
Security Check Anomaly Detection


Security Check anomaly detection monitors potential vulnerabilities, anomalies, and risks in components such as systems, containers, and networks within the workspace. You can configure alerts by setting a trigger count for the detection indicators so that security threats are identified and handled promptly.

Use Cases

Supports monitoring vulnerabilities, anomalies, and risks in Network, Storage, Database, System, Webserver, and Container.

Configuration

Detection Frequency

Refers to the execution frequency of detection rules. Default selection is 5 minutes.

Detection Interval

Refers to the time range for querying detection indicators. Affected by the detection frequency, the available detection intervals will vary.

Detection Frequency    Detection Interval (Dropdown Options)
30s                    1m / 5m / 15m / 30m / 1h / 3h
1m                     1m / 5m / 15m / 30m / 1h / 3h
5m                     5m / 15m / 30m / 1h / 3h
15m                    15m / 30m / 1h / 3h / 6h
30m                    30m / 1h / 3h / 6h
1h                     1h / 3h / 6h / 12h / 24h
6h                     6h / 12h / 24h
12h                    12h / 24h
24h                    24h

Detection Indicators

Monitor the number of inspection events within a certain time range in Security Check that contain the specified fields. Supports adding tag filters for screening.

Field                 Description
Category              Event classification. Supports: network, storage, database, system, webserver, container
Host                  Host name
Level                 Inspection event level. Supports: info, warn, critical
Tags                  Filters the data of the detection indicators by indicator tags to limit the data scope of detection. One or more tag filters can be added; fuzzy-match and fuzzy-non-match filter conditions are supported.
Detection Dimensions  Any string-type (keyword) field in the configuration data can be selected as a detection dimension. Currently, up to three fields can be selected as detection dimensions. Combining multiple detection dimension fields identifies a specific detection object. TrueWatch determines whether the statistical indicators of a detection object meet the threshold of the trigger condition; if they do, an event is generated.

(For example, selecting detection dimensions host and host_ip, the detection object can be {host: host1, host_ip: 127.0.0.1}.)

Trigger Conditions

Set trigger conditions for alert levels: you can configure any of the trigger conditions Critical, High, Warning, or Normal.

Configure trigger conditions and severity. When the query result contains multiple values, if any value meets the trigger condition, an event is generated.

For more details, refer to Event Level Description.

If Enable Consecutive Trigger Judgment is turned on, you can configure that an event is generated only after the trigger condition is met consecutively for a specified number of times. The maximum limit is 10 times.

Alert Levels
  1. Alert Levels Critical, High, Warning: an abnormal event is generated when the trigger condition is met;

  2. Alert Level Normal: based on the configured number of detections, explained as follows:

    • Each execution of a detection task counts as 1 detection. For example, if Detection Frequency = 5 minutes, then 1 detection = 5 minutes;
    • The number of detections can be customized. For example, if Detection Frequency = 5 minutes, then 3 detections = 15 minutes.

After the detection rule takes effect, if a Critical, High, or Warning abnormal event has been generated and the detection result returns to normal within the configured number of detections, a recovery alert event is generated.

Data Gap

For data gap status, seven strategies can be configured.

  1. Linked to the detection interval time range: evaluate the query result of the detection indicator for the most recent minutes and do not trigger an event;

  2. Linked to the detection interval time range: evaluate the query result of the detection indicator for the most recent minutes and treat the query result as 0. The value 0 is then re-compared with the threshold configured in Trigger Conditions above to decide whether an abnormal event is triggered.

  3. Custom fill of the detection interval value, with one of: trigger data gap event, trigger critical event, trigger high event, trigger warning event, or trigger recovery event. When selecting this type of strategy, it is recommended that the custom data gap time be >= the detection interval time. If the configured time is <= the detection interval time, the data gap condition and an abnormal condition may be met at the same time; in that case only the data gap processing result is applied.

Information Generation

After enabling this option, detection results that do not match any of the above trigger conditions generate "Information" events, which are recorded.

Note

If Trigger Conditions, Data Gap, and Information Generation are configured simultaneously, the triggering is judged according to the following priority: Data Gap > Trigger Conditions > Information Event Generation.
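As an added illustration (not part of the TrueWatch product or this page), the following Python sketch applies the priority described in the note above to a sequence of detection runs: a data gap is handled first under the chosen strategy, then the trigger thresholds with consecutive-trigger judgment, then recovery after the configured number of normal detections, and finally an Information event. The Rule fields, the convention that a count of None means a data gap, and the assumption that a gap interrupts the consecutive streak are this example's own choices.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = ("critical", "high", "warning")  # checked from most to least severe

@dataclass
class Rule:
    thresholds: dict            # level -> minimum event count, e.g. {"high": 5} (assumed shape)
    consecutive: int = 1        # consecutive-trigger count (1 = judgment off, page max is 10)
    recovery_checks: int = 1    # "Normal" level: detections without a trigger before recovery
    gap_strategy: str = "no_event"  # "no_event" | "treat_as_zero" | "gap_event"
    info_events: bool = False   # Information Generation switch

class Detector:
    def __init__(self, rule: Rule):
        self.rule, self.streak, self.active, self.normal_count = rule, 0, None, 0

    def level_for(self, count: int) -> Optional[str]:
        for lvl in LEVELS:
            if lvl in self.rule.thresholds and count >= self.rule.thresholds[lvl]:
                return lvl
        return None

    def check(self, count: Optional[int]) -> Optional[str]:
        r = self.rule
        # Priority 1: data gap (count is None when the query returned nothing)
        if count is None:
            if r.gap_strategy == "treat_as_zero":
                count = 0  # re-compare 0 against the thresholds below
            else:
                self.streak = 0  # assumption: a gap interrupts the consecutive streak
                return "data_gap" if r.gap_strategy == "gap_event" else None
        # Priority 2: trigger conditions, with consecutive-trigger judgment
        lvl = self.level_for(count)
        if lvl is not None:
            self.streak += 1
            self.normal_count = 0
            if self.streak >= min(max(r.consecutive, 1), 10):
                self.active = lvl
                return lvl
            return None
        self.streak = 0
        # Recovery: an active abnormal event clears after recovery_checks normal detections
        if self.active is not None:
            self.normal_count += 1
            if self.normal_count < r.recovery_checks:
                return None
            self.active, self.normal_count = None, 0
            return "recovery"
        return "information" if r.info_events else None  # Priority 3: Information event
```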

Other Configuration

For more details, refer to Rule Configuration.