View and handle detected intrusion events

This topic describes how to view and handle detected intrusion events on the Intrusions page.

Context

After intrusion events are detected, they are displayed on the Intrusions page.
Events that have not been handled appear in the Unhandled Alerts list on the Intrusions page. Once an event is handled, its status changes from Unhandled Alerts to Handled.
Cloud retains both the Unhandled Alerts and the Handled records on the Intrusions page. By default, the Unhandled Alerts records are displayed.

Procedure

  1. On the product management page, select the Server Guard button.

  2. On the Server Guard page, click the Intrusions tab.

  3. On the Alerts page, review the listed events. To handle an individual intrusion event, find the event in the list and click Process in the Actions column. In the pop-up window, choose a processing method:

    • Ignore: Silences future alerts for this specific event and changes its status to "Handled."
    • Add to Whitelist: If the event is a false positive, add it to the whitelist to prevent future alerts for it. Because a whitelisted event no longer raises alerts, confirm that the process is legitimate before choosing this option. You can manage the whitelist from the "Handled" list.
    • Process Now: Applies the chosen processing method.

    Handling correlated exceptions: If the event contains multiple correlated exceptions, clicking "Process" opens a new page where you can handle each exception individually. Choose the appropriate method for each exception and click "Process" again to apply your chosen actions.
    Note:

    • A false positive is an alert that Server Guard generates for a normal process, for example a legitimate process on your server that sends TCP packets to, or scans, other devices.
    • Batch handling of unhandled events lets you process multiple events at once, but review the details of each event before doing so.
    • (Optional) If you confirm that one or more intrusion events are false positives or should be ignored, go to the Intrusions page, select those intrusion events, and click Ignore Once or Whitelist.

Exporting the intrusion event list:

  1. Click the export icon in the upper-left corner above the intrusion event list.
  2. A Done message appears in the upper-right corner once the export is complete.

Downloading the exported list:

  1. Click Download in the Done notification displayed on the Alerts page.
  2. The alert list is downloaded to your computer.