
Operations on Attack Alarms

The attack alarm management function allows you to query alarm information, and allows a series of operations to be performed for the attack alarms to eliminate the network threats.

The links for these operations are provided on both the Realtime Attack Alarm page and the Browse Attack Alarm page. The following operations are available:

  • Automatically Execute Security Policy

    A security control policy can be executed automatically or manually. If the alarms match a policy that can be executed automatically, the system automatically executes the actions in the policy.

  • Manually Execute Security Policy

    A security control policy can be executed automatically or manually. If the alarms match a policy that needs to be executed manually, you need to manually execute the policy.

    Operation Procedure

    1. Click the Unexecuted link of an alarm to enter the page where you can manually execute the policy. Note that the link appears only when there are alarms matching the policy and the policy is not executed.
    2. Click Execute to execute the security control policy.

  • Manually Execute Action

    If an alarm does not match any security control policy, you can specify some actions and execute them manually.

    Operation Procedure

    1. Click the Unmatched link of an alarm to enter the page where you can manually execute actions. Note that the link appears only when the alarm does not match any policy.
    2. Select the actions to execute and the execution order.
    3. Click Execute to execute the actions.

  • View Result Report

    After the policies matched by alarms are executed, or you execute the actions for alarms matching no policy, you can view the execution results.

    Click the Executed link of an alarm to enter the result report page. The page displays the following information:

    • Started at: Execution start time, the time when the matched policy starts to be executed. An alarm that matches no policy matches a default policy when you execute actions for it.
    • Ended at: Execution end time, the time when the execution of the matched policy ends.
    • Execution Result List: Lists all actions and their execution results.

    Precautions

    • You can click Refresh to view the latest execution results of the policies/actions.

  • Perform Recovery Action

    Some actions can be recovered (reversed) after they have been executed.

    Operation Procedure

    1. Click the Executed link of an alarm to enter the result report page.
    2. Click the Restored link of an action in the action list to recover the action.

    Precautions

    • You must perform the reversing operation manually.
    • The Restored link is available only for actions having completed successfully.

  • Delete Attack Alarm

    This function is used to delete attack alarms that you are not concerned about.

    Operation Procedure

    1. In the attack alarm list, select the check boxes of the alarms to be deleted.
    2. Click Delete.

  • RESTful Action

    The RESTful action uses a third-party API to implement specific functions.

    In Intelligent Policy Center, configure a policy to associate the Execute RESTful Action option with a periodic event.

    Then, the system periodically calls the third-party API according to the RESTful action configuration.

    Use the following configuration to test the RESTful action:

    HOST IP: 127.0.0.1 (IP address of the system server)
    PROTOCOL (http/https): http (Protocol used to access the system)
    PORT: 8080 (HTTP port used by the system)
    USER NAME: admin (Login username)
    PASSWORD: admin (Login password)
    URL: /imcrs/scc/testAction (Path of the action script on the system server)

    Structure of Request and Response Messages

    1. The RESTful action always uses the PUT method.
    2. Structure of the request message sent by the RESTful action:
    3. Structure of the response message returned by the third-party API:
    4. After the request and response messages are configured, the system stores the parameters returned by the action in returnMap(key,value).

  • Jython Script Action Execution Description

    The system provides the following parameters that can be used directly in the Jython script. A parameter value is empty when it does not exist.

    • eventName: Name of the event
    • eventOID: OID of the event
    • eventIp: IP address of the event
    • srcIp: Source IP address of the attack
    • srcMAC: Source MAC address of the attack
    • srcPort: Source port number of the attack
    • destIp: Destination IP address of the attack
    • destMAC: Destination MAC address of the attack
    • destPort: Destination port number of the attack
    • inputDeviceIp: IP address of the source access device of the attack
    • inputDeviceIfDesc: Interface description of the source access device of the attack
    • inputDestDeviceIp: IP address of the destination access device of the attack
    • inputDestDeviceIfDesc: Interface description of the destination access device of the attack
    • targetIpList: List of action target IP addresses that are configured in the policy

    The system also provides the jythonErrorMsg parameter that returns execution failure information to the system. You can customize the execution failure information.
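    As an added example (not from the SCC help or the product itself), a Jython-style script action that consumes the parameters listed above and hands a failure back through jythonErrorMsg. It assumes the parameters are pre-bound as module globals and that targetIpList arrives as a list or a comma-separated string; the deny-task layout it builds is illustrative.

```python
import re

_IPV4 = re.compile(r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$')

def _is_ipv4(value):
    """True for a well-formed dotted-quad IPv4 address."""
    m = _IPV4.match(str(value or ''))
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())

def _as_list(value):
    """targetIpList's exact type is undocumented here (assumption): accept a
    Java/Python list or a comma-separated string and normalise to a list."""
    if isinstance(value, (list, tuple)):
        return [str(v).strip() for v in value if str(v).strip()]
    return [t.strip() for t in str(value or '').split(',') if t.strip()]

def build_block_plan(eventName, srcIp, destIp, destPort, targetIpList):
    """Validate the SCC-provided parameters and build one deny task per
    target device. Returns (plan, error): error is '' on success, otherwise
    the text the script should hand back through jythonErrorMsg."""
    if not _is_ipv4(srcIp):
        return [], 'invalid or missing srcIp: %r' % (srcIp,)
    targets = _as_list(targetIpList)
    if not targets:
        return [], 'targetIpList is empty; nothing to apply for event %s' % eventName
    bad = [t for t in targets if not _is_ipv4(t)]
    if bad:
        return [], 'invalid target IP(s): %s' % ', '.join(bad)
    plan = []
    for target in targets:
        plan.append({'target': target, 'deny_src': srcIp,
                     'dest': destIp or 'any', 'dport': destPort or 'any',
                     'reason': eventName or 'unnamed event'})
    return plan, ''

def _param(name):
    # SCC pre-binds these names; a parameter that does not exist is empty.
    # Stand-alone, globals() has none of them, so every lookup yields ''.
    return globals().get(name, '') or ''

# Script body as SCC would run it: build the plan, then report the outcome.
plan, jythonErrorMsg = build_block_plan(_param('eventName'), _param('srcIp'),
                                        _param('destIp'), _param('destPort'),
                                        _param('targetIpList'))
if jythonErrorMsg:
    print('action failed: %s' % jythonErrorMsg)
else:
    print('%d deny task(s) prepared' % len(plan))
```

    Run stand-alone, no parameters are bound, so the script ends with jythonErrorMsg set to the missing-srcIp message rather than raising; that is the failure path SCC would record.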
