Cloud threat detection and response (CTDR) centrally collects alerts and log data from multiple clouds, accounts, and cloud services. It detects threats in the collected data and handles them promptly through handling policies, helping you improve security operations efficiency and reduce risk.
CTDR workflow
The CTDR workflow is as follows:
Activate CTDR.
Add logs from cloud services or security providers.
Configure and enable predefined or custom threat detection rules to analyze the collected logs and reconstruct attack chains.
Identify threats and generate security alerts.
Aggregate multiple alerts to generate security events.
Perform recommended or custom handling policies or use Security Orchestration Automation Response (SOAR) to collaborate with relevant cloud services to block or isolate malicious entities.
Only Alibaba Cloud, Huawei Cloud, and Tencent Cloud logs generate security events and support automatic event handling. Logs from other providers only generate security alerts without automatic processing. For more information, see Add logs of security services.
Usage example
This section shows how CTDR's SOAR feature uses the Web Application Firewall (WAF) to automatically block attacking IP addresses. It addresses two common problems with blocking attack IPs by hand: mistakenly blocking legitimate users, and the complex configuration the blocking involves.
Prerequisites
Add the domain name or cloud service that needs protection in the WAF console. The following figure shows how to enable WAF protection for an ECS instance.

In the WAF console, enable the Simple Log Service for WAF as shown in the following figure.

Procedure
Step 1: Activate pay-as-you-go for CTDR
Log on to the Security Center console and click Activate Pay-as-you-go on the CTDR page.

On the activation page, uncheck Enable Log Access Policy, and click Activate and Authorize.
Important: The log access policy automatically collects logs from Security Center, WAF, Cloud Firewall, and ActionTrail, and you are billed based on the volume of logs added. Review your selections carefully. This example only shows how to add logs from WAF, without enabling the recommended access policy.
After activation, the authorization of service-linked roles for Security Center is automatically completed.

Step 2: Add WAF logs
If you checked Enable Log Access Policy in Step 1, CTDR will automatically add WAF logs. You can skip this step.
In the Security Center console, go to the page.
Configure WAF Alert Log. Click the Associated Accounts column, select the account to add, then click OK.

Configure Full/Block/Block and Monitor Logs of WAF 3.0.
Click the Associated Accounts column and fill in the relevant information on the Add Account page.
For this example, the WAF instance uses the pay-as-you-go billing method in the China (Hangzhou) region.
Project: wafnew-project-<Alibaba Cloud account ID>-cn-hangzhou
Logstore: wafnew-logstore
Note: For more information about WAF project names and Logstore information, see Dedicated project and Logstore.

Click Check Validity to verify if the bound Logstore is correct and then click Save.

Step 3: Enable predefined detection rules
In the Security Center console, go to the page.
On the Predefined tab, search for WAF-related rules and turn on the Enabling Status switch.

Step 4: Configure automated response rules
In the Security Center console, go to the page.
On the Automatic Response Rule tab, click Create Rule. Select Event Trigger, and refer to the following figure to complete the creation of the Automatic Response Rule.

Step 5: Confirm blocking effect
Wait for an attack event to occur on the ECS instance associated with WAF. You can view the corresponding event on the Security Event Handling page.
On the Disposal Center tab, check the handling policies and tasks issued by the playbook for the attack IP after the event triggers the automated response rule.
Handling policies created by the automated response rule

Handling tasks created by the automated response rule

In the WAF console, check the attack IP blocking rule automatically added by CTDR.
The following steps use the WAF 3.0 console as an example:
Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region (Chinese Mainland, Outside Chinese Mainland) for the WAF instance.
In the left navigation bar, select .
On the Core Web Protection page, in the Custom Rule section, view the attack IP blocking rule automatically issued by CTDR.
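The following is an added example, not Alibaba Cloud CTDR or WAF code, that models the workflow described at the top of this page (logs, detection rule, alerts, aggregated events, handling policy) and the blocking effect confirmed in Step 5, end to end on constructed WAF-style block logs. It also models two caveats from this page: alerts from providers other than Alibaba Cloud, Huawei Cloud and Tencent Cloud do not become events, and an allowlist stops the response rule from blocking legitimate users. The log field names, the 5-hits-in-5-minutes threshold, the allowlist range and the shape of the emitted block rule are assumptions for illustration, not the real CTDR or WAF schema or API.

```python
"""Added illustration of the CTDR pipeline described on this page.

NOT Alibaba Cloud CTDR or WAF code. Field names, thresholds, the
allowlist and the block-rule dict shape are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Providers whose logs yield events with automatic handling (per the
# note on this page); logs from other providers only yield alerts.
AUTO_HANDLING_PROVIDERS = {"Alibaba Cloud", "Huawei Cloud", "Tencent Cloud"}

# Assumed trusted range (e.g. an internal scanner) that must never be
# auto-blocked: the guard against blocking legitimate users.
ALLOWLIST = [ip_network("192.0.2.0/24")]


def _log(offset_s, ip, path, provider="Alibaba Cloud"):
    """Build one constructed WAF block-log record (simplified fields)."""
    return {
        "time": datetime(2024, 1, 1, 12, 0, 0) + timedelta(seconds=offset_s),
        "real_client_ip": ip,
        "request_path": path,
        "final_action": "block",
        "provider": provider,
    }


# Constructed sample data (documentation IP ranges), not captured traffic.
SAMPLE_WAF_LOGS = (
    [_log(10 * i, "203.0.113.10", "/index.php?id=1%20OR%201=1") for i in range(6)]  # burst
    + [_log(20 * i, "192.0.2.5", "/admin/") for i in range(6)]                  # burst, allowlisted
    + [_log(100 * i, "198.51.100.7", "/.env") for i in range(2)]               # below threshold
    + [_log(15 * i, "203.0.113.77", "/wp-login.php", "Other") for i in range(6)]  # non-event provider
)


def detect_alerts(logs, threshold=5, window=timedelta(minutes=5)):
    """Stand-in for a predefined rule: >= threshold blocked requests from
    one client IP within a sliding time window raises one alert per IP."""
    by_ip = defaultdict(list)
    for entry in logs:
        if entry["final_action"] == "block":
            by_ip[(entry["provider"], entry["real_client_ip"])].append(entry)
    alerts = []
    for (provider, ip), entries in by_ip.items():
        entries.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end, entry in enumerate(entries):
            while entry["time"] - entries[start]["time"] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best:
            s, e, n = best
            alerts.append({
                "rule": "WAF_BLOCK_BURST", "provider": provider, "ip": ip,
                "first_seen": entries[s]["time"], "last_seen": entries[e]["time"],
                "hits": n,
                "paths": sorted({x["request_path"] for x in entries[s:e + 1]}),
            })
    return alerts


def aggregate_events(alerts):
    """Aggregate alerts into one security event per attacking IP. Alerts
    from providers without event support stay alerts only."""
    events = {}
    for alert in alerts:
        if alert["provider"] not in AUTO_HANDLING_PROVIDERS:
            continue
        event = events.setdefault(alert["ip"], {"ip": alert["ip"], "alerts": []})
        event["alerts"].append(alert)
    return list(events.values())


def handle_event(event, allowlist=ALLOWLIST, ttl=timedelta(hours=24)):
    """Stand-in for an automatic response rule: emit a WAF custom block
    rule for the event's IP unless the IP is allowlisted."""
    ip = ip_address(event["ip"])
    if any(ip in net for net in allowlist):
        return {"action": "skip", "reason": "allowlisted", "ip": event["ip"]}
    expires = max(a["last_seen"] for a in event["alerts"]) + ttl
    return {
        "action": "block", "ip": event["ip"],
        # Illustrative rule shape only; the real WAF custom-rule payload differs.
        "waf_custom_rule": {
            "name": f"ctdr-auto-block-{event['ip']}",
            "match": {"field": "ip", "op": "eq", "value": event["ip"]},
            "action": "block",
            "expires_at": expires.isoformat(),
        },
    }


def run_pipeline(logs):
    """Run the full chain and return (alerts, events, handling results)."""
    alerts = detect_alerts(logs)
    events = aggregate_events(alerts)
    return alerts, events, [handle_event(e) for e in events]


if __name__ == "__main__":
    for stage, items in zip(("alerts", "events", "actions"), run_pipeline(SAMPLE_WAF_LOGS)):
        print(stage, [i.get("ip") for i in items])
```

On the sample data, three IPs exceed the threshold and raise alerts, but only the two seen in Alibaba Cloud logs become events; of those, 203.0.113.10 gets a time-limited block rule and 192.0.2.5 is skipped because it falls in the allowlisted range. The 24-hour expiry is a deliberate choice: an automatically issued block should age out rather than accumulate indefinitely in the WAF custom-rule list.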
