Security Check Anomaly Detection¶
Used to monitor potential vulnerabilities, anomalies, and risks in system, container, network, and other components within the workspace. You can configure alerts by setting the trigger count of detection metrics to promptly identify and manage security threats.
Use Cases¶
Supports monitoring vulnerabilities, anomalies, and risks in Network, Storage, Database, System, Webserver, and Container.
Configuration¶
Detection Frequency¶
Refers to the execution frequency of detection rules. The default selection is 5 minutes.
Detection Interval¶
Refers to the time range for querying detection metrics. The available detection intervals vary depending on the detection frequency.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 30s | 1m/5m/15m/30m/1h/3h |
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Detection Metrics¶
Counts the Security Check inspection events within the detection interval that match the configured fields (Category, Host, Level). Tag filters can be added to narrow the data further.
| Field | Description |
|---|---|
| Category | Event classification. Supported values: network, storage, database, system, webserver, container |
| Host | Host name |
| Level | Inspection event level. Supported values: info, warn, critical |
| Tags | Filters the data of detection metrics based on the tags of the metrics, limiting the data scope of detection. Supports adding one or more tag filters, with conditions for fuzzy matching and fuzzy non-matching. |
| Detection Dimensions | Any string-type (keyword) fields in the configuration data can be selected as detection dimensions. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. TrueWatch checks whether the statistical metrics of a detection object meet the threshold of the trigger conditions. If the conditions are met, an event is generated.(For example, selecting detection dimensions host and host_ip allows the detection object to be {host: host1, host_ip: 127.0.0.1}.) |
Trigger Conditions¶
Trigger conditions can be configured for any of the alert levels Critical, Important, Warning, or Normal, each with its own threshold.
If the query result contains multiple values (one per detection object), an event is generated as soon as any one of them meets a trigger condition.
For more details, refer to Event Level Description.
If Enable Consecutive Trigger Judgment is enabled, you can configure that an event is generated only after the trigger conditions are met consecutively for a specified number of times. The maximum limit is 10 times.
Alert Levels
- Alert Levels: Critical (red), Important (orange), Warning (yellow);
- Alert Level: Normal (green): based on the configured number of detections, explained as follows:
  - Each execution of a detection task counts as 1 detection. For example, if Detection Frequency = 5 minutes, then 1 detection = 5 minutes.
  - The number of detections can be customized. For example, if Detection Frequency = 5 minutes, then 3 detections = 15 minutes.
After the detection rule takes effect, if a Critical, Important, or Warning event has been generated and the detection results then stay normal for the configured number of detections, a recovery event is generated.
Data Gap¶
Seven strategies can be configured for data gap states.
- Linked to the detection interval: the query result of the detection metrics for the most recent detection interval is judged, and no event is triggered.
- Linked to the detection interval: the query result of the detection metrics for the most recent detection interval is judged and treated as 0. The value 0 is then re-compared with the thresholds configured in Trigger Conditions to decide whether an abnormal event is triggered.
- Custom fill of the detection interval value, trigger a data gap event, trigger a critical event, trigger an important event, trigger a warning event, or trigger a recovery event. For these strategies the custom data gap time should be at least the detection interval. If it is shorter than or equal to the detection interval, a data gap and an abnormal condition can be met in the same detection; in that case only the data gap result is applied.
Information Generation¶
Enable this option to generate "Information" events for detection results that do not match any of the above trigger conditions and record them.
Note
When trigger conditions, data gap, and information generation are configured simultaneously, the triggering priority is as follows: Data Gap > Trigger Conditions > Information Event Generation.
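The rule lifecycle described on this page, run end to end as an added simulation: detection ticks at the configured frequency, a query window equal to the detection interval, per-dimension counting, threshold levels, consecutive trigger judgment, recovery after the configured number of normal detections, the three families of data gap strategy, information events, and the Data Gap > Trigger Conditions > Information priority. This is example code written for this page, not TrueWatch's own evaluation engine or API; the event record shape, the `Rule` fields, the strategy names `no_event` / `treat_as_zero` / `gap_event`, and the sample events are assumptions constructed for the demo.

```python
# Added example for this page (not TrueWatch's engine or API): a minimal
# offline simulation of how one Security Check anomaly detection rule is
# evaluated. Event fields, Rule attributes and helper names are assumptions.
from collections import Counter
from dataclasses import dataclass

# Constructed sample inspection events (not real data). "ts" is seconds since
# the start of the simulation; the other keys are fields a rule can filter on.
EVENTS = [
    {"ts": 10,   "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 40,   "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 70,   "category": "container", "host": "web-01", "level": "warn"},
    {"ts": 320,  "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 350,  "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 380,  "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 650,  "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 680,  "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 1000, "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 1100, "category": "system",    "host": "db-01",  "level": "warn"},
    {"ts": 1300, "category": "system",    "host": "web-01", "level": "critical"},
    {"ts": 1600, "category": "system",    "host": "web-01", "level": "critical"},
]
LEVELS = ("critical", "important", "warning")  # checked from most to least severe

@dataclass
class Rule:
    frequency: int             # detection frequency, seconds (5m = 300)
    interval: int              # detection interval: query window, seconds
    filters: dict              # required field values (Category / Host / Level)
    dimensions: tuple          # up to three keyword fields, e.g. ("host",)
    thresholds: dict           # alert level -> minimum matching-event count
    consecutive: int = 1       # Consecutive Trigger Judgment: hits in a row needed
    recovery_checks: int = 1   # Normal: normal detections in a row before recovery
    data_gap: str = "no_event" # "no_event" | "treat_as_zero" | "gap_event"
    info_events: bool = False  # Information Generation

def counts_in_window(events, rule, now):
    """Matching events per detection object with now - interval <= ts < now."""
    counts = Counter()
    for ev in events:
        if now - rule.interval <= ev["ts"] < now and all(
                ev.get(k) == v for k, v in rule.filters.items()):
            counts[tuple(ev.get(d) for d in rule.dimensions)] += 1
    return counts

def level_for(count, thresholds):
    return next((lvl for lvl in LEVELS
                 if lvl in thresholds and count >= thresholds[lvl]), None)

def evaluate(events, rule, objects, until):
    """Run the rule at each tick; return (tick, object, kind) with kind an alert
    level, "recovery", "data_gap" or "info". Priority: data gap > trigger > info."""
    hits, normals, state, out = Counter(), Counter(), {}, []
    for now in range(rule.frequency, until + 1, rule.frequency):
        counts = counts_in_window(events, rule, now)
        for obj in objects:
            if obj not in counts:                        # no data in this window
                if rule.data_gap == "no_event":
                    continue
                if rule.data_gap == "gap_event":
                    out.append((now, obj, "data_gap"))   # wins over trigger/info
                    continue
                count = 0                                # treat_as_zero
            else:
                count = counts[obj]
            lvl = level_for(count, rule.thresholds)
            if lvl:
                hits[obj] += 1
                normals[obj] = 0
                # only the Nth consecutive hit (or a level change after it) raises an event
                if hits[obj] >= rule.consecutive and state.get(obj) != lvl:
                    state[obj] = lvl
                    out.append((now, obj, lvl))
            else:
                hits[obj] = 0
                if obj in state:                         # in alarm: count normal checks
                    normals[obj] += 1
                    if normals[obj] >= rule.recovery_checks:
                        del state[obj]
                        normals[obj] = 0
                        out.append((now, obj, "recovery"))
                elif rule.info_events:
                    out.append((now, obj, "info"))
    return out

def run_demo(data_gap="gap_event"):
    # 5m frequency and interval; count system/critical events per host; Critical
    # at >=3, Warning at >=2; 2 consecutive hits; 2 normal checks to recover.
    rule = Rule(frequency=300, interval=300,
                filters={"category": "system", "level": "critical"},
                dimensions=("host",), thresholds={"critical": 3, "warning": 2},
                consecutive=2, recovery_checks=2, data_gap=data_gap, info_events=True)
    return evaluate(EVENTS, rule, [("web-01",), ("db-01",)], until=1800)
```

Running `run_demo()` shows the Warning-level hit at 300 s being suppressed by the consecutive-trigger setting, the Critical event at 600 s on the second consecutive hit, the recovery at 1500 s after two normal detections, and `db-01` producing a data gap event at every tick because it never has matching data. Switching to `run_demo("treat_as_zero")` turns those gaps into a count of 0, which meets no threshold and therefore falls through to Information events, while `run_demo("no_event")` drops `db-01` from the output entirely.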
Other Configuration¶
For more details, refer to Rule Configuration.