events that contain the configured fields within the detection interval of a Security Check; the result can be narrowed with tag filters.
Field | Description |
---|---|
Category | Event classification, supports: `network`, `storage`, `database`, `system`, `webserver`, `container` |
Host | Host name |
Level | Inspection event level, supports: `info`, `warn`, `critical` |
Tags | Filters the data of the detection metrics based on tags associated with the metrics, limiting the scope of detected data. Supports adding one or more tag filters, and supports fuzzy matching and non-matching conditions. |
Detection Dimensions | Any string-type (`keyword`) field in the configured data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. Combining multiple detection dimension fields identifies a specific detection object; TrueWatch checks whether the statistical metric for that detection object meets the trigger threshold and, if it does, generates an event. (For example, selecting the detection dimensions `host` and `host_ip` yields a detection object such as `{host: host1, host_ip: 127.0.0.1}`.) |
Trigger Conditions
Set the trigger conditions for each alert level; any of the following can be configured: urgent, important, warning, normal.
Configure trigger conditions and severity levels. When the query results contain multiple values, any value meeting the trigger condition will generate an event.
For more details, refer to Event Level Description.
If Continuous Trigger Judgment is enabled, you can configure the condition to re-trigger after multiple consecutive judgments, up to a maximum of 10 times.
Alert Levels
- Alert Levels Urgent (Red), Important (Orange), Warning (Yellow): Based on the configured conditional operators.
- Alert Level Normal (Green): Based on the configured detection count, explained as follows:
  - Each execution of a detection task counts as 1 detection, e.g., Detection Frequency = 5 Minutes, then 1 detection = 5 minutes;
  - You can customize the detection count, e.g., Detection Frequency = 5 Minutes, then 3 detections = 15 minutes;
  - After the detection rule takes effect and generates urgent, important, or warning anomaly events, if the detection results return to normal within the configured custom detection cycle, a recovery alert event is generated.
Data Gaps
Seven strategies can be configured for data gap states.
- Linking the detection interval time range, judging the query results of the most recent minutes for the detection metrics, does not trigger events;
- Linking the detection interval time range, judging the query results of the most recent minutes for the detection metrics, the query result is treated as 0; at this point, the query result is compared again with the thresholds configured in the Trigger Conditions section to determine whether an anomaly event should be triggered.
- Customizing the filled detection interval values, triggers data gap events, triggers urgent events, triggers important events, triggers warning events, and triggers recovery events; if this strategy is selected, it is recommended that the custom data gap time be >= the detection interval time. If the configured time is <= the detection interval time, a data gap and an anomaly may be satisfied at the same time, in which case only the data gap handling result is applied.
Information Generation
Enabling this option will generate "information" events for detection results that do not match the above trigger conditions.
Note
If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority order applies: data gap > trigger conditions > information event generation.
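The following is an added, constructed example (not TrueWatch's own code) that models one evaluation cycle of a rule as described above: the data gap strategy is applied first, then the urgent/important/warning thresholds, then Continuous Trigger Judgment, the Normal detection count for recovery, and finally optional "information" events. The threshold operator (`>=`) and the strategy names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    urgent: int          # event count at or above which each level fires (assumed >=)
    important: int
    warning: int
    gap_strategy: str = "ignore"   # assumed names: ignore | zero | fill | gap_event
    gap_fill: int = 0              # custom fill value used by the "fill" strategy
    consecutive: int = 1           # Continuous Trigger Judgment, 1..10
    normal_count: int = 1          # consecutive normal detections before recovery
    info: bool = False             # Information Generation enabled

    def __post_init__(self) -> None:
        if not 1 <= self.consecutive <= 10:
            raise ValueError("Continuous Trigger Judgment allows at most 10 judgments")

@dataclass
class State:
    abnormal_streak: int = 0
    normal_streak: int = 0
    active: Optional[str] = None   # level of the currently open anomaly, if any

def evaluate(rule: Rule, state: State, count: Optional[int]) -> Optional[str]:
    """Return the event produced by one detection run, or None.
    `count` is the number of matching inspection events in the interval;
    None means the query returned no data (a data gap)."""
    if count is None:                      # data gap has the highest priority
        if rule.gap_strategy == "ignore":
            return None
        if rule.gap_strategy == "gap_event":
            return "data_gap"
        count = 0 if rule.gap_strategy == "zero" else rule.gap_fill
    level = None                           # trigger conditions, highest level first
    for name, threshold in (("urgent", rule.urgent), ("important", rule.important),
                            ("warning", rule.warning)):
        if count >= threshold:
            level = name
            break
    if level is not None:
        state.normal_streak = 0
        state.abnormal_streak += 1
        if state.abnormal_streak >= rule.consecutive:
            state.active = level
            return level
        return None                        # not yet enough consecutive judgments
    state.abnormal_streak = 0
    if state.active is not None:           # open anomaly: count normal detections
        state.normal_streak += 1
        if state.normal_streak >= rule.normal_count:
            state.active, state.normal_streak = None, 0
            return "recovery"
        return None
    return "info" if rule.info else None   # lowest priority: information event
```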
Other Configurations
For more details, refer to Rule Configuration.