Security Check Anomaly Detection


Used to monitor potential vulnerabilities, anomalies, and risks in system, container, network, and other components within the workspace. You can configure alerts by setting the trigger count of detection metrics to promptly identify and manage security threats.

Use Cases

Supports monitoring vulnerabilities, anomalies, and risks in Network, Storage, Database, System, Webserver, and Container.

Configuration

Detection Frequency

Refers to the execution frequency of detection rules. The default selection is 5 minutes.

Detection Interval

Refers to the time range for querying detection metrics. The available detection intervals vary depending on the detection frequency.

Detection Frequency    Detection Interval (Dropdown Options)
30s                    1m/5m/15m/30m/1h/3h
1m                     1m/5m/15m/30m/1h/3h
5m                     5m/15m/30m/1h/3h
15m                    15m/30m/1h/3h/6h
30m                    30m/1h/3h/6h
1h                     1h/3h/6h/12h/24h
6h                     6h/12h/24h
12h                    12h/24h
24h                    24h

Detection Metrics

Monitors the number of inspection events in Security Check within a specified time range that include the configured fields. Supports adding tag filters for screening.

Field Description
Category Event classification. Supported values: network, storage, database, system, webserver, container
Host Host name
Level Inspection event level. Supported values: info, warn, critical
Tags Filters the data of detection metrics based on the tags of the metrics, limiting the data scope of detection. Supports adding one or more tag filters, with conditions for fuzzy matching and fuzzy non-matching.
Detection Dimensions Any string-type (keyword) fields in the configuration data can be selected as detection dimensions. Currently, up to three fields can be selected as detection dimensions. By combining multiple detection dimension fields, a specific detection object can be determined. TrueWatch checks whether the statistical metrics of a detection object meet the threshold of the trigger conditions. If the conditions are met, an event is generated.
(For example, selecting detection dimensions host and host_ip allows the detection object to be {host: host1, host_ip: 127.0.0.1}.)

Trigger Conditions

Configure trigger conditions for alert levels: You can configure any one of the trigger conditions for Critical, Important, Warning, or Normal.

Configure trigger conditions and severity levels. If the query result contains multiple values, an event is generated if any value meets the trigger conditions.

For more details, refer to Event Level Description.

If Enable Consecutive Trigger Judgment is enabled, you can configure that an event is generated only after the trigger conditions are met consecutively for a specified number of times. The maximum limit is 10 times.

Alert Levels
  1. Alert Levels: Critical (red), Important (orange), Warning (yellow).

  2. Alert Level: Normal (green): Based on the configured number of detections, explained as follows:

    • Each execution of a detection task counts as 1 detection. For example, if Detection Frequency = 5 minutes, then 1 detection = 5 minutes.
    • The number of detections can be customized. For example, if Detection Frequency = 5 minutes, then 3 detections = 15 minutes.

After the detection rule takes effect, if Critical, Important, or Warning abnormal events are generated and the data detection results return to normal within the configured custom detection period, a recovery alert event is generated.

Data Gap

Seven strategies can be configured for data gap states.

  1. Linked to the detection interval time range: the query result of the detection metrics for the most recent detection interval is evaluated, and no event is triggered.

  2. Linked to the detection interval time range: the query result of the detection metrics for the most recent detection interval is evaluated, and a missing result is treated as 0. This 0 is then re-compared with the threshold configured in the Trigger Conditions above to determine whether to trigger an abnormal event.

  3. Custom data gap time: when no data is returned for the custom time you configure, trigger one of the following: a data gap event, a critical event, an important event, a warning event, or a recovery event. For this strategy, it is recommended that the custom data gap time be >= the detection interval. If the configured time is <= the detection interval, both the data gap condition and an abnormal trigger condition may be met in the same detection cycle; in that case, only the data gap processing result is applied.

Information Generation

Enable this option to generate "Information" events for detection results that do not match any of the above trigger conditions and write them.

Note

When trigger conditions, data gap, and information generation are configured simultaneously, the triggering priority is as follows: Data Gap > Trigger Conditions > Information Event Generation.
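The following Python model is an added illustration of how the settings described on this page combine per detection cycle; it is not TrueWatch code. It assumes a trigger condition is "event count >= threshold", that thresholds are listed most severe first, and that an open abnormal event is closed by a recovery event once the configured number of normal detections has passed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    thresholds: List[Tuple[str, int]]   # Trigger Conditions, most severe first (assumed: count >= threshold)
    consecutive: int = 1                # Consecutive Trigger Judgment count (1..10 per the docs)
    recovery_detections: int = 1        # "Normal" level: normal detections before a recovery event
    gap_strategy: str = "no_event"      # "no_event" | "treat_as_zero" | "data_gap_event"
    information: bool = False           # Information Generation switch

    def __post_init__(self):
        if not 1 <= self.consecutive <= 10:
            raise ValueError("consecutive trigger count must be between 1 and 10")

class Evaluator:
    """Replays one detection result per cycle and returns the event that cycle produces."""
    def __init__(self, rule: Rule):
        self.rule = rule
        self.streak = 0       # consecutive detections that met a trigger condition
        self.normal_run = 0   # consecutive detections with a normal result
        self.active = None    # level of the currently open abnormal event, if any

    def step(self, count: Optional[int]) -> Optional[str]:
        r = self.rule
        if count is None:                       # no data returned for the detection interval
            if r.gap_strategy == "no_event":
                return None
            if r.gap_strategy == "data_gap_event":
                return "data_gap"               # Data Gap outranks Trigger Conditions and Information
            count = 0                           # treat_as_zero: re-compare 0 against the thresholds
        level = next((lvl for lvl, th in r.thresholds if count >= th), None)
        if level is not None:
            self.streak, self.normal_run = self.streak + 1, 0
            if self.streak >= r.consecutive:    # event only after N consecutive hits
                self.active = level
                return level
            return None
        self.streak, self.normal_run = 0, self.normal_run + 1
        if self.active and self.normal_run >= r.recovery_detections:
            self.active, self.normal_run = None, 0
            return "recovery"
        return "information" if r.information else None   # lowest priority

def replay(rule: Rule, counts: List[Optional[int]]) -> List[Optional[str]]:
    ev = Evaluator(rule)
    return [ev.step(c) for c in counts]

# Constructed sample: inspection-event counts per 5-minute cycle; None means no data was returned.
SAMPLE_COUNTS = [0, 1, 1, None, 6, 0, 0, 0]
```

Running `replay` over `SAMPLE_COUNTS` with two consecutive triggers and two normal detections for recovery shows the data gap event winning the fourth cycle even though the open warning event has not recovered.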

Other Configuration

For more details, refer to Rule Configuration.