检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
IAM Alarms Attacker Access from an attacker's IP address similar to historical intelligence is detected. Severity: medium Data source: IAM logs A malicious IP address similar to historical intelligence has been found accessing the IAM account.
Advantages Abnormal IAM Behavior Detection with an AI Engine MTD introduces an AI detection engine to work together with threat intelligence and detection policies.
MTD and Other Services IAM Identity and Access Management (IAM) provides you with permission management for MTD. Only users granted with the MTD Administrator permissions can use MTD. To obtain the permissions, contact the users who have the Security Administrator permissions.
Prerequisites MTD permissions have been granted to a user of the IAM account. For details, see How Do I Use My IAM Account to Grant MTD Permissions to a User? To create a detector and then perform other operations, you need to obtain permissions from the IAM account first.
The AI detection engine uses an elastic profile model, unsupervised model, and supervised model to detect seven high-risk scenarios of IAM, including risky passwords, credential leakage, token exploitation, abnormal delegation, remote logins, unknown threats, and brute-force cracking
How Do I Use My IAM Account to Grant MTD Permissions to a User of the Account? When you use an IAM user to create a detector or perform other operations on the MTD console, you need to grant the user related permissions using the IAM account.
How Do I Use My IAM Account to Grant MTD Permissions to a User of the Account?
MTD can detect security risks of IAM accounts and DNS attacks, as well as risks of being intruded by checking CTS logs. These security risks cannot or barely can be detected by other security services. Parent topic: About the Product
MTD generates alarms for access threats by detecting logs of cloud services (including IAM, CTS, OBS, VPC, and DNS). Parent topic: About Functions
The AI detection engine can detect IAM anomalies to protect your accounts.
In addition to detecting threats based on detection policies and intelligence, MTD uses an AI-powered detection model to detect abnormal IAM activities. Additionally, the abnormal behavior detection model of MTD detects distributed brute-force attacks on IAM accounts.
Create a user group on the IAM console, and assign MTD permissions to the group. Create an IAM user and add it to the user group. Create a user on the IAM console and add the user to the group created in 1. Create a custom policy. Create a custom policy.
For more information about IAM, see the IAM Service Overview. MTD Permissions By default, new IAM users do not have any permissions. You need to add a user to one or more groups, and attach permissions policies or roles to these groups.
MTD can monitor logs of IAM, DNS, CTS, OBS and VPC, all of which are global services in your account.
To identify unauthorized malicious activities, MTD must be granted the permissions for accessing the log data of target services, including IAM, DNS, CTS, OBS, and VPC.
IAM, DNS, CTS, OBS, and VPC detection is supported in the CN-Hong Kong region. 2022-03-28 This issue is the fifth official release.
Viewing Alarm Types IAM Alarms CTS Alarms DNS Alarms OBS Alarms VPC Alarms
IAM logs: 22 types CTS logs: 5 types VPC logs: 12 types DNS logs: 11 types
MTD collects logs from IAM, VPC, DNS, CTS, and OBS and uses an AI engine, threat intelligence, and detection policies to continuously detect potential threats, malicious activities, and unauthorized behaviors, such as brute-force cracking, penetration attacks, and mining attacks.
Currently, IAM, VPC, DNS, OBS, and CTS logs can be accessed and analyzed using MTD. Other types of files are not supported. Parent topic: About the Product
