After you enable the threat analysis and response feature, you can add logs of cloud services to the feature to monitor and analyze alerts and logs across resources in a centralized manner. The cloud services can belong to the same Alibaba Cloud account as Security Center, a different Alibaba Cloud account from Security Center, or a third-party cloud account. After you add logs, the threat analysis and response feature monitors and analyzes the added logs, identifies and builds attack chains, and generates security events. This improves the analysis and handling efficiency of alerts.
Prerequisites
The threat analysis and response feature is enabled. For more information, see Purchase and enable threat analysis and response.
Simple Log Service is activated for the cloud service whose logs you want to add to the threat analysis and response feature. For more information, see the documentation of the cloud service on the official website, or click View Document in the Select Account panel.
Add logs of cloud services within the same Alibaba Cloud account
If the cloud service whose logs you want to add to the threat analysis and response feature belongs to the Alibaba Cloud account that is used to purchase the feature, you can directly find the cloud service and select log types on the Service Integration page to add logs.
In the left-side navigation pane, choose .
On the Service Integration page, find the required cloud service and click Access Settings in the Actions column.
In the panel that appears, find the required log type and click Select in the Import Account column.
In the Select Account panel, select the current logon account. Then, select a Logstore if required.
Note: If your Alibaba Cloud account has passed only individual real-name verification, only that account is displayed in the Select Account panel.
If a cloud service such as Security Center supports only a dedicated Logstore, you need to only select the current logon account. You do not need to select a Logstore. After you select the current logon account, the logs of the cloud service are automatically stored in the dedicated Logstore.
If a cloud service also supports custom Logstores, you must select the current logon account and the required Logstore from the drop-down list in the LogStore (Format: regionId.project.logStore) column. Alternatively, you can copy and paste the name of the custom Logstore that you want to use. The name of a Logstore is in the regionId.project.logStore format.
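When many custom Logstore names are pasted into the console (or submitted through the API operations mentioned later on this page), a malformed name is easiest to catch before it is submitted. The following Python helper is an added example, not code from Security Center or Simple Log Service: it splits a regionId.project.logStore string into its three segments and validates each one. The naming rules it enforces (region IDs such as cn-hangzhou or ap-southeast-1; project names of 3 to 63 lowercase letters, digits and hyphens; Logstore names that additionally allow underscores; both starting and ending with a letter or digit) are assumptions taken from Simple Log Service naming conventions and are not stated on this page.

```python
import re
from dataclasses import dataclass

# Assumed naming rules (not stated on this page): region IDs look like
# cn-hangzhou or ap-southeast-1; project names use lowercase letters, digits and
# hyphens; Logstore names additionally allow underscores; both are 3 to 63
# characters and must start and end with a lowercase letter or a digit.
_REGION_RE = re.compile(r"^[a-z]+(?:-[a-z0-9]+)+$")
_PROJECT_RE = re.compile(r"^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$")
_LOGSTORE_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{1,61}[a-z0-9]$")


@dataclass(frozen=True)
class LogstoreRef:
    """One custom Logstore reference in the regionId.project.logStore form."""
    region_id: str
    project: str
    logstore: str

    def __str__(self) -> str:
        return f"{self.region_id}.{self.project}.{self.logstore}"


def parse_logstore_ref(value: str) -> LogstoreRef:
    """Split and validate a regionId.project.logStore string.

    Raises ValueError with a message naming the offending segment, so a name
    that the console rejects can be traced to its region, project or Logstore
    part instead of being retyped blindly.
    """
    parts = value.strip().split(".")
    if len(parts) != 3:
        raise ValueError(
            f"{value!r}: expected exactly 3 dot-separated parts, got {len(parts)}"
        )
    region_id, project, logstore = parts
    if not _REGION_RE.fullmatch(region_id):
        raise ValueError(
            f"{value!r}: region ID {region_id!r} is not in a form like cn-hangzhou"
        )
    if not _PROJECT_RE.fullmatch(project):
        raise ValueError(
            f"{value!r}: project name {project!r} violates project naming rules"
        )
    if not _LOGSTORE_RE.fullmatch(logstore):
        raise ValueError(
            f"{value!r}: Logstore name {logstore!r} violates Logstore naming rules"
        )
    return LogstoreRef(region_id, project, logstore)


def check_logstore_refs(values):
    """Validate a batch of pasted names; return (valid refs, {bad name: reason})."""
    valid, errors = [], {}
    for raw in values:
        try:
            valid.append(parse_logstore_ref(raw))
        except ValueError as exc:
            errors[raw] = str(exc)
    return valid, errors


if __name__ == "__main__":
    # Constructed sample input, not taken from any real account.
    sample = [
        "cn-hangzhou.waf-prod.waf_access",
        "ap-southeast-1.cfw-logs.cfw-alerts",
        "cn-hangzhou.waf-prod",             # missing Logstore segment
        "cn-hangzhou.Waf-Prod.waf_access",  # uppercase is not allowed
    ]
    ok, bad = check_logstore_refs(sample)
    for ref in ok:
        print("ok  ", ref)
    for why in bad.values():
        print("bad ", why)
```

Run it against the list of names you intend to paste; the two valid sample names parse, and the two malformed ones are reported with the segment that failed. Because neither project nor Logstore names may contain a dot under the assumed rules, splitting on the dot is unambiguous.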
Add logs of cloud services across Alibaba Cloud accounts
If you want to centrally manage the logs of cloud services that belong to different Alibaba Cloud accounts in the Security Center console, you can use the multi-account management feature that is jointly launched by Resource Directory of Resource Management and Security Center. You can use the feature to establish a multi-account structure for the accounts and resources of your enterprise to implement centralized management.
The Alibaba Cloud accounts that can be added to a resource directory must belong to the same enterprise and pass enterprise real-name verification. You can authorize the threat analysis and response feature to access a resource directory only once. If your Alibaba Cloud account has passed only individual real-name verification, the threat analysis and response feature can collect logs only from that account, and you do not need to configure settings in Resource Directory.
1. Establish a multi-account structure
Enable a resource directory and specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as a delegated administrator account.
Log on to the Resource Management console with the management account.
The first time you use Resource Directory, click Resource Directory in the left-side navigation pane, and click Enable Resource Directory. Then, follow the on-screen instructions to enable a resource directory. For more information, see Enable a resource directory.
Create a member or invite an Alibaba Cloud account to join the resource directory.
Create a member: In the left-side navigation pane, choose . Then, create a member. For more information, see Create a member.
Invite a member: In the left-side navigation pane, choose . Then, invite an Alibaba Cloud account to join the resource directory. For more information, see Invite an Alibaba Cloud account to join a resource directory.
Specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as a delegated administrator account.
In the left-side navigation pane, choose . In the Actions column of Security Center - Threat Analysis, click Manage to specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as a delegated administrator account. For more information, see Add a delegated administrator account.
2. Add the member to threat analysis and response for monitoring
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
The first time you use the multi-account management feature, click Enable Management in Security Center.
After you enable the multi-account management feature, the system automatically creates a service-linked role named AliyunServiceRoleForSasRd for the member. Security Center can assume this role to access the resources of cloud services within the member, such as Virtual Private Cloud (VPC) and Cloud Firewall. After you add the cloud services to the threat analysis and response feature, you can use the feature to monitor the logs of the cloud services, deliver logs, and handle security events. The threat analysis and response feature provides centralized alert management and threat source tracing capabilities.
On the tab, click Account Management. In the Add Account panel, select the member and click OK. The member must be an Alibaba Cloud account.
Optional. In the account list, turn on Access Authorization for the added Alibaba Cloud account.
After you turn on Access Authorization, the added Alibaba Cloud account is granted read-only permissions on the Alert and Log Management pages, and can view, within its own account, the resource data that has been added to the threat analysis and response feature.
3. Add logs of cloud services within the member
You can add logs of cloud services across Alibaba Cloud accounts in the same manner as you add logs of a cloud service within the same Alibaba Cloud account. The only difference is that in the Select Account panel you select the member instead of the current logon account. For more information, see Add logs of cloud services within the same Alibaba Cloud account.
Add logs of cloud services within a third-party cloud account
If your business is deployed on Alibaba Cloud and a third-party cloud service and you want to manage alerts across cloud environments, you can add your third-party cloud account to the threat analysis and response feature to implement centralized alert monitoring and operations management. Supported providers of third-party cloud services are Huawei Cloud and Tencent Cloud.
1. Configure a third-party cloud account
Configure a Huawei Cloud sub-account
Configure a Tencent Cloud sub-account
2. Add the third-party cloud account to threat analysis and response
You must add the third-party cloud account to threat analysis and response by entering the AccessKey pair of the sub-account. This way, threat analysis and response can obtain the alert logs of third-party cloud assets.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
Grant permissions to the sub-account.
Security Center uses the AccessKey pair of the sub-account to obtain read permissions on third-party cloud assets and to synchronize the information about those assets. Grant the sub-account only the read permissions that this requires: whatever permissions the sub-account holds become available to the holder of its AccessKey pair.
In the left-side navigation pane, choose .
On the tab, click Grant Permission, and select the required third-party cloud service provider from the drop-down list. Tencent Cloud and Huawei Cloud are supported. In the Edit Multi-cloud Configuration panel, select Manual Configuration, select the option for the threat analysis and response feature in the Permission Description section, and then click Next.
In the Submit AccessKey Pair step, enter the AccessKey pair of the sub-account and click Next.
In the Policy Configuration step, configure the AK Service Status Check parameter and click OK.
Add the sub-account to threat analysis.
In the left-side navigation pane, choose .
In the Multi-cloud Service Access section, move the pointer over the icon of the required third-party cloud service provider and click Add Account.
In the Add Account panel, click Add.
In the Account Association Settings panel, enter the name and ID of the master account for the sub-account, select the AccessKey ID of the sub-account, and then click Associate Account and Associate Data Source.
In the Data Source Settings panel, specify the cloud services whose logs you want to add.
A cloud service corresponds to a data source, and an access method of the data source corresponds to a log type of the cloud service. You must select an access method for a data source based on your log type. The following table describes the mapping relationships between log types and access methods.
Cloud service provider | Log type                    | Access method
Huawei Cloud           | Alert logs of Cloud Firewall | obs
Huawei Cloud           | Alert logs of WAF            | obs
Tencent Cloud          | Alert logs of Cloud Firewall | ckafka
Tencent Cloud          | Alert logs of WAF            | wafApi
3. Add logs of cloud services within the third-party cloud account
In the left-side navigation pane, choose .
On the Service Integration page, find the third-party cloud service whose logs you want to add and click Access Settings in the Actions column.
In the panel that appears, find the required log type and click the value in the Associated Accounts column.
In the panel that appears, select the sub-account and click OK.
Turn on or turn off the switch in the Automatically Associate New Accounts column based on your business requirements.
Automatically Associate New Accounts: If you turn on the switch for a log type and a new third-party cloud account is added to Security Center, threat analysis and response automatically adds the logs of that log type from the cloud services within the new account.
Reference
After you add logs of cloud services to threat analysis and response, you can configure detection rules to aggregate multiple related alerts into security events that contain complete attack chains. This reduces the number of alerts and improves the analysis and handling efficiency of alerts. For more information, see Use detection rules.
You can use the charts on the dashboard provided by threat analysis and response to centrally monitor and manage the security status of your enterprise across cloud platforms, accounts, and cloud services. You can also review the performance of security operations. For more information, see Dashboard.
You can use the log management feature of threat analysis and response to quickly query logs and view information about logs. This helps simplify log management in a multi-resource environment. For more information, see Log management.
You can call API operations to submit multiple cloud service adding tasks or log adding tasks at the same time, or view cloud accounts that are added to threat analysis. For more information, see Log Management.
Does the threat analysis and response feature support devices in a data center?