The Disposal Center gives your security team a single place to view, manage, and audit all response actions — whether triggered manually or by automated rules. It abstracts response actions into standardized disposal policies and disposal tasks.
Key concepts
| Concept | Description |
|---|---|
| Entity Object | A core object involved in an alert or incident. Examples include IP addresses, domain names, file hashes, processes, hosts, containers, cloud resource IDs such as Elastic Compute Service (ECS) instance IDs, and user accounts. |
| Handling Component | An atomic tool that performs a specific security operation — a single, minimal action such as blocking an IP address or quarantining a file. |
| Script | An automated security workflow, also referred to on this page as a playbook, composed of one or more Handling Components. It predefines a complete response path, from trigger conditions and decision logic to execution actions. |
| Handling Policies | A complete security response decision. When a playbook is triggered, the system generates a disposal policy that specifies which entity to target (What), which playbook to run (How), and where the response takes effect (Where). |
| Handling Tasks | The execution record of a disposal policy on a specific target, such as a cloud account or a resource. A single Handling Policies entry can correspond to multiple Handling Tasks (one-to-many relationship). Each task records the detailed result (success or failure) of a single operation. |
Overview
Data sources
Disposal policies and disposal tasks are generated from the following sources:
| Trigger type | Trigger condition | Requires Agentic SOC |
|---|---|---|
| Manual Handling Event | Handle a security event using Use Recommended Handling Policy, Run Playbook, or Add to Whitelist | No |
| Incident Trigger Playbook | An automated response rule in Response Rules fires on an Event Occurrence or Event Update and runs a playbook | Yes |
| Alert Trigger Playbook | An automated response rule in Response Rules fires on an Alert Occurrence and runs a playbook | Yes |
| Manual Execution Playbook | In Response Rules, manually run a Custom Playbook or Predefined Playbook | Yes |
For details, see:
Manual handling: Assess and handle CWPP security events or Assess and handle Agentic SOC security events
Automated response rules: Automated response rules
Playbook configuration: Playbook configuration guide
Data retention
Disposal policy and disposal task data is retained for 90 days by default.
If your Agentic SOC service expires or is canceled, data generated by the service is retained for only 15 days. Back up or migrate your data before the service ends.
View disposal policies
Log on to the Security Center console.
In the left-side navigation pane, choose Detection and Response > Incident Response. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
If you have activated Agentic SOC, the navigation path changes to Agentic SOC > Incident Response.
On the Handling Policies tab, view information about security incident disposal policies. You can filter by Entity Type, Disposal Action, Entity Value, or Policy Status. The following actions are available:
Entity Object: Click the name of the Entity Object to view its context, Alibaba Cloud threat intelligence, related alerts, and other information.
Associated Source: Click an entry in the Associated Source column to view the alerts, incidents, or playbooks associated with the disposal policy.
View Task: In the Actions column, click View Task to go to the Handling Tasks page and view tasks associated with the policy.
View Script: Click the name of a Script to view its run and publish history, basic description, and configured workflow components.
Activating Agentic SOC is required to view playbook information.
View and manage Handling Tasks
View disposal tasks
On the Handling Tasks tab, you can filter by Task Status or Entity Type. The following information is available:
Entity Object: Click the name of the Entity Object to view its context, Alibaba Cloud threat intelligence, related alerts, and other information.
Handling Component: The disposal component within a playbook that was executed to resolve the security threat. For a full list of components, see Appendix: Common security disposal components.
View Script: Click the name of a Script to view its run and publish history, basic description, and configured workflow components.
Activating Agentic SOC is required to view playbook information.
Task Status: A task can have one of the following statuses: Waiting, Executing, Succeeded, Partially Succeeded, Failed, or Ignored. If a task's status is Failed, hover over the icon to view the failure reason.
Manage Handling Tasks
Retry: To retry a failed task, click Retry in the Actions column.
If Retry is grayed out, the task cannot be retried because the underlying action is irreversible.
Unblock: If a task blocked an IP address, click Unblock in the Actions column to remove the block. Only do this after confirming the IP address is no longer a threat.
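Because one Handling Policies entry fans out into multiple Handling Tasks, a response can be in effect on some targets and missing on others. The following added example is not Security Center code: the record fields and sample data are constructed and hypothetical, not an export or API format. It groups tasks by policy and lists the targets that still need review.

```python
from collections import defaultdict

# Constructed sample records. The field names are hypothetical, not a
# Security Center export or API format. Status values and component
# identifiers are the ones listed on this page.
TASKS = [
    {"policy": "P-1", "entity": "203.0.113.7", "component": "AliyunWafBlockIP",
     "target": "account-a", "status": "Succeeded"},
    {"policy": "P-1", "entity": "203.0.113.7", "component": "AliyunWafBlockIP",
     "target": "account-b", "status": "Failed", "reason": "Quota exceeded"},
    {"policy": "P-1", "entity": "203.0.113.7", "component": "AliyunWafBlockIP",
     "target": "account-c", "status": "Executing"},
    {"policy": "P-2", "entity": "malware.example", "component": "AliNetBlockDNS",
     "target": "account-a", "status": "Succeeded"},
    {"policy": "P-3", "entity": "198.51.100.9", "component": "AliyunFirewallProcess",
     "target": "account-a", "status": "Partially Succeeded"},
]

PENDING = {"Waiting", "Executing"}
# Assumption: only Succeeded means the action is fully in effect on a target;
# Failed, Partially Succeeded and Ignored are treated as gaps to review.
GAP = {"Failed", "Partially Succeeded", "Ignored"}


def coverage_gaps(tasks):
    """Return, per policy, the targets where the response is not in effect."""
    by_policy = defaultdict(list)
    for task in tasks:
        by_policy[task["policy"]].append(task)

    report = {}
    for policy, items in by_policy.items():
        unknown = [t["status"] for t in items
                   if t["status"] not in GAP | PENDING | {"Succeeded"}]
        if unknown:
            raise ValueError(f"{policy}: unexpected status {unknown}")
        gaps = [(t["target"], t["status"], t.get("reason", "unknown"))
                for t in items if t["status"] in GAP]
        pending = [t["target"] for t in items if t["status"] in PENDING]
        if gaps or pending:
            report[policy] = {"entity": items[0]["entity"],
                              "component": items[0]["component"],
                              "gaps": gaps, "pending": pending}
    return report


if __name__ == "__main__":
    for policy, info in coverage_gaps(TASKS).items():
        print(policy, info)
```

A policy that appears in the report is only partly enforced: in the sample data, the WAF block for P-1 succeeded in one account, failed on quota in another, and is still executing in a third.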
Billing
The Disposal Center is included in all paid editions of Security Center at no additional charge.
Subscription users: Access this feature by purchasing any paid edition.
Pay-as-you-go users: Access this feature by enabling any pay-as-you-go module.
Some disposal actions interact with other paid cloud products, such as Web Application Firewall (WAF), CDN, and Anti-DDoS Proxy. These interactions may incur additional API call fees. For details, see the pricing documentation for the relevant products.
Appendix: Common security disposal components
| Identifier | Action type | Description |
|---|---|---|
| AegisKillProcess | Process termination | Security Center component to terminate a process |
| AegisDeepCleanUp | Malware scanning | Security Center component for in-depth malware scanning |
| AegisQuaraFile | File quarantine | Security Center component to quarantine a file |
| AegisKillQuara | Process termination + file quarantine | Security Center component to terminate a process and quarantine the associated file |
| AegisStopContainer | Container isolation | Security Center component to stop a container |
| SasOfflineCheck | Host investigation | Security Center component for offline host investigation |
| AliNetBlockIP | IP blocking | Security Center component to add an IP address to the malicious behavior defense blocklist |
| AliNetWhiteIP | IP allowlisting | Security Center component to add an IP address to the malicious behavior defense allowlist |
| AliNetBlockDNS | Domain blocking | Security Center component to add a domain name to the malicious behavior defense blocklist |
| AliNetWhiteDNS | Domain allowlisting | Security Center component to add a domain name to the malicious behavior defense allowlist |
| AliyunFirewallProcess | IP blocking (inbound) | Cloud Firewall component to block an inbound IP address |
| CfwWhiteListBatch | IP allowlisting (inbound) | Cloud Firewall component to add an inbound IP address to the allowlist |
| AliyunCFWBlockDNS | Domain blocking (outbound) | Cloud Firewall component to block an outbound malicious domain name |
| AliyunFirewallMonitorIPin | IP monitoring (inbound) | Cloud Firewall component to handle an inbound IP address in monitor mode |
| AliyunFirewallMonitorIPOut | IP monitoring (outbound) | Cloud Firewall component to handle an outbound IP address in monitor mode |
| AliyunWafBlockIP | IP blocking (inbound) | Alibaba Cloud WAF component to block an inbound IP address |
| WafWhiteListBatch | IP allowlisting | Alibaba Cloud WAF component to add an IP address to the allowlist |
| AliYunWafMonitorIP | IP monitoring | Alibaba Cloud WAF component to handle an IP address in monitor mode |
| SecurityPolicyBlockIP | IP blocking (inbound) | Alibaba Cloud security group component to block an inbound IP address |
| RegionCLBProcess | IP blocking | Alibaba Cloud Classic Load Balancer (CLB) component to block an IP address |
| RegionALBProcess | IP blocking | Alibaba Cloud Application Load Balancer (ALB) component to block an IP address |
| CDNProcess | IP blocking | Alibaba Cloud CDN component to block an IP address |
| DcdnWafBanIP | IP blocking | DCDN WAF component to block an IP address |
| AliyunDDoSProxyBlockIP | IP blocking | Anti-DDoS Proxy component to block an IP address |
| AliyunDDoSProxyWhiteIP | IP allowlisting | Anti-DDoS Proxy component to add an IP address to the allowlist |
| TencentCFWBlockIP | IP blocking | Tencent Cloud Firewall component to block a high-risk IP address |
| TencentWafBlockIP | IP blocking | Tencent Cloud WAF component to block a high-risk IP address |
| HuaWeiRegionCfwBlockIP | IP blocking | Huawei Cloud Firewall component to block a high-risk IP address |
| HuaWeiWafBlockIP | IP blocking | Huawei Cloud WAF component to block a high-risk IP address |
FAQ
Why did a disposal task fail?
Check the task details for the specific failure reason. The most common causes are:
Insufficient permissions: The RAM role used for the operation lacks the necessary permissions for the target cloud product, such as WAF or Cloud Firewall. Grant the required permissions to the role.
Resource not found: The target entity (such as a host or container) was destroyed, or its associated rule was deleted.
Quota exceeded: The number of rules for the target cloud product has reached its limit, such as the WAF IP address blocklist quota.
Cross-account restrictions: Cross-account operations require both accounts to have the same enterprise real-name verification and to be managed together under Resource Directory. Operations between accounts with different verification entities are not supported.
Why is the Retry button grayed out?
Some disposal tasks cannot be retried because the underlying action is irreversible. Once such an action completes — even if it fails — it cannot be run again.