Security Center: Use the host-specific rule management feature

Last Updated: Nov 29, 2023

The host-specific rule management feature lets you manage the defense and detection rules that are configured for your servers in three modules: malicious behavior defense, defense against brute-force attacks, and approved logon management. You can create rules based on your business requirements to improve the security of your system. This topic describes how to manage the rules in each module.

Modules and supported editions

  • Malicious behavior defense

    Supported editions: Advanced, Enterprise, and Ultimate

    Description: Security Center provides system defense rules to defend against common attacks, such as execution of commands that contain malicious scripts and insertion of malicious files. You can also create custom defense rules based on your business scenarios. Malicious behavior defense allows you to manage system defense rules and custom defense rules to build a finer-grained security system.

  • Defense against brute-force attacks

    Supported editions: Advanced, Enterprise, and Ultimate

    Description: You can configure a defense rule against brute-force attacks. If the number of logon failures to the same server exceeds the specified limit during the specified statistical period, the IP address is blocked.

  • Approved logon management

    Supported editions:

    • Approved logon location: All editions

    • Approved logon IP address: Advanced, Enterprise, and Ultimate

    • Approved logon time range: Advanced, Enterprise, and Ultimate

    • Approved logon account: Advanced, Enterprise, and Ultimate

    Description: Approved logon management allows you to specify approved logon locations, IP addresses, time ranges, and accounts. You can identify unusual logons that may be initiated by attackers.

Malicious behavior defense

Scenarios

Malicious behavior defense supports system defense rules and custom defense rules. The following list describes the scenarios for which the two types of rules are suitable.

Important

Custom defense rules are assigned a higher priority than system defense rules.

  • Rule type: System defense rule

    Scenarios:

    • Defense against common attacks

      Common attacks are automatically blocked. You can disable a system defense rule or change the servers to which a system defense rule is applied to minimize false alerts.

    • False alert handling

      If you handle an alert event whose alert type is Precise defense and you determine that the processes detected and reported by Security Center based on a system defense rule are normal and are required for your workloads, you can disable the rule on the Host defense rules tab of the Malicious Behavior Defense tab. You can also remove the affected servers from the list of servers on which the rule takes effect.

  • Rule type: Custom defense rule

    Scenario: If you want to allow or block specific behavior, you can use the Custom defense rules tab to create custom defense rules based on your business scenarios. For examples of custom defense rules, see Best practices for configuring custom defense rules by using the malicious behavior defense feature.

Manage system defense rules

Security Center automatically enables all system defense rules in the Advanced, Enterprise, and Ultimate editions.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host defense rules tab of the Malicious Behavior Defense tab, find and manage a system defense rule.

    Search for a system defense rule

    • On the Host defense rules tab, enter the name of the system defense rule in the search box.

    • On the Host defense rules tab, select a value in the ATT&CK Phase section to filter rules.

    Manage a system defense rule

    • Enable or disable a system defense rule

      If a system defense rule is not suitable for your business scenario and affects the security score of your assets, you can disable the rule.

      Important

      After you disable a system defense rule, Security Center no longer detects or reports risks based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.

      1. Select one or more system defense rules.

      2. In the lower-left corner of the rule list, click Enabled or Deactivation.

    • Manage servers to which a system defense rule is applied

      Important

      After you remove a server from a system defense rule, Security Center no longer detects or reports risks on the server based on the rule. Proceed with caution.

      1. Find the system defense rule that you want to manage and click Management host in the Actions column.

      2. In the Management host panel, add servers to the rule or remove servers from the rule. Then, click OK.

Manage custom defense rules

If Security Center generates alerts for your normal service requests, you can create a custom defense rule to add specific behavior to the whitelist. For example, you can add behavior of the Command line and process hash types to the whitelist.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Custom defense rules tab of the Malicious Behavior Defense tab, click New rule.

  4. In the New rule panel, configure the Rule type parameter, the required parameters, and the Action parameter based on your business requirements. Then, click Next.

    The required parameters vary based on the value of the Rule Type parameter. If you want to add specific behavior to the whitelist, make sure that the Rule type parameter for the defense rule uses one of the following values:

    • Process hash

    • Command line

    • Process Network

    • File Read and Write

    • Operation on Registry

    • Dynamic-link Library Loading

    • File Renaming

    For more information, see Best practices for configuring custom defense rules by using the malicious behavior defense feature.

    Note

    You can add only behavior of the Process hash type to the blacklist.

  5. In the server list in the New rule panel, select the servers on which you want the rule to take effect and click Finish.

    By default, a new custom defense rule is enabled. You can manage the servers on which the rule takes effect.

View and handle alert events

After you configure a malicious behavior defense rule, Security Center automatically blocks malicious behavior that hits the rule and generates alerts based on the rule. To view and handle alert events, perform the following operations:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Detection and Response > Alerts.

  3. In the upper part of the Alerts page, click the number below Precise Defense.

  4. In the list of alert events, view the alert events that are generated for automatically blocked risks. If an alert event is a false positive, click Details in the Operate column to handle the alert event.

    In this example, the alert event that is generated for the alert named Suspicious worm script behavior is handled.

    In the alert details panel, obtain and record the following information for subsequent use.

    • The name of the system defense rule based on which risks are detected. The alert event is generated for the detected risks. In this example, the name of the system defense rule is Malicious Damage To Client Processes.

    • The value of Attack Phase for the alert event. In this example, the value is Damage.

    • The names and IP addresses of the servers that are affected by the alert event.

  5. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  6. On the Host defense rules tab, search for the system defense rule based on which the alert event is generated.

    • You can enter Suspicious worm script behavior in the search box.

    • You can also click Damage in the ATT&CK Phase section of the Host defense rules tab.

  7. Manage the Suspicious worm script behavior system defense rule.

    • If the system defense rule is not suitable for your business scenario and you no longer want Security Center to generate alert events based on the system defense rule, you can click the switch icon in the Switch column to disable the rule.

      Important

      After you disable a system defense rule, Security Center no longer detects risks or generates alert events based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.

    • If you want to handle an alert event that is a false positive, you can click Actions in the Management host column and remove the servers that are affected from the server list of the rule.

      You can also find and handle the false positive alert event on the Alerts page. For more information, see View and handle alert events.

      Important

      If you want the system defense rule to continue protecting your server, you can add the server to the server list on the Malicious Behavior Defense tab after you handle the alert event.

Defense against brute-force attacks

How it works

You can create a defense rule against brute-force attacks. If the number of logon failures from an IP address to a server to which your defense rule is applied exceeds the specified limit during the specified statistical period, the defense rule is triggered, and an IP address blocking policy is automatically generated. Logon requests from the IP address to the server are blocked within the specified disablement period. You can view the IP address on the System Rules tab of the Defense Against Brute-force Attacks tab. The IP address blocking policy is automatically enabled and valid during the disablement period of the defense rule.
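
The trigger condition described above, modelled offline as an added example (this is not Security Center code). It applies the example rule from the Defense Rule parameter on this page (more than 3 failures in 1 minute, 30-minute block) and the Create Rule defaults (80 failures, 10 minutes, 6 hours) to constructed log lines; the log format, server names, and IP addresses are assumptions, and the count is compared with a strict ">" to follow the word "exceeds".

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    limit: int            # logon failures tolerated in one statistical period
    period: timedelta     # statistical period
    block_for: timedelta  # disablement period


# Defaults the page gives for the Create Rule panel: 80 failures / 10 min / 6 h.
DEFAULT_RULE = Rule(80, timedelta(minutes=10), timedelta(hours=6))
# The page's Defense Rule example: more than 3 failures in 1 minute, 30 min block.
EXAMPLE_RULE = Rule(3, timedelta(minutes=1), timedelta(minutes=30))

# Assumed log format (constructed): "<ISO time> <server> <FAIL|OK> <source IP>"
LINE = re.compile(r"^(\S+) (\S+) (FAIL|OK) (\S+)$")

# Constructed sample, time-ordered. 198.51.100.9 plays the approved logon IP.
SAMPLE = """\
2023-11-29T10:00:00 web-01 FAIL 203.0.113.7
2023-11-29T10:00:05 web-01 FAIL 198.51.100.9
2023-11-29T10:00:10 web-01 FAIL 203.0.113.7
2023-11-29T10:00:15 web-01 FAIL 198.51.100.9
2023-11-29T10:00:20 web-01 FAIL 203.0.113.7
2023-11-29T10:00:25 web-01 FAIL 198.51.100.9
2023-11-29T10:00:30 web-01 FAIL 203.0.113.7
2023-11-29T10:00:35 web-01 FAIL 198.51.100.9
2023-11-29T10:00:40 db-01 FAIL 203.0.113.7
2023-11-29T10:05:00 web-01 FAIL 203.0.113.7
2023-11-29T10:31:00 web-01 FAIL 203.0.113.7
""".splitlines()


def evaluate(lines, rule, approved_ips=frozenset()):
    """Return blocking policies as (server, ip, blocked_from, blocked_until)."""
    failures = defaultdict(deque)  # (server, ip) -> failure times in the window
    blocked_until = {}             # (server, ip) -> end of the active block
    policies = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m[3] != "FAIL":
            continue               # unparsable line or successful logon
        ts, key, ip = datetime.fromisoformat(m[1]), (m[2], m[4]), m[4]
        if ip in approved_ips:
            continue               # approved logon IPs are never blocked
        if ts < blocked_until.get(key, datetime.min):
            continue               # still inside the disablement period
        window = failures[key]
        window.append(ts)
        while ts - window[0] >= rule.period:
            window.popleft()       # drop failures older than the statistical period
        # "How it works" says the count must exceed the limit, so use ">".
        if len(window) > rule.limit:
            blocked_until[key] = ts + rule.block_for
            policies.append((*key, ts, blocked_until[key]))
            window.clear()
    return policies


if __name__ == "__main__":
    for server, ip, start, end in evaluate(SAMPLE, EXAMPLE_RULE, {"198.51.100.9"}):
        print(f"block {ip} -> {server} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Counting is per source IP and per server, so the single failure against db-01 does not add to the web-01 count, and the approved logon IP is skipped even though it produces the same failure pattern as the blocked address.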

Create a defense rule against brute-force attacks

You can create a defense rule against brute-force attacks and specify a trigger condition in the rule. You can also create multiple defense rules against brute-force attacks for servers based on different scenarios.

Important

If you want to add an IP address to the whitelist of defense against brute-force attacks, you can click the number below Approved Logon IP Address and specify the IP address as an approved logon IP address. Defense rules against brute-force attacks do not block logon requests from approved logon IP addresses.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.

  4. If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.

    For more information, see Service-linked roles for Security Center.

  5. On the Defense policy tab, click Create Rule. In the Create Rule panel, configure the parameters.

    Security Center provides the following default settings in the Create Rule panel: If the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you want to retain the default settings, you can directly select servers. If you want to create a custom rule, you can configure the following parameters.

    • Policy Name: Enter a name for the defense rule.

    • Defense Rule: Specify a trigger condition for the defense rule. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the limit during the statistical period, the defense rule blocks the IP address for the disablement period. For example, if the number of logon failures from an IP address exceeds 3 within 1 minute, the IP address is blocked for 30 minutes.

    • Set As Default Policy: Determine whether to specify the defense rule as a default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use the defense rule.

      Note

      If you select Set As Default Policy, the defense rule takes effect on all servers that are not protected by defense rules, regardless of whether you select the servers in the Select Server(s): section.

    • Select Server(s): Select the servers that you want the defense rule to protect. You can select servers from the server list or search for servers by server name or server IP address.

  6. Click OK.

    Important

    You can create only one defense rule against brute-force attacks for each server.

    • If a selected server is not protected by a defense rule, the defense rule that you create takes effect.

    • If a selected server is protected by a defense rule and you want to apply the defense rule that you create to the server, read and confirm the information in the Confirm Changes message, and click OK.

    • If you create a rule for a server to which an existing defense rule is applied, the number of servers to which the existing defense rule is applied decreases.

Manage a system rule

A system rule refers to an IP address blocking policy that is automatically generated after a defense rule against brute-force attacks is triggered. You can perform the following operations to view, enable, and disable a system rule:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  2. On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.

  3. On the System Rules tab, perform the following operations:

    • View the information about a system rule

      You can view the following information: blocked IP address, port, effective servers, rule name, interception mode, validity period, and status. An effective server refers to a server to which a rule is applied. Security Center enables different interception mechanisms based on whether the AliNet plug-in is installed. The following list describes the interception mechanisms:

      • ECS Security Group: When you enable a system rule, a security group rule is automatically created. If the system rule expires or is disabled, the security group rule is automatically deleted.

      • Security Center: This interception mechanism uses the AliNet plug-in. If you use the Enterprise or Ultimate edition of Security Center and enable the Behavior prevention feature, Security Center automatically uses the AliNet plug-in to block logons. For more information about how to enable the Behavior prevention feature, see Proactive Defense.

    • Enable a system rule

      If a system rule is disabled, you can turn on the switch in the Status column to enable the system rule. Then, Security Center continues to block logons from the IP address that is specified in the system rule. The rule is valid for 2 hours after it is enabled.

    • Disable a system rule

      If a system rule is enabled and you confirm that the blocking of the IP address specified in the system rule is a false positive, you can disable the rule to allow logons from the IP address. To disable the rule, turn off the switch in the Status column. After approximately 1 minute, logon attempts from the IP address are allowed.

Manage a custom rule

You can create custom IP address blocking policies to block access from malicious IP addresses to your cloud assets. To manage a custom IP address blocking policy, perform the following operations:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.

  4. On the Custom Rules tab, perform the following operations:

    • Create a custom IP address blocking policy

      1. If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.

        For more information, see Service-linked roles for Security Center.

      2. Click New rule. In the New IP Blocking Policy panel, configure the parameters and click OK. The following list describes the parameters.

        • Intercepted object: The IP address that you want to block.

        • All Assets: The server on which you want the IP address blocking policy to take effect. You can select multiple servers. You can also enter a server name or server IP address in the search box to search for the server.

          Note

          Only Alibaba Cloud Elastic Compute Service (ECS) instances are supported.

        • Rule Direction: The direction of the traffic that you want to block. Valid values: Inbound and Outbound.

        • Security Group: The security group that is associated with the IP address blocking policy. Default value: Cloud Security Center Block Group. When you enable the policy, a blocking rule is automatically created in the security group. If the policy expires or is disabled, the rule in the security group is automatically deleted.

        • Expire Date: The expiration time of the policy. After the policy expires, the status of the policy changes to Disabled.

        By default, a new IP address blocking policy is in the Disabled state. You must manually enable the policy.

    • View custom IP address blocking policies and the details of a custom IP address blocking policy

      On the Custom Rules tab, you can view the following information about each custom IP address blocking policy: blocked IP address, effective servers, expiration time, rule direction, and status. You can also click Details in the Actions column of a policy to go to the Effective Server(s) panel. In this panel, you can view the servers on which the policy takes effect. You can filter servers by status, such as Disabled, Enabled, Enabling, and Enable Rule.

    • Edit a custom IP address blocking policy

      Find the IP address blocking policy that you want to edit and click Edit in the Actions column. In the Edit IP Blocking Policy panel, modify the All Assets and Expire Date parameters and click OK. After modification, Security Center blocks access requests from IP addresses based on the new settings of the policy.

      You can edit a policy only if the policy is in the Disabled state. If you want to edit a policy that is in the Enabled state, you must disable the policy.

    • Enable or disable an IP address blocking policy

      You can configure an IP address blocking policy for an IP address that is likely used to launch brute-force attacks. If normal traffic is blocked by the policy, you can disable the policy. After you disable the policy, Security Center no longer blocks requests from the IP address.

      • Enable: To enable an IP address blocking policy, turn on the switch in the Status column. In the Enable IP Policies message, click OK. Then, the policy takes effect, and the status of the policy changes to Enabling. The amount of time during which the policy is in the Enabling state increases with the number of effective servers. Security Center blocks malicious traffic based on the policy. After you enable the policy, the policy may be in one of the following states:

        • Enable Rule: The IP address blocking policy does not take effect on all selected servers.

        • Partial Success: The IP address blocking policy takes effect only on several selected servers.

        To view the details of effective servers, click Details in the Actions column. In the Effective Server panel, find a server that is in the Enable Rule state and click Retry in the Operate column to enable the policy.

        Note

        If you enable a custom IP address blocking policy that has already expired, the policy is valid for 2 hours from the time you enable it. If you want to change the validity period of the policy, we recommend that you modify the policy before you enable it.

      • Disable: To disable an IP address blocking policy, turn off the switch in the Status column. In the Disable IP Policies message, click OK. Then, the policy becomes invalid, and the status of the policy changes to Disabled. Security Center no longer blocks requests from the IP address that is specified in the policy.

    • Delete a custom IP address blocking policy

      You can delete an IP address blocking policy that is in the Disabled state. To delete a policy, click Delete in the Actions column. In the message that appears, click OK.

Approved logon management

You can specify approved logon locations, IP addresses, time ranges, and accounts. Security Center monitors logons based on your settings. If unapproved logons are detected, Security Center generates alerts. To configure approved logon settings, perform the following operations:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host-specific Rule Management page, click the Common Logon Management tab.

  4. On the Common Logon Management tab, configure approved logon locations, IP addresses, time ranges, and accounts.

    This example shows how to configure Approved Logon Location.

    1. On the Approved Logon Location tab, click Create Rule.

    2. In the Approved Logon Location panel, select one or more locations as approved logon locations based on your business requirements, select the servers on which the settings take effect, and then click OK.

    Security Center allows you to change the servers that allow logons from selected logon locations and delete selected logon locations.

    • To change the servers that allow logons from the logon location, find the location and click Modify on the right side.

    • To delete an approved logon location, find the location and click Remove in the Actions column.

    Security Center allows you to add remarks to approved logon IP addresses. To add remarks to an IP address, find the IP address and click the edit icon in the Note column on the Approved Logon IP Address tab.

After you configure approved logon settings, you can go to the Alerts page and select Unusual Logon for Alert Type to view and handle the alerts that are generated for unapproved logons at the earliest opportunity. For more information, see View and handle alert events.