
Security Center: Use threat detection rules

Last Updated: Nov 26, 2025

Cloud Threat Detection and Response (CTDR) includes built-in predefined detection rules that analyze alerts and logs, reconstruct threat attack chains and timelines, and generate integrated alerts and detailed security incidents. Additionally, CTDR supports custom detection rules, allowing you to create a tailored threat detection system.

Function description

Overview

The rule management feature of CTDR analyzes standardized logs or uses built-in playbooks to generate aggregated and custom alerts. It creates security incidents through graph computation, pass-through alert, and same type aggregation to help you manage threat incidents. Rule management can use either of the following to generate alerts and incidents:

  • SQL syntax: Detects alerts and generates incidents by filtering logs, matching features, performing window statistics, and conducting association analysis using SQL syntax within the effective log scope.

  • Playbook: Detects alerts and generates incidents by calling cloud product APIs and making judgments through playbook flows, primarily used for business status alerts.

Rule types

Predefined: Provides out-of-the-box threat detection rules that analyze logs added to CTDR within their effective log scope. Security alerts generated when rules are matched are displayed on the Aggregate and Analyze Alerts tab of the CTDR > Alert page. Predefined rules use graph association technology to aggregate alerts with the same assets or IOCs into incidents, and correlate and aggregate all alerts except custom alerts.

Custom: Allows flexible rule extensions and provides templates for complex threat detection scenarios. Users can quickly customize rules based on these templates, using either SQL syntax or playbooks. Security alerts generated by custom rules are displayed on the Custom Alert Analysis tab of the CTDR > Alert page. Custom rules generate security incidents through pass-through alert or same type aggregation.

Incident generation methods

  • Graph computation: Correlates and aggregates alerts associated with the same assets or IOCs into incidents, excluding custom analysis alerts.

  • Pass-through alert: Generates one security incident for each alert produced by the analysis rules.

  • Same type aggregation: Aggregates alerts generated by the same rule into a single security incident.

Workflow


Prerequisites

You have purchased and activated CTDR. Different rule management features are supported depending on the Log Data to Add and Log Storage Capacity you purchase.

Enable or disable predefined rules

Predefined rules are enabled by default. You can view details of predefined rules and enable or disable them, but you cannot edit or delete predefined rules.

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets to be protected are located: China or Outside China.

  2. In the left-side navigation pane, choose CTDR > Rule Management.

  3. On the Predefined tab, view the list of predefined rules. In the Actions column of the target predefined rule, click Details to view the basic information, alert generation settings, and incident generation settings of the rule.

  4. Click the Enabling Status switch for the target predefined rule to enable or disable the rule.

    In the predefined rule list, you can also select Enabled or Disabled in the Enabling Status column for the target rule to change its status.


  5. Alerts generated by predefined rules can be viewed on the Aggregate and Analyze Alerts tab of the CTDR > Alert page.

Create and enable custom rules

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets to be protected are located: China or Outside China.

  2. In the left-side navigation pane, choose CTDR > Rule Management.

  3. On the Rule Template tab, click Create Rule in the Actions column of the target template rule. You can also click Create Custom Rule on the Custom tab.

    Important

    We recommend you create rules using rule templates for simpler and more efficient configuration.

  4. In the Create Custom Rule panel, enter the rule name and description on the Basic Information tab, and click Next.

  5. On the Alert Settings tab, complete the alert generation rule configuration.

    You can view the generated alert information on the Custom Alert Analysis tab of the CTDR > Alert page. The available configuration items and their values vary depending on the configured rules. The descriptions are as follows:

    SQL syntax

    Performs alert detection and incident generation by filtering logs, matching features, performing window statistics, and conducting association analysis on logs within the effective scope using SQL syntax.

    Rule body

    Rule Body: Default is SQL.

    Log Scope: Select the log scope for this rule to detect. You need to select the standardized log category and structure. Multiple structures are supported. Click the Standard Fields link to view the description of the log fields for the current log structure.

    SQL Statement: The SQL statement queries the in-scope logs for the events of interest in order to identify potentially malicious behavior. For more information about SQL syntax, see SQL syntax and functions.

    Scheduling settings

    For custom rules with "SQL" as the rule body, after the rule is enabled, CTDR creates a corresponding scheduled SQL task in Simple Log Service (SLS) based on the Scheduling Settings. SLS generates multiple instances based on the scheduling interval. The parameters related to scheduled SQL instances are described as follows. For more information, see Manage a Scheduled SQL job and Query the result data of a Scheduled SQL job.

    • Task scheduling time: Determined by the Start Time and Scheduling Interval in the scheduling settings, not affected by timeout, delay, supplementary runs, or other situations of the previous instance.

      For example: If the start time of the rule is 2025-05-16 10:58:45 and the scheduling interval is 5 minutes, the scheduling times are 2025-05-16 10:58:45, 2025-05-16 11:03:45, 2025-05-16 11:08:45, and so on.

    • Task execution time: The actual time when the scheduled SQL instance starts execution. If a task is retried, this represents the time when the last execution started.

      Note

      Scheduled SQL tasks may experience timeout, delay, supplementary runs, and other situations, causing the task execution time to differ from the task scheduling time.

    • SQL query range: The time range for SQL analysis, determined by the Task scheduling time and SQL Time Window, unrelated to the actual task execution time. Calculation rule: [Scheduling time rounded to the minute - SQL time window, Scheduling time rounded to the minute).

      For example, suppose the start time of the rule is 2025-05-16 10:58:45, the scheduling interval is 5 minutes, and the SQL time window is 5 minutes.

      The SQL query interval for the first scheduled task is as follows:

      • Scheduling time: 2025-05-16 10:58:45

      • Data query time: [2025-05-16 10:53:00, 2025-05-16 10:58:00)

      The SQL query interval for the second scheduled task is as follows:

      • Scheduling time: 2025-05-16 11:03:45

      • Data query time: [2025-05-16 10:58:00, 2025-05-16 11:03:00)

    Scheduling Interval: Set the frequency for executing SQL queries. You can use one of the following methods:

    • Fixed Interval: Allowed range is 5 minutes to 24 hours.

    • Cron Expression: Minimum precision is minutes, format is 24-hour. Configuration examples:

      • 0/5 * * * *: Execute every 5 minutes starting from minute 0.

      • 0 0/1 * * *: Execute every 1 hour starting from 0:00.

      • 0 18 * * *: Execute once daily at 18:00.

      • 0 0 1 * *: Execute once monthly on the 1st at 0:00.

    SQL Time Window: Specify the log time range for the scheduled SQL query. Allowed range: 5 minutes to 24 hours.

    Important

    The window period must be greater than or equal to the Scheduling Interval.

    Start Time: The time when scheduled SQL instances start executing after the rule is enabled. You can use one of the following methods:

    • Rule Enabled At: The moment when the rule is enabled.

    • Specified Time: A specific time that you set, accurate to the minute.
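
    The scheduling arithmetic above, as an added example (not CTDR's own code): it reproduces the page's 10:58:45 / 5-minute case and also shows why the SQL Time Window must not be shorter than the Scheduling Interval, because the query ranges then leave log time that no instance ever scans. The interval and window are passed as minutes; the start time is the page's example value.

```python
from datetime import datetime, timedelta

# Constructed rule settings taken from the page's worked example
# (start time 2025-05-16 10:58:45, 5-minute interval, 5-minute window).
START_TIME = datetime(2025, 5, 16, 10, 58, 45)
FMT = "%Y-%m-%d %H:%M:%S"


def scheduling_times(start, interval_min, count):
    """Task scheduling times: start + k * interval. They depend only on the
    Start Time and Scheduling Interval, not on how late or how long the
    previous instance actually ran."""
    return [start + timedelta(minutes=interval_min * k) for k in range(count)]


def query_range(sched_time, window_min):
    """SQL query range of one instance, per the page's rule:
    [sched time rounded down to the minute - window, sched time rounded down to the minute)."""
    minute = sched_time.replace(second=0, microsecond=0)
    return (minute - timedelta(minutes=window_min), minute)


def query_ranges(start, interval_min, window_min, count):
    return [query_range(t, window_min)
            for t in scheduling_times(start, interval_min, count)]


def coverage_gaps(ranges):
    """Log time lying between consecutive query ranges, which no instance scans.
    Empty whenever window >= interval, which is why the console requires the
    SQL Time Window to be at least the Scheduling Interval."""
    return [(prev_end, next_start)
            for (_, prev_end), (next_start, _) in zip(ranges, ranges[1:])
            if next_start > prev_end]


def query_ranges_str(start, interval_min, window_min, count):
    return [(lo.strftime(FMT), hi.strftime(FMT))
            for lo, hi in query_ranges(start, interval_min, window_min, count)]


def gaps_str(start, interval_min, window_min, count):
    return [(lo.strftime(FMT), hi.strftime(FMT))
            for lo, hi in coverage_gaps(query_ranges(start, interval_min, window_min, count))]


def page_example(count=2):
    """The page's case: 5-minute interval and 5-minute window."""
    return query_ranges_str(START_TIME, 5, 5, count)


def gap_example():
    """A 10-minute interval with a 5-minute window (rejected by the console)."""
    return gaps_str(START_TIME, 10, 5, 3)


if __name__ == "__main__":
    for lo, hi in page_example(3):
        print(f"query range [{lo}, {hi})")
    for lo, hi in gap_example():
        print(f"unscanned log time [{lo}, {hi})")
```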

    Alert log generation

    CTDR generates different alert logs based on the Alert Log Generation configuration items. You can view the generated alert logs in CTDR > Log Management.

    Generation Structure: Select the type of alert log generated by this rule. Valid values:

    • Endpoint detection and response alert logs

    • Firewall alert logs

    • Web Application Firewall alert logs

    • Other alert logs

    You can click View Standard Fields on the Standardized Rule tab of the CTDR > Integration Center page to view the basic information and field details of the target log type.

    Alert Type: Select the alert type detected by the current rule.

    Alert Level: Select the risk level of alerts detected by the current rule. Valid values:

    • Information

    • Low-risk

    • Medium-risk

    • High-risk

    • Serious

    ATT&CK Phase: Select the attack stage and attack technique detected by the current rule. If the threat detected by the current rule involves multiple attack stages, you can click Add Attack Phase. Within the same attack phase, you can select multiple attack techniques. The total number of attack techniques across all attack stages must be less than or equal to 5.

    Alert suppression

    The system can control the number of security alerts generated based on the rules configured in Alert Suppression, but the generation and delivery of alert logs are not affected.

    CTDR groups by the Cartesian product of the field values in the suppression conditions, and each group has a limit of 100 security alerts within the suppression window. When alert records exceed the limit, subsequent records matching the same conditions will no longer generate security alerts.

    Suppression Window:

    • The Suppression Window determines the statistical period for alert records.

    • The suppression window start time is the time when the rule generates the first alert log data.

    • Allowed range is 5 minutes to 24 hours.

    Note

    Assume that the first alert data generated by the rule is at May 16, 2025, 10:58:45, and the suppression window is set to 10 minutes. The time range of the first suppression window is then 10:58:45 to 11:08:45, the time range of the second suppression window is 11:08:45 to 11:18:45, and so on.

    Suppression Condition:

    • The dropdown data comes from the standardized log fields corresponding to the alert log selected in the Generation Structure setting in Alert Log Generation.

      You can click View Standard Fields on the Standardized Rule tab of the CTDR > Integration Center page to view the basic information and field details of the target log.

    • CTDR groups by the Cartesian product of the field values in the suppression conditions.

      For example: If there are two field suppression conditions A and B, where the value set of A is {1,2} and the value set of B is {3,4}, there are 4 combinations in total, {1,3}, {1,4}, {2,3}, and {2,4}, and each combination is a group.

    • Each group has a limit of 100 security alerts within the window period.

    Important

    Suppression conditions are optional. If no suppression conditions are configured, the total limit of security alerts generated by the rule during the entire window period is 100.
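
    An added example (not CTDR's own code) of the suppression behaviour described above: windows are counted from the first alert log record, groups are the Cartesian product of the condition fields' values, each group yields at most 100 security alerts per window, and with no conditions the rule as a whole is one group. The alert log records, the src_ip field name and the two addresses are constructed for the demonstration.

```python
from datetime import datetime, timedelta
from itertools import product

LIMIT_PER_GROUP = 100  # CTDR's fixed cap: security alerts per group per suppression window


def suppress(alert_logs, window_min, condition_fields=(), limit=LIMIT_PER_GROUP):
    """Return the alert log records that still become security alerts.

    alert_logs: time-ordered dicts with a "time" (datetime) and standardized fields.
    Windows are numbered from the first record's time: window k covers
    [first + k*window, first + (k+1)*window). Each (window, group) pair may
    produce at most `limit` security alerts; every record still reaches the alert log."""
    if not alert_logs:
        return []
    first = alert_logs[0]["time"]
    window = timedelta(minutes=window_min)
    counts = {}  # (window index, group key) -> security alerts generated so far
    generated = []
    for rec in alert_logs:
        k = (rec["time"] - first) // window
        key = tuple(rec.get(f) for f in condition_fields)  # () when no conditions: one group
        n = counts.get((k, key), 0)
        if n < limit:
            counts[(k, key)] = n + 1
            generated.append(rec)
    return generated


def expected_groups(value_sets):
    """Groups = Cartesian product of the condition fields' value sets
    (the page's A={1,2}, B={3,4} example gives 4 groups)."""
    return list(product(*value_sets))


def constructed_logs():
    """Constructed sample: 250 records inside the first 10-minute window, alternating
    between two source IPs, then 20 more records after the window rolls over."""
    first = datetime(2025, 5, 16, 10, 58, 45)
    ips = ["192.0.2.10", "192.0.2.20"]  # documentation addresses, not real hosts
    logs = [{"time": first + timedelta(seconds=2 * i), "src_ip": ips[i % 2]}
            for i in range(250)]
    logs += [{"time": first + timedelta(minutes=10, seconds=i), "src_ip": ips[i % 2]}
             for i in range(20)]
    return logs


def security_alert_count(condition_fields):
    """Security alerts the constructed sample yields with a 10-minute window."""
    return len(suppress(constructed_logs(), window_min=10, condition_fields=condition_fields))


if __name__ == "__main__":
    print("no condition      :", security_alert_count(()))           # 100 in window 1 + 20
    print("grouped by src_ip :", security_alert_count(("src_ip",)))  # 2 x 100 + 20
    print("groups for A, B   :", expected_groups([[1, 2], [3, 4]]))
```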

    Playbook

    Detects alerts and generates incidents by calling cloud product APIs and making judgments through playbook flows. Generally used for business status alerts.

    Note

    If the rule is created through a Rule template (playbook), a corresponding custom playbook will be automatically created. You can view it on the Custom Playbook tab in CTDR > SOAR.

    Rule body

    Rule Body: Select Playbook.

    Playbook Name:

    • If creating a rule through a Rule template (playbook), you can modify the playbook name but must ensure it is unique.

    • If creating a rule by clicking Create Custom Rule on the Custom tab, you can select an appropriate playbook from the dropdown list.

      Important

      Only playbooks that meet all of the following conditions appear in the dropdown list:

      • Playbook type is custom.

      • Playbook status is published.

      • The input parameter type of the playbook's start node is Custom.

      • The playbook is not associated with any other detection rule.

    Playbook Description:

    • If creating a rule through a Rule template (playbook), you can modify it.

    • If creating a rule by clicking Create Custom Rule on the Custom tab, the description of the target playbook in SOAR is pulled automatically and cannot be modified.

    Parameter settings

    Parameter settings are only required when creating a rule through a Rule template (playbook). Different playbooks require different parameters. You can click the image icon next to a parameter to view its meaning and configuration instructions.

    Authorization

    Authorization is only required when creating a rule through a Rule template (playbook).

    • Execution Role: If you have not created a role yet, click Go to RAM Console to Create Role, and confirm the authorization to create a role named AliyunSiemSoarExecutionDefaultRole.

      Warning

      If you do not have permission to create roles, contact the RAM administrator (a RAM user with resource management permissions, or the main account) to complete role creation and trust policy binding in the RAM console. For specific operations, see Create a RAM role for a trusted Alibaba Cloud service. Take note of the following settings when you create the role:

      • Trusted entity: Alibaba Cloud Service.

      • Trusted entity name: cloudsiem.sas.aliyuncs.com.

      • Role name: AliyunSiemSoarExecutionDefaultRole

    • Permission Policy: The system will list the permission policies required to execute the playbook based on the selected template playbook. If you have not bound permission policies yet, click Modify Policy, select the unauthorized policies, and then click Authorize in RAM Console. Complete the authorization on the Resource Access Management quick authorization page.

      Warning

      If you do not have permission to authorize, you can contact the RAM administrator (a RAM user with resource management permissions or the main account) to bind the permission policies required to execute the playbook to the AliyunSiemSoarExecutionDefaultRole role. For the operation steps, see Grant permissions to a RAM role.

    Scheduling settings

    For custom rules with "Playbook" as the rule body, after the rule is enabled, CTDR creates a playbook call scheduled task in CTDR based on the Scheduling Settings.

    Note

    • When a scheduled task fails to execute the playbook within one cycle, the system automatically retries after 30 seconds. If execution is still unsuccessful, the current task flow is terminated and enters a waiting state until the next preset execution cycle starts the task again.

    • You can view the playbook execution records on the details page of the custom playbook in the SOAR module.

    Scheduling Interval: Set the time interval for executing the playbook. Valid values:

    • Fixed Interval: Allowed range is 5 minutes to 24 hours.

    • Cron Expression: Minimum precision is minutes, format is 24-hour. Configuration examples:

      • 0/5 * * * *: Execute every 5 minutes starting from minute 0.

      • 0 0/1 * * *: Execute every 1 hour starting from 0:00.

      • 0 18 * * *: Execute once daily at 18:00.

      • 0 0 1 * *: Execute once monthly on the 1st at 0:00.

    Start Time: The time when the playbook starts executing after the rule is enabled. Valid values:

    • Rule Enabled At: The moment when the rule is enabled.

    • Specified Time: A specific time that you set, accurate to the minute.

    Alert log generation

    CTDR generates different alert logs based on the Alert Log Generation configuration items. You can view the generated alert logs in CTDR > Log Management.

    Generation Structure: Only the Other Alert Logs option is supported. You can click View Standard Fields on the Standardized Rule tab of the CTDR > Integration Center page to view the basic information and field details of the target log type.

    Alert Type: Select the alert type detected by the current rule.

    Alert Level: Select the risk level of alerts detected by the current rule. Valid values:

    • Information

    • Low-risk

    • Medium-risk

    • High-risk

    • Serious

    ATT&CK Phase: Select the attack stage and attack technique detected by the current rule. If the threat detected by the current rule involves multiple attack stages, you can click Add Attack Phase. Within the same attack phase, you can select multiple attack techniques. The total number of attack techniques across all attack stages must be less than or equal to 5.

    Alert suppression

    The system can control the number of security alerts generated based on the rules configured in Alert Suppression, but the generation and delivery of alert logs are not affected.

    CTDR groups by the Cartesian product of the field values in the suppression conditions, and each group has a limit of 100 security alerts within the suppression window. When alert records exceed the limit, subsequent records matching the same conditions will no longer generate security alerts.

    Suppression Window:

    • The Suppression Window determines the statistical period for alert records.

    • The suppression window start time is the time when the rule generates the first alert log data.

    • Allowed range is 5 minutes to 24 hours.

    Note

    Assume that the first alert data generated by the rule is at May 16, 2025, 10:58:45, and the suppression window is set to 10 minutes. The time range of the first suppression window is then 10:58:45 to 11:08:45, the time range of the second suppression window is 11:08:45 to 11:18:45, and so on.

    Suppression Condition:

    • The dropdown data comes from the standardized log fields corresponding to the alert log selected in the Generation Structure setting in Alert Log Generation.

      You can click View Standard Fields on the Standardized Rule tab of the CTDR > Integration Center page to view the basic information and field details of the target log.

    • CTDR groups by the Cartesian product of the field values in the suppression conditions.

      For example: If there are two field suppression conditions A and B, where the value set of A is {1,2} and the value set of B is {3,4}, there are 4 combinations in total, {1,3}, {1,4}, {2,3}, and {2,4}, and each combination is a group.

    • Each group has a limit of 100 security alerts within the window period.

    Important

    Suppression conditions are optional. If no suppression conditions are configured, the total limit of security alerts generated by the rule during the entire window period is 100.

  6. On the Incident Generation Settings tab, complete the security incident generation rule configuration.

    You can view and handle the generated incidents on the CTDR > Security Incident page.

    Generate Event: Select whether alerts that match the rule generate incidents.

    Incident Generation Method:

    • Pass-through alert: Generates one security incident for each alert generated based on the current rule.

    • Same type aggregation: Aggregates all alerts generated based on the current rule into one security incident.

    Aggregation Window: You need to configure the window size only for the Same Type Aggregation scenario. The valid range is 5 minutes to 24 hours. For example, if the aggregation window is set to 5 minutes, all security alerts generated within this 5-minute period are aggregated into a single security incident.
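
    An added example (not CTDR's own code) that models the two incident generation methods above and shows how the aggregation window changes the incident count for the same alerts. The page does not say how CTDR aligns the aggregation window, so the window start used here is an assumption noted in the code; the alert records and rule IDs are constructed.

```python
from datetime import datetime, timedelta


def generate_incidents(alerts, method, aggregation_window_min=None):
    """Turn security alerts into security incidents.

    alerts: time-ordered dicts with "time" (datetime) and "rule_id".
    "pass_through": one incident per alert.
    "same_type": alerts of the same rule inside one aggregation window form one
    incident. Assumption (not stated on the page): a rule's window opens at its
    first alert, and a new window opens at the first alert after it expires."""
    if method == "pass_through":
        return [{"rule_id": a["rule_id"], "alerts": [a]} for a in alerts]
    if method != "same_type":
        raise ValueError(f"unknown incident generation method: {method}")
    window = timedelta(minutes=aggregation_window_min)
    incidents = []
    current = {}  # rule_id -> (window end, open incident)
    for a in alerts:
        entry = current.get(a["rule_id"])
        if entry is None or a["time"] >= entry[0]:
            inc = {"rule_id": a["rule_id"], "alerts": []}
            incidents.append(inc)
            entry = (a["time"] + window, inc)
            current[a["rule_id"]] = entry
        entry[1]["alerts"].append(a)
    return incidents


def constructed_alerts():
    """Constructed sample: rule r1 fires at +0, +1, +2 and again at +6, +7 minutes;
    rule r2 fires at +0 and +3 minutes."""
    base = datetime(2025, 5, 16, 11, 0, 0)
    fired = [("r1", 0), ("r2", 0), ("r1", 1), ("r1", 2), ("r2", 3), ("r1", 6), ("r1", 7)]
    return [{"rule_id": r, "time": base + timedelta(minutes=m)} for r, m in fired]


def incident_counts(window_min=5):
    """(pass-through incidents, same type aggregation incidents) for the sample."""
    alerts = constructed_alerts()
    pass_through = generate_incidents(alerts, "pass_through")
    aggregated = generate_incidents(alerts, "same_type", window_min)
    return len(pass_through), len(aggregated)


if __name__ == "__main__":
    pt, agg = incident_counts()
    print(f"pass-through: {pt} incidents; same type aggregation, 5-minute window: {agg}")
```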

  7. Enable custom rules: Newly created rules are in the Disabled state. You can change the status in the Enabling Status column of the custom rule list.

    Note

    We recommend you test the custom rules before enabling them.

Test custom rules (optional)

Before enabling custom rules, you can change the rule's Enabling Status to Testing to view alert test results and confirm whether the output meets your expectations. The system will calibrate alert fields, values, standardized fields, and other elements based on built-in calibration logic. You can review the calibration results in the console and adjust the rule body, SQL syntax, or playbook as needed to ensure the alert logs generated upon official enabling meet the calibration requirements.

Note

  • The testing phase is not mandatory, and calibration results do not affect rule enablement.

  • Alert results produced during testing are not displayed on the Alert page.

The specific steps for testing custom rules are as follows:

  1. On the Custom tab, change the Enabling Status of the target rule to Testing.

  2. In the Actions column of the target rule, click View Alert Test Result.

  3. On the test results details page, view the alert trend chart and alert list generated by the test.

    You can click Details in the Actions column of the target alert to view the calibration results of the alert.

What to do next

After threat detection rules take effect, if the log data matches the detection rules, corresponding security alerts and security incidents will be generated. You can refer to the following instructions to handle them:

  • View the generated alert information on the Custom Alert Analysis and Aggregate and Analyze Alerts tabs of the CTDR > Alert page. For more information, see Security alerts.

  • View and handle the generated incidents on the CTDR > Security Incident page. For more information, see CTDR security incidents.

References

For more information about adding cloud product logs into CTDR, see Service Integration.