
Situation Awareness

User Guide

Issue 13

Date 2020-03-17

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 13 (2020-03-17) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Purchasing SA Professional Edition ..... 1

2 Overview ..... 5
2.1 Overview ..... 5
2.2 Large Screen ..... 14
2.2.1 Overall Situation Awareness ..... 14
2.2.2 ECS Security Situation Awareness ..... 20

3 Asset Management ..... 28
3.1 Host ..... 28
3.2 Website ..... 29

4 Threat Alarm ..... 36
4.1 Alarms ..... 36
4.1.1 Overview ..... 36
4.1.2 DDoS ..... 38
4.1.3 Brute Force Attack ..... 39
4.1.4 Web Attack ..... 41
4.1.5 Trojan ..... 41
4.1.6 Vulnerability Attack ..... 42
4.1.7 Zombie ..... 43
4.1.8 Abnormal Behavior ..... 43
4.1.9 Command and Control ..... 44
4.2 Threat Analysis ..... 45
4.3 Security Orchestration ..... 46
4.3.1 Enabling Security Orchestration ..... 46
4.3.2 Configuring a Whitelist ..... 47
4.3.3 Viewing Event Details ..... 49
4.3.4 Setting a Policy ..... 51
4.3.5 Viewing Asset Security Status ..... 56

5 Vulnerability Management ..... 59
5.1 Vulnerability Scan ..... 59
5.2 Viewing Host Vulnerability Scan Details ..... 60
5.3 Viewing Website Vulnerability Scan Details ..... 61
5.4 Emergency Vulnerability ..... 63

6 Baseline Inspection ..... 66
6.1 Host Baseline ..... 66
6.2 Cloud Service Baseline ..... 67

7 Managing SA Logs ..... 72

8 Settings ..... 75
8.1 Alarm Settings ..... 75
8.1.1 Alarm Notifications ..... 75
8.1.2 Alarm Monitoring Settings ..... 77
8.2 Authorization Settings ..... 80
8.2.1 Host Authorization ..... 80
8.2.2 Authorizing LTS for Log Management ..... 84
8.3 Scan Job ..... 85
8.3.1 Setting Cloud Service Baseline Scan Time ..... 86
8.3.2 Starting Scan Jobs ..... 87


1 Purchasing SA Professional Edition

SA provides two editions: basic and professional.

Background

After you register as an SA user, you can experience basic functions of the basic edition for free, or upgrade from the basic edition to the professional edition. The professional edition provides more types of threat detection and analysis services, including threat analysis, alarm settings, ECS vulnerability scan, website vulnerability scan, baseline inspection, and large screen. Large screen needs to be purchased additionally. After large screen is purchased, both overall situation awareness and ECS security situation awareness can be used.

Prerequisites

● You have obtained a username and its password for logging in to the management console. The IAM user has been assigned the Tenant Administrator permissions and has the SA operation permissions. For details about how to configure IAM user permissions, see Creating a User and Granting Permissions.

● By default, IAM users created by the administrator do not have any permissions. The administrator needs to grant the Tenant Administrator or Tenant Guest permissions to the IAM users so that they can perform operations or view SA information based on the granted permissions. For details about more permissions, see System Permissions.

● IAM users who have obtained the permissions can use the professional edition SA purchased under the same IAM account.

Procedure

Step 1 Log in to the management console.

Step 2 Go to the Purchase SA page, as shown in Figure 1-1.


Figure 1-1 Purchase SA page

Step 3 Set the required parameters. Table 1-1 Parameter description describes the parameters. For details about pricing, see Product Pricing Details.

Table 1-1 Parameter description

Edition: The basic edition can be upgraded to the professional edition.

Maximum Number of Quotas: The value must be greater than or equal to the number of assets.

Website Quota: The number of vulnerability scan domain names can be increased by purchasing SA professional edition. The website quota equals the maximum number of ECSs divided by ten, with the value rounded up.

Large Screen: Large screen can be purchased together with the SA professional edition, or can be purchased after the SA basic edition is upgraded to the SA professional edition. Large screen is unavailable in the SA basic edition.

Validity Period: You can purchase SA by month or year. At least one month is required. You can enjoy a discount of 17% on the basis of the total price for one year, 30% discount for two years, and 50% discount for three years. There is a minimum limit on Validity Period when the number of asset quotas is less than 6.
● If you purchase one asset quota, the minimum Validity Period is six months.
● If you purchase two asset quotas, the minimum Validity Period is three months.
● If you purchase three to five asset quotas, the minimum Validity Period is two months.
● If the number of newly purchased asset quotas is greater than or equal to 6, there is no limit on Validity Period.
● If you enable the Large Screen function, there is no limit on Validity Period regardless of the number of required asset quotas.

Figure 1-2 Parameter configuration

Step 4 After the configuration is complete, click Purchase Now.

Step 5 On the Details page, confirm the order information, read the Situation Awareness Disclaimer, select "I have read and agree to the Situation Awareness Disclaimer", and click Pay Now.


Step 6 After you complete the payment on the payment page, return to the SA console page. In the upper right corner of the SA page, you can view Current Edition and Expire at of the professional edition.

Figure 1-3 Expiration time

● To increase quotas, click Purchase SA in the upper right corner to access the purchase page, enter the number of quotas to be added, and click Purchase Now.

● The newly purchased quantity is the number of added quotas. When you change the specifications, the validity period cannot be changed. The newly added quotas take effect from the time when you buy them and expire together with the professional edition that was purchased first, so their validity period is less than or equal to that of the professional edition. The configuration fee varies according to the validity period of the new quotas. The existing quotas will not be charged again.

----End


2 Overview

2.1 Overview

The Overview page shows statistics on asset security risk, security status, threat alarms, host vulnerability, website vulnerability, baseline inspection, real-time threat alarm monitoring, attacker rankings, asset risk rankings, and the threatened asset data trend.

Prerequisites

● You have obtained a username and its password for logging in to the management console. The IAM user has been assigned the Tenant Guest permissions and has view permissions on SA. For details about how to configure IAM user permissions, see Creating a User and Granting Permissions.

● By default, IAM users created by the administrator do not have any permissions. The administrator needs to grant the Tenant Administrator or Tenant Guest permissions to the IAM users so that they can perform operations or view SA information based on the granted permissions. For details about more permissions, see System Permissions.

● IAM users who have obtained the permissions can use the professional edition SA purchased under the same IAM account.

Procedure

Step 1 Log in to the management console.

Step 2 Go to the Overview page, as shown in Figure 2-1.

The functions and usage of each area on the Overview page are described later in this section.


Figure 2-1 Viewing the overview information

----End

Security Risk

This area provides you with the security situation and analysis result of your assets.

The Security Risk area consists of a risk level and a risk score. Figure 2-2 provides an example. There are five risk levels: Informational, Low, Medium, High, and Critical. The risk score ranges from 0 to 100. A higher score means a higher risk. Each security risk level corresponds to a certain risk value. For example, the risk value corresponding to the medium risk is 60.


Figure 2-2 Security risk

Asset Security at a Glance

This area provides you with the security distribution and security situation analysis result of your assets.

Figure 2-3 is an example. The number in the middle of the circle indicates the total number of your assets, that is, the number of assets protected by SA. Legends on the right of the circle show the relationships between colors and threat levels, for example, green indicates No risk. Threat levels include Critical, High, Medium, Low, Informational, and No risk.

Figure 2-3 Asset security at a glance

The size of each colored segment shows the number of assets at the corresponding threat level. You can move the cursor to a segment to view the threat level, number, and proportion of assets represented by the color.


Figure 2-4 Viewing assets of no risk

Click the number in the middle of the Asset Security at a Glance diagram. The Asset Management > Host page is displayed, as shown in Figure 2-5. You can view more details about assets and search for certain assets using the filter criteria.

Figure 2-5 Viewing details about threatened assets

Statistics - Threat Alarms

If you want to know the types and number of threat alarms, you can view the results of threat alarms.

The statistics are shown in Figure 2-6 Statistics - Threat Alarms page. The center of the ring chart shows the total number of threat alarms in the last seven days, that is, the sum of threat alarms generated on all assets in the last seven days. Legends on the right of the circle show the relationships between colors and threat alarm types. Threat alarm types include DDoS Attack, Brute-Force Attack, Web Attack, Trojan, Vulnerability Exploit, Zombie, Abnormal Behavior, and C&C.


Figure 2-6 Statistics - Threat Alarms page

The size of each colored segment shows the proportion of threat alarms of the corresponding type. You can move the cursor to a segment to view the type, number, and proportion of threat alarms represented by the color.

Figure 2-7 Viewing the number of threat alarms

Click the number in the middle of the Statistics - Threat Alarms chart. The Threat Alarms > Alarms page is displayed, as shown in Figure 2-8 Viewing the details of a threat alarm. You can view more details about threats and search for threats based on specific filter criteria.


Figure 2-8 Viewing the details of a threat alarm

Host Vulnerability

To learn the number of vulnerabilities on a host, view the Host Vulnerability page, as shown in Figure 2-9.

Linux vulnerability management displays the number of Linux vulnerabilities on hosts. If you want to know more about the vulnerabilities and recovery suggestions, click the number.

Figure 2-9 Host vulnerability

Website Vulnerability

To learn about the number of vulnerabilities on the website, you can view the Website Vulnerability page, as shown in Figure 2-10.

To learn more about web vulnerabilities and recovery suggestions, click the number.

Figure 2-10 Website vulnerability


Baseline Inspection

The Baseline Inspection page displays the Host baseline and Cloud service baseline statistics of the protected host, as shown in Figure 2-11.

To learn about details, click the number.

Figure 2-11 Baseline inspection

Real-Time Threat Alarms Monitoring

To learn about the real-time threat alarms, you can view the Real-Time Threat Alarms Monitoring list.

Figure 2-12 shows the real-time threat alarms monitoring list. The list displays the latest threat alarm information in scrolling mode, including the Asset IP Address, Alarms Type, Alarms Level, and Discovered At. If no information is displayed in the list, no alarms have been discovered today.

Figure 2-12 Real-time threat alarms monitoring

Attacker Rankings

This area enables you to know information about attackers (attack sources) and provides a ranking list of attackers.

Figure 2-13 shows the list. The list displays the top 6 attackers in descending order, as well as the IP address, region, and number of attacks of each attacker.


Figure 2-13 Attacker rankings

Asset Rankings by Risk Level

This area enables you to know the security risk level, alarm statistics, and risk level ranking of each asset.

Figure 2-14 shows an example. On the left of the table, eight assets are displayed in descending order based on their risk levels. If you click an asset, its alarm statistics are displayed on the right, that is, the distribution of threat types that have occurred on the asset.

Figure 2-14 Asset rankings by risk level

The horizontal coordinate of each type of threat alarm indicates the time, and the position of a column indicates the time when the threat alarm occurred. For one type of threat alarm there are typically multiple risk levels (the same as the Level in the Real-Time Threat Alarms Monitoring area), so the columns may not be the same height. Figure 2-15 Viewing threat alarm information shows the threat alarm information. Place the mouse pointer on a column to view the threat alarm information at that time point.


Figure 2-15 Viewing threat alarm information

Trend of Threatened Assets

This area enables you to know the trend of threatened assets.

Figure 2-16 shows an example. The horizontal coordinate indicates time and the vertical coordinate the number of threatened assets. Because secure assets are not included, the maximum value of the vertical coordinate is less than or equal to the total number of assets.

Figure 2-16 Trend of threatened assets

Move the cursor to a date to view the number of threatened assets of that day.

Figure 2-17 Viewing the trend of threatened assets

Click View Details in the upper right corner. The Asset Management > Host page is displayed. You can view more details about assets and search for certain assets using the filter criteria.
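The Overview areas above (Statistics - Threat Alarms, Attacker Rankings, Asset Rankings by Risk Level and Trend of Threatened Assets) are all aggregations over the same underlying alarm records. The following Python block is an added example, not Huawei's code and not an SA API: it computes those figures from a constructed list of alarms so that the counting rules the text describes (seven-day window, per-type proportions, top-N attackers in descending order, per-asset type distribution, distinct threatened assets per day) can be checked against known input. The record fields, the sample IP addresses (RFC 5737 documentation ranges), the region labels and the inclusive window boundary are assumptions.

```python
"""Aggregating raw threat-alarm records into the Overview dashboard figures.

Added example, not Huawei's code. The record layout, the RFC 5737
documentation IP addresses and the region labels are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Alarm types as listed in the Statistics - Threat Alarms legend.
ALARM_TYPES = ("DDoS Attack", "Brute-Force Attack", "Web Attack", "Trojan",
               "Vulnerability Exploit", "Zombie", "Abnormal Behavior", "C&C")
# Alarm levels, highest first, as used by Asset Rankings by Risk Level.
LEVEL_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

NOW = datetime(2020, 3, 17, 12, 0)  # assumed "current time" for the 7-day window


def alarm(ts, asset, kind, level, attacker, region):
    """Build one alarm record (field names are an assumption)."""
    return {"discovered_at": datetime.fromisoformat(ts), "asset_ip": asset,
            "type": kind, "level": level, "attacker_ip": attacker,
            "attacker_region": region}


# Constructed sample alarms (not real data).
SAMPLE_ALARMS = [
    alarm("2020-03-17T09:00", "192.0.2.10", "Brute-Force Attack", "High", "203.0.113.5", "Region A"),
    alarm("2020-03-17T09:05", "192.0.2.10", "Brute-Force Attack", "High", "203.0.113.5", "Region A"),
    alarm("2020-03-16T22:00", "192.0.2.11", "Web Attack", "Medium", "203.0.113.7", "Region B"),
    alarm("2020-03-15T03:30", "192.0.2.12", "DDoS Attack", "Critical", "203.0.113.9", "Region C"),
    alarm("2020-03-15T04:00", "192.0.2.10", "Web Attack", "Low", "203.0.113.7", "Region B"),
    alarm("2020-03-12T10:00", "192.0.2.13", "Trojan", "High", "203.0.113.5", "Region A"),
    alarm("2020-03-11T11:00", "192.0.2.12", "C&C", "Critical", "203.0.113.20", "Region D"),
    alarm("2020-03-10T13:00", "192.0.2.11", "Abnormal Behavior", "Medium", "203.0.113.7", "Region B"),
    alarm("2020-03-05T08:00", "192.0.2.14", "Zombie", "High", "203.0.113.30", "Region E"),  # older than 7 days
]


def alarms_in_window(alarms, now=NOW, days=7):
    """Alarms discovered in the last `days` days (inclusive start is an assumption)."""
    start = now - timedelta(days=days)
    return [a for a in alarms if start <= a["discovered_at"] <= now]


def threat_alarm_statistics(alarms, now=NOW):
    """Ring-chart centre (total) and per-type (count, proportion) for the legend."""
    recent = alarms_in_window(alarms, now)
    total = len(recent)
    counts = Counter(a["type"] for a in recent)
    breakdown = {t: (counts[t], counts[t] / total if total else 0.0) for t in ALARM_TYPES}
    return total, breakdown


def attacker_rankings(alarms, now=NOW, top=6):
    """Top attackers by number of attacks, descending; ties broken by IP string."""
    counts = Counter((a["attacker_ip"], a["attacker_region"]) for a in alarms_in_window(alarms, now))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0][0]))
    return [(ip, region, n) for (ip, region), n in ranked[:top]]


def asset_rankings(alarms, now=NOW, top=8):
    """Assets ordered by the highest alarm level seen, then by alarm count."""
    worst, count = {}, Counter()
    for a in alarms_in_window(alarms, now):
        ip = a["asset_ip"]
        worst[ip] = max(worst.get(ip, 0), LEVEL_RANK[a["level"]])
        count[ip] += 1
    return sorted(worst, key=lambda ip: (-worst[ip], -count[ip], ip))[:top]


def asset_alarm_distribution(alarms, asset_ip, now=NOW):
    """Threat-type distribution shown when one asset in the ranking is clicked."""
    return Counter(a["type"] for a in alarms_in_window(alarms, now) if a["asset_ip"] == asset_ip)


def threatened_asset_trend(alarms, now=NOW, days=7):
    """Distinct threatened assets per day in the window, including days with none."""
    per_day = defaultdict(set)
    for a in alarms_in_window(alarms, now, days):
        per_day[a["discovered_at"].date()].add(a["asset_ip"])
    first = (now - timedelta(days=days)).date()
    return [(first + timedelta(days=i), len(per_day[first + timedelta(days=i)]))
            for i in range((now.date() - first).days + 1)]


if __name__ == "__main__":
    total, breakdown = threat_alarm_statistics(SAMPLE_ALARMS)
    print(f"Threat alarms in the last 7 days: {total}")
    for kind, (n, share) in breakdown.items():
        print(f"  {kind:<22} {n:>3}  {share:6.1%}")
    print("Attacker rankings:", attacker_rankings(SAMPLE_ALARMS))
    print("Asset rankings:", asset_rankings(SAMPLE_ALARMS))
    print("Threatened-asset trend:", threatened_asset_trend(SAMPLE_ALARMS))
```

The trend function returns one entry per calendar day in the window, so a day with no alarms shows 0 rather than being skipped, and the per-day value counts distinct assets, which is why it can never exceed the total number of assets, the property the text notes for the vertical coordinate.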


Figure 2-18 Viewing details about threatened assets

2.2 Large Screen

2.2.1 Overall Situation Awareness

To achieve a better demonstration effect in scenarios such as presentation, reporting, and real-time monitoring, the large screen is required to display the analysis result of SA. Simply magnifying the console is not ideal, so the large screen is designed to display a service interface with a better visual effect.

Prerequisites

Large screen is a value-added service, including the overall situation awareness and ECS security situation awareness. After purchasing the large screen, you can use the functions related to overall situation awareness.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Overall Situation Awareness page.


Figure 2-19 Viewing large-screen information

Step 3 Click the Overall Situation Awareness image. The large screen for overall situation awareness is displayed.

The functions and usage of each area on the Comprehensive Situational Awareness page are described later in this section.

Figure 2-20 Large screen for overall situation awareness

----End


Network-Wide Threat Map

As shown in Figure 2-21, the network-wide threat map dynamically displays threat events that are happening at the moment. By visualizing the attack sources and targets, the map enables you to clearly know the security of your assets. In the map, each circle represents a HUAWEI CLOUD region. The alarm sources of each HUAWEI CLOUD region are indicated by the attack lines on the map. A maximum of 20 alarms can be displayed.

● The large screen for overall situation awareness gives a rough overview of regional security status based on the regions where HUAWEI CLOUD is deployed. You cannot zoom in on the map for precise locating.

● The large screen for overall situation awareness is used for demonstration only, without any illegal or malicious purposes.

Figure 2-21 Network-wide threat map

Network-Wide Threat Degree

As shown in Figure 2-22, Network-Wide Threat Degree shows the overall security of assets. The displayed information includes the threat degree, total number of threats, and number of threatened assets.

The threat degree ranges from 0 to 100. A greater number means a greater threat. Because secure assets are not included, the number of threatened assets is less than or equal to the total number of assets.


Figure 2-22 Network-wide threat degree

Threat Event Trend

As shown in Figure 2-23, the horizontal coordinate indicates the time and the vertical coordinate indicates the number of threat events. Move the cursor to a date to view the number of threat events of that day.

Figure 2-23 Threat event trend

Threat Type Distribution

As shown in Figure 2-24, Threat Type Distribution displays the proportions of threats of different types.


Figure 2-24 Threat type distribution

Targeted Asset Quantity Trend

As shown in Figure 2-25, the horizontal coordinate indicates the time and the vertical coordinate indicates the number of threatened assets. Move the cursor to a date to view the number of threatened assets of that day.

Figure 2-25 Targeted asset quantity trend

Threat Events Today

As shown in Figure 2-26, Threat Events Today shows the number of threat events discovered today.


Figure 2-26 Threat events today

Top 5 Threat Sources

As shown in Figure 2-27, this area shows information about the top 5 vulnerable hosts, including the IP address, originating country/region, and number of attacks.

Figure 2-27 Top 5 threat sources

Region Distribution of Targeted Assets

As shown in Figure 2-28, Distribution of Targeted Assets shows the proportions of targeted assets by region.


Figure 2-28 Region distribution of targeted assets

2.2.2 ECS Security Situation Awareness

In scenarios such as presentations, reporting, and real-time monitoring, a large screen is needed to display the analysis results of ECS security situation awareness, and simply magnifying the console does not give a good view. The large screen therefore presents a dedicated service interface with a better visual effect.

Prerequisites

The large screen is a value-added service that covers overall situation awareness and ECS security situation awareness. After purchasing the large screen, you can use the functions related to ECS security situation awareness.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Overall Situation Awareness page.


Figure 2-29 Viewing large-screen information

Step 3 Click the ECS Security Overview image. The large screen for HUAWEI CLOUD ECS security situation awareness is displayed.

The functions and usage of each area on the ECS Security Overview page are described later in this section.

Figure 2-30 Large screen for ECS security situation awareness

----End


Vulnerable ECSs by Region

Figure 2-31 shows whether there are vulnerable ECSs in each HUAWEI CLOUD region on the current day. If a region has no vulnerable ECS, its indicator is green; if it has at least one, the indicator is red. When you click a region whose indicator is on, the total number of ECSs, the number of Windows ECSs, the number of Linux ECSs, and the number of vulnerable ECSs in that region are displayed. By visualizing vulnerable ECSs, the map lets you see the security status of your assets at a glance.

● The large screen for HUAWEI CLOUD ECS security situation gives a rough overview of regional security status based on the regions where HUAWEI CLOUD is deployed. You cannot zoom in on the map for precise locating.

● The large screen for HUAWEI CLOUD ECS security situation is intended for demonstration only and is not used for any illegal or malicious purpose.

Figure 2-31 Vulnerable ECSs by region

Details of ECS Security Events

As shown in Figure 2-32, details of ECS security events cover five types of alarms that threaten ECS security: brute-force attack, remote login, malicious program, webshell, and document change. Each ring chart represents one type. The number in the middle of a ring chart is the number of times a threat of that type occurred on the current day, and the number of vulnerable ECSs below the ring chart is the number of ECSs affected by that threat on the current day. The blue portion of the ring indicates the proportion of vulnerable ECSs to total assets. For example, in the brute-force attack ring chart, three ECSs were subjected to brute-force attacks 83 times.


Figure 2-32 Details of ECS security events

Asset Statistics

As shown in Figure 2-33, asset statistics show the total number and types of assets. ECSs are classified into Windows ECSs and Linux ECSs. The bar chart in the middle shows the proportion of each type to the total, and the number of ECSs of each type is displayed in the lower part.

Figure 2-33 Asset statistics

Trend of Vulnerable ECSs

As shown in Figure 2-34, the horizontal coordinate indicates the date and the vertical coordinate indicates the number of vulnerable ECSs. The figure shows the number of vulnerable ECSs on each day of the last seven days and the trend over that period.


Figure 2-34 Trend of vulnerable ECSs

Top 5 Vulnerable ECSs

Figure 2-35 shows information about the top 5 vulnerable ECSs in descending order of security risk level. The information includes the ECS name, ECS system, and attack severity. A maximum of five vulnerable ECSs are displayed. Security risk levels are, in descending order, critical, high-risk, medium-risk, low-risk, and warning.

Figure 2-35 Top 5 vulnerable ECSs


Trend of Brute-Force Attacks in the Last Seven Days

As shown in Figure 2-36, this chart shows the number of brute-force attacks on each day of the last seven days. The horizontal coordinate indicates the date and the vertical coordinate indicates the number of brute-force attacks. Move the cursor to a date to view the number of brute-force attacks on that day.

Figure 2-36 Trend of brute-force attacks in the last seven days

Brute-Force Attack Types

Figure 2-37 shows the brute-force attack types detected on the current day and the number of attacks of each type. There are five types, matching the rows of Table 4-2: SSH brute-force attack, RDP brute-force attack, web brute-force attack, MySQL brute-force attack, and MS SQL Server brute-force attack. The upper right corner displays the total number of ECSs subjected to brute-force attacks on the current day.

Figure 2-37 Brute-force attack types


Vulnerability Statistics

As shown in Figure 2-38, the ring chart shows the proportion of Windows vulnerabilities and Linux vulnerabilities detected on the current day. The number of vulnerabilities of each type is displayed below the ring chart, and the number of ECSs on which vulnerabilities were detected is displayed in the upper right corner.

Figure 2-38 Vulnerability statistics

Baseline Inspection

As shown in Figure 2-39, baseline inspection consists of two modules: ECS baseline and cloud service baseline. The ECS baseline module checks password complexity and configuration risks and reports the number of risks. The cloud service baseline module checks credential authentication, access control, log audit, data security, and basic protection risks and reports the number of risks.


Figure 2-39 Baseline inspection


3 Asset Management

3.1 Host

The Host page provides asset statistics, including the security status, risk value, and number of attacks. You can view asset information such as the IP address, region, and security status of an asset by applying search criteria.

Procedure

Step 1 Log in to the management console.

Step 2 Access the host asset information page, as shown in Figure 3-1.

Figure 3-1 Viewing host asset information

Step 3 Click an option next to Region, HSS Status, or Security Status. The corresponding list of assets is displayed, as shown in Figure 3-2.

● Region: region where an asset is located
● HSS Status: whether HSS is enabled
● Security Status: security status of an asset


Figure 3-2 Setting filter criteria

If a large number of assets are displayed, use the search function to quickly locate the desired asset. Enter the elastic IP address (EIP) of an asset in the search box and click the search icon to view the asset information.

Step 4 Click a value in the Number of Attacks column. The Threats tab page is displayed. For details about this page, see Alarm Overview.

----End

3.2 Website

Before scanning a website, perform the steps in this section to add the domain name to be scanned.

Context

Choose Security > Situation Awareness > Asset Management > Website. On the displayed Website page, perform the following operations:

1. Add a domain name.

2. Authenticate the domain name.

3. Start a scan job.

4. View scan results.

After scanning, choose Security > Situation Awareness > Asset Management > Website to view the vulnerability analysis results.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition of the SA service and the service is within its validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Website dialog box, as shown in Figure 3-3.


Figure 3-3 Adding website asset information

Step 3 On the Add Domain Name tab, add the website to be scanned and click Ok.

Figure 3-4 Adding a domain name

Step 4 Close the Add Domain Name dialog box. In the Authentication Status column, click Authenticate Now. The dialog box for authenticating the website is displayed. Select the domain name authentication mode (Document Authentication or One-Click Authentication).

After adding a website, you can also choose Add Domain Name > Authenticate Domain Name Ownership to authenticate the domain name. The authentication methods are the same.

● Method 1: Select Document Authentication, as shown in Figure 3-5.


Figure 3-5 Document authentication

a. Click Download Authentication Document.
b. Upload the downloaded document to the root directory of the website so that target website/hwwebscan_verify.html can be accessed.
c. Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer.
d. Click Authenticate.

Authentication Status becomes Authenticated if authentication succeeds.

● Method 2: Select One-Click Authentication, as shown in Figure 3-6.

Figure 3-6 One-click authentication

Select I have read and agree to the HUAWEI CLOUD Vulnerability Scan Service Disclaimer, and click Authenticate. Authentication Status becomes Authenticated if authentication succeeds.
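The following script is added here as an example and is not part of the Huawei Cloud guide or the SA service. It performs the reachability check that step b of Document Authentication relies on before you click Authenticate: it requests hwwebscan_verify.html at the site root, refuses to follow redirects (a redirect to another host would not prove control of this site), and compares the body with the document you downloaded. The file name comes from the guide; the content comparison, the local test server in demo(), and the token value are assumptions made for this example.

```python
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

VERIFY_FILE = "hwwebscan_verify.html"   # file name named in the guide


def evaluate(status, location, body, expected_content):
    """Decide whether a response for /hwwebscan_verify.html proves the upload.
    Pure function (no network) so the rules can be tested; returns (ok, reason)."""
    if 300 <= status < 400:
        return False, f"redirected ({status}) to {location}; the file must be served directly"
    if status != 200:
        return False, f"HTTP {status}; the file is not at the site root"
    if body.strip() != expected_content.strip().encode():
        return False, "file found but its content differs from the downloaded document"
    return True, "ok"


def check_verification_file(base_url, expected_content, timeout=5):
    """Fetch <base_url>/hwwebscan_verify.html without following redirects."""
    url = base_url.rstrip("/") + "/" + VERIFY_FILE

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None   # urllib then raises HTTPError for 3xx instead of following it

    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return evaluate(resp.status, None, resp.read(), expected_content)
    except urllib.error.HTTPError as e:
        return evaluate(e.code, e.headers.get("Location"), b"", expected_content)
    except urllib.error.URLError as e:
        return False, f"connection failed: {e.reason}"


def serve_directory(root):
    """Throw-away HTTP server on 127.0.0.1 serving `root`; returns (server, base_url).
    Stands in for the real web server in this example only."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(root))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}"


def demo():
    """Show the three outcomes: not uploaded, uploaded to the wrong directory, correct.
    Returns the ok flags of the three checks."""
    token = "hwwebscan-verify-0123456789abcdef"   # constructed stand-in for the document's content
    with tempfile.TemporaryDirectory() as root:
        server, base_url = serve_directory(root)
        try:
            missing = check_verification_file(base_url, token)
            Path(root, "sub").mkdir()
            Path(root, "sub", VERIFY_FILE).write_text(token)      # common mistake: a subdirectory
            misplaced = check_verification_file(base_url, token)
            Path(root, VERIFY_FILE).write_text(token)             # what step b asks for
            correct = check_verification_file(base_url, token)
        finally:
            server.shutdown()
            server.server_close()
    return missing[0], misplaced[0], correct[0]


if __name__ == "__main__":
    print(demo())   # (False, False, True)
```

Against the real site, call check_verification_file("https://www.example.com", open("hwwebscan_verify.html").read()) with the document downloaded in step a. A 404 usually means the file landed in a subdirectory, as demo() shows with the misplaced copy; a 3xx usually means an HTTP-to-HTTPS or www redirect, so point the check (and the authentication) at the URL the site finally serves.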

Step 5 After domain name authentication is complete, click Scan in the Operation column to create a scan job.


After domain name authentication is complete, you can also choose Add Domain Name > Configure Website to create a scan job. The configuration methods are the same.

Table 3-1 describes the parameters. Figure 3-7 shows the parameter settings.

Figure 3-7 Scan settings

Table 3-1 Parameter description

Job Name: Customizable job name.

Target Network Address: Enter the domain name or IP address to be scanned, or select an authenticated domain name from the drop-down list.

Start Time: Time when the scan job begins.

Scan Mode: There are three scan modes:
● Quick Scan: takes the least time and detects the fewest vulnerabilities.
● Standard Scan: takes more time and detects more vulnerabilities.
● Complete Scan: takes the longest time and detects the most vulnerabilities.

Step 6 After the setting is complete, click OK to start the scan job.

Step 7 After scanning is complete, click View Details in the View Latest column to view the scan results.


Figure 3-8 Scan results

Table 3-2 Parameter description

Scan IP Address
  Description: The address that was scanned. By default this is the Target Network Address entered when the job was created.
  Operation: Click the icon next to the Target Network Address to view details, including the IP address, server, and language.

Job Information
  Description: The basic information about the job, including:
  ● Score: The initial score is 100 points. After the scan, points are deducted based on the number of vulnerabilities found and their levels. If no vulnerability exists, no points are deducted.
  ● Security Level: Security level of the website based on the scan result. If no vulnerability is detected, Secure is displayed; if vulnerabilities are detected, Medium or High is displayed.
  ● Total: Total number of vulnerabilities and number of vulnerabilities at each level.
  ● Started: Start time of the scan job.
  ● Scan Duration: Time taken to finish the scan job.
  ● Scan Mode: Scan mode selected when the scan job was created.
  ● Scan Result: Execution result of the scan. Scanning completed or Scanning failed is displayed.
  Operation:
  ● Click Scan Again or Cancel to re-scan or cancel the scan job.
  ● Click Edit to edit the scan job.

Scan Summary
  Description: Displays the scan items, scan types, and scan result of each scan item.
  Operation: -

Vulnerability List
  Description: Displays information about discovered vulnerabilities. A maximum of five vulnerabilities are displayed per page; turn pages to view more.
  Operation:
  ● Click Learn More to view the vulnerability list.
  ● Click a Vulnerability ID to view the vulnerability details.

Site Structure
  Description: Displays the site location of each vulnerability. If no vulnerability is detected, no site structure data is displayed.
  Operation: -

Step 8 Manage other website assets.

● Click Edit and set the web page login mode so that Vulnerability Scan Service (VSS) can detect web page security issues in a timely manner. For details, see Website Login Settings and Obtaining the Cookie Value.


Figure 3-9 Editing the website

● Click Delete to delete the website asset information.

----End


4 Threat Alarm

4.1 Alarms

4.1.1 Overview

The Alarm List page provides the threat alarm statistics list, including the name, type, level, and time. By customizing filter conditions such as the alarm name, alarm severity, and time, you can quickly query the corresponding threat alarms.

Context

SA can identify various types of threat events, helping you quickly learn about and handle the threats. Table 4-1 describes the event types.

Table 4-1 Alarm threat type

Alarm Name (Parent) | Supported Alarm Types | Basic Edition Support | Professional Edition Support
DDoS attack | 100+ | All supported | All supported
Brute-force attack | 8 | Five types are supported. | All supported (three types can be detected and displayed only after HSS is purchased.)
Web attack | 33 | One type is supported. | All supported (19 types can be detected and displayed only after WAF is purchased.)
Trojan | 5 | One type is supported. | All supported
Vulnerability exploit | 2 | Not supported | All supported
Zombie | 8 | Five types are supported. | All supported
Abnormal behavior | 3 | Not supported | All supported
C&C | 6 | Not supported | All supported

Viewing Alarms

Step 1 Log in to the management console.

Step 2 Access the Alarms page, as shown in Figure 4-1.

Figure 4-1 Viewing the alarm list information

Step 3 Click the option next to Alarm Name, Risk Severity, or Time. The list of threat alarms that meet the filter criteria is displayed, as shown in Figure 4-2.

● Alarm Name: the category to which a threat alarm belongs.
● Risk Severity: severity of a threat alarm. The value can be Critical, High, Medium, Low, or Informational.
● Time: time range in which a threat alarm was generated. The value can be Today, Yesterday, Last 3 days, Last 7 days, Last 30 days, or Last 6 months.


Figure 4-2 Setting filter criteria

When a large number of threat alarms match the filter, use the search function to quickly locate specific alarms. Choose Asset IP Address or Source from the drop-down list, enter an IP address in the search box, and click the search icon. The alarm information for that asset is displayed.

Step 4 Click an alarm in the Alarm Name column. The Alarm Details window is displayed on the right, showing the Basic Information, Alarm Information, and Tenant Information of the event. Click Close to dismiss it. In addition, when you place the cursor on an alarm name, the threat subtypes and handling suggestions are displayed.

Figure 4-3 Alarm details page

----End

4.1.2 DDoS

In a DDoS attack, an attacker uses compromised computers on the Internet to launch DoS attacks on the target. DoS attacks, also called flood attacks, are intended to exhaust the network or system resources of the target, causing service interruption or suspension so that legitimate users cannot access network services.

There are about 100 subtypes under the DDoS threat parent type. Both the basic and professional editions of SA support all DDoS threat alarm subtypes.

If SA detects that an application system is under DDoS threat, the application system is being attacked. This threat has the Informational alarm severity. You are advised to purchase AAD.

4.1.3 Brute Force Attack

In a brute force attack, every possible candidate is tried according to certain criteria until the correct one is found. Attackers guess and try login usernames and passwords remotely; once they succeed, they can attack and control the system.

SA can detect eight subtypes of brute force attack threats. The basic edition can detect five of them; the professional edition can detect all of them (HSS must be purchased for three subtypes).

If a brute force attack threat is detected, handle the threat according to theinstructions in Table 4-2.

Table 4-2 Suggestions on handling brute force attack threats

SSH brute-force attack
  Severity: Medium
  Threat description: Detected continuous SSH login attempts to the ECS instance, indicating that an attacker is trying to crack the ECS instance over SSH.
  Suggestion: The main cause is that the SSH port is open to the public network. You are advised to:
  1. In the security group settings, forbid external SSH access.
  2. Configure hosts.deny in the ECS operating system.

RDP brute-force attack
  Severity: Medium
  Threat description: Detected continuous RDP login attempts to the ECS instance, indicating that an attacker is trying to crack the ECS instance over RDP.
  Suggestion: The main cause is that the RDP port is open to the public network. You are advised to:
  1. In the security group settings, forbid external RDP access.
  2. Configure remote desktop access control, such as the Windows firewall, in the ECS operating system.

Web brute-force attack
  Severity: Medium
  Threat description: Detected continuous login attempts to your web service (such as its login page), indicating that an attacker is trying to crack the web service (such as the web application login page).
  Suggestion: The main causes are that the application's background management pages (such as phpMyAdmin and the Tomcat management page) are open to the public network, and that login pages of services that must be reachable from the public network perform no login verification. You are advised to:
  1. In the security group settings, forbid external access to the background management pages.
  2. Add brute-force defense logic to the web application, such as an SMS verification code or an image verification code at login.

MySQL brute-force attack
  Severity: Medium
  Threat description: Detected continuous login attempts to MySQL on the ECS instance, indicating that an attacker is trying to crack MySQL on the ECS instance.
  Suggestion: The main cause is that the MySQL service port is open to the public network. You are advised to:
  1. In the security group settings, forbid external access to the MySQL instance.
  2. Configure the OS firewall policy to forbid external access.
  3. Unbind the EIP from the ECS on which the MySQL instance is installed.

MS SQL brute-force attack
  Severity: Medium
  Threat description: Detected continuous login attempts to MS SQL Server on the ECS instance, indicating that an attacker is trying to crack MS SQL Server on the ECS instance.
  Suggestion: The main cause is that the MS SQL Server service port is open to the public network. You are advised to:
  1. In the security group settings, forbid external access to the MS SQL Server instance.
  2. Configure the OS firewall policy to forbid external access.
  3. Unbind the EIP from the ECS on which the MS SQL Server instance is installed.

System brute force attack detection event
  Severity: Medium
  Threat description: Detected brute force attacks on and continuous login attempts to your ECS instance.
  Suggestion: Log in to the HSS console and handle the event there.

Unauthorized system account
  Severity: Medium
  Threat description: Detected brute force attacks on and continuous login attempts to the ECS instance using an unauthorized system account.
  Suggestion: Log in to the HSS console and handle the event there.

System crack success detection event
  Severity: High
  Threat description: Detected that your ECS instance was successfully cracked.
  Suggestion: Log in to the HSS console and handle the event there.
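The detection logic that the SSH and RDP rows of this table rest on, shown as an added example that is not code from the Huawei Cloud guide or the SA service: a sliding-window count of failed logins per source address, run over constructed sshd log lines and a constructed one-line rendering of Windows security event 4625 with logon type 10 (RemoteInteractive, i.e. RDP). The threshold of 10 failures within 60 seconds, both log formats, the year assumed for syslog timestamps, and the sample addresses (RFC 5737 documentation ranges) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from itertools import cycle

THRESHOLD = 10        # failed logins from one source ...
WINDOW_SECONDS = 60   # ... within this many seconds raise an alarm (assumed values)

# Linux sshd failure line (syslog format) and a constructed flattening of
# Windows event 4625 / LogonType 10 (RDP).  Both formats are assumptions.
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
RDP_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*\bEventID=4625\b.*\bLogonType=10\b"
    r".*\bTargetUserName=(?P<user>\S+).*\bIpAddress=(?P<ip>[\d.]+)")


def parse_failed_login(line, year=2020):
    """Return (timestamp, service, source_ip, user) for a failed-login line, else None.
    syslog lines carry no year, so one is assumed."""
    m = SSH_FAIL.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, "ssh", m["ip"], m["user"]
    m = RDP_FAIL.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "rdp", m["ip"], m["user"]
    return None


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window counter per (service, source IP); lines must be time-ordered.
    Emits one alarm per key the first time `threshold` failures fall within `window` seconds."""
    recent = defaultdict(deque)      # key -> timestamps of failures still inside the window
    users = defaultdict(set)         # key -> user names tried from that source
    alarmed, alarms = set(), []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                 # successful logins and unrelated lines are ignored
        ts, service, ip, user = parsed
        key = (service, ip)
        q = recent[key]
        q.append(ts)
        users[key].add(user)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()              # drop failures that aged out of the window
        if len(q) >= threshold and key not in alarmed:
            alarmed.add(key)
            alarms.append({"service": service, "source": ip, "failures": len(q),
                           "first": q[0], "last": ts, "users": sorted(users[key])})
    return alarms


def hosts_deny_entries(alarms):
    """TCP-wrappers style lines for the SSH alarms (see the caveat below the block)."""
    return [f"sshd: {a['source']}" for a in alarms if a["service"] == "ssh"]


# Constructed sample log: one SSH source spraying three user names, one user
# who mistyped a password twice and then logged in, and one RDP source.
def _ssh_line(sec, user, ip):
    who = user if user == "root" else f"invalid user {user}"
    return f"Mar 17 10:15:{sec:02d} ecs-web-01 sshd[2211]: Failed password for {who} from {ip} port 51234 ssh2"


def _rdp_line(sec, ip):
    return (f"2020-03-17 10:20:{sec:02d} ecs-win-01 Security EventID=4625 LogonType=10 "
            f"TargetUserName=Administrator IpAddress={ip}")


SAMPLE_LOG = (
    [_ssh_line(s, u, "198.51.100.23") for s, u in zip(range(0, 36, 3), cycle(["root", "admin", "oracle"]))]
    + [_ssh_line(40, "alice", "203.0.113.5"), _ssh_line(52, "alice", "203.0.113.5"),
       "Mar 17 10:15:58 ecs-web-01 sshd[2230]: Accepted password for alice from 203.0.113.5 port 40110 ssh2"]
    + [_rdp_line(s, "192.0.2.77") for s in range(0, 30, 3)]
)

if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for alarm in found:
        print(alarm)
    print(hosts_deny_entries(found))
```

Feed real lines with detect_bruteforce(open("/var/log/auth.log")) on the ECS. hosts_deny_entries() produces the lines that step 2 of the SSH row refers to, with one caveat a practitioner should know: OpenSSH upstream removed TCP wrappers (libwrap) support in release 6.7, so whether sshd honours hosts.deny depends on the distribution's build; the security group rule in step 1 works regardless of that.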

4.1.4 Web Attack

A web attack is an attack against Internet-facing services or devices, such as web servers. Common web attacks include SQL injection, buffer overflow, cross-site scripting (XSS), and cross-site request forgery (CSRF, also written XSRF) attacks.

SA can detect 33 subtypes of web attack threats. The basic edition can detect one subtype; the professional edition can detect all 33, of which 19 require WAF to be purchased.

If SA detects a web attack threat, an attacker is attempting to exploit web application vulnerabilities. This threat has the alarm severity Medium or lower. You are advised to perform the following operations:

1. Check the web application logic for vulnerabilities.

2. Purchase WAF.

4.1.5 Trojan

A Trojan, also called a Trojan horse, is a malicious program that misleads users about its true intent. It poses as a legitimate application or file to deceive victims into executing or spreading it. Once executed, it gives attackers unauthorized access to the target host to steal data such as usernames, passwords, and encrypted files. In many hacker attacks, a Trojan serves as the foundation for further attacks.


SA can detect five subtypes of Trojan horse threats. The basic edition can detect one subtype; the professional edition can detect all of them.

When a Trojan horse threat is detected, the ECS instance has made network requests characteristic of a Trojan horse implant. For example, the ECS instance attempts to send DNS resolution requests related to WannaCry ransomware or to download .exe Trojan horse programs. This threat has the High alarm severity. You are advised to perform the following operations:

1. Disable the affected ECS instance.
2. Check whether other hosts on the subnet where the instance resides have been intruded.
3. Purchase HSS.

4.1.6 Vulnerability Attack

A vulnerability is a weakness that a threat actor, such as an attacker, can exploit to perform unauthorized actions within a computer system. Gaining access, stealing sensitive data, or sabotaging software and hardware systems through such a weakness are all vulnerability attacks.

SA can detect two subtypes of vulnerability attack threats. The basic edition does not support vulnerability attack detection; the professional edition supports detection of both subtypes.

If a vulnerability attack threat is detected, handle the threat according to theinstructions in Table 4-3.

Table 4-3 Suggestions for handling vulnerability attack threats

MySQL vulnerability attack
  Severity: Low
  Threat description: SA detected that the ECS instance is being attacked through a MySQL vulnerability.
  Suggestion: The main cause is that the MySQL service on the ECS instance is exposed to the public network. You are advised to:
  1. Configure security group rules to forbid access to the MySQL service from the public network.
  2. Unbind the ELB so that the MySQL service is no longer reachable from the public network.

Redis vulnerability attack
  Severity: Low
  Threat description: SA detected that the ECS instance is being attacked through a Redis vulnerability.
  Suggestion: The main cause is that the Redis service on the ECS instance is exposed to the public network. You are advised to:
  1. Configure security group rules to forbid access to the Redis service from the public network.
  2. Unbind the ELB so that the Redis service is no longer reachable from the public network.
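An added example, not from the Huawei Cloud guide or the SA service, of the local check behind the root cause that this table and Table 4-2 both name: which of the services involved (SSH, RDP, MySQL, MS SQL Server, Redis) are listening on every interface of the ECS, so that a permissive security group rule, an EIP, or an ELB exposes them. The `ss` output is constructed, the port-to-service map uses the IANA default ports, and audit_this_host() assumes a Linux host with iproute2 installed.

```python
import subprocess

# IANA default ports of the services this chapter's suggestions cover (assumed mapping).
SERVICES = {22: "SSH", 3389: "RDP", 3306: "MySQL", 1433: "MS SQL Server", 6379: "Redis"}
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}      # listening on every interface

# Constructed `ss -H -ltn` output (no header): State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
LISTEN 0      128            0.0.0.0:22          0.0.0.0:*
LISTEN 0      128               [::]:22             [::]:*
LISTEN 0      70           127.0.0.1:3306        0.0.0.0:*
LISTEN 0      511            0.0.0.0:6379        0.0.0.0:*
LISTEN 0      4096     127.0.0.53%lo:53          0.0.0.0:*
LISTEN 0      128            0.0.0.0:80          0.0.0.0:*
"""


def parse_ss(text):
    """Parse `ss -ltn` output into (local_address, port) tuples; header lines are skipped
    because their fourth column ("Local") has no numeric port."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")     # rpartition keeps IPv6 colons in addr
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners


def exposed_services(listeners, services=SERVICES):
    """Services from `services` bound to a wildcard address, with the fix the guide suggests."""
    findings = []
    for addr, port in listeners:
        if port in services and addr in WILDCARD_BINDS:
            findings.append({
                "service": services[port], "port": port, "bind": addr,
                "advice": (f"block port {port} from the public network in the security group, "
                           f"bind {services[port]} to a private address, or remove the EIP/ELB"),
            })
    return findings


def audit_this_host():
    """Run the check on the current Linux host (requires iproute2's `ss`)."""
    out = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_services(parse_ss(out))


if __name__ == "__main__":
    for f in exposed_services(parse_ss(SAMPLE_SS)):
        print(f"{f['service']} on {f['bind']}:{f['port']} -> {f['advice']}")
```

A wildcard bind is only reachable when the security group, EIP, or ELB lets traffic in, so read the findings together with the security group rules; conversely, binding MySQL or Redis to 127.0.0.1 (as the constructed MySQL line shows) removes the exposure even if a rule is later loosened. The check does not cover Windows; on an RDP host use the Windows firewall configuration the RDP row of Table 4-2 suggests.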

4.1.7 Zombie

A zombie is an Internet-connected computer that has been compromised by a hacker, computer virus, or Trojan horse program and can be used to perform malicious tasks of one sort or another under remote direction. Attackers send commands to zombies through control channels and order them to send forged or junk packets to targets, which then fail to respond and deny service. This is a common form of DDoS attack. Now that virtual currencies (such as Bitcoin) have grown in value, attackers also use zombies to mine them.

SA can detect eight subtypes of zombie threats. The basic edition supports five of them; the professional edition supports detection of all subtypes.

When a zombie threat is detected, the ECS instance has been observed mining (for example, accessing a mining pool address) or initiating DDoS or brute force attacks; it may have been implanted with a mining Trojan or a backdoor program and may have become part of a botnet. This threat has the High alarm severity. You are advised to perform the following operations:

1. Scan for and remove viruses and Trojan horses on the ECS instance. If scanning and removal fail, disable the instance.

2. Check whether other hosts on the subnet where the instance resides have been intruded.

3. Purchase HSS.

4.1.8 Abnormal Behavior

Abnormal behavior refers to events that should not occur on hosts, for example a user successfully logging in at an unusual time, file directories being changed unexpectedly, or a process error. Many such events are caused by malicious programs, so administrators should pay attention to them. Abnormal behavior data in SA mainly comes from Host Security Service (HSS).


SA can detect three subtypes of abnormal behavior threats. The basic edition does not support detection of abnormal behavior threats. The professional edition can detect all subtypes.

If an abnormal behavior threat is detected, handle it according to the instructions in Table 4-4.

Table 4-4 Suggestions on handling abnormal behavior threats

Threat: File directory change monitoring event
Alarm Severity: Informational
Description: A key file of the ECS instance was modified.
Suggestion: Log in to the HSS console and handle the event there.

Threat: System login audit event
Alarm Severity: Informational
Description: An abnormal login to the ECS instance was detected.
Suggestion: Log in to the HSS console and handle the event there.

Threat: Abnormal process behavior
Alarm Severity: Low
Description: Abnormal process behavior was detected on the ECS instance, or a suspected malicious program was detected.
Suggestion: Log in to the HSS console and handle the event there.

4.1.9 Command and Control

A domain generation algorithm (DGA) generates command and control (C&C) domain names from random characters. Attackers commonly use DGAs to evade domain name blacklists: they register malicious domain names generated by the DGA and point them at C&C servers. When a victim runs the malicious program, the host resolves the generated domain names and connects to the C&C server, after which the attacker can control the host remotely.

SA can detect six subtypes of C&C threats. The basic edition does not support detection of C&C threats. The professional edition supports detection of all subtypes.

A C&C threat is reported when the ECS instance accesses a DGA domain name, accesses a remote C&C server, or establishes a channel to a C&C server. Such access or connection behavior by malicious software indicates that the ECS instance may be remotely controlled by the C&C server and may have become a member of a botnet. This is a threat at the High alarm severity. Therefore, you are advised to perform the following operations:

1. Scan for and remove viruses and Trojan horses on the ECS instance. If the scanning and removal fail, disable the instance.

2. Check whether other hosts on the subnet where the instance resides have also been compromised.


3. Purchase HSS.
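When a C&C alarm names a domain, an administrator usually wants to triage the host's own resolver logs for other names of the same kind before deciding whether the instance must be taken offline. The following is an added example, not code from this guide or from SA, and it does not reproduce SA's detection method: it scores the second-level label of each queried name with four simple DGA indicators (character entropy, digit ratio, vowel ratio, and length) over a constructed DNS query log. The log format, the thresholds, and the score at which a name is flagged are assumptions chosen for the example; a single indicator alone (entropy in particular) misclassifies legitimate names such as CDN hostnames, which is why a name must trip several of them.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real data). Assumed line format:
# "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2020-03-17T10:00:01Z 192.168.0.12 www.huaweicloud.com
2020-03-17T10:00:02Z 192.168.0.12 support.huaweicloud.com
2020-03-17T10:00:03Z 192.168.0.12 xkq7pzmvw9tj.com
2020-03-17T10:00:04Z 192.168.0.12 bq1v8zrk3tyd0.net
2020-03-17T10:00:05Z 192.168.0.12 mail.example.org
2020-03-17T10:00:06Z 192.168.0.12 t8h3jx4qw1n2lp.info
"""

# Heuristic thresholds (assumptions chosen for this example, not SA's rules).
ENTROPY_MIN = 3.5      # bits per character; random strings score high
DIGIT_RATIO_MIN = 0.2
VOWEL_RATIO_MAX = 0.2
LENGTH_MIN = 12
FLAG_SCORE = 3         # a label must trip at least 3 of the 4 indicators


def shannon_entropy(text):
    """Shannon entropy of a string, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname):
    """Second-level label of a name, e.g. 'huaweicloud' for www.huaweicloud.com.
    Simplification: public-suffix lists (co.uk and the like) are not handled."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(qname):
    """Number of DGA indicators (0..4) tripped by the registrable label."""
    label = registrable_label(qname)
    n = max(len(label), 1)
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    return sum([
        shannon_entropy(label) >= ENTROPY_MIN,
        digit_ratio >= DIGIT_RATIO_MIN,
        vowel_ratio <= VOWEL_RATIO_MAX,
        len(label) >= LENGTH_MIN,
    ])


def flag_dga_queries(log_text, flag_score=FLAG_SCORE):
    """Queried names (log order, deduplicated) whose score reaches flag_score."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue          # skip blank or malformed lines
        qname = fields[2]
        if dga_score(qname) >= flag_score and qname not in flagged:
            flagged.append(qname)
    return flagged


if __name__ == "__main__":
    for name in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{name}: score {dga_score(name)}")
```

Run against the sample log, the three random-looking names are flagged and the two legitimate ones are not; treat the output as a triage list to compare with the C&C alarm, not as proof of compromise.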

4.2 Threat Analysis

You can analyze attacks from the dimensions of Attack source or Attacked asset on the Threat Analysis page.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Threat Analysis page, as shown in Figure 4-4.

Figure 4-4 Viewing threat analysis information

Step 3 Select Attack source or Attacked asset from the drop-down list, set the occurrence time, enter the IP address to be queried, and click Start Analysis.

The time can be Today, Yesterday, Last 3 days, Last 7 days, Last 30 days, or Last 6 months.

Step 4 The list shows the threat information that matches the filter conditions: which assets the attack source attacked and with which attack types, or which attacks were launched against the attacked asset, as shown in Figure 4-5.

Figure 4-5 Detailed threat information

----End


4.3 Security Orchestration

4.3.1 Enabling Security Orchestration

After security orchestration is enabled, you can view the security risks your assets are exposed to. This section describes how to enable security orchestration, which is free of charge.

Prerequisites

● An account with the Security Administrator permissions and its password have been obtained.

● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Security Orchestration page, as shown in Figure 4-6.

Figure 4-6 Viewing security orchestration information

Step 3 Click Authorize, as shown in Figure 4-7.


Figure 4-7 Authorization page

Step 4 On the Security Orchestration Authorization Statement page, read the statement carefully, select I have read and agree to the Security Orchestration Disclaimer, and click Agree, as shown in Figure 4-8.

If the Authorization successful message is displayed in the upper right corner of the page, the security orchestration service has been enabled.

Figure 4-8 Agreeing authorization page

----End

4.3.2 Configuring a Whitelist

This section describes how to configure a whitelist.

Prerequisites

● An account with the Security Administrator permissions and its password have been obtained.

● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Security Orchestration page, as shown in Figure 4-9.


Figure 4-9 Viewing security orchestration information

Step 3 In the Response Orchestration for Security Events area, click Configure Whitelist, as shown in Figure 4-10.

Figure 4-10 Clicking Configure Whitelist

To disable SO, click Disable SO.

Step 4 In the Configure Whitelist box, enter the IP address or IP address/subnet mask to be configured, as shown in Figure 4-11.


Figure 4-11 Whitelist configuration

● The IP address is in the format X.X.X.X or X.X.X.X/X. The mask length must be between 24 and 32.

● SO supports up to 50 whitelist entries free of charge.

Step 5 Click OK. If Whitelist configured successfully is displayed in the upper right corner of the page, the whitelist has been configured.

----End
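Because a whitelist entry exempts addresses from whatever response the orchestration applies (an assumption about its purpose; the guide only states the format), an overly wide or mistyped entry silently weakens the protection, which is why the console limits the mask to 24-32 and the list to 50 entries. The following is an added example, not code from this guide or from SA, that applies those two limits to a batch of proposed entries before they are typed into the console: it normalises bare addresses to /32, rejects masks outside the allowed range, rejects entries with host bits set instead of silently widening them, drops duplicates, and stops at the 50-entry cap. The proposed entries are constructed test data.

```python
import ipaddress

# Limits stated in the guide for SO whitelists.
MAX_ENTRIES = 50
MIN_PREFIX, MAX_PREFIX = 24, 32


def normalize_entry(entry):
    """Return the entry as canonical 'X.X.X.X/N' text, or raise ValueError.

    A bare address becomes a /32. Network entries are parsed strictly, so
    '10.0.0.5/24' is rejected rather than silently widened to 10.0.0.0/24:
    widening what is exempted from blocking must be an explicit decision.
    """
    text = entry.strip()
    net = ipaddress.IPv4Network(text if "/" in text else text + "/32", strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{text}: mask /{net.prefixlen} is outside {MIN_PREFIX}-{MAX_PREFIX}")
    return str(net)


def build_whitelist(entries):
    """Validate, deduplicate and cap a list of proposed whitelist entries.

    Returns (accepted, rejected); rejected is a list of (entry, reason) pairs.
    """
    accepted, rejected = [], []
    for entry in entries:
        try:
            net = normalize_entry(entry)
        except ValueError as exc:          # covers AddressValueError too
            rejected.append((entry, str(exc)))
            continue
        if net in accepted:
            continue                       # e.g. '1.2.3.4' after '1.2.3.4/32'
        if len(accepted) >= MAX_ENTRIES:
            rejected.append((entry, f"whitelist limit of {MAX_ENTRIES} entries reached"))
            continue
        accepted.append(net)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input: valid host, duplicate, valid /24, too-wide /16,
    # host bits set, an IPv6 address (not accepted by the console format), junk.
    proposed = ["203.0.113.7", "203.0.113.7/32", "198.51.100.0/24",
                "198.51.100.0/16", "10.0.0.5/24", "2001:db8::1", "not-an-ip"]
    ok, bad = build_whitelist(proposed)
    print("accepted:", ok)
    for entry, reason in bad:
        print("rejected:", entry, "->", reason)
```

Only the two well-formed entries survive; every rejection carries the reason so the operator can correct the entry rather than guess why the console refused it.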

4.3.3 Viewing Event Details

This section describes how to view the details of a security event. A brute-force attack is used as an example.

Prerequisites

● Login credentials have been obtained.

● You have purchased the professional edition SA service and your SA service is within the validity period.

● Security orchestration has been enabled.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Security Orchestration page, as shown in Figure 4-12.


Figure 4-12 Viewing security orchestration information

Step 3 In the Response Orchestration for Security Events area shown in Figure 4-13, view the percentage of processed and unprocessed attack events.

When you move the cursor to the green and red parts, you can view the number of processed and unprocessed assets.

Figure 4-13 Response orchestration for security events

Step 4 Click View Details and Implement Policy, as shown in Figure 4-14. Table 4-5 describes the parameters.

Figure 4-14 Event details


Table 4-5 Parameter description

Parameter: Event Type
Description: Security orchestration supports policy orchestration for the following attacks: brute-force attack, web attack, Trojan, and zombie.
● Brute-force attack: SSH brute-force attack, RDP brute-force attack, MySQL brute-force attack, Microsoft SQL brute-force attack, other brute-force attack
● Web attack: webshell, SQL injection, command injection, XSS
● Trojan: WannaCry ransomware, malicious programs
● Zombie: outbound miner program, outbound DDoS attack

Parameter: Asset Name/ID
Description: Name and ID of the asset. Click an asset name to view its details.

Parameter: Event Status
Description: Unexecuted, Executing, Processed (with failed items), or Executed.

Parameter: Latest Attack Time
Description: Time when the target asset was most recently attacked.

Parameter: Number of Interceptions
Description: Total number of interceptions SO has carried out since the asset was attacked.

----End

4.3.4 Setting a Policy

This section describes how to set a response policy for an attacked asset.

Security orchestration offers two ways to handle an attack event:

● Pending

● Execute security orchestration

You can terminate the orchestration later.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

● Security orchestration has been enabled.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Security Orchestration page, as shown in Figure 4-15.

Figure 4-15 Viewing security orchestration information

Step 3 Click View Details and Implement Policy. Figure 4-16 highlights the area.


Figure 4-16 Response orchestration for security events

Step 4 In the Event Type column of the target attack event, click the event type name, as shown in Figure 4-17.

Figure 4-17 Event details

Step 5 In the Event Processing area, select Execute security orchestration. Figure 4-18 highlights the area.


Figure 4-18 Setting a policy

Step 6 Click OK. In the displayed dialog box, select an SMN topic, as shown in Figure 4-19.

Figure 4-19 Two-factor authentication topic


You can click View SMN Topic to create a new topic. Multiple subscriptions can be added to a topic. Before selecting a topic, ensure that the subscriptions added to it are in the Confirmed status; otherwise, notifications may not be received. For details about topics and subscriptions, see the Simple Message Notification User Guide.

Step 7 Click OK to view the security orchestration procedure (see Figure 4-20). An SSH brute-force attack is used as an example. Table 4-6 describes each stage.

Figure 4-20 Procedure of security orchestration

Table 4-6 Procedure description (stage, involved service, operation)

Detect
● HSS: Checks whether HSS is enabled.

Block
● VPC: Blocks the attack source.
● VPC: Disables remote login.
● VPC: Isolates the outbound traffic.

Analyze
● HSS: Checks for weak passwords.
● HSS: Checks the password complexity policy.
● HSS: Checks application configurations.
● VPC: Checks network ACLs.
● VPC: Checks security groups.

Harden
● HSS: Enables two-factor authentication.

● To execute security orchestration again, select Re-execute security orchestration in the Event Processing area and click OK.

● To cancel a defense or hardening policy that has been delivered, select the corresponding option, for example, [VPC] Block the attack source, and click OK.

● In the Recommended Services area, click a service name to purchase and configure that service and strengthen the protection of your assets.

----End

4.3.5 Viewing Asset Security Status

This section describes how to view the security status of an asset.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

● Security orchestration has been enabled.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Security Orchestration page, as shown in Figure 4-21.


Figure 4-21 Viewing security orchestration information

Step 3 In the Asset Security at a Glance column, view the security status of the asset, as shown in Figure 4-22.

Figure 4-22 Asset security at a glance

1. Configuring security services
You are advised to configure the recommended security services. When you move the cursor to a service, you can view its configuration information for the region where the service is located, as shown in Figure 4-23.


Figure 4-23 Service configuration

– To modify the asset protection configuration of the current region, click Modify Configuration.

– If the current region is not protected, click Buy Now to buy the recommended asset protection service.

2. Viewing protected assets
When you move the cursor to a port asset icon marked Attack Record or No Attack Record, you can view the corresponding Attack Record asset list or No Attack Record asset list, as shown in Figure 4-24.

Figure 4-24 Protected assets

----End


5 Vulnerability Management

5.1 Vulnerability Scan

Currently, eight types of vulnerabilities can be scanned for.

SA supports scanning vulnerabilities listed in Table 5-1.

Table 5-1 Supported vulnerabilities

Vulnerability Name: Common web security vulnerabilities (more than 30 common vulnerabilities such as XSS and SQL injection)
Description: Scans for more than 30 common vulnerabilities, such as XSS and SQL injection. This check is enabled by default and cannot be disabled.

Vulnerability Name: Ports
Description: Checks which ports are open on a host.

Vulnerability Name: Weak passwords
Description: Scans for weak passwords used on your website.

Vulnerability Name: CVE vulnerabilities
Description: Common Vulnerabilities and Exposures (CVE) is a catalogue of publicly disclosed security vulnerabilities. This check keeps its vulnerability rules up to date and scans for the latest vulnerabilities.

Vulnerability Name: Web content (text)
Description: Checks the compliance of the text on your website.

Vulnerability Name: Web content (picture)
Description: Checks the compliance of the pictures on your website.

Vulnerability Name: Malicious code
Description: Checks for malicious code while your website is running.

Vulnerability Name: Link health (dead links, hidden links, and malicious links)
Description: Checks the URLs of your website for dead links, hidden links, and malicious links.


5.2 Viewing Host Vulnerability Scan Details

After a host vulnerability scan task has been executed, you can view the scan result on the Host Vulnerability page.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

● A scan job has been completed.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Host Vulnerability page, as shown in Figure 5-1. Table 5-2 describes the parameters.

In the upper right corner of the list, you can filter the vulnerability details by host IP address, vulnerability level, or vulnerability name.

Figure 5-1 Viewing host vulnerability information

Table 5-2 Parameter description

Parameter: Vulnerability Name
Description: Name of the detected vulnerability. Click a vulnerability name to view its description and vulnerability library information.

Parameter: IP Address
Description: IP address of the host.

Parameter: Severity
Description: Vulnerabilities are classified by risk level as Informational, Low, Medium, or High.

Parameter: Advice
Description: Remediation suggestions so that you can respond to the vulnerability quickly.

Parameter: Operation
Description:
● If a vulnerability has been fixed, click Ignore in the Operation column of the target vulnerability.
● To revisit ignored vulnerabilities, click View Ignore Reason in the Operation column of the target vulnerability to see why it was ignored. After confirming the risk items to be restored, click Unignore to restore the vulnerability.

----End

5.3 Viewing Website Vulnerability Scan Details

After a website vulnerability scan job has been executed, you can view the result on the Website Vulnerability page.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

● A scan job has been completed.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Website Vulnerability page, as shown in Figure 5-2.


Figure 5-2 Viewing website vulnerability information

● View the vulnerability distribution ratio and vulnerability level distribution ratio, as shown in Figure 5-3.

Figure 5-3 Website vulnerability

● View the vulnerability details list, as shown in Figure 5-4. Table 5-3 describes the parameters.

Figure 5-4 Website vulnerability list


Table 5-3 Parameter description

Parameter: Vulnerability Name/Vulnerability ID
Description: Name of the detected vulnerability. Click a vulnerability name to view its description and vulnerability library information.

Parameter: Target Network Address
Description: IP address of the website.

Parameter: Discovered
Description: Time when the vulnerability was detected.

Parameter: Severity
Description: Vulnerabilities are classified by risk level as Informational, Low, Medium, or High.

Parameter: Item
Description: Vulnerability type.

Parameter: Status
Description: Not fixed, Fixed, or Ignored.

Parameter: Operation
Description:
– If an item poses no risk, click Ignore in the Operation column of the target risk type to ignore it.
– To unignore an ignored risk item, click Unignore in the Operation column of the target risk.

----End

5.4 Emergency Vulnerability

When a new vulnerability is disclosed in the industry, you can quickly check whether your website is affected by this high-risk vulnerability on the Emergency Vulnerability page.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Emergency Vulnerability page, as shown in Figure 5-5.


Figure 5-5 Viewing emergency vulnerability information

Step 3 Click One-Click Detection. In the displayed dialog box, enter the domain name or IP address and click Detect Now.

Figure 5-6 One-click detection

Step 4 View the detection result. If the website is affected by a risky vulnerability, rectify it according to the Advice column, for example, by applying the recommended patch.


Figure 5-7 Viewing the detection result

----End


6 Baseline Inspection

6.1 Host Baseline

After a host vulnerability scan has been performed, you can view the baseline inspection results on the Host Baseline page.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

● You have added a host by choosing Security > Vulnerability Scan Service > Asset List.

● You have authorized the host by choosing Security > Situation Awareness > Set up > Host Authorization.

● You have performed a scan job by choosing Security > Situation Awareness > Set up > Scanning Tasks.

Context

To use the host vulnerability scan service, perform the following steps:

1. Add a host. Choose Security > Vulnerability Scan Service > Asset List.

2. Authorize the host. Choose Security > Situation Awareness > Set up > Host Authorization.

3. Start the scan job. Choose Security > Situation Awareness > Set up > Scanning Tasks.

4. View the host baseline data. Choose Security > Situation Awareness > Baseline Inspection > Host Baseline and perform the operations described in this section.


Viewing the Password Complexity Policy Detection Result

Step 1 Log in to the management console.

Step 2 Access the Password Complexity Policy Detection page, as shown in Figure 6-1.

Figure 6-1 Viewing password complexity policy detection information

Step 3 Move the pointer to the Description and Advice rows to view the details and advice.

----End

Viewing the Configuration Detection Result

Step 1 Log in to the management console.

Step 2 Access the Configuration Detection page, as shown in Figure 6-2.

Figure 6-2 Viewing the configuration detection information

Step 3 Move the pointer to the Description and Advice rows to view the details and advice.

----End

6.2 Cloud Service Baseline

You can view the details of each risk and the corresponding suggestions on the Cloud Service Baseline page.

Context

Data is available only after a scan. Click Set Now on the right of Scan Time to set the scan time and scan periodically. You can also click Scan Now to scan immediately. The Latest Scan Time is shown on the right of Scan Now.

Prerequisites

● You have obtained an account and its password for logging in to the management console.

● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Cloud Service Baseline page, as shown in Figure 6-3.

Figure 6-3 Viewing cloud service baseline information

Step 3 View the number of risks and check items for Identity Authentication, Access Control, Log Audit, Data Security, and Basic Protection. Table 6-1 describes the check items.

Table 6-1 Risk items and check items

Risk Item: Identity Authentication
Check Item: Whether IAM is enabled
Item Description: Checks whether the tenant has at least two IAM users and at least one of them does not belong to the admin user group. IAM is considered enabled when there are users other than the enterprise administrator that are outside the admin group, so that day-to-day operations do not run with administrator privileges.

Risk Item: Access Control
Check Item: Network ACL rules
Item Description: Checks for insecure network ACL rules. A rule is insecure if its direction is inbound, its action is allow, its protocol is any type, its source port range is 1-65535 or 0, its destination IP address is 0.0.0.0/0 (all addresses), and its destination port is 1-65535, 0, or a specific service port such as 22.

Risk Item: Access Control
Check Item: Security group rules
Item Description: Checks whether the security group rules include insecure rules, that is, overly open access control policies. A rule is insecure if its direction is inbound, its action is allow, its protocol is any type, its source IP address is 0.0.0.0/0 (all addresses), and its port range is 1-65535 or a specific service port such as 22.

Risk Item: Log Auditing
Check Item: Whether Cloud Trace Service (CTS) is enabled
Item Description: Checks whether the tenant has enabled CTS and at least one tracker is in the normal state. CTS records operations on the cloud resources in your account. You can use the records for security analysis, resource change tracking, compliance auditing, and fault location.

Risk Item: Log Auditing
Check Item: Whether OBS bucket logging is enabled
Item Description: Checks whether logging is enabled for all OBS buckets of the tenant. After bucket logging is enabled, OBS automatically logs access requests to the bucket and writes the log files to the specified destination bucket.

Risk Item: Data Security
Check Item: ACL permissions of OBS buckets
Item Description: Checks all OBS buckets to see whether any bucket or bucket ACL grants access to anonymous users. Bucket ACLs control access to a bucket by account or user group; the bucket owner can use the ACL to grant specific accounts or user groups specific permissions on the bucket. For security reasons, do not grant bucket permissions to anonymous users through the bucket ACL: if you do, anyone can access the bucket without authentication.

Risk Item: Data Security
Check Item: RDS instance security group rules
Item Description: Checks whether the security group rules associated with RDS instances include insecure ones. A rule is insecure if its direction is inbound, its protocol is any type, its source IP address is 0.0.0.0/0 (all addresses), and its port range is 1-65535 or a database service port such as 3306.

Risk Item: Basic Protection
Check Item: Whether Anti-DDoS is enabled
Item Description: Checks whether Anti-DDoS is enabled for the tenant's ECSs and ELB instances. Anti-DDoS is a traffic scrubbing service that protects resources such as Elastic Cloud Servers (ECSs) and Elastic Load Balance (ELB) instances by cleaning traffic to defend against distributed denial-of-service (DDoS) attacks.

Risk Item: Basic Protection
Check Item: Whether HSS is enabled for ECS instances
Item Description: Checks whether the HSS agent is installed on your ECSs and HSS protection is enabled. HSS protects ECSs on which its agent is installed, improving overall host security and reducing the risk of intrusion.

Step 4 Click the concerned risk item to view the check result of the risk sub-item.

1. Click a sub-item on the left of the area to view its details.
– A green icon means no risk was found in this item.
– A red icon means the item has risks.
Take Access Control as an example. Click Access Control. If the icon of Network ACL Rule Check is green, no risk was found; if the icon of Security Group Rule Check is red, risks exist.

Figure 6-4 Viewing the risk sub-item

2. Click a risk sub-item to view its details and rectify the risk based on the displayed information. For example, click Security Group Rule Check.


Figure 6-5 Security group rule check page

Table 6-2 Parameter description

Description: The check items.
Mechanism: Standards that the check item complies with.
Result: Items that do not meet the requirements. Generally, a URL is displayed in the Operation column so that the administrator can switch directly to the corresponding console page to rectify the risk.
Best Practices: Operation suggestions for this check item that meet the security requirements. Where possible, configure the resource according to the solution given under Best Practices.
Help Guide: Guidance for fixing the items listed under Result and for applying the Best Practices. Click Learn More to open the detailed guide.

Step 5 Rectify all risky check items according to the instructions in Step 4.

Step 6 After the rectification is complete, click Scan Now to scan again. When the scan is complete, check whether the risk items have been rectified.

----End

7 Managing SA Logs

After authorizing Log Tank Service (LTS), you can use LTS to manage your SA logs. With LTS, you can collect, query, and analyze SA logs in real time and transfer them to an OBS bucket for long-term storage, meeting security requirements for keeping logs for at least 180 days and for centralized audit.

Background

LTS allows you to query and transfer logs in real time. With LTS, you can act on log data right after a one-click authorization, with no development work. After you authorize LTS for log management, SA logs become viewable only after they have passed a security check.

By default, SA logs uploaded to LTS are retained for 7 days. To meet the security requirements of 180-day retention and centralized audit, create a log transfer task on LTS that transfers SA logs to an Object Storage Service (OBS) bucket for long-term storage.

● LTS and OBS are billed separately. For details, see Product Pricing Details.
● By default, LTS stores logs for 7 days. This does not affect SA logs that have already been transferred to OBS buckets.

Prerequisites

● You have obtained a username and password for logging in to the management console. The IAM user has been assigned the Tenant Administrator permissions and has the SA operation permissions. For details about how to configure IAM user permissions, see Creating a User and Granting Permissions.
● By default, IAM users created by the administrator have no permissions. The administrator must grant the Tenant Administrator or Tenant Guest permissions to IAM users so that they can perform operations or view SA information according to the granted permissions. For details about other permissions, see System Permissions.
● IAM users who have been granted the permissions can use the professional edition SA purchased under the same IAM account.

● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 In the upper left corner of the management console, select a region or project.

Step 3 Click Service List at the top of the page and choose Situation Awareness under Security.

Step 4 In the navigation pane on the left, choose Log Management.

Figure 7-1 LTS page on the SA console

Step 5 Authorize LTS for log management.

1. On the displayed LTS page, click Authorize.
2. Click OK in the displayed Authorize LTS dialog box. The system then switches to the LTS console.
3. Choose Log Management to go to the Log Management page.
4. View the log group and log topic created after the authorization.

– LTS creates the SA log group and log stream automatically only after you authorize LTS to manage your logs and SA has reported logs to LTS. You can then view and manage SA logs on LTS. For details, see Viewing Logs in Real Time.

– Logs are reported every 10 minutes. You can view real-time logs and search for logs generated in the last 7 days on the LTS log topic page.

– After authorizing log management, you can click LTS Console on the Log Management page to go to the log management page of the SA log group.

Figure 7-2 Log management page after authorization

Step 6 Create a log transfer task.

1. In the navigation pane of the LTS console, choose Log Transfer to go to the Log Transfer page.
2. Click Create Log Transfer.
3. On the Create Log Transfer page, select OBS for Transfer Mode and specify the other parameters. For details, see Log Transfer.
4. Click OK.

After log transfer is enabled, logs are kept in OBS buckets for the long term and the security audit requirement of 180-day log retention is met. You can view the log data in the target OBS buckets.

----End

Other Operations

After authorizing log management, you can click Log Management on the SA console to go to the LTS console.

To cancel the authorization, log in to the SA console and choose Settings > Authorization Settings > Log Authorization. In the displayed window, disable Authorize. For details, see Authorizing LTS for Log Management.

8 Settings

8.1 Alarm Settings

8.1.1 Alarm Notifications

After the alarm notification function is enabled, SA notifies you by email or SMS message as soon as your assets are threatened.

Prerequisites

● You have obtained an account and its password for logging in to the management console.
● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Alarm Notifications page, as shown in Figure 8-1.

Figure 8-1 Setting alarm notifications

Step 3 Select the required notification items and alarm severities.

● Daily alarm notifications
The daily alarm notification is sent to you at 10:00 every day. Select the required notification items and alarm severity. The daily alarm notification setting takes effect only when both Notification Item and Alarms Level are set.

Figure 8-2 Daily alarm notifications

● Real-time alarm notifications
A real-time alarm notification is sent on the hour after a threat alarm occurs. Select the required notification items and alarm severity. The real-time alarm notification setting takes effect only when both Notification Item and Alarms Level are set. To avoid being disturbed, select 24 hours or a specific time segment in the Notification Time column so that notifications are received only in that period.

Figure 8-3 Real-time alarm notifications

Step 4 Select a message notification topic.

You can select an existing topic from the drop-down list or click View message notification topic to create a topic. For details, see Creating a Topic.

Multiple subscriptions can be added to a topic. Before selecting a topic, ensure that the subscriptions added to it are in the Confirmed status; otherwise, notifications may not be received. For details, see Adding a Subscription.

For details about topics and subscriptions, see the Simple Message Notification User Guide.

Figure 8-4 Message notification topic

Step 5 After the alarm information is configured, click Apply.

----End

8.1.2 Alarm Monitoring Settings

You can configure the alarm information you need in the alarm monitoring settings. After the configuration is complete, SA detects and analyzes alarms that match it.

Prerequisites

● You have obtained an account and its password for logging in to the management console.
● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Alarm Monitoring Settings page, as shown in Figure 8-5.

If alarm monitoring is not configured, SA monitors attacks on all ports and IP addresses of your assets by default. To monitor specific alarm information only, configure the List Settings, Type and Level Settings, and Alarm Source Settings pages.

Figure 8-5 Configuring alarm monitoring

Step 3 Configure an alarm monitoring list.

Click Configure. The List Settings page is displayed. After the list is imported or entered manually, SA pushes alarm information only for the objects in the list (a whitelist). To set the alarm monitoring list, perform the following steps:

1. Import a monitoring list.

Select the target file in TXT format. Its contents are displayed in the text box.

2. Enter the required IP addresses, IP addresses with port numbers, IP addresses with masks, or IP address segments in the text box.

You can enter a maximum of 50 objects (IP addresses, IP addresses with port numbers, IP addresses with masks, or IP address segments) in the text box. Objects cannot be duplicated and must be separated by line breaks.

For example, if you enter 0.0.0.0/0:3389, 0.0.0.0/0:22, and 10.1.1.1 in the text box, SA displays only alarms for attacks on these objects: port 3389 (RDP) on any address, port 22 (SSH) on any address, and any port on 10.1.1.1.

3. Synchronize security group policies.
Click Synchronize Security Group Policy to synchronize security group policies into the text box on List Settings. After synchronization is complete, the objects to be monitored are displayed in the text box automatically.

4. Click OK.
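As an added example (not part of the page or of SA), the following Python parses a monitoring list in the four notations the page names, enforces the 50-object and no-duplicate rules, and decides whether an attack on a given address and port would be shown under those settings. It is IPv4 only and assumes the exact spellings entry:port for a port suffix and first-last for an address segment.

```python
"""Added example (not SA's own code): parse an alarm monitoring list and match
alarms against it. IPv4 only; the "entry:port" and "first-last" notations are
assumptions about the exact syntax the console accepts."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_ENTRIES = 50  # limit stated on the page


@dataclass(frozen=True)
class Entry:
    first: ipaddress.IPv4Address   # lowest address covered
    last: ipaddress.IPv4Address    # highest address covered
    port: Optional[int]            # None means any port

    def matches(self, ip: str, port: int) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return self.first <= addr <= self.last and (self.port is None or self.port == port)


def parse_entry(text: str) -> Entry:
    """Accepts IP, IP:port, IP/mask, IP/mask:port and first-last segments."""
    host, port = text.strip(), None
    if ":" in host:
        host, port_text = host.rsplit(":", 1)
        port = int(port_text)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {text}")
    if "-" in host:
        lo, hi = [ipaddress.IPv4Address(p.strip()) for p in host.split("-", 1)]
        if hi < lo:
            raise ValueError(f"segment end precedes start: {text}")
    else:
        net = ipaddress.IPv4Network(host.strip(), strict=False)  # bare IP is a /32
        lo, hi = net.network_address, net.broadcast_address
    return Entry(lo, hi, port)


def parse_monitoring_list(text: str) -> List[Entry]:
    """One object per line, at most MAX_ENTRIES, no duplicates. Duplicates are
    compared after parsing, so 10.1.1.1 and 10.1.1.1/32 count as the same."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_ENTRIES:
        raise ValueError(f"{len(lines)} objects; at most {MAX_ENTRIES} allowed")
    entries: List[Entry] = []
    for ln in lines:
        entry = parse_entry(ln)
        if entry in entries:
            raise ValueError(f"duplicate object: {ln}")
        entries.append(entry)
    return entries


def alarm_is_monitored(entries: List[Entry], target_ip: str, target_port: int) -> bool:
    """True if an attack on target_ip:target_port is shown under these settings."""
    return any(e.matches(target_ip, target_port) for e in entries)


# The page's own example list, constructed here as text.
EXAMPLE_LIST = "0.0.0.0/0:3389\n0.0.0.0/0:22\n10.1.1.1\n"

if __name__ == "__main__":
    monitored = parse_monitoring_list(EXAMPLE_LIST)
    for ip, port in (("203.0.113.9", 3389), ("203.0.113.9", 80), ("10.1.1.1", 80)):
        print(ip, port, alarm_is_monitored(monitored, ip, port))
```

With the page's example list, an RDP attack on any address is shown, a port 80 attack on an arbitrary address is not, and any port on 10.1.1.1 is shown.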

Figure 8-6 Alarm monitoring list

Step 4 Select the alarm monitoring type and severity.

Select the Notification Item and Alarms Level to be monitored. The settings take effect only after both Notification Item and Alarms Level are selected. Once saved, SA monitors alarm information of the selected items and severities.

For example, you can select all alarm severities except Info.

Figure 8-7 Selecting the notification items and alarm severities

Step 5 Set the alarm sources.

Select the notification items. Once saved, alarm information from the selected sources is monitored.

Figure 8-8 Selecting notification items

Step 6 After the alarm monitoring setting is complete, click Apply.

SA monitors alarm information that matches the configurations in List Settings, Type and Level Settings, and Alarm Source Settings. The alarm monitoring settings apply only to alarms generated after the settings are saved.

----End

8.2 Authorization Settings

8.2.1 Host Authorization

SA can perform vulnerability scans only on authorized hosts. You can authorize a Linux or Windows host after adding it.

Linux hosts can be authorized using SSH accounts or authorization scripts. Windows hosts can be authorized using Windows accounts.

Prerequisites

● You have obtained a username and password for logging in to the management console. The IAM user has been assigned the Tenant Administrator permissions and has the SA operation permissions. For details about how to configure IAM user permissions, see Creating a User and Granting Permissions.
● By default, IAM users created by the administrator have no permissions. The administrator must grant the Tenant Administrator or Tenant Guest permissions to IAM users so that they can perform operations or view SA information according to the granted permissions. For details about other permissions, see System Permissions.
● IAM users who have been granted the permissions can use the professional edition SA purchased under the same IAM account.
● You have added a host in Security > Vulnerability Scan Service > Assets.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Host Authorization page, as shown in Figure 8-9.

Figure 8-9 Viewing host authorization information

Step 3 Click Configure Authorization in the Operation column.

To authorize multiple hosts at the same time, select each host and click Batch Configure Authorization above the host list.

Step 4 Select an authorization mode for the Linux or Windows operating system.

● Linux OS: login using an SSH account

a. In the displayed Configure Authorization dialog box, select Method 1: SSH.

Figure 8-10 Selecting an SSH account

b. Select an existing SSH account from the drop-down list box.
c. Click OK.

After the authorization succeeds, you can view the authorization information of the host in the host authorization list.

▪ If no SSH account is available, create an SSH account first.

Click New account and configure the SSH account information, as shown in Figure 8-11. Table 8-1 describes the parameters. After the settings are complete, click OK. The account is used to authorize the host.

▪ To modify an existing SSH account, click Edit.

▪ To delete an existing SSH account, click Delete.

Figure 8-11 Creating SSH account information

Table 8-1 Parameter description

SSH Account Name: Name of the custom SSH account.
Login Port: Port number used to log in over SSH.
Login Method: Password or Key. If you select Key, create one first.
Encrypted Key: Select an existing encrypted key or click Create Key to create one. For details, see Creating a Key.
SSH Hardening: When enabled, the host is not accessed as the root user. Instead, login is as a common user, which then switches to root using the sudo credentials below.

Sudo Username: root (default value).
Sudo Password: Password of the sudo user. Click Encrypted to save it in encrypted form.

● Linux OS: authorization script execution

a. In the displayed Configure Authorization dialog box, select Method 2: Authorization Script.

b. Click Copy on the right to copy the command that enables authorization.

c. Use a remote management tool (such as Xshell, SecureCRT, or PuTTY) to log in to the ECS to be authorized through its elastic IP address. You can also use the remote login function of ECS.

d. Paste the copied command into the session and run it. If "Install Success" is displayed, the Linux host is authorized. The output below was captured in SecureCRT.

After script authorization succeeds, the authorization information is not displayed in the host authorization list. You can confirm the authorization only from the script execution result.

# curl -O -s http://XX.XX.XX.XX/southchina-vss-hostscan/vss_hostscan_427c_install.sh && bash vss_hostscan_427c_install.sh --start
[INFO] Uninstall Success
[INFO] Create vss_hostscan_55e9 account
[INFO] Grant sudo privileges for vss_hostscan_55e9
[INFO] Inject SSH Public Key
[INFO] Install Success

As the output shows, the script creates a dedicated scan account, grants it sudo privileges, and injects an SSH public key. The command runs from a root shell and fetches the installer over plain HTTP, so use it exactly as copied from the console; curl -O leaves vss_hostscan_427c_install.sh on disk, so the script can be reviewed afterwards.
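The script output above and the SSH Hardening option in Table 8-1 together describe one access model for the scanner: a dedicated non-root account, sudo for that account, an injected public key, and no direct root login over SSH. The following Python is an added example written for this page, not Huawei's vss_hostscan installer: it audits an sshd_config text for that login model and writes a least-privilege sudoers.d entry and authorized_keys file for a scan account under a prefix directory (a temporary one by default, so it runs without root). The account name, the placeholder key text, the from= source range and the NOPASSWD sudo entry are assumptions; creating the Unix account itself is left out.

```python
"""Added example (not the vss_hostscan installer): audit sshd_config for the
'log in as a common user, then switch to root' model and lay down
least-privilege files for a scanner account. Names and key text are placeholders."""
import os
import re
import stat
import tempfile
from pathlib import Path

_DIRECTIVE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*?)$")


def parse_sshd_config(text):
    """Effective top-level settings. sshd keeps the FIRST value seen for a
    keyword and keywords are case-insensitive. Lines after a Match directive
    are skipped (assumption: no Match block applies to the scan account)."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        elif not in_match:
            settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Findings that conflict with the hardened login model. Defaults follow
    OpenSSH: PermitRootLogin prohibit-password, PasswordAuthentication yes,
    PubkeyAuthentication yes."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no': root can still log in over SSH")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off: the injected scanner key cannot be used")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on: prefer key login for the scan account")
    return findings


def sudoers_entry(user):
    # Mirrors the 'Grant sudo privileges' step; narrow ALL to the scanner's
    # command list once that list is known.
    return f"{user} ALL=(root) NOPASSWD: ALL\n"


def authorized_key_line(pubkey, from_cidr):
    # Key options confine the injected key: only from the scanner's address
    # range, and no tunnels or agent forwarding through the host.
    return (f'from="{from_cidr}",no-port-forwarding,no-agent-forwarding,'
            f'no-X11-forwarding {pubkey.strip()}\n')


def install_scan_account_files(user, pubkey, from_cidr, prefix=None):
    """Write the sudoers.d entry and authorized_keys under PREFIX (a temp dir
    by default). Returns the prefix used."""
    if "." in user or user.endswith("~"):
        raise ValueError("sudo ignores sudoers.d files whose name contains '.' or ends in '~'")
    root = Path(prefix or tempfile.mkdtemp(prefix="scan-account-"))
    sudoers = root / "etc" / "sudoers.d" / user
    sudoers.parent.mkdir(parents=True, exist_ok=True)
    sudoers.write_text(sudoers_entry(user))
    os.chmod(sudoers, 0o440)          # sudo rejects writable sudoers files
    ssh_dir = root / "home" / user / ".ssh"
    ssh_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # required by sshd StrictModes
    keyfile = ssh_dir / "authorized_keys"
    keyfile.write_text(authorized_key_line(pubkey, from_cidr))
    os.chmod(keyfile, 0o600)
    return str(root)


def verify_scan_account_files(root, user):
    """Re-read what was written and report anything sshd or sudo would reject
    or that weakens the setup. An empty list means OK."""
    root = Path(root)
    sudoers = root / "etc" / "sudoers.d" / user
    keyfile = root / "home" / user / ".ssh" / "authorized_keys"
    problems = []
    for path, want in ((sudoers, 0o440), (keyfile.parent, 0o700), (keyfile, 0o600)):
        if not path.exists():
            problems.append(f"missing {path}")
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode != want:
            problems.append(f"{path} has mode {oct(mode)}, want {oct(want)}")
    if sudoers.exists() and not sudoers.read_text().startswith(f"{user} "):
        problems.append("sudoers entry does not name the scan user")
    if keyfile.exists() and 'from="' not in keyfile.read_text():
        problems.append("authorized_keys line has no from= restriction")
    return problems
```

Run audit_sshd_config on the host's /etc/ssh/sshd_config before enabling SSH Hardening: an empty or default file already yields two findings, because OpenSSH's default PermitRootLogin prohibit-password still allows key-based root login and password authentication stays on.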

● Windows OS: login using a Windows account

a. In the dialog box that is displayed, select an existing Windows account.
b. Click OK.

After the authorization succeeds, you can view the authorization information of the host in the host authorization list.

Figure 8-12 Configuring Authorization

▪ If no Windows account is available, create a Windows account first.

Click New account and configure the Windows account information, as shown in Figure 8-13. Table 8-2 describes the parameters. After the settings are complete, click OK. The account is used to authorize the host.

▪ To modify an existing Windows account, click Edit.

▪ To delete an existing Windows account, click Delete.

Figure 8-13 Creating a Windows account

Table 8-2 Parameter description

Windows Account Alias: Name of the custom Windows account.
Encrypted Key: Select an existing encrypted key or click Create Key to create one. For details, see Creating a Key.
Username: Defaults to Administrator.
Password: Password for logging in to the Windows operating system.
Domain: Domain of the Windows operating system. Can be left blank.

----End

8.2.2 Authorizing LTS for Log Management

You can enable or disable Authorize depending on whether you want LTS to manage your SA logs.

● After you enable Authorize, SA logs are stored on LTS for 7 days by default. To store your logs for a longer period to meet security audit requirements, create a log transfer task on LTS. For details, see Managing SA Logs.

● After you disable Authorize, LTS no longer collects or stores your SA logs, while SA logs that have already been transferred to OBS buckets are not deleted.

Prerequisites

● You have obtained an account and its password for logging in to the management console.
● You have purchased the professional edition SA service and your SA service is within the validity period.

Procedure

Step 1 Log in to the management console.

Step 2 In the upper left corner of the management console, select a region or project.

Step 3 In the upper part of the page, click Service List and choose Security > Security Center.

Step 4 In the navigation pane on the left, choose Settings > Authorization Settings > Log Authorization.

Figure 8-14 Log Authorization

Step 5 To let LTS manage your SA logs, enable Authorize. The Authorize LTS dialog box is displayed.

Click OK to authorize LTS to manage your SA logs. The system then switches to the SA log group management page on the LTS console.

Step 6 If you no longer want LTS to manage your SA logs, disable Authorize. The Cancel Authorization dialog box is displayed.

Click Yes to cancel the authorization.

----End

8.3 Scan Job

8.3.1 Setting Cloud Service Baseline Scan Time

Before using the cloud service baseline functions, configure the scan time as described in this section.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Scanning Tasks page, as shown in Figure 8-15.

Figure 8-15 Setting a scan job

Step 3 In the Cloud Service Baseline area, select the Scan Date for the cloud service baseline scan.

A cloud service baseline scan can run at most three times a week. To avoid peak hours, the scan runs at 23:00 on each selected day.

Figure 8-16 Setting cloud service baseline scan time

Step 4 Click Apply To.

The scan policy takes effect, and SA scans the cloud service baseline at the specified time. Choose Security > Situation Awareness > Baseline Check > Cloud Service Baseline to view the scan result.

----End

8.3.2 Starting Scan Jobs

After a host is authorized, you can start the host vulnerability scan and host baseline scan jobs as described in this topic.

Prerequisites

● You have obtained an account and its password for logging in to the management console.
● You have purchased the professional edition SA service and your SA service is within the validity period.
● You have added a host in Security > Vulnerability Scan Service > Assets.
● You have authorized the host by choosing Security > Situation Awareness > Set up > Host Authorization.

Context

To use the host vulnerability scan service, perform the following steps:

1. Add a host: choose Security > Vulnerability Scan Service > Asset List.
2. Authorize the host: choose Security > Situation Awareness > Set up > Host Authorization.
3. Start the scan job: choose Security > Situation Awareness > Set up > Scanning Tasks and perform the operations described in this section.
4. Check the scan result: choose Security > Situation Awareness > Vulnerability Management > Host Vulnerability.
5. View host baseline data: choose Security > Situation Awareness > Baseline Inspection > Host Baseline.

Procedure

Step 1 Log in to the management console.

Step 2 Access the Scanning Tasks page, as shown in Figure 8-17.

Figure 8-17 Setting a scan job

Step 3 In the ECS Vulnerability Scan and Baseline Inspection area, click One-Click Synchronization to synchronize the ECS EIP information of the current HUAWEI CLOUD account and refresh the IP address list.

Step 4 In the ECS Vulnerability Scan and Baseline Inspection area, select the ECSs to be scanned and click Start Scan.

When Scan Status is Completed, choose Situation Awareness > Vulnerability Management > ECS Vulnerabilities and Situation Awareness > Baseline Inspection > ECS Baseline to view the detailed scan results.

----End
