
Security Center: Disposal Center

Last Updated: Jan 20, 2026

The Disposal Center simplifies security responses by converting them into standard policies and tasks. It provides a centralized view to manage and audit all response actions, whether they are run manually or triggered by automated rules.

Core concepts

  • Entity Object: A core object that is involved in an alert or event. Examples include IP addresses, domain names, file hashes, processes, hosts, containers, cloud resource IDs such as ECS instance IDs, and user accounts.

  • Handling Component: An atomic tool that performs a specific security operation. It is responsible for a single, minimal task, such as blocking an IP address or quarantining a file.

  • Script: An automated security workflow, also called a playbook, that is orchestrated from one or more Handling Components. It predefines a complete response path that includes trigger conditions, logical judgments, and execution actions.

  • Handling Policies: A complete security response decision. When a playbook is triggered, the system generates a disposal policy. This policy specifies what entity to target, how to respond by running a specific playbook, and where the response takes effect.

    Note

    Handling Policies and Handling Tasks have a one-to-many relationship: one policy can correspond to multiple tasks.

  • Handling Tasks: The execution record of a disposal policy on a specific target, such as an Alibaba Cloud account or a resource. It is a specific execution unit that is generated from a policy and records the result (success or failure) of a single operation.

Function overview

Data sources for the Disposal Center

Data in the Disposal Center, such as disposal policies and tasks, is generated in the following scenarios:

  • Agentic SOC not enabled

    • Manual Handling Event: You can manually handle security events using Use Recommended Handling Policy, Run Playbook, or Add to Whitelist (automatic response rule). For more information, see Assess and handle CWPP security events.

  • Agentic SOC enabled

    • Manual Handling Event: You can manually handle security events using Use Recommended Handling Policy, Run Playbook, or Add to Whitelist (automatic response rule). For more information, see Assess and handle Agentic SOC security incidents.

    • Incident Trigger Playbook: Playbooks are triggered by automatic response rules that are predefined in SOAR. These rules use Event Occurrence or Event Update as the trigger and Run Playbook as the action. For more information, see Automatic response rules.

    • Alert Trigger Playbook: Playbooks are triggered by automatic response rules that are predefined in SOAR. These rules use Alert Occurrence as the trigger and Run Playbook as the action. For more information, see Automatic response rules.

    • Manual Execution Playbook: In SOAR, you can perform the Run operation on Custom Playbook and Predefined Playbook. For more information, see Playbook configuration guide.

Data retention period

By default, disposal policy and disposal task data is retained for 90 days.

Important

When the Agentic SOC service expires or you unsubscribe from it, related data generated by the service is retained for only 15 days. We recommend that you back up or migrate your data in advance.

User guide

View disposal policies

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose Detection and Response > Disposal Center. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

    Note

    If you enabled the Agentic SOC service, the navigation path in the navigation pane on the left changes to Agentic SOC > Disposal Center.

  3. On the Handling Policies tab, you can view information about disposal policies.

    • Entity Object: Click the name of an Entity Object to view its context, related Alibaba Cloud threat intelligence, associated alerts, and other details.

    • Associated Source: Click an entry in the Associated Source column to view the alerts, security events, or playbooks that are associated with the disposal policy.

    • View Task: In the Actions column, click View Task to open the Handling Tasks page and view the tasks that are associated with the disposal policy.

    • View Script: Click the name of a Script to view its details, including its run and publish history, a basic description, and its configuration components.

      Note

      You must enable Agentic SOC to view playbook information.

View and handle Handling Tasks

View disposal tasks

On the Handling Tasks tab, you can view the following information:

  • Entity Object: Click the name of an Entity Object to view its context, related Alibaba Cloud threat intelligence, associated alerts, and other details.

  • Handling Component: The component of the playbook that was executed to perform the security operation. For a list of common disposal components, see Appendix: Common security disposal components.

  • View Script: Click the name of a Script to view its details, including its run and publish history, a basic description, and its configuration components.

    Note

    You must enable Agentic SOC to view playbook information.

  • Task Status: If a task has a status of Failed, hover over the icon next to the status to view the failure reason.

Handle Handling Tasks

  • Retry: If a task fails, you can run it again by clicking Retry in the Actions column.

    Note

    If the Retry button is grayed out, the task cannot be retried.

  • Unblock: If a task resulted in a blocked IP address, you can unblock it. After you confirm that the IP address no longer poses a threat, click Unblock in the Actions column.

Billing

The Disposal Center feature does not have a separate charge. This feature is included in the paid editions of Security Center.

  • Subscription users: You can use this feature by subscribing to any paid edition.

  • Pay-as-you-go users: You can use this feature by enabling any pay-as-you-go module.

Some disposal actions may interact with other paid cloud products, such as WAF, CDN, and Anti-DDoS Proxy, or incur additional API call fees. For detailed billing information, see the documentation for the relevant cloud products.

Appendix: Common security disposal components

Component identifier        Function description
--------------------        --------------------
AegisKillProcess            Security Center component for terminating processes
AegisDeepCleanUp            Security Center component for in-depth scanning
AegisQuaraFile              Security Center component for quarantining files
AegisKillQuara              Security Center component for terminating processes and quarantining files
AliyunFirewallProcess       Cloud Firewall component for blocking inbound IP addresses
SasOfflineCheck             Security Center component for offline host investigation
RegionCLBProcess            Alibaba Cloud CLB blocking component
RegionALBProcess            Alibaba Cloud ALB blocking component
CDNProcess                  Alibaba Cloud CDN blocking component
AliyunWafBlockIP            Alibaba Cloud WAF component for blocking inbound IP addresses
SecurityPolicyBlockIP       Alibaba Cloud security group component for blocking inbound IP addresses
CfwWhiteListBatch           Cloud Firewall component for adding inbound IP addresses to the whitelist
WafWhiteListBatch           Alibaba Cloud WAF component for adding IP addresses to the whitelist
TencentCFWBlockIP           Tencent Cloud Firewall component for blocking high-risk IP addresses
HuaWeiRegionCfwBlockIP      Huawei Cloud Firewall component for blocking high-risk IP addresses
TencentWafBlockIP           Tencent Cloud WAF component for blocking high-risk IP addresses
HuaWeiWafBlockIP            Huawei Cloud WAF component for blocking high-risk IP addresses
DcdnWafBanIP                DCDN-WAF component for blocking IP addresses
AegisStopContainer          Security Center component for stopping containers
AliNetBlockIP               Security Center component for adding IP addresses to the malicious behavior defense blacklist
AliNetBlockDNS              Security Center component for adding domain names to the malicious behavior defense blacklist
AliNetWhiteIP               Security Center component for adding IP addresses to the malicious behavior defense whitelist
AliNetWhiteDNS              Security Center component for adding domain names to the malicious behavior defense whitelist
AliyunCFWBlockDNS           Cloud Firewall component for blocking outbound malicious domain names
AliyunDDoSProxyBlockIP      Anti-DDoS Proxy component for blocking IP addresses
AliyunDDoSProxyWhiteIP      Anti-DDoS Proxy component for adding IP addresses to the whitelist
AliyunFirewallMonitorIPin   Cloud Firewall component for handling inbound IP addresses in monitor mode
AliyunFirewallMonitorIPOut  Cloud Firewall component for handling outbound IP addresses in monitor mode
AliYunWafMonitorIP          Alibaba Cloud WAF component for handling IP addresses in monitor mode

FAQ

  • Why did my disposal task fail?

    • Insufficient permissions: The RAM role used for the operation does not have the required permissions for the target cloud product, such as WAF or Cloud Firewall. To resolve this issue, check and grant the required permissions.

    • Resource does not exist: The target entity, such as a host or container, was destroyed, or the corresponding rule was manually deleted.

    • Quota exceeded: The number of rules for the target cloud product, such as the WAF IP blacklist, has reached the quota limit.

    • Cross-account operation restrictions: To perform operations on resources in other Alibaba Cloud accounts, both accounts must be verified under the same enterprise identity and have the multi-account management feature enabled in Resource Directory. Operations between accounts that have different identity verification entities are not supported.

  • Why is the "Retry" button grayed out?

    Some disposal tasks cannot be retried because their operations are irreversible or have special characteristics.