In the increasingly complex network security environment, organizations and enterprises face challenges on how to effectively monitor and manage large amounts of alerts and logs in distributed systems. To handle these challenges, Security Center provides the threat analysis feature. You can use the threat analysis feature to centrally manage alerts and logs of multiple cloud services within different accounts in a multi-cloud environment. The feature helps you improve O&M efficiency and respond to potential risks.
Background information
How it works
The threat analysis feature provides a cloud-native management solution for security information and events. The feature provides capabilities such as log collection, alert generation, event aggregation and analysis, and event response and orchestration.
The feature collects logs from different accounts and cloud services of multiple cloud service providers. The feature also analyzes the collected logs based on predefined and custom detection rules to identify attacks, build complete attack chains, and generate security events with detailed information. When the feature detects security threats, it enables Security Orchestration Automation Response (SOAR) and handles threat sources in collaboration with related Alibaba Cloud services. The handling operation includes blocking and quarantine. This helps improve the handling efficiency of security events.
Benefits
Standardized data collection
The feature collects various logs, such as alert logs, network logs, system logs, and application logs, across services, accounts, and cloud platforms. This way, data is standardized and context is enhanced.
Multi-dimension threat detection
The feature strengthens the single-point threat detection capabilities of southbound security devices by using threat detection methods, such as multi-source data association analysis, AI image-based computing and inference, and threat intelligence that is updated in real time. The feature provides more than 40 threat detection scenarios and 3 types of event analysis models.
Efficient event investigation
The feature aggregates related alerts to generate security events, and automatically reconstructs the attack timeline and path. The error rate of security events triggered by alerts is only 0.0001%. This enriches event investigation context and accelerates alerting and event handling.
Automated response and orchestration
The feature automatically handles malicious entities based on automatic response rules and playbooks in collaboration with multiple services. The malicious entities include malicious IP addresses, files, and processes. This way, the emergency response experience is streamlined, normalized, and automated.
Supported cloud services and log types
The threat analysis feature supports more than 20 cloud services and more than 50 log types. The following table describes the supported cloud services and log types.
Cloud service provider | Service | Log type |
Alibaba Cloud | Security Center |
|
Web Application Firewall (WAF) | Alert logs and flow logs of WAF, and flow logs of WAF 3.0 | |
Cloud Firewall | Alert logs and flow logs of Cloud Firewall | |
Anti-DDoS | Flow logs of Anti-DDoS Proxy (Chinese Mainland), flow logs of Anti-DDoS Proxy, and logs of Anti-DDoS Origin | |
Bastionhost | Bastionhost logs | |
CDN | Flow logs of Alibaba Cloud CDN (CDN) and flow logs of CDN WAF | |
API Gateway | API Gateway logs | |
Container Service for Kubernetes (ACK) | Audit logs of Kubernetes resources | |
PolarDB | Audit logs of PolarDB-X 1.0 and PolarDB-X 2.0 | |
ApsaraDB for MongoDB | Run logs and audit logs of ApsaraDB for MongoDB | |
ApsaraDB RDS | Audit logs of ApsaraDB RDS | |
Virtual Private Cloud (VPC) | Flow logs of VPC | |
Elastic IP Address (EIP) | Flow logs of EIP | |
Server Load Balancer (SLB) | Layer 7 logs of Classic Load Balancer (CLB) and flow logs of Application Load Balancer (ALB) | |
Object Storage Service (OSS) | Batch deletion logs, metering logs, and flow logs of OSS | |
Apsara File Storage NAS | Operation logs of NAS NFS | |
Function Compute (FC) | Operation logs of Function Compute | |
ActionTrail | ActionTrail logs | |
CloudConfig | Cloud Config logs | |
Tencent Cloud | WAF | Alert logs of WAF |
Cloud Firewall | Alert logs of Cloud Firewall | |
Huawei Cloud | WAF | Alert logs of WAF |
Cloud Firewall | Alert logs of Cloud Firewall |
Scenarios
Purchase and enable the threat analysis feature
Go to the Security Center buy page.
Set the Threat Analysis parameter to Yes and configure the Log Storage Capacity of Threat Analysis parameter.
Log on to the Security Center console. In the top navigation bar, select the region in which your asset resides. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Threat Analysis and Response page, click Authorize Now.
After the authorization, Security Center automatically creates a service-linked role named AliyunServiceRoleForSasCloudSiem. The threat analysis feature assumes this role to access the resources of your cloud services. For more information about the service-linked role, see Service-linked roles for Security Center.
Changes in the Security Center console after threat analysis is enabled
Terms
Before you use the threat analysis feature, you must understand the terms that are related to the feature. The following table describes the terms.
Term | Description |
handling policy | A handling policy describes the details of scenario-specific alert handling. A handling policy is generated based on the handling result of an entity in a scenario. |
handling task | A handling task describes the details of scope-specific alert handling. The event handling process of an entity in a scenario is divided into multiple handling tasks based on scopes. |
entity | An entity is the core object of an alert, which can be an IP address, a file, or a process. |
SOAR | SOAR is a solution that provides automated tools and procedures to organize and manage event response measures. SOAR helps enterprises efficiently respond to security events, reduces manual interference, and improves the handling efficiency of events. |
playbook | A playbook provided by SOAR is an automated security management process that consists of predefined response policies. A playbook can be automatically executed after specific events are triggered. You can create a playbook in the same manner as you draw a flowchart. A playbook contains start, judgment, action, and end nodes. You can define actions for each component on a canvas in a visualized manner. For example, you can define the network disabling action for the terminal management component. |
component | A component is used to connect to an external system or service, such as WAF, Cloud Firewall, a database service, or a notification service. To serve as a connector to an external system or service, a component does not process complex logic. Complex logic is processed by the connected external system or service. After you select a component, you must select resource instances and actions for the component. Components are classified into process orchestration components, basic orchestration components, and security application components. |
resource instance | An asset instance specifies an external service to which a component is connected. For example, if you want to use a MySQL component and your enterprise has multiple MySQL databases, you must specify the database to which you want to connect the MySQL component. |
action | An action specifies the execution capability of a component. A component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications. |
References
After you enable the threat analysis feature, you can add logs of cloud services to the feature to monitor and analyze alerts and logs across resources in a centralized manner. For more information, see Add logs of cloud services.
Does the threat analysis feature support devices in a data center?
Will the number of alerts be reduced after I enable the threat analysis feature?