User guide to CTDR

Last Updated:May 27, 2025

In the cloud era, complex IT environments, fragmented data, slow security response times, difficulties in detecting complex attacks, and compliance requirements all complicate security operations. Enterprises need a comprehensive threat detection and response system to centralize alerts and log data from multiple cloud environments, accounts, and services, so that they can quickly respond to attacks. Security Center's cloud threat detection and response (CTDR) feature offers a cloud-native security information and incident management solution with capabilities such as log standardization, alert generation, aggregation analysis, and incident orchestration and response.

How CTDR works

CTDR collects logs from multiple accounts and cloud services across multiple providers. It analyzes these logs with predefined and custom detection rules to identify attacks, reconstruct complete attack chains, and generate detailed security incidents. When a threat is detected, it invokes Security Orchestration, Automation, and Response (SOAR) to work with Alibaba Cloud services and perform actions such as blocking and quarantine, which shortens the time needed to handle a security incident.


Getting started


1. Purchase and activate CTDR

CTDR supports subscription and pay-as-you-go billing methods. This topic uses the subscription billing method as an example to introduce the specific steps for purchasing and activating the feature. For more details, see Billing overview.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, select Detection and Response > CTDR.

  3. On the CTDR page, click Subscription.

  4. On the purchase page, follow the instructions below to configure the purchase parameters.

    The following are the purchase parameters you must set. You can choose to set other purchase parameters as needed. For more information, see Purchase Security Center.

    • Billing Method: Subscription

    • Edition: Value-added Plan

    • CTDR:

      • Purchase or Not: Select Yes.

      • Log Data to Add: Set to 100 GB/day.

      • Log Storage Capacity: Set to 1000 GB.

      • Service Linked Role: Click Create Service-linked Role.

      • Collection Policy: Select the option After you enable the recommended log collection policy of the CTDR feature, you are charged based on the actual resource usage.

2. Add cloud services

After using the recommended log access policy, CTDR will automatically add logs from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail of the current Alibaba Cloud account, without manual configuration. The table below lists the data sources and supported security capabilities.

Important
  • Automatic access to ActionTrail incident logs is provided only with the Anti-virus, Advanced, Enterprise, or Ultimate editions of Security Center. Without a paid version of Security Center, the system will not automatically add the ActionTrail incident logs.

  • If you have not enabled the recommended log access policy or need to add third-party cloud service logs, see Add logs of cloud services.

| No. | Alibaba Cloud service | Data source | Standardized log category | Supported security capability |
| --- | --- | --- | --- | --- |
| 1 | Security Center | Alert logs | Security log - alert log | Predefined analysis rules; Incident investigation and tracing; Response and handling |
| 2 | Security Center | Vulnerability logs | Security log - vulnerability log | Incident investigation and tracing |
| 3 | Security Center | Baseline logs | Security log - host baseline log | Incident investigation and tracing |
| 4 | Security Center | Logon logs | Logon log - host logon log | Incident investigation and tracing |
| 5 | Security Center | Web access logs | Network log - HTTP log | Predefined analysis rules |
| 6 | Security Center | File read and write logs | Host log - process file read and write log | Incident investigation and tracing |
| 7 | Security Center | Process startup logs | Host log - process startup log | Predefined analysis rules; Incident investigation and tracing |
| 8 | Security Center | DNS query logs | Host log - process DNS query log | Predefined analysis rules; Incident investigation and tracing |
| 9 | Security Center | Network connection logs | Host log - process network connection log | Predefined analysis rules; Incident investigation and tracing |
| 10 | Web Application Firewall | WAF alert logs | Security log - WAF alert log | Predefined analysis rules; Incident investigation and tracing; Response and handling |
| 11 | Web Application Firewall | Full/block/block and monitor logs of WAF 2.0 | Network log - HTTP log | Predefined analysis rules |
| 12 | Web Application Firewall | Full/block/block and monitor logs of WAF 3.0 | Network log - HTTP log | Predefined analysis rules |
| 13 | Cloud Firewall | Real-time alert logs of Cloud Firewall | Security log - firewall alert log | Predefined analysis rules; Incident investigation and tracing; Response and handling |
| 14 | ActionTrail | ActionTrail incident logs | Audit log - cloud platform operation audit log | Incident investigation and tracing |

3. Enable log delivery (optional)

All logs added to CTDR can be stored using the log management feature. For log analysis, tracing, or compliance needs, enable log delivery by following these steps. Only after enabling log delivery can you access the CTDR log management, rule management (custom rules), and dashboard features.

  1. In the left-side navigation pane, select CTDR > Service Integration.

  2. On the Service Integration page, click the Log Settings icon in the upper-right corner.

  3. In the Log Delivery Management area, activate the switch in the Deliver Log to Hot Data/Enabled and Disabled At column for the log types you want to deliver.

    You can select multiple log types and click Batch Deliver Log To.

    On the Log Management page, activate the switch next to the desired log type to enable its delivery.

4. Manage threat detection rules

CTDR features built-in predefined detection rules and custom detection rules that thoroughly analyze the added logs, pinpoint potential attack chains and timelines, and compile comprehensive security incident reports.

Predefined rules

CTDR activates all predefined rules by default. These rules are designed to detect threats solely within the designated Log Scope. You can view and modify the activation status of predefined rules on the CTDR > Rule Management page.


Custom rules

If you have enabled log delivery as described in 3. Enable log delivery (optional), you can create custom threat detection rules that fit your environment.

5. Generate security alerts

When an attack matches the enabled predefined rules or custom rules, a corresponding security alert is generated. You can view these alerts on the CTDR > Alert page under the Aggregate and Analyze Alerts and Custom Alert Analysis tabs.

6. Generate and handle security incidents

How security incidents are generated

Security incidents are created by aggregating multiple related security alerts through predefined or custom rules, enabling swift identification and response to threats. These incidents fall into two categories based on the source of the alerts:

  • Network: CTDR focuses on hacker detection (such as scanning or reconnaissance), generating incidents from network-side alerts through predefined rules to prevent attackers from further probing user information.

  • Host: CTDR uses graph computing technology to aggregate host-side alerts with associations (such as matching MD5 hashes or parent process IDs), so that users can quickly locate and respond to attack entry points.

Important

Not all alerts generate security incidents. Only alerts that meet the following conditions do so:

  • Host-side alerts: All host-side alerts will generate security incidents.

  • Network-side alerts: Network-side alerts will generate incidents only if they match the incident aggregation strategy defined by either predefined or custom rules.

  • Whitelisting rules: If an incident whitelisting rule is applied, alerts that match this rule will not generate incidents.

  • Predefined rules: If only predefined rules are enabled, alerts will generate incidents only when they trigger the Graph Compute or Expert Rules within those predefined settings.
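As an added illustration of the conditions above (this is not CTDR's own code; the alert fields, the shape of the aggregation rule and whitelist, and the sample alerts are constructed assumptions), the following Python sketch merges host-side alerts that share an MD5 or are linked by a parent/child process on the same host, and admits network-side alerts only when an aggregation rule matches and no whitelist entry applies:

```python
from collections import defaultdict

# Constructed sample alerts (assumed field names, not CTDR's schema):
# host-side alerts carry a file MD5 and process ids, network-side alerts a source IP.
ALERTS = [
    {"id": "a1", "side": "host", "host": "h1", "md5": "m1", "pid": 10, "ppid": 1},
    {"id": "a2", "side": "host", "host": "h1", "md5": "m2", "pid": 20, "ppid": 10},  # child of a1's process
    {"id": "a3", "side": "host", "host": "h2", "md5": "m1", "pid": 30, "ppid": 1},   # same MD5 as a1
    {"id": "a4", "side": "host", "host": "h3", "md5": "m9", "pid": 40, "ppid": 1},   # unrelated
    {"id": "a5", "side": "network", "src_ip": "203.0.113.5", "type": "scan"},
    {"id": "a6", "side": "network", "src_ip": "203.0.113.5", "type": "scan"},
    {"id": "a7", "side": "network", "src_ip": "198.51.100.9", "type": "xss"},
]
# Assumed shape of a network aggregation rule: N alerts of one type from one source IP.
NETWORK_RULES = [{"type": "scan", "min_alerts": 2}]
# Assumed incident whitelist: source IPs that must never produce an incident.
WHITELIST_IPS = {"198.51.100.9"}

def host_incidents(alerts):
    """Every host-side alert lands in an incident; alerts sharing an MD5 or linked
    by parent/child process on the same host are merged (connected components)."""
    host = [a for a in alerts if a["side"] == "host"]
    parent = {a["id"]: a["id"] for a in host}  # union-find over alert ids
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for i, a in enumerate(host):
        for b in host[i + 1:]:
            same_md5 = a["md5"] == b["md5"]
            proc_link = a["host"] == b["host"] and (a["ppid"] == b["pid"] or b["ppid"] == a["pid"])
            if same_md5 or proc_link:
                parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for a in host:
        groups[find(a["id"])].append(a["id"])
    return sorted(sorted(g) for g in groups.values())

def network_incidents(alerts, rules=NETWORK_RULES, whitelist=WHITELIST_IPS):
    """Network-side alerts form an incident only when an aggregation rule matches
    and the source is not whitelisted."""
    by_key = defaultdict(list)
    for a in alerts:
        if a["side"] == "network" and a["src_ip"] not in whitelist:
            by_key[(a["src_ip"], a["type"])].append(a["id"])
    out = [(ip, sorted(ids)) for (ip, typ), ids in by_key.items()
           if any(r["type"] == typ and len(ids) >= r["min_alerts"] for r in rules)]
    return sorted(out)
```

Running it on the sample data yields two host incidents (a1, a2 and a3 merged; a4 on its own) and one network incident for the repeated scan source, while the whitelisted source produces none.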

View security incidents

On the CTDR > Security Incident page, you can click Details in the Actions column for the desired incident to view details such as the incident timeline, security alerts, associated entities, and explanations from the intelligent assistant. This helps you determine if the incident needs to be handled.

| Section | Description |
| --- | --- |
| Overview | Basic information about the incident and its ATT&CK phase, including the number of affected assets, generation method, number of associated alerts, detection rules, associated accounts, occurrence time, and alert source. |
| Timeline | The attack timeline and tracing graph of the security incident. Click Full Screen to view them in full screen, then click an alert icon to see its details. In some cases the tracing graph shows the specific attack entry point. |
| Alert | The list of security alerts aggregated into the incident. Multidimensional alert statistics (number of alerts, defense measures, occurrence time) help you determine the attack methods, the stage of the attack, and the appropriate handling measures. |
| Entity | The entities involved in the incident: hosts, files, processes, IP addresses, and host accounts. For each entity you can see basic IP information, Alibaba Cloud threat intelligence, incidents and alerts associated in the last 30 days, and associated handling tasks, which helps you identify malicious entities and affected assets. |
| Response Activity | Detailed records of the incident response and handling. |
| Intelligent Assistant | A dialog interface backed by Security Center AI that provides incident summaries, threat intelligence on related IPs, and details of affected assets. |

Handle security incidents

Security Center supports handling security incidents either manually using recommended strategies or automatically through Security Orchestration and Automation Response (SOAR).

  • Manual: Review and manage security incidents based on the severity of the security incidents and business scenarios. This approach is best for complex incidents or new, unknown threats requiring professional expertise.

  • Automatic: The system automatically manages security incidents using configured playbooks and rules, such as quarantining infected hosts or blocking suspicious IP addresses. This method is effective for known, well-defined security incidents and low-complexity threats requiring quick resolution, such as large volumes of similar low-risk alerts.

Manual

For identified malicious entities, CTDR enables one-click creation of recommended handling strategies based on detection sources or the entity’s defensible device. This feature automatically generates tasks and executes handling playbooks, facilitating prompt resolution of security incidents with Alibaba Cloud security services. For example, it can block high-risk inbound IPs using Alibaba Cloud WAF or isolate high-risk files with Alibaba Cloud Security Center.

The table below lists the entities addressed by these strategies and the specific cloud service modules involved.

| Entity | Recommended handling playbook | Associated service | Associated service module |
| --- | --- | --- | --- |
| IP address | Built-in Alibaba Cloud WAF to block incoming high-risk IPs | Alibaba Cloud Web Application Firewall | |
| IP address | Built-in Alibaba Cloud Firewall to block outgoing high-risk IPs | Alibaba Cloud Cloud Firewall | Create access control policies for the Internet firewall |
| IP address | Built-in Alibaba Cloud Firewall to block incoming high-risk IPs | Alibaba Cloud Cloud Firewall | Create access control policies for the Internet firewall |
| File | Built-in Alibaba Cloud Security Center to isolate high-risk files | Alibaba Cloud Security Center | View and handle alerts |
| Process | Built-in Alibaba Cloud Security Center to terminate high-risk processes | Alibaba Cloud Security Center | |
| Process | Built-in Alibaba Cloud Security Center to terminate high-risk processes through Command Prompt (CMD) | Alibaba Cloud Security Center | |
| Process | Built-in Alibaba Cloud Security Center to terminate and isolate high-risk processes | Alibaba Cloud Security Center | |
| Process | Built-in Alibaba Cloud Security Center to terminate high-risk processes through MD5 | Alibaba Cloud Security Center | |
| Container | Built-in Alibaba Cloud Security Center to stop high-risk containers | Alibaba Cloud Security Center | |
| Host | Built-in Alibaba Cloud security group to block incoming high-risk IPs | Alibaba Cloud ECS security group | Manage security group rules |
| Host | Built-in Alibaba Cloud security group to prohibit all outgoing traffic from the host | Alibaba Cloud ECS security group | Manage security group rules |
| Domain name | Built-in Alibaba Cloud Security Center to block malicious domain names through malicious behavior defense | Alibaba Cloud Security Center | Malicious behavior defense |

Procedure

  1. In the left-side navigation pane, select CTDR > Security Incident.

  2. On the Security Incident page, in the Actions column of the target incident, click Response Use Recommended Handling Policy.

  3. In the Use Recommended Handling Policy panel, select the malicious entities to be handled, and click Confirm and update the incident status.

    You can modify the entities and the action validity period of the recommended strategy. In the Use Recommended Handling Policy panel, click Edit in the Actions column of the corresponding entity. In the Edit Policy panel, modify parameters such as the destination account and the action validity period of the blocking rule.

  4. In the Update Incident Status dialog box, set Incident Status to either Handling or Handled, and click OK.

    • Handling: Additional actions related to incident handling will be taken, including immediate remediation, tracing, and vulnerability repair.

    • Handled: No further actions are needed.

    Once you complete this step, CTDR will automatically generate a handling strategy and execute the corresponding task. If the task fails, the incident status will be updated to Failed. If successful, the incident status will reflect the status you have specified.

  5. On the Response Activities > Handling Policies tab within the incident details, you can view the recommended handling strategy automatically generated by CTDR.


Automatic

Automatic response rules execute predefined actions when alerts or incidents are triggered. These rules address specific security incidents, such as malware infections or intrusion attempts, by taking appropriate actions like isolating malicious files or cutting off network connections.

Upon adding these rules, the system automatically matches new security incidents to the defined strategy. Successful matches prompt CTDR to immediately run the preset playbook, accelerating threat response and mitigation.

For more information, see Use SOAR.

Note

For professional guidance on configuring automatic response rules, consider purchasing Managed Security Service Enterprise Edition. For more information, see What is Managed Security Service?

The steps below outline the complete process of automatic incident response, using network attack alerts detected by WAF as an example, including the action of IP blocking.

Procedure
  1. In the left-side navigation pane, select CTDR > SOAR.

  2. On the SOAR page, under the Automatic Response Rule tab, click Create Rule.

  3. In the Create Automatic Response Rule panel, set up the response rule as shown in the figure below and click OK.


  4. On the SOAR page, under the Automatic Response Rule tab, activate the rule by toggling the switch in the Enabling Status column.


  5. Wait for a WAF-protected domain name to experience an attack event. View the corresponding incident on the Security Incident page.

  6. The Disposal Center tab shows the policies and tasks assigned to the IP under attack once the incident triggers the automatic response rule and initiates the playbook.

    • Handling policies created by automatic response rules


    • Handling tasks created by automatic response rules


  7. In the WAF console, check the attack IP blocking rules that CTDR automatically adds.

    Below are the steps for the WAF 3.0 console.

    1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

    2. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

    3. On the Core Web Protection page, in the Custom Rule area, you can view the attack IP blocking rules that CTDR automatically issues.

