
Security Center: Assess and handle CWPP security events

Last Updated: Sep 11, 2025

To handle a security event, you must first assess its impact and attack surface, identify any false positives, and perform immediate remediation. You can use recommended handling policies, update the event status, add items to a whitelist, or run playbooks to keep your system secure.

Security incident handling flowchart

(flowchart image omitted)

Assess a security event

Before you handle a security event, you must assess its impact and attack surface and identify any false positives to avoid disrupting normal system operations. You can use the event details page to obtain information that helps with this assessment.

Go to the event details page

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where your assets are located: China or Outside China.

  2. In the navigation pane on the left, choose Detection and Response > Security Incident.

    Note

    If you purchased the Cloud Threat Detection and Response (CTDR) service, in the navigation pane on the left, choose Cloud Threat Detection and Response > Security Incident.

  3. Select an Occurrence Time Range to find the security event.

    Important
    • The Security Incident page displays events from the last 180 days only.

    • You can enable event notifications in System Settings > Notification Settings. This lets you use information from the notifications, such as the event name, to quickly find the event.

  4. In the Actions column, click Details to go to the event details page.

Methods and examples for assessing a security event

Assess an event's urgency, coverage, and whether it is a false positive by using the Overview area together with the information on the Timeline, Alert, Entity, and Response Activity tabs.

Overview area

This area provides basic information about the event and its ATT&CK attack stage. You can use the data in this area, such as the number of affected assets, associated alerts, the occurrence time, and the alert source, to assess whether the security event requires handling.

Example assessment:

  • Number of affected assets: If many assets are affected, including core business assets such as database servers or application servers, the event may have a significant impact and should be handled with high priority.

  • Number of associated alerts: A higher number of associated alerts indicates that the event may have a wider scope and a greater potential risk.

  • Occurrence time: Recent events need to be handled more promptly than historical events because they may still be causing an impact.

  • Alert source: The credibility and severity of alerts can vary by source. Alerts from authoritative detection modules, such as a dedicated virus scanning module, indicate a higher risk for the corresponding event.

Timeline

On this tab, you can view the attack timeline and the event chain diagram. The big data analytics engine processes, aggregates, and visualizes data to form an event chain diagram. This diagram helps you quickly identify the cause of the event and create a handling policy. To view the details, perform the following steps:

  1. Click the full-screen icon to enter full-screen mode.

  2. Click a node in the event chain diagram to view its details.

Use the timeline to assess whether the security event requires handling. The following are examples of assessments:

  • If the timeline shows that an initial, small-scale probing attack alert quickly evolves into multiple, closely related attack alerts of different types, the security event is high-risk and must be handled immediately. This is especially true if the attack pace is accelerating and the scope of affected assets is expanding.

  • If no new related alerts appear on the timeline for a long period and the attack behavior shows no signs of further spreading, the handling priority can be relatively lower.

Alert

On this tab, you can view the list of all security alerts aggregated into this event. You can use multi-dimensional alert statistics, including the number of alerts, defense measures, and occurrence times, to obtain more information. This helps you determine the attack method, the attack stage, and the appropriate handling plan. The following are examples of assessments:

  • Many alerts of the same type or related types may indicate a large-scale attack or a more severe threat.

  • Regarding defense measures, determine whether the measures taken have effectively blocked the attack. If the defense measures have failed or are insufficient, the urgency of handling the event increases.

  • If recent security alerts have an Occurrence time concentrated in a specific period, it may indicate that the attack is in an active phase during that time.

Entity

This section displays the entities extracted from the event. Supported entity types include hosts, files, processes, IP addresses, and host accounts. You can view and manage entities from the following dimensions:

  • All entities: Displays all entities extracted from the event. You can view the number of associated events, associated alerts, and associated handling tasks in the last 30 days, and perform operations such as running a playbook.

  • Affected assets: Displays the assets affected by the event. This helps you quickly assess the scope of the impact on your assets.

Use the affected entities to assess whether the security event requires handling. The following are examples of assessments:

  • In the entity details, you can view the basic information of an IP address entity, its Alibaba Cloud threat intelligence, and the number of associated events, alerts, and handling tasks in the last 30 days. If these numbers are high, it may indicate that an attacker is continuously using the IP address for attacks. You must handle this IP address, for example, by blocking it.

  • Under Affected assets, if multiple assets are attacked by the same IP address within the same period, this may indicate a targeted attack from that IP address. You must handle this IP address, for example, by blocking it.
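The assessment heuristics above (core assets affected, an accelerating timeline that fans out into new alert types, one source IP hitting several assets in the same window, and recency) can be checked programmatically against the alerts aggregated into an event. The following is an added example and not Security Center code; the alert field names, the sample alerts, the core-asset tag and the priority thresholds are assumptions chosen for illustration.

```python
"""Triage helpers for a CWPP security event, using the signals the
Overview, Timeline, Alert and Entity tabs expose. Added example, not
Security Center code; field names and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: the alerts aggregated into one event (not real data).
ALERTS = [
    {"time": "2025-09-10T01:00:00", "type": "port_scan",          "asset": "web-01", "src_ip": "203.0.113.7"},
    {"time": "2025-09-10T01:40:00", "type": "port_scan",          "asset": "web-02", "src_ip": "203.0.113.7"},
    {"time": "2025-09-10T02:05:00", "type": "brute_force_ssh",    "asset": "web-01", "src_ip": "203.0.113.7"},
    {"time": "2025-09-10T02:10:00", "type": "brute_force_ssh",    "asset": "db-01",  "src_ip": "203.0.113.7"},
    {"time": "2025-09-10T02:12:00", "type": "webshell_upload",    "asset": "web-01", "src_ip": "203.0.113.7"},
    {"time": "2025-09-10T02:14:00", "type": "suspicious_process", "asset": "web-01", "src_ip": "203.0.113.7"},
]
# Constructed sample: a single old probe with no follow-up (not real data).
QUIET = [
    {"time": "2025-07-01T10:00:00", "type": "port_scan", "asset": "web-01", "src_ip": "198.51.100.9"},
]
CORE_ASSETS = {"db-01"}  # assumption: assets tagged as core business systems


def parse(ts):
    return datetime.fromisoformat(ts)


def hour_of(alert):
    return parse(alert["time"]).replace(minute=0, second=0, microsecond=0)


def alerts_per_hour(alerts):
    """Hourly alert counts in time order (what the Timeline tab visualises)."""
    buckets = Counter(hour_of(a) for a in alerts)
    return [buckets[h] for h in sorted(buckets)]


def distinct_types_per_hour(alerts):
    by_hour = defaultdict(set)
    for a in alerts:
        by_hour[hour_of(a)].add(a["type"])
    return [len(by_hour[h]) for h in sorted(by_hour)]


def is_accelerating(alerts):
    """True when the hourly alert count keeps rising and the latest hour shows
    more alert types than the first: probing evolving into varied attacks."""
    counts = alerts_per_hour(alerts)
    if len(counts) < 2:
        return False
    rising = all(later > earlier for earlier, later in zip(counts, counts[1:]))
    types = distinct_types_per_hour(alerts)
    return rising and types[-1] > types[0]


def targeted_sources(alerts, window=timedelta(hours=1), min_assets=2):
    """Source IPs that reach at least min_assets distinct assets inside any
    sliding window of the given length (Entity tab: same IP, many assets)."""
    hits = defaultdict(list)
    for a in alerts:
        hits[a["src_ip"]].append((parse(a["time"]), a["asset"]))
    flagged = {}
    for ip, seq in hits.items():
        seq.sort()
        best = 0
        for i, (t0, _) in enumerate(seq):
            assets = {asset for t, asset in seq[i:] if t - t0 <= window}
            best = max(best, len(assets))
        if best >= min_assets:
            flagged[ip] = best
    return flagged


def triage(alerts, now_iso, core_assets=CORE_ASSETS):
    """Combine the signals into a priority plus the reasons behind it."""
    now = parse(now_iso)
    affected = {a["asset"] for a in alerts}
    reasons = []
    if affected & core_assets:
        reasons.append(f"core assets affected: {sorted(affected & core_assets)}")
    if is_accelerating(alerts):
        reasons.append("alert rate and number of alert types are increasing")
    targeted = targeted_sources(alerts)
    if targeted:
        reasons.append(f"single source hitting multiple assets: {targeted}")
    last_seen = max(parse(a["time"]) for a in alerts)
    recent = now - last_seen <= timedelta(hours=24)
    if reasons:
        priority = "high"
    elif recent:
        priority = "medium"
    else:
        priority = "low"
        reasons.append("no new alerts in the last 24 hours")
    return {"priority": priority, "affected_assets": sorted(affected), "reasons": reasons}


if __name__ == "__main__":
    print(triage(ALERTS, "2025-09-10T03:00:00"))
    print(triage(QUIET, "2025-09-10T03:00:00"))
```

The thresholds (one-hour window, two assets, 24-hour recency) are starting points; tune them to your environment. The value of the exercise is that each reason string maps back to one tab of the event details page, so an analyst can verify the automated verdict against the console before acting.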

Response Activity

The Response Activity section provides a complete record of the event investigation, risk analysis, and response handling process. This section also provides entry points for managing key handling policies and tasks. This allows team members to share investigation progress and handling information during collaboration. After the event, you can review and summarize the event activities to improve future responses.

Handle a security event

Handling a security event involves handling malicious entities and their associated alerts. After you handle the entities and alerts, you must update the event status.

Use Recommended Handling Policy (Recommended)

Security Center provides event handling methods based on the experience of Alibaba Cloud security experts. These methods are called recommended handling policies. After you use a recommended handling policy to handle malicious entities in a security event, the event status and the status of its associated alerts are updated at the same time.

Note

Not all entities support Use Recommended Handling Policy. If the Use Recommended Handling Policy panel is empty, it indicates that there are no built-in handling policies for the current entity.

Impact of the operation

  • This operation interacts with other Alibaba Cloud products for event response to handle malicious entities, for example, by blocking an IP address.

  • If you use the Use Recommended Handling Policy option to change an event's status to Handled, the system changes the status of all unhandled alerts associated with the event to Handled in the security incident. The event handling information is also added to the details of the alerts. Subsequently, new alerts are no longer associated with the current security event. Instead, they generate a new security event.

    Important

    For Cloud Workload Protection Platform (CWPP) "Precision Defense" alerts, the default status is "Handled" (defend only, no notification). Updating the security event status does not affect the status of these alerts.

  • If you use the Use Recommended Handling Policy option to change an event's status to Handling, the status of currently associated alerts is unaffected. You can still associate new alerts with the event.

Procedure

  1. Go to the event details page. On the Entity tab, click Use Recommended Handling Policy.

    Note

    On the Security Incident page, find the event. In the Actions column, click Response, or select Use Recommended Handling Policy.

  2. In the Use Recommended Handling Policy panel, select the malicious entities that you want to handle.

  3. (Optional) Modify the handling policy. In the Actions column for the entity, click Edit. In the Edit Policy panel, modify parameters such as the destination account and the action validity period for the blocking rule.

    • Action validity period: The period during which the handling policy is effective. The policy automatically becomes invalid after this period expires.

    • Destination account: The current account and manageable member accounts. For more information about how to manage member accounts, see Multi-account security management.

  4. Click Confirm and update the incident status. In the Update Incident Status dialog box, set Event Status to Handling or Handled, and then click OK.

    Important

    After you complete this step, Security Center automatically creates a handling policy and executes a handling task. If the handling task fails, the event status changes to Failed. Otherwise, the event status changes to the status that you set here.

    • Handling: Indicates that in addition to the current handling operation, there are other actions related to event handling, such as immediate remediation, source tracing, and vulnerability fixing.

    • Handled: Indicates that there are no subsequent handling actions besides the current one. The impacts are as follows:

      • Updates the status of associated alerts to Handled in the security incident.

      • Subsequent alerts will generate a new security event and will no longer be associated with the current event.

Update the security event status

If you determine that an event is a false positive or if you have manually handled all associated security alerts and entities, you can change the event status to Handled.

Impact of the operation

  • The status of all unhandled alerts associated with the event is updated to Handled in the security incident. The event handling information is added to the alert details.

    Important

    For Cloud Workload Protection Platform (CWPP) "Precision Defense" alerts, the default status is "Handled" (defend only, no notification). Updating the security event status does not affect the status of these alerts.

  • Subsequent alerts are no longer associated with the current security event. They will generate a new security event.

Procedure

  1. On the event details page, click the Incident Response drop-down list in the upper-right corner and select Update Incident Status. Alternatively, on the Security Incident page, find the target event, click the Response drop-down list in the Actions column, and select Update Incident Status.

  2. In the Update Incident Status dialog box, select Handled.

  3. (Optional) Add a remark. You can add remarks such as 'I have handled this manually', 'Ignore', or 'Manually whitelisted'.

Add to a whitelist (alert whitelisting)

If Security Center generates alerts for normal program activities, you can add these alerts to a whitelist. This prevents Security Center from repeatedly generating alerts for normal programs or behaviors. Examples of normal activities that might trigger alerts include suspicious outbound TCP packets from a normal business process or scanning behavior from a normal network detection tool.

Impact of alert whitelisting

Warning

After an alert is whitelisted, notifications for the same or matching alerts will no longer be sent. Use this feature with caution.

  • For the current alert:

    • The current alert changes to "Handled", and the alert status is Manually Add to Whitelist.

    • If the same alert occurs again, a new alert will not be generated. Instead, the latest occurrence time of the current alert will be updated.

      What is a same alert?

      A same alert refers to a security threat with highly consistent alert features. For example:

      • Virus-related alerts: The same asset, virus file path, and virus file MD5.

      • Abnormal logon: The same asset and logon IP address.

  • For subsequent alerts:

    • If you set a specific whitelist rule, Security Center no longer associates alerts that match this rule with the current event.

    • When an alert that matches a custom whitelist rule occurs again, it will automatically be added to the handled list with the status Automatically Add to Whitelist, and no alert notification will be sent.

  • For other alerts: A whitelist rule takes effect only for alerts with the specified alert name that meet the conditions. It does not affect other alerts for which no rules are set.

Procedure

  1. Go to the event details page. On the Alert tab, select the alert to whitelist and click Add Alert to Whitelist in the Actions column.

  2. (Optional) Create a new alert whitelist rule. You can click Create Rule to configure multiple whitelist rules.

    Important
    • Multiple conditions in a rule have an "AND" relationship, which means the rule takes effect only when all conditions are met.

    • Ensure the precision of the rules that you configure to avoid an overly broad scope. For example, setting "Path contains: /data/" might mistakenly whitelist other sensitive subdirectories, which increases security risks.

    • We recommend that you combine multiple conditions to set rules, such as "Path contains: /app/" and "Process name: test.exe", to achieve more refined whitelist management.

    Each rule has four configuration boxes from left to right, as described below:

    1. Alert information field: On the details page, under More Information, you can see which alert information fields are supported for the current alert.

    2. Condition type: Supports operations such as regular expression matching, greater than, equal to, less than, and contains. Some rules are described as follows:

      • Regular expression: Use regular expressions to precisely match content with specific patterns. For example, to whitelist all content under the "/data/app/logs/" folder, you can set the rule "Path matches regex: ^/data/app/logs/.*$". This will match all files or processes in that folder and its subdirectories.

      • Contains keyword: Set a rule "Path contains: D:\programs\test\". All events whose paths contain this folder will be whitelisted.

    3. Condition value: Supports constants and regular expressions.

    4. Applicable assets:

      • All assets: Takes effect for newly added assets and all existing assets.

      • Only for the current asset: Takes effect only for the asset involved in the current alert.

  3. Click OK.
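The rule semantics described above (one alert name per rule, AND-ed conditions, regex/contains/equals/greater-than/less-than operators, and an all-assets or current-asset scope) are easy to get wrong in the direction of over-whitelisting. The following added example, which is not Security Center code, models those semantics and shows why "Path contains: /data/" silences an unrelated alert that the two-condition, asset-scoped rule does not. The alert field names, the dataclass shapes, the status strings and the sample alerts are assumptions based on this page.

```python
"""Whitelist-rule evaluation for CWPP alerts. Added example, not Security
Center code; field names, dataclass shapes and status strings are assumptions
modeled on the documentation."""
import re
from dataclasses import dataclass


@dataclass
class Condition:
    field_name: str   # alert information field, e.g. "path" or "process"
    op: str           # "regex", "contains", "equals", "gt", "lt"
    value: str


@dataclass
class Rule:
    alert_name: str     # the rule applies only to alerts with this name
    conditions: list    # list[Condition]; all must hold (AND)
    scope: str = "all"  # "all" or one asset ID (only for the current asset)


def condition_holds(cond, alert):
    actual = alert.get(cond.field_name)
    if actual is None:
        return False
    if cond.op == "regex":
        return re.search(cond.value, str(actual)) is not None
    if cond.op == "contains":
        return cond.value in str(actual)
    if cond.op == "equals":
        return str(actual) == cond.value
    if cond.op == "gt":
        return float(actual) > float(cond.value)
    if cond.op == "lt":
        return float(actual) < float(cond.value)
    raise ValueError(f"unsupported condition type: {cond.op}")


def rule_matches(rule, alert):
    if alert["name"] != rule.alert_name:
        return False
    if rule.scope != "all" and alert["asset"] != rule.scope:
        return False
    return all(condition_holds(c, alert) for c in rule.conditions)


def status_for(rules, alert):
    """Status a newly generated alert would receive: automatically whitelisted
    (handled, no notification) if any rule matches, otherwise unhandled."""
    if any(rule_matches(r, alert) for r in rules):
        return "Automatically Add to Whitelist"
    return "Unhandled"


def whitelisted_ids(rules, alerts):
    return sorted(a["id"] for a in alerts if status_for(rules, a) != "Unhandled")


def same_alert_key(alert):
    """'Same alert' fingerprint: a recurrence with this key updates the latest
    occurrence time of the existing alert instead of creating a new one."""
    if alert["name"].startswith("virus"):
        return (alert["name"], alert["asset"], alert["path"], alert["md5"])
    if alert["name"] == "abnormal_logon":
        return (alert["name"], alert["asset"], alert["logon_ip"])
    return (alert["name"], alert["asset"], alert.get("path"))


# Constructed sample alerts (not real data).
ALERTS = [
    {"id": 1, "name": "suspicious_process", "asset": "i-app01", "path": "/data/app/logs/rotate.sh", "process": "rotate.sh"},
    {"id": 2, "name": "suspicious_process", "asset": "i-app01", "path": "/data/secrets/dump.sh", "process": "dump.sh"},
    {"id": 3, "name": "suspicious_process", "asset": "i-db01", "path": "/data/app/logs/rotate.sh", "process": "rotate.sh"},
    {"id": 4, "name": "webshell", "asset": "i-app01", "path": "/data/app/logs/x.php", "process": "php"},
]

# Over-broad: silences the dump.sh alert under /data/secrets/ as well.
BROAD_RULE = Rule("suspicious_process", [Condition("path", "contains", "/data/")])

# Precise: two AND-ed conditions, limited to the asset the original alert came from.
PRECISE_RULE = Rule(
    "suspicious_process",
    [Condition("path", "regex", r"^/data/app/logs/.*$"),
     Condition("process", "equals", "rotate.sh")],
    scope="i-app01",
)

if __name__ == "__main__":
    print("broad rule whitelists:  ", whitelisted_ids([BROAD_RULE], ALERTS))
    print("precise rule whitelists:", whitelisted_ids([PRECISE_RULE], ALERTS))
```

Note that neither rule touches alert 4: a rule is bound to one alert name, so a webshell alert under the same path still surfaces. Before saving a rule in the console, run your candidate conditions against the recent alert history the same way and confirm that only the alerts you intend to suppress match.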

How to remove an item from the whitelist?

Cancel an automatic whitelist rule

Important
  • This affects only subsequently generated alerts. Alerts that match the whitelist rule are no longer automatically whitelisted.

  • This has no effect on already handled alerts. The alert status remains unchanged.

  1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

    Note

    If you have purchased CTDR, in the navigation pane on the left, choose Cloud Threat Detection and Response > Alert.

  2. In the upper-right corner of the CWPP tab, click Cloud Workload Alert Management and select Alert Settings.

  3. On the Alert Settings page, in the Alert Handling Rule section, set Handling Method to Automatically Add to Whitelist.

  4. Find the target rule and click Delete in the Actions column to cancel the automatic whitelist rule.

Cancel whitelisting for an alert

Important

After you cancel the whitelisting, the alert reappears in the Unhandled alert list. You must re-evaluate and handle the alert.

  1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

    Note

    If you have purchased CTDR, in the navigation pane on the left, choose Cloud Threat Detection and Response > Alert.

  2. On the CWPP tab, set the Handled or Not filter to Handled.

  3. Find the alert data that you want to remove from the whitelist and click the Remove from Whitelist button in the Actions column to cancel the whitelisting for the current alert.

    Note

    You can also select multiple alert data items and click the Remove from Whitelist button at the bottom of the list to perform a batch cancellation.


Run Playbook

Based on the experience of Alibaba Cloud security experts, Security Center provides a set of built-in playbooks for handling malicious entities. Examples include host offline investigation, in-depth virus scanning, and interaction with WAF to block IP addresses.

  1. Go to the event details page. On the Entity tab, find the entity that you need to process.

  2. In the Actions column, click Run Playbook. On the run playbook configuration page, configure the playbook parameters as described below.

    • Playbook: The system automatically retrieves the corresponding built-in playbook based on the type of the current entity.

      Important

      If the built-in playbooks do not meet your needs, you can use the Response Orchestration feature provided by Threat Analysis and Response to create custom playbooks.

    • Action validity period: The period during which the playbook runs. The playbook will no longer be executed after this period expires.

    • Destination account: The current account and manageable member accounts. For more information about how to manage member accounts, see Multi-account security management.

  3. Click OK.

Security hardening solutions

  • Upgrade Security Center

    The Enterprise and Ultimate editions support automatic virus isolation to provide accurate defense. These editions support defense against common ransomware, DDoS Trojans, mining programs, trojans, malicious programs, backdoors, and worms. They also support more security check items.

  • Configure security groups for servers

    The following are common security group configurations. If you use Alibaba Cloud ECS instances, see Manage security groups.

    • Allow only specified IP addresses to log on to your server using Remote Desktop Protocol (RDP) on port 3389 or SSH on port 22. This prevents hackers from scanning for or launching brute-force attacks on the management ports of your server.

    • In the security group, allow access only to required service ports, such as 80 and 443. Do not allow access to other ports.

    • For database ports, such as 1433, 3306, and 6379, allow access only from specified IP addresses. We recommend that you do not expose these ports to the internet.

  • Set complex server passwords

    Create complex passwords that contain uppercase letters, lowercase letters, digits, and special characters. The passwords must be at least eight characters in length.

  • Upgrade software

    Regularly upgrade applications to the latest versions. Do not use outdated software.

  • Create disk snapshots

    Create snapshots for important servers periodically. If data is lost, deleted by mistake, or tampered with by hackers in an event such as a ransomware attack, you can use the snapshots to restore your data. If you use Alibaba Cloud ECS instances, see Create an automatic snapshot policy.

  • Fix vulnerabilities promptly

    Use the vulnerability fixing feature of Security Center to fix high-risk system and application vulnerabilities promptly. Note: Before you fix a vulnerability, create a snapshot backup.

  • Reset the server system (use with caution).

    If a virus deeply infects the system and is associated with underlying system components, we strongly recommend that you back up important data and then reset the server system. Follow these steps:

    1. Create a snapshot to back up important data on the server. For more information, see Create a snapshot.

    2. Initialize the operating system of the server. For more information, see Reinitialize a system disk.

    3. Create a disk from the snapshot. For more information, see Create a data disk from a snapshot.

    4. Attach the disk to the server on which the operating system was reinstalled. For more information, see Attach a data disk.
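The security group guidance above (management ports 22 and 3389 and database ports 1433, 3306 and 6379 restricted to specified source IP addresses; only required service ports such as 80 and 443 open) can be turned into an automated check over exported rules. The following is an added example and not Alibaba Cloud code: the rule dictionary shape is a simplified assumption rather than the exact API response format, and the weak and hardened rule sets are constructed samples.

```python
"""Audit inbound security group rules against the hardening guidance in this
section. Added example, not Alibaba Cloud code; the rule dict shape is a
simplified assumption and the sample rule sets are constructed."""
import ipaddress

MGMT_PORTS = {22, 3389}
DB_PORTS = {1433, 3306, 6379}
PUBLIC_SERVICE_PORTS = {80, 443}  # assumption: the only ports this workload serves


def port_set(port_range):
    """'22/22' -> {22}; '1/65535' -> every port; '-1/-1' is treated as all."""
    lo, hi = (int(p) for p in port_range.split("/"))
    if lo == -1:
        return set(range(1, 65536))
    return set(range(lo, hi + 1))


def is_world(cidr):
    """0.0.0.0/0 or ::/0, i.e. reachable from the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit(rules):
    """Return (severity, message) findings for accept rules open to the world."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress" or r["policy"] != "accept":
            continue
        if not is_world(r["source_cidr"]):
            continue
        ports = port_set(r["port_range"])
        src = r["source_cidr"]
        hit = ports & MGMT_PORTS
        if hit:
            findings.append(("HIGH", f"management port(s) {sorted(hit)} open to {src}"))
        hit = ports & DB_PORTS
        if hit:
            findings.append(("HIGH", f"database port(s) {sorted(hit)} open to {src}"))
        other = ports - MGMT_PORTS - DB_PORTS - PUBLIC_SERVICE_PORTS
        if other:
            findings.append(("MEDIUM", f"{len(other)} non-service port(s) open to {src}"))
    return findings


# Constructed sample: the kind of rule set the guidance warns against.
WEAK_RULES = [
    {"direction": "ingress", "policy": "accept", "port_range": "22/22",    "source_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "policy": "accept", "port_range": "3306/3306", "source_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "policy": "accept", "port_range": "1/65535",  "source_cidr": "0.0.0.0/0"},
]

# Constructed sample: the same workload after applying the guidance.
HARDENED_RULES = [
    {"direction": "ingress", "policy": "accept", "port_range": "22/22",    "source_cidr": "198.51.100.0/24"},
    {"direction": "ingress", "policy": "accept", "port_range": "3306/3306", "source_cidr": "10.0.0.0/8"},
    {"direction": "ingress", "policy": "accept", "port_range": "80/80",    "source_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "policy": "accept", "port_range": "443/443",  "source_cidr": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}:")
        for sev, msg in audit(rules) or [("OK", "no world-open findings")]:
            print(f"  [{sev}] {msg}")
```

The check deliberately ignores source ranges narrower than the whole internet; a second pass that flags very wide private ranges, or a bastion-only allow list for port 22, is a natural extension once your own address plan is known.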

More operations

Export security event details

You can export security event details to a local Excel file. This facilitates cross-departmental collaboration in handling security events and improves internal information sharing and event tracking efficiency.

You can export up to 1,000 security event records. The exported file contains three tabs: a list of security event records, a list of assets involved in the security events, and a list of entities involved in the security events.

  1. (Optional) On the Security Incident page, set filter conditions such as event risk level, status, and occurrence time.

  2. Select the security events that you want to download and click the export icon in the upper-right corner of the security event list.

  3. After the file is exported, click Download to save the file to your local machine.
