/ DOCS
nav-img
Advanced

Managing the Alarm Whitelist

You can configure the alarm whitelist to reduce false alarms. Events can be deleted from the whitelist.

Whitelisted events will not trigger alarms.

On the Alarms page, you can add falsely reported alarms to the alarm whitelist. After an alarm is added to the whitelist, HSS will not generate alarms on it.

Adding Events to the Alarm Whitelist

Table 1 Configuring the alarm whitelist

Method

Description

Add to alarm whitelist

Choose to add the alarm to the whitelist when handling it.

The following types of events can be added to the alarm whitelist:

  • Reverse shells
  • Ransomware
  • Malicious programs
  • Web shell
  • Abnormal process behaviors
  • Process privilege escalations
  • File privilege escalations
  • High-risk command executions
  • Malicious programs
  • Important file changes
  • File/Directory changes
  • Abnormal shells
  • Suspicious crontab tasks
  • Invalid accounts
  • Common vulnerability exploits

Checking the Alarm Whitelist

Perform the following steps to check the alarm whitelist:

  1. Log in to the management console.
  2. Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
  3. In the navigation pane on the left, choose Detection & Response > Whitelists.

    Note

    If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.

  4. Click the Alarm Whitelist tab to view the whitelist. For more information, see Table 2.

    Table 2 Alarm whitelist parameters

    Parameter Name

    Description

    Alarm Type

    Name of the alarm whitelist type.

    Whitelist Field

    Whitelisted file field

    Wildcard

    Logic used by a whitelisted rule, which can be equal or include.

    Description

    Description of the whitelist.

    Whitelist Rule

    Whitelisted rule ID

    Added

    Time when an alarm is added to the whitelist.

    Occurrences Today

    Number of times that alarm events meet the whitelist conditions today.

Removing an Alarm from the Whitelist

To remove an alarm from the whitelist, select it and click Delete.

Note
  • Exercise caution when performing this operation. Whitelisted alarms cannot be restored after removal, and will be reported once triggered.
  • After an alarm is deleted from the whitelist, the handling status of the events associated with the alarm is not updated. To change the status, choose Detection & Response > Alarms, click Handle in the Operation column of an event, and select Remove from whitelist.
Parent topic: Whitelist Management
Предыдущая статья
Managing Login Whitelist
Следующая статья
Managing the System User Whitelist
Была ли эта статья полезна?
Поддержка Юридические документы
© 2025 Cloud.ru