
Security Center: Assess and handle CWPP security events

Last Updated:Jan 19, 2026

Security Center aggregates related security alerts into a single security event to help you understand the full scope of an attack. By assessing the event's impact, executing response actions to contain the threat, and hardening your system, you can prevent similar events from recurring.

Security incident handling flowchart (image not reproduced in this text)

Security incident response assessment

Before you respond, you must thoroughly assess the event's severity, scope of impact, and whether it is a false positive to develop the right response strategy.

Go to the event details page

  1. Log on to the Security Center console.

  2. In the navigation pane on the left, choose Detection and Response > Security Incident.

    Note

    If you purchased the Agentic SOC service, in the navigation pane on the left, choose Agentic SOC > Security Incident.

  3. Select an Occurred Within time range to find the security event.

    Important
    • The Security Incident page displays events from the last 180 days only.

    • Enable event notifications in System Settings > Notification Settings. This lets you use information from the notifications, such as the event name, to quickly find the event.

  4. In the Actions column, click Details to go to the event details page.

Assessment methods and examples

You can assess an event's urgency, coverage, and whether it is a false positive using the event Overview information, the Timeline, the Alert list, and the Entity information.

Overview area

This area provides basic information about the event and its ATT&CK attack stage. You can use the data in this area, such as the number of affected assets, associated alerts, the occurrence time, and the alert source, to assess whether the security event requires handling.

Example assessment:

  • Number of affected assets: If many assets are affected, including core business assets such as database servers or application servers, the event may have a significant impact and requires high-priority handling.

  • Number of associated alerts: A higher number of associated alerts indicates that the event may have a wider scope and a greater potential risk.

  • Occurrence time: Recent events need to be handled more promptly than historical events because they may still be causing an impact.

  • Alert source: The credibility and severity of alerts can vary by source. Alerts from authoritative detection modules, such as a dedicated virus scanning module, indicate a higher risk for the corresponding event.

Timeline

On this tab, you can view the attack timeline and the event chain diagram. The big data analytics engine processes, aggregates, and visualizes data to form an event chain diagram. This diagram helps you quickly identify the cause of the event and create a handling policy. To view the details, perform the following steps:

  1. Click the full-screen icon to enter full-screen mode.

  2. Click a node in the event chain diagram to view its details.

Use the timeline to assess whether the security event requires handling. The following are examples of assessments:

  • If the timeline shows that an initial, small-scale probing attack alert quickly evolves into multiple, closely related attack alerts of different types, the security event is high-risk and must be handled immediately. This is especially true if the attack pace is accelerating and the scope of affected assets is expanding.

  • If no new related alerts appear on the timeline for a long period and the attack behavior shows no signs of further spreading, the handling priority can be relatively lower.

Alert

On this tab, you can view the list of all security alerts aggregated into this event. You can use multi-dimensional alert statistics, including the number of alerts, defense measures, and occurrence times, to determine the attack method, the attack stage, and the appropriate handling plan. The following are examples of assessments:

  • Many alerts of the same type or related types may indicate a large-scale attack or a more severe threat.

  • For defense measures, determine whether the measures taken have effectively blocked the attack. If the defense measures have failed or are insufficient, the urgency of handling the event increases.

  • If the Occurrence time of recent security alerts is concentrated in a specific period, it may indicate that the attack is in an active phase.

Entity

This section displays the entities extracted from the event. Supported entity types include hosts, files, processes, IP addresses, and host accounts. You can view and manage entities from the following dimensions:

  • All entities: Displays all entities extracted from the event. You can view the number of associated events, associated alerts, and associated handling tasks in the last 30 days, and perform operations such as running a playbook.

  • Affected assets: Displays the assets affected by the event. This helps you quickly assess the scope of the impact on your assets.

Use the affected entities to assess whether the security event requires handling. The following are examples of assessments:

  • In the entity details, you can view the basic information of an IP address entity, its Alibaba Cloud threat intelligence, and the number of associated events, alerts, and handling tasks in the last 30 days. If these numbers are high, it may indicate that an attacker is continuously using the IP address for attacks. You must handle this IP address, for example, by blocking it.

  • On the Affected Asset tab, if multiple assets are attacked by the same IP address within the same period, this may indicate a targeted attack from that IP address. You need to handle this IP address, for example, by blocking it.
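The Timeline, Alert, and Entity heuristics above can be written down as checks over the aggregated alert list. The following is an added example for this page, not Security Center's own logic: it runs over a constructed alert timeline (the time, type, asset, and src_ip fields, the thresholds, and the sample values are all assumptions) and reports whether the attack pace is accelerating, whether the scope is expanding across assets and alert types, whether the event has gone quiet, and which source IP hit several assets within one window.

```python
"""Added example: triage signals over a constructed alert timeline.
Not Security Center code; fields, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample timeline for one security event (not real data).
T0 = datetime(2026, 1, 10, 2, 0)
ALERTS = [
    {"time": T0,                         "type": "port_scan",         "asset": "i-web01", "src_ip": "203.0.113.7"},
    {"time": T0 + timedelta(minutes=40), "type": "ssh_bruteforce",    "asset": "i-web01", "src_ip": "203.0.113.7"},
    {"time": T0 + timedelta(minutes=60), "type": "abnormal_logon",    "asset": "i-web01", "src_ip": "203.0.113.7"},
    {"time": T0 + timedelta(minutes=70), "type": "webshell",          "asset": "i-web01", "src_ip": "203.0.113.7"},
    {"time": T0 + timedelta(minutes=75), "type": "ssh_bruteforce",    "asset": "i-db01",  "src_ip": "203.0.113.7"},
    {"time": T0 + timedelta(minutes=78), "type": "malicious_process", "asset": "i-db01",  "src_ip": None},
]


def escalation_signals(alerts):
    """Signals you would read off the Timeline tab: pace, breadth, spread."""
    alerts = sorted(alerts, key=lambda a: a["time"])
    gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(alerts, alerts[1:])]
    half = len(gaps) // 2
    # Pace is accelerating when the later inter-alert gaps are shorter than the earlier ones.
    accelerating = half > 0 and mean(gaps[half:]) < mean(gaps[:half])
    first_half_assets = {a["asset"] for a in alerts[: len(alerts) // 2]}
    all_assets = {a["asset"] for a in alerts}
    return {
        "accelerating": accelerating,
        "distinct_types": len({a["type"] for a in alerts}),
        "scope_expanding": len(all_assets) > len(first_half_assets),
        "last_seen": alerts[-1]["time"],
    }


def targeted_sources(alerts, window=timedelta(hours=1), min_assets=2):
    """Entity-tab heuristic: source IPs that hit >= min_assets distinct assets inside one window."""
    by_ip = defaultdict(list)
    for a in alerts:
        if a["src_ip"]:
            by_ip[a["src_ip"]].append((a["time"], a["asset"]))
    hits = set()
    for ip, events in by_ip.items():
        events.sort()
        for i, (t, _) in enumerate(events):
            assets = {asset for t2, asset in events[i:] if t2 - t <= window}
            if len(assets) >= min_assets:
                hits.add(ip)
                break
    return hits


def triage(alerts, now, quiet=timedelta(hours=24)):
    """'low' when nothing new has arrived for longer than `quiet`; 'high' when the
    chain is accelerating and spreading across alert types or assets; else 'medium'."""
    s = escalation_signals(alerts)
    if now - s["last_seen"] > quiet:
        return "low"
    if s["accelerating"] and (s["distinct_types"] >= 3 or s["scope_expanding"]):
        return "high"
    return "medium"


if __name__ == "__main__":
    print(escalation_signals(ALERTS))
    print("targeted sources:", targeted_sources(ALERTS))
    print("priority now:", triage(ALERTS, T0 + timedelta(hours=2)))
    print("priority after three quiet days:", triage(ALERTS, T0 + timedelta(days=3)))
```

The thresholds (a 24-hour quiet period, a one-hour targeting window, three distinct alert types) are placeholders; tune them to your environment, and treat the result as a prioritisation hint to confirm against the event chain diagram, not as a verdict.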

Response Activity

The Response Activity section provides a complete record of the event investigation, risk analysis, and response handling process. It also provides access to key handling policies, tasks, and the Activity Log. This allows team members to share investigation progress and handling information during collaboration. After the event, you can review and summarize the event activities to improve future responses.

Respond to a security event

Handle a security event

The following handling solutions are available:

  • Use Recommended Handling Policy: Security Center provides event handling methods based on the experience of Alibaba Cloud security experts. These methods are called recommended handling policies. After you use a recommended handling policy to handle malicious entities in a security event, the event status and the status of its associated alerts are updated at the same time.

    Note

    If the Use Recommended Handling Policy pane is empty, the current entity does not have a built-in handling policy.

  • Add Alert to Whitelist: Adds programs, IP addresses, or behaviors that are confirmed to be harmless to the whitelist so that they no longer trigger alerts.

  • Run Playbook: Based on the experience of Alibaba Cloud security experts, Security Center provides a set of built-in playbooks for handling malicious entities. Examples include host offline investigation, in-depth virus scanning, and interaction with WAF to block IP addresses.

  • Update Incident Status: If an event is determined to be a false positive, or you have manually handled all of its security alerts and entities, you can change the event status to Handled. For handled events, you can also reset the status to Unhandled or Handling.

Use Recommended Handling Policy

Procedure

  1. Go to the event details page. On the Entity tab, click the Use Recommended Handling Policy button.

    Note

    Alternatively, on the Security Incident page, find the target event, click Response in the Actions column, and select Use Recommended Handling Policy.

  2. In the Use Recommended Handling Policy panel, select the malicious entities that you want to handle.

  3. (Optional) Modify the handling policy. In the Actions column for the entity, click Edit. In the Edit Policy panel, modify parameters such as the destination account and the action validity period for the blocking rule.

    • Action validity period: The period during which the handling policy is effective. The policy automatically becomes invalid after this period expires.

    • Destination account: The current account and manageable member accounts. For more information about how to manage member accounts, see Multi-account security management.

  4. Click Confirm and update the incident status. In the Update Incident Status dialog box, set Event Status to Handling or Handled, and then click OK.

    Important

    After you complete this step, Security Center automatically creates a handling policy and executes a handling task. If the handling task fails, the event status changes to Failed. Otherwise, the event status changes to the status that you set here.

    • Handling: Indicates that in addition to the current handling operation, there are other actions related to event handling, such as immediate remediation, source tracing, and vulnerability fixing.

    • Handled: Indicates that there are no subsequent handling actions besides the current one. The impacts are as follows:

      • Updates the status of associated alerts to Handled in the security incident.

      • Subsequent alerts will generate a new security event and will no longer be associated with the current event.

Impact of the operation

  • This operation interacts with other Alibaba Cloud products for event response to handle malicious entities, for example, by blocking an IP address.

  • If you Use Recommended Handling Policy to change an event's status to Handled, the system changes the status of all unhandled alerts associated with the event to Handled in the security incident. The event handling information is also added to the alert details. Subsequently, new alerts are no longer associated with the current security event. Instead, they generate a new security event.

    Important

    For Cloud Workload Protection Platform (CWPP) "Precision Defense" alerts, the default status is "Handled" (defend only, no notification). Updating the security event status does not affect the status of these alerts.

  • If you use the Use Recommended Handling Policy option to change the status of an event to Handling, the status of associated alerts is unaffected. You can still associate new alerts with the event.

Add Alert to Whitelist

Procedure

  1. Go to the event details page. On the Alert tab, select the alert to whitelist and click Add Alert to Whitelist in the Actions column.

  2. (Optional) Add a new alert whitelist rule. You can click Create Rule to configure multiple whitelist rules.

    Important
    • Multiple rules have an "OR" relationship: the whitelist takes effect if any one of the rules matches.

    • Keep the rules precise to avoid an overly broad scope. For example, "Path contains: /data/" also whitelists every other directory under /data/, including sensitive ones, which increases security risk.

    Each rule has four configuration boxes from left to right, as described below:

    1. Alert information field: On the details page, under More Information, you can see which alert information fields are supported for the current alert.

    2. Condition type: Supports operations such as Regex Match, greater than, equal to, less than, and contains. Examples:

      • Regular expression: Use a regular expression to precisely match content with specific patterns. For example, to whitelist all content under the "/data/app/logs/" folder, you can set the rule "Path matches regex: ^/data/app/logs/.*". This will match all files or processes in that folder and its subdirectories.

      • Contains keyword: Set a rule "Path contains: D:\programs\test\". All events whose paths contain this folder will be whitelisted.

    3. Condition value: Supports constants and regular expressions.

    4. Applicable assets:

      • All assets: Takes effect for newly added assets and all existing assets.

      • Only for the current asset: Takes effect only for the asset involved in the current alert.

  3. Click OK.

Impact of the operation

Warning

After an alert is whitelisted, notifications for the same or matching alerts will no longer be sent. Use this feature with caution.

  • For the current alert:

    • The status of the current alert changes to Manually Add to Whitelist.

    • If the same alert occurs again, a new alert will not be generated. Instead, the latest occurrence time of the current alert will be updated.

      What is the same alert?

      The same alert refers to a security threat with highly consistent alert features. For example:

      • Virus-related alerts: The same asset, virus file path, and virus file MD5.

      • Abnormal logon: The same asset and logon IP address.

  • For subsequent alerts:

    • If you set a specific whitelist rule, Security Center no longer associates alerts that match this rule with the security event.

    • When an alert that matches a custom whitelist rule occurs again, it will automatically be added to the handled list with the status Automatically Add to Whitelist, and no alert notification will be sent.

  • For other alerts: A whitelist rule takes effect only for alerts with the specified alert name that meet the conditions. It does not affect other alerts for which no rules are set.
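To make the rule semantics in the procedure above concrete (OR between rules, per-asset scope, anchored regex versus "contains"), together with the "same alert" de-duplication described under Impact of the operation, here is an added example for this page. It is not Security Center's implementation; the Rule fields, condition names, sample alert records, status strings, and the exact de-duplication keys in SAME_ALERT_KEY are assumptions based on the text.

```python
"""Added example: a constructed model of whitelist rules and same-alert handling.
Not Security Center code; rule fields, conditions, statuses and data are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    alert_name: str     # a rule applies only to alerts with this name
    field: str          # alert information field, e.g. "path"
    cond: str           # "regex", "contains" or "equals"
    value: str
    scope: str = "all"  # "all" assets, or one asset id (only the current asset)

    def matches(self, alert: dict) -> bool:
        if alert.get("name") != self.alert_name:
            return False
        if self.scope != "all" and alert.get("asset") != self.scope:
            return False
        v = alert.get(self.field)
        if v is None:
            return False
        if self.cond == "regex":
            return re.match(self.value, v) is not None
        if self.cond == "contains":
            return self.value in v
        if self.cond == "equals":
            return v == self.value
        raise ValueError(f"unknown condition {self.cond}")


def is_whitelisted(alert: dict, rules) -> bool:
    # Rules combine with OR: a single matching rule is enough.
    return any(r.matches(alert) for r in rules)


def whitelisted_paths(rule: Rule, alerts) -> list:
    """Which of the given alerts one rule would silence; dry-run a rule before saving it."""
    return [a["path"] for a in alerts if rule.matches(a)]


# "Same alert" keys per alert type, following the page's description.
SAME_ALERT_KEY = {
    "virus": ("asset", "path", "md5"),
    "abnormal_logon": ("asset", "logon_ip"),
}


def ingest(store: dict, rules, alert: dict) -> str:
    """Apply the described effects to a new occurrence and return its status.
    `store` maps same-alert keys to the stored alert record."""
    key = (alert["name"],) + tuple(alert.get(f) for f in SAME_ALERT_KEY[alert["type"]])
    if key in store:
        # Repeat of a known alert: no new alert, only the latest occurrence time moves.
        store[key]["last_seen"] = alert["time"]
        return store[key]["status"]
    status = "Automatically Add to Whitelist" if is_whitelisted(alert, rules) else "Unhandled"
    store[key] = {"status": status, "last_seen": alert["time"], "notified": status == "Unhandled"}
    return status


# Constructed sample virus alerts (not real data).
SAMPLE_ALERTS = [
    {"type": "virus", "name": "Malicious file", "asset": "i-web01", "path": "/data/app/logs/app.log", "md5": "0" * 32, "time": 1},
    {"type": "virus", "name": "Malicious file", "asset": "i-web01", "path": "/data/secrets/id_rsa",   "md5": "1" * 32, "time": 2},
    {"type": "virus", "name": "Malicious file", "asset": "i-db01",  "path": "/data/app/logs/x.sh",    "md5": "2" * 32, "time": 3},
]
BROAD = Rule("Malicious file", "path", "contains", "/data/")               # the over-broad rule the page warns about
PRECISE = Rule("Malicious file", "path", "regex", r"^/data/app/logs/.*")   # the page's anchored example

if __name__ == "__main__":
    print("broad rule silences:  ", whitelisted_paths(BROAD, SAMPLE_ALERTS))
    print("precise rule silences:", whitelisted_paths(PRECISE, SAMPLE_ALERTS))
```

Running the dry-run before saving a rule shows the difference in one line: the "contains" rule also silences /data/secrets/id_rsa, while the anchored regex only covers the log directory. Note that re.match anchors at the start of the string; if the console's Regex Match does not, keep the explicit ^ anchor as the page's example does.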

Cancel Whitelisting

  • Cancel an automatic whitelist rule

    Important
    • This action affects only subsequently generated alerts. Alerts that match the whitelist rule are no longer automatically whitelisted.

    • This has no effect on already handled alerts. The alert status remains unchanged.

    1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

      Note

      If you have purchased the Agentic SOC service, in the navigation pane on the left, choose Agentic SOC > Alert.

    2. In the upper-right corner of the CWPP tab, click Cloud Workload Alert Management and select Alert Settings.

    3. On the Alert Settings page, in the Alert Handling Rule section, set Handling Method to Automatically Add to Whitelist.

    4. Find the target rule and click Delete in the Actions column to cancel the automatic whitelist rule.

  • Cancel whitelisting for an alert

    Important

    After you cancel the whitelisting, the alert reappears in the Unhandled alert list. You must re-evaluate and handle the alert.

    1. Log on to the Security Center console. In the navigation pane on the left, choose Detection and Response > Alert.

      Note

      If you have purchased the Agentic SOC service, in the navigation pane on the left, choose Agentic SOC > Alert.

    2. On the CWPP tab, set the Handled or Not filter to Handled.

    3. Find the alert data that you want to remove from the whitelist and click the Remove from Whitelist button in the Actions column to cancel the whitelisting for the current alert.

      Note

      You can also select multiple alert data items and click the Remove from Whitelist button at the bottom of the list to perform a batch cancellation.


Run Playbook

Procedure

  1. On the event details page, locate the entity to handle on the Entity tab.

  2. In the Actions column, click Run Playbook. On the Run Playbook configuration page, configure the playbook parameters as described below.

    • Playbook: The system automatically retrieves the corresponding built-in playbook based on the type of the current entity.

      Important

      If the built-in playbooks do not meet your needs, you can use the Response Orchestration feature provided by Agentic SOC to create custom playbooks.

    • Action validity period: The period during which the playbook runs. The playbook will no longer be executed after this period expires.

    • Destination account: The current account and manageable member accounts. For more information about how to manage member accounts, see Multi-account security management.

  3. Click OK.

Impact of the operation

The event is handled according to the process configured in the playbook (such as blocking an IP address), and the event status is changed to Processed.

Update Incident Status

Procedure

  1. On the event details page, click the Incident Response drop-down list in the upper-right corner and select Update Incident Status. Alternatively, on the Security Incident page, find the target event, click the Response drop-down list in the Actions column, and select Update Incident Status.

  2. In the Update Incident Status dialog box, select Handled, Unhandled, or Handling.

  3. (Optional) Add a remark, such as "I have handled this manually", "Ignore", "Manually whitelisted", or "Re-handle".

Impact of the operation

  • If you update the status to Handled:

    • All unhandled alerts associated with the event are updated to Handled in the security incident, and information about the security event operations is added to the alert details.

      Important

      For Cloud Workload Protection Platform (CWPP) "Precision Defense" alerts, the default status is "Handled" (defend only, no notification). Updating the security event status does not affect the status of these alerts.

    • Subsequent alerts are no longer associated with the current security event. They will generate a new security event.

  • If the status of the event is Unhandled or Handling, you can select a different handling method.

Manage event properties

The following management operations are available:

  • Update Owner: Security event response often involves multiple teams and members. To keep the workflow clear, assign or change the event owner at different stages of the process.

  • Update Incident Level: Adjust the event's risk level. If the automatically assigned risk level is too high or too low, you can change it manually. This helps your team prioritize responses and allocate resources to the most urgent events.

Update Owner

Procedure

  1. Go to the event details page. In the upper-right corner, under Incident Response, click Update Owner. Alternatively, on the Security Incident page, find the event, click Response in the Actions column, and select Update Owner.

  2. In the dialog box that appears, enter the following information and click OK.

    • Owner: Select the current account or a Resource Access Management (RAM) user under the account.

      Important

      Ensure that the target Owner (RAM user) has the necessary permissions to handle security events.

    • Remarks: Enter handover instructions, suggestions, or other notes. This helps the new owner quickly understand the context and begin work.

Impacts

When the operation is complete, the system creates a change record. View the details of this change in the Activity Log on the Response Activity tab of the event details page.

Update Incident Level

Procedure

  1. Go to the event details page. In the upper-right corner, under Incident Response, click Update Incident Level. Alternatively, on the Security Incident page, find the event, click Response in the Actions column, and select Update Incident Level.

  2. In the dialog box that appears, modify the Incident Severity and Remarks.

Operational Impact

After you change the level, the system records the operation in the event's activity log. View the details of this change in the Activity Log on the Response Activity tab of the event details page.

Export security events

You can export security event details to a local Excel file. This helps different departments collaborate on security events and facilitates internal information sharing and event tracking.

  1. (Optional) On the Security Incident page, set filter conditions such as event risk level, status, and occurrence time.

  2. Select the security events to download (up to 1,000 records), and click the export icon in the upper-right corner of the security event list.

  3. After the file is exported, click Download to save the file to your local machine.

    Note

    The exported file contains three tabs: a list of security event records, a list of assets involved in the security events, and a list of entities involved in the security events.

Threat prevention

To prevent future virus attacks, harden the server. This makes it more difficult and costly for an attacker to breach its defenses.

  • Upgrade Security Center: The Enterprise and Ultimate editions support automatic virus isolation, which provides precise defense and more security check items.

  • Tighten access control: Open only necessary service ports, such as 80 and 443. Configure strict IP address whitelists for management ports, such as 22 and 3389, and database ports, such as 3306.

    Note

    For Alibaba Cloud ECS servers, see Manage Security Groups.

  • Set complex server passwords: Create complex passwords that contain uppercase letters, lowercase letters, digits, and special characters for your servers and applications, and do not reuse a password across servers.

  • Upgrade software: Promptly update your applications to the latest official versions. Avoid using old versions that are no longer maintained or that have known security vulnerabilities.

  • Perform regular backups: Create an automatic snapshot policy for important data and system disks.

    Note

    If you use an Alibaba Cloud ECS server, see Create an automatic snapshot policy.

  • Fix vulnerabilities promptly: Regularly use the Vulnerability Fix feature in Security Center to promptly fix important system vulnerabilities and application vulnerabilities.

  • Reset the server system (use with caution).

    If a virus deeply infects the system and compromises underlying system components, we strongly recommend that you back up important data and then reset the server. Perform the following steps:

    1. Create a snapshot to back up important data on the server. For more information, see Create a snapshot.

    2. Reinitialize the operating system of the server. For more information, see Reinitialize a system disk.

    3. Create a disk from the snapshot. For more information, see Create a data disk from a snapshot.

    4. Attach the disk to the server on which you reinstalled the operating system. For more information, see Attach a data disk.
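The "tighten access control" item above is easy to verify offline once you have the inbound rules of a security group. The following is an added example for this page, not an Alibaba Cloud tool: it audits a constructed list of inbound rules, shaped like the permission entries that the ECS DescribeSecurityGroupAttribute API returns (the field names IpProtocol, PortRange, SourceCidrIp, Policy, and Direction are an assumption; check them against the API reference), and flags rules that expose the management ports 22 and 3389 or the database port 3306 to anything outside an approved admin CIDR list. The rule list and the admin CIDRs are constructed sample data.

```python
"""Added example: audit inbound security group rules for exposed admin/database ports.
Not an Alibaba Cloud tool; the rule field names and sample data are assumptions."""
import ipaddress

# Ports the page says should only be reachable from whitelisted IP addresses.
RESTRICTED_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}


def parse_port_range(port_range: str):
    """'22/22' -> (22, 22); '-1/-1' (protocol ALL) means every port."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)


def source_is_approved(cidr: str, admin_cidrs) -> bool:
    """True when the rule's source range lies entirely inside one approved admin range."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.subnet_of(ipaddress.ip_network(a)) for a in admin_cidrs)


def audit(rules, admin_cidrs):
    """Return one finding per inbound Accept rule that exposes a restricted port
    to a source outside admin_cidrs."""
    findings = []
    for r in rules:
        if r.get("Direction", "ingress") != "ingress" or r.get("Policy", "Accept") != "Accept":
            continue
        lo, hi = parse_port_range(r["PortRange"])
        exposed = [p for p in RESTRICTED_PORTS if lo <= p <= hi]
        if exposed and not source_is_approved(r["SourceCidrIp"], admin_cidrs):
            findings.append({
                "ports": exposed,
                "source": r["SourceCidrIp"],
                "fix": f"Limit port(s) {exposed} to an admin CIDR instead of {r['SourceCidrIp']}",
            })
    return findings


# Constructed sample rules (not real data).
RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443",   "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",     "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",     "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "10.0.0.0/8"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1",     "SourceCidrIp": "198.51.100.5/32"},
    {"Direction": "egress",  "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1",     "DestCidrIp": "0.0.0.0/0"},
]
ADMIN_CIDRS = ["203.0.113.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    for f in audit(RULES, ADMIN_CIDRS):
        print(f["fix"])
```

The public web ports 80 and 443 open to 0.0.0.0/0 produce no finding; the SSH rule open to the world and the "all ports" rule from an unlisted host do. The "all ports" case is why the check expands -1/-1 rather than matching port numbers literally: a catch-all rule from an unapproved host exposes every restricted port at once.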

Quotas and limits

  • Data retention: The Security Incident page displays events from the last 180 days for viewing and handling.

  • Entity details: An entity's details page shows the count of associated events, alerts, and response tasks from the last 30 days.

  • Export limit: You can export a maximum of 1,000 security event records at a time.

  • Status synchronization: Updating the status of a security event does not affect the status of CWPP 'Precision Defense' alerts. By default, these alerts are set to 'Handled', which means the system provides defense but does not send a notification.