[Cyber Command] Enabling high detection mode leads to a large number of false positives in web security logs
Problem Description
A customer reports that the Cyber Command security log contains many false positives for SQL injection, webshell and other web attack types, and asks for them to be resolved.
Effective troubleshooting steps
Check the STA configuration; it shows that the customer has enabled high detection mode.

Root cause
With high detection mode enabled, web log matching becomes more sensitive, so benign traffic is more easily reported as an attack, producing false positives.
Solution
Turn off high detection mode on the STA, switching the detection mode from high detection to low false positive.
[High risk operation] Turning off high detection mode reduces the coverage of subsequent security log detection. Explain this to the customer before making the change.

Suggestions and Conclusion
High detection mode is mainly intended to avoid missed detections in scenarios where professional security operators handle operation and maintenance and logs are mainly analysed manually. Do not enable high detection mode unless security experts are available to triage its output.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=24&type=1&category_id=9808&isOpen=true