Alibaba Cloud Network Detection and Response (NDR) is a security product that monitors and analyzes all network traffic to identify and respond to potential security threats.
Access management
To protect your public assets with NDR, you must first onboard your cloud asset traffic to the service. NDR supports two onboarding types: automatic full provisioning and manual on-demand provisioning. You can choose the connection type that best suits your requirements.
Feature | Description |
--- | --- |
Internet traffic access | Connect traffic from cloud assets, such as ECS, SLB, NAT, and ENI instances with elastic IP addresses (EIPs) or public IP addresses, to NDR for detection and analysis with a single click. No deployment is required and the service is activated instantly. Two connection types are supported: automatic full provisioning and manual on-demand provisioning. |
Packet retention
After you connect your cloud asset traffic, you can retrieve and retain attack packets in NDR. You can manually configure packet retention filter rules to retain traffic from core business assets and create PCAP generation tasks to download raw traffic packets for further analysis.
Feature | Description |
--- | --- |
Packet retention and retrieval | NDR automatically retains attack events that trigger alerts, together with the raw traffic captured during the attacks. You can retrieve retained attack packets and asset service traffic packets on the page. Advanced query tools such as Berkeley Packet Filter (BPF) expressions are supported. |
Packet retention filter rules | Configure retention rules for traffic from core business assets as needed. The feature supports filtering logic based on blacklists and whitelists. You can create, retrieve, update, and delete retention rules. |
PCAP generation tasks | Centrally manage all created PCAP generation tasks. You can view and filter historical tasks and download the packets to your local machine. |
Threat analysis
After you connect your cloud asset traffic, NDR automatically detects malicious attacks and abnormal behavior. It uses multiple engines for feature detection, threat intelligence, malicious file analysis, and behavior analysis. NDR generates alerts and correlates attack events. It uses bidirectional request and response traffic and the ATT&CK framework to determine the attack stage and outcome. You can then analyze the attack details on the alert details page.
Feature | Description |
--- | --- |
Alert analysis | Analyzes alerts for malicious attacks and abnormal behavior in service traffic. In the alert details, you can view detailed alert information, the alert list, and the attack packet payload online. The feature correlates multiple alert events between the same suspect and victim. It also lets you retrieve attack packet traffic and download PCAP tasks. |
ATT&CK matrix | Aggregates alert events based on the ATT&CK framework and automatically determines the stage and outcome of an attack. You can view the details of aggregated alerts by attack tactic and technique. |
Alert whitelist | Add whitelist rules for false positive alerts and trusted assets. You can configure rules based on stream information, protocol fields, and rule information. The feature also lets you create, retrieve, update, and delete whitelist rules. |
Log analysis
Protocol log analysis is a core NDR feature that uses bidirectional traffic for in-depth threat analysis. This feature lets you retain and deliver protocol logs. You can then retrieve and analyze key information or push the logs to third-party products for further correlation. This process helps you identify key attack features.
Feature | Description |
--- | --- |
Log retrieval | Retrieve Layer 7 protocol logs, such as HTTP, DNS, and TLS logs, and 5-tuple logs online. You can add multiple filter conditions, such as source IP, port, protocol, and direction. The log details show the detailed fields and payload information from the raw log. |
Log filter rules | Filter and retain protocol logs on demand, and flexibly customize which information is kept for core service traffic. The feature supports a wide range of log types and field filter conditions. You can create, retrieve, update, and delete log filter rules. |
Log delivery | Deliver all protocol logs to Simple Log Service (SLS). NDR can deliver logs within seconds. |