Security Check Anomaly Detection
Security Check anomaly detection monitors potential vulnerabilities, anomalies, and risks in systems, containers, networks, and other components within the workspace. You configure alerts by setting a trigger count on the detection metrics, so that security threats are identified and handled in a timely manner.
Use Cases
Supports monitoring vulnerabilities, anomalies, and risks in the Network, Storage, Database, System, Webserver, and Container categories.
Detection Configuration
Detection Frequency
The execution frequency of the detection rule; the default is 5 minutes.
Detection Interval
The time range queried for the detection metrics. The available detection intervals depend on the detection frequency, as shown below.
| Detection Frequency | Detection Interval (Dropdown Options) |
|---|---|
| 1m | 1m/5m/15m/30m/1h/3h |
| 5m | 5m/15m/30m/1h/3h |
| 15m | 15m/30m/1h/3h/6h |
| 30m | 30m/1h/3h/6h |
| 1h | 1h/3h/6h/12h/24h |
| 6h | 6h/12h/24h |
| 12h | 12h/24h |
| 24h | 24h |
Detection Metrics
Monitors the number of Security Check inspection events within the detection interval that match the configured fields. Tag filters can be added to narrow the data further.
| Field | Description |
|---|---|
| Category | Event classification; supports: `network`, `storage`, `database`, `system`, `webserver`, `container` |
| Host | Host name |
| Level | Inspection event level; supports: `info`, `warn`, `critical` |
| Tags | Filters the detection metric data by the labels attached to the metrics, limiting the scope of detected data. One or more tag filters can be added; fuzzy matching and non-matching (negated) conditions are supported. |
| Detection Dimensions | Any string-type (`keyword`) field in the configuration can be selected as a detection dimension; currently up to three fields can be selected. The combination of the selected dimension fields identifies one detection object. Guance checks whether the statistical metric of each detection object meets the threshold of the trigger condition and, if it does, generates an event. For example, selecting the dimensions `host` and `host_ip` yields a detection object such as `{host: host1, host_ip: 127.0.0.1}`. |
Trigger Conditions
Set the trigger conditions for the alert levels: any of the emergency, important, warning, and normal levels can be configured.
Configure the trigger conditions and severity levels; when the query result contains multiple values, an event is generated if any value meets the trigger condition.
For more details, refer to Event Level Description.
If Continuous Trigger Judgment is enabled, the trigger condition only takes effect after it has been met in the configured number of consecutive detections, and only then is an event generated. The maximum is 10 consecutive detections.
Alert Levels
- Alert levels Emergency (red), Important (orange), Warning (yellow): based on the configured conditional operators.
- Alert level Normal (green): based on the configured number of detections, as follows:
  - Each execution of a detection task counts as 1 detection, e.g., with Detection Frequency = 5 minutes, 1 detection = 5 minutes;
  - The number of detections can be customized, e.g., with Detection Frequency = 5 minutes, 3 detections = 15 minutes.
After the detection rule takes effect, if an emergency, important, or warning abnormal event has occurred and the detection results then return to normal within the configured custom number of detections, a recovery alert event is generated.
Data Gaps
Seven strategies can be configured for the data gap state.
- Linked to the detection interval: if the query result of the detection metric for the most recent interval is empty, no event is triggered;
- Linked to the detection interval: if the query result of the detection metric for the most recent interval is empty, the query result is treated as 0; the value 0 is then compared with the threshold configured in the Trigger Condition, which decides whether an anomaly event is triggered.
- Custom fill value for the detection interval, with the choice of triggering a data gap event, an emergency event, an important event, a warning event, or a recovery event. If this type of strategy is chosen, the custom data gap time should be >= the detection interval. If the configured time is <= the detection interval, the data gap and the anomaly condition may be satisfied at the same time, in which case only the data gap result applies.
Information Generation
After this option is enabled, detection results that do not meet any of the trigger conditions above generate "information" events, which are written like other events.
Note
If trigger conditions, data gaps, and information generation are configured simultaneously, the following priority applies for triggering: data gaps > trigger conditions > information event generation.
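To make the evaluation order concrete, the following Python model walks through one detection rule end to end: it filters constructed inspection events by category, level and tags, groups them by the chosen detection dimensions, applies the data gap strategy, the trigger condition thresholds and the information event in the documented priority order, and tracks Continuous Trigger Judgment and the recovery count across executions. This is an added illustration, not Guance code; the event records, the `(key, pattern, negate)` tag filter shape, substring matching as the model of "fuzzy matching", and the `Rule` class are all assumptions made for the example.

```python
"""Model of a Security Check anomaly-detection rule (added illustration, not Guance code)."""
from collections import Counter, defaultdict

# Severity levels from highest to lowest; the first threshold that matches wins.
SEVERITY_ORDER = ("emergency", "important", "warning")

# Constructed sample inspection events; ts is in seconds, the other fields mirror the
# Category / Host / Level / Tags fields described on this page.
SAMPLE_EVENTS = [
    {"ts": 10, "category": "system", "level": "critical", "host": "web-01", "host_ip": "10.0.0.11", "tags": {"env": "prod"}},
    {"ts": 20, "category": "system", "level": "critical", "host": "web-01", "host_ip": "10.0.0.11", "tags": {"env": "prod"}},
    {"ts": 30, "category": "webserver", "level": "warn", "host": "web-01", "host_ip": "10.0.0.11", "tags": {"env": "prod"}},
    {"ts": 50, "category": "database", "level": "warn", "host": "db-01", "host_ip": "10.0.0.21", "tags": {"env": "prod"}},
    {"ts": 60, "category": "container", "level": "info", "host": "dev-01", "host_ip": "10.0.0.31", "tags": {"env": "dev"}},
]


def tags_match(event_tags, tag_filters):
    """tag_filters is a list of (key, pattern, negate); 'fuzzy' is modelled as substring match (assumption)."""
    for key, pattern, negate in tag_filters:
        hit = pattern in str(event_tags.get(key, ""))
        if hit == negate:  # wanted a hit but missed, or wanted a miss but hit
            return False
    return True


def count_by_dimension(events, start, end, categories=None, levels=None, tag_filters=(), dimensions=("host",)):
    """Count events in the window [start, end) that pass the filters, grouped by detection object."""
    counts = Counter()
    for ev in events:
        if not start <= ev["ts"] < end:
            continue
        if categories and ev["category"] not in categories:
            continue
        if levels and ev["level"] not in levels:
            continue
        if not tags_match(ev.get("tags", {}), tag_filters):
            continue
        counts[tuple((d, ev.get(d)) for d in dimensions)] += 1  # e.g. (("host","web-01"),("host_ip","10.0.0.11"))
    return counts


class Rule:
    """One detection rule; run() models a single execution of the detection task."""

    def __init__(self, thresholds, interval, dimensions=("host",), categories=None, levels=None,
                 tag_filters=(), continuous=1, recovery_detections=1, gap_strategy="no_event", info_enabled=False):
        self.thresholds = thresholds            # {"emergency": 3, "important": 2, ...}: count >= value triggers
        self.interval, self.dimensions = interval, dimensions
        self.categories, self.levels, self.tag_filters = categories, levels, tag_filters
        self.continuous = continuous            # Continuous Trigger Judgment, 1..10
        self.recovery_detections = recovery_detections  # normal detections needed before a recovery event
        self.gap_strategy = gap_strategy        # "no_event", "treat_as_zero", or an event kind to emit directly
        self.info_enabled = info_enabled
        self.consecutive = defaultdict(int)     # per object: consecutive abnormal judgments
        self.normal_runs = defaultdict(int)     # per object: consecutive normal judgments since the abnormal event
        self.active = {}                        # per object: last abnormal level that produced an event

    def classify(self, count):
        """Apply the documented priority: data gap > trigger conditions > information (normal)."""
        if count is None:                                   # no data for this object in the interval
            if self.gap_strategy == "no_event":
                return None
            if self.gap_strategy == "treat_as_zero":
                count = 0
            else:
                return self.gap_strategy                    # custom strategy names the event kind itself
        for level in SEVERITY_ORDER:
            if level in self.thresholds and count >= self.thresholds[level]:
                return level
        return "normal"

    def run(self, events, now):
        """Return the (detection object, event kind) pairs generated by this execution."""
        counts = count_by_dimension(events, now - self.interval, now, self.categories,
                                    self.levels, self.tag_filters, self.dimensions)
        emitted = []
        for obj in set(counts) | set(self.active):          # objects seen now or still in an abnormal state
            kind = self.classify(counts.get(obj))
            if kind in SEVERITY_ORDER:
                self.consecutive[obj] += 1
                self.normal_runs[obj] = 0
                if self.consecutive[obj] >= self.continuous:
                    emitted.append((obj, kind))
                    self.active[obj] = kind
            elif kind == "normal":
                self.consecutive[obj] = 0
                if obj in self.active:
                    self.normal_runs[obj] += 1
                    if self.normal_runs[obj] >= self.recovery_detections:
                        emitted.append((obj, "recovery"))
                        del self.active[obj]
                        self.normal_runs[obj] = 0
                elif self.info_enabled:
                    emitted.append((obj, "information"))
            elif kind is not None:                          # data gap strategy result (data_gap, recovery, ...)
                emitted.append((obj, kind))
                if kind == "recovery":
                    self.active.pop(obj, None)
        return emitted


def demo():
    """Three executions 5 minutes apart for a rule on prod hosts keyed by (host, host_ip)."""
    rule = Rule({"emergency": 3, "important": 2, "warning": 1}, interval=300,
                dimensions=("host", "host_ip"), levels={"warn", "critical"},
                tag_filters=[("env", "prod", False)], recovery_detections=2,
                gap_strategy="treat_as_zero", info_enabled=True)
    return [dict(rule.run(SAMPLE_EVENTS, now)) for now in (300, 600, 900)]


if __name__ == "__main__":
    for i, result in enumerate(demo(), 1):
        print(f"run {i}: {result}")
```

In `demo()` the first execution sees three matching events for `web-01` and one for `db-01`, so the emergency and warning thresholds fire; the second execution finds no data, the "treat as 0" strategy turns the gap into a normal result, and because the recovery count is 2 nothing is emitted yet; the third execution generates the recovery events. Note that the model only emits an information event for objects that are not already in an abnormal state; that is a design choice of the example, since the page does not say how information events interact with an unrecovered anomaly.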
Other Configurations
For more details, refer to Rule Configuration.