Before responding to a security incident, assess its impact, analyze the attack surface, and identify false positives to avoid disrupting normal operations. Then take action: use a recommended handling policy, run a playbook, add alerts to a whitelist, or update the incident status to close the loop.
Security incident handling flowchart
Assess a security incident
The incident details page gives you everything you need to assess an incident: AI-driven investigation reports, event timelines, alert aggregation, entity analysis, and response activity logs.
Go to the incident details page
Log on to the Security Center console.
In the left-side navigation pane, choose Agentic SOC > Security Events.
Select a time range to find the incident.
Important: The Security Events page shows only incidents from the last 180 days. To find an incident quickly, enable notifications on the System Settings > Notification Settings page and use the incident name from the notification.
In the Actions column, click Details.
Assessment tools and what they reveal
Use the following tools on the incident details page to evaluate urgency, scope, and whether the incident is a false positive.
Security AI Assistant
The Security AI Assistant runs an entity analysis agent to assess the risk level of malicious entities and suggest handling actions.
Investigation and AI analysis
After you upgrade to Security Operations Agent, the system uses Agentic AI as its core engine. The agent deeply integrates with Alibaba Cloud's native security data and infrastructure, and uses autonomous perception, reasoning, and execution to investigate incidents and produce an investigation report.
How the investigation runs:
Initial investigation: After an incident is created, the Incident Investigation Agent triggers automatically.
Follow-up investigation: When new alerts are correlated with the incident, the agent triggers again.
View investigation results:
Go to the incident details page and click Full Report to read the complete report.
For a quick summary, check the AI Analysis column in the security incident list.
AI analysis conclusions:
| Conclusion | Confidence interval | Description |
|---|---|---|
| Likely False Positive | ≤10% | The AI is highly confident this is benign activity, such as a routine scan from a known operations IP address. |
| Unable to Determine | 30%–60% | The AI cannot make a reliable determination because the available information is insufficient: key features or complete logs are missing, or the observed behavior is ambiguous. |
| Confirmed Attack | >85% | The AI found a multi-source evidence chain matching known Tactics, Techniques, and Procedures (TTPs). |
Attack details in the report include affected assets, attack chain, payload analysis, attack timeline, and attack process names.
View investigation records:
On the incident details page, click Response Activity in the upper-right corner.
On the Activity Log tab, set Response Scenario to Event Investigation.
Review the investigation records and result summary in the log list.
Event chain diagram
The event chain diagram shows the attack timeline and provenance graph. The big data analytics engine processes and visualizes data so you can quickly trace the cause and decide on a handling policy.
Click any node to view its details, then use the timeline to evaluate urgency:
High priority: An initial, small-scale probe quickly escalates into multiple related alerts of different types, especially if the attack pace is accelerating and more assets are affected.
Lower priority: No new related alerts have appeared for an extended period and the attack shows no signs of spreading.
If you have Security Operations Agent, the Incident Investigation Agent automatically extracts key entity points, reconstructs entity behaviors as an event chain diagram, and provides a timeline explanation.
Alert
The Alert tab lists all security alerts aggregated into this incident. Use multi-dimensional alert statistics — number of alerts, defense measures, and occurrence times — to determine the attack method, stage, and handling plan.
Assessment examples:
Alert volume: Many alerts of the same or related types may indicate a large-scale attack or a more severe threat.
Defense measures: If the measures taken have not blocked the attack, the urgency of handling increases.
Occurrence time: Alerts concentrated in a specific time window suggest the attack is in an active phase.
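The urgency cues above (the timeline reading in the event chain diagram section and the alert-volume, defense-measure and occurrence-time statistics on the Alert tab) can be turned into a repeatable triage check. The following is an added example, not Security Center code: it scores a constructed incident from its aggregated alerts. Alerts are assumed to be dicts with "time", "type", "asset" and "blocked" keys, and every threshold is illustrative rather than a product setting.

```python
"""Added example (not Security Center code): a rule-of-thumb urgency score for an
aggregated incident, built from the cues the text lists: escalation across alert
types and assets, an accelerating pace, defenses that did not block, and alerts
concentrated in a short window versus a long quiet period.

Assumptions: each alert is a dict with "time" (ISO 8601), "type", "asset" and
"blocked" keys; the thresholds below are illustrative, not product settings.
"""
from datetime import datetime, timedelta


def parse(alerts):
    """Convert times to datetime and sort chronologically."""
    parsed = [{**a, "time": datetime.fromisoformat(a["time"])} for a in alerts]
    return sorted(parsed, key=lambda a: a["time"])


def is_accelerating(times):
    """True when the gaps between consecutive alerts shrink over time
    (average gap in the second half is shorter than in the first half)."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    half = len(gaps) // 2
    first, second = gaps[:half], gaps[half:]
    return sum(second) / len(second) < sum(first) / len(first)


def assess(alerts, now, quiet_period=timedelta(hours=24), burst=timedelta(hours=1)):
    """Return a priority ("high", "medium", "lower") with the reasons behind it."""
    events = parse(alerts)
    if not events:
        return {"priority": "none", "reasons": [], "quiet": True}
    times = [e["time"] for e in events]
    types = {e["type"] for e in events}
    assets = {e["asset"] for e in events}
    reasons = []
    if len(types) > 1 and len(assets) > 1:
        reasons.append(f"{len(types)} alert types across {len(assets)} assets")
    if is_accelerating(times):
        reasons.append("attack pace is accelerating")
    if any(not e["blocked"] for e in events):
        reasons.append("defense measures did not block every alert")
    span = times[-1] - times[0]
    if len(events) >= 3 and span <= burst:
        reasons.append(f"{len(events)} alerts within {span}")
    quiet = now - times[-1] >= quiet_period  # no new alerts for an extended period
    if reasons and not quiet:
        priority = "high"
    elif not reasons and quiet:
        priority = "lower"
    else:
        priority = "medium"
    return {"priority": priority, "reasons": reasons, "quiet": quiet}


NOW = datetime(2024, 5, 6, 10, 0)  # constructed reference time

# Constructed: a probe that escalates within 34 minutes to several alert types on two hosts.
ESCALATING = [
    {"time": "2024-05-06T09:00:00", "type": "Port scan", "asset": "web-01", "blocked": True},
    {"time": "2024-05-06T09:20:00", "type": "Suspicious logon", "asset": "web-01", "blocked": False},
    {"time": "2024-05-06T09:30:00", "type": "Webshell", "asset": "db-01", "blocked": False},
    {"time": "2024-05-06T09:34:00", "type": "Malicious process", "asset": "db-01", "blocked": False},
]

# Constructed: a single blocked scan three days ago with nothing since.
STALE = [
    {"time": "2024-05-03T08:00:00", "type": "Port scan", "asset": "web-01", "blocked": True},
]

if __name__ == "__main__":
    for name, incident in (("escalating", ESCALATING), ("stale", STALE)):
        print(name, assess(incident, NOW))
```

The escalating sample yields "high" with all four reasons recorded; the stale sample yields "lower" because nothing has happened for longer than the quiet period and no escalation cue fired. Recording the reasons, not just the label, is what makes the result useful in the Activity Log for post-incident review.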
Overview area
The Overview area shows basic event information and the ATT&CK attack stage. Use the following data points to evaluate whether the incident needs handling:
Number of affected assets: If core business assets — such as database servers or application servers — are affected, prioritize this incident.
Number of associated alerts: More alerts indicate a wider scope and greater potential risk.
Occurrence time: Recent incidents need faster responses than historical ones because the impact may still be ongoing.
Alert source: Alerts from authoritative detection modules — such as a dedicated virus scanning module — indicate higher risk.
Entity
The Entity section displays the entities extracted from the incident. Supported entity types include hosts, files, processes, IP addresses, and host accounts.
View entities from two dimensions:
All entities: All entities extracted from the incident. For each entity, you can see the number of associated events, alerts, and handling tasks in the last 30 days, and run playbooks.
Affected assets: Assets directly affected by the incident. Use this tab to quickly scope the impact.
Assessment examples using entity data:
In the entity details, view an IP address entity's basic information, Alibaba Cloud threat intelligence, and activity counts. High counts may indicate an attacker is continuously using that IP address — block it.
On the Affected Asset tab, if multiple assets are attacked by the same IP address in the same time window, this suggests a targeted attack — block that IP address.
Response Activity
The Response Activity section provides a complete record of risk analysis and response actions. It gives team members access to handling policies, tasks, and the Activity Log for collaboration and post-incident review.
Access Response Activity from the event details page by clicking Response Activity in the upper-right corner.
Respond to security incidents
Handle security incidents
| Handling method | Description |
|---|---|
| Use a recommended handling policy | Security Center provides handling methods based on Alibaba Cloud security expert experience. After applying a recommended handling policy to malicious entities, the incident and its associated alerts are updated. |
| Whitelist | Add harmless programs, IP addresses, or behaviors to prevent them from triggering alerts. Two options are available: Add Alert to Whitelist (supports Cloud Workload Protection Platform (CWPP) alerts only) and Add to Whitelist as an automated response rule (supports all alerts). |
| Run a playbook | Security Center provides built-in playbooks for handling malicious entities — for example, investigating offline hosts, running in-depth virus scans, or blocking IP addresses with Web Application Firewall (WAF). |
| Update Incident Status | If an incident is a false positive, or you have manually handled all related alerts and entities, set the status to Handled. You can also reset a handled incident to Unhandled or Handling. |
| Automatically handle security incidents | Use the response rule orchestration feature to handle security threat incidents automatically and in batches. |
Use a recommended handling policy
Two types of recommended handling policies are available:
| | System-recommended handling policy | Agent-recommended handling policy |
|---|---|---|
| Core capability | Combines graph computing and large security models to automatically select built-in automated playbooks. | Analyzes the Incident Investigation Agent's conclusions, reviews the root cause analysis and handling suggestions, and selects a suitable playbook. |
| Version requirements | Available in both Agentic SOC Basic Edition and Security Operations Agent. | Available only after upgrading to Security Operations Agent. |
| Policy management | Lets you modify playbooks and action validity periods. | Policy content cannot be modified. |
| Decision basis | Alibaba Cloud security expert experience. | Intelligent analysis by the agent. |
Procedure
On the Security Events page, find the target incident. Click Actions, then click Recommended Response.
Alternatively, go to the incident details page and click Recommended Handling in the lower-left corner.
In the Recommended Handling Policy panel, select the malicious entities to handle.
(Optional) Modify the handling policy: click Edit in the Actions column for the entity, then adjust parameters in the Edit Policy panel.
Action validity period: The period during which the handling policy is effective. The policy automatically expires after this period.
Target account: The current account and manageable member accounts. For more information, see Multi-account security management.
If you have Security Operations Agent, the AI Agent automatically selects a suitable playbook and configures the parameters — no manual modification is needed.
Click Resolve. In the Update Incident Status dialog box, set Event Status to Handling or Handled, then click OK.
Handling: Other actions — such as immediate remediation, source tracing, or vulnerability fixing — are still required.
Handled: No further actions are needed. This has the following effects:
All associated unhandled alerts change to Handled in the security incident.
Subsequent alerts generate a new security event instead of associating with this one.
Important: After this step, Security Center automatically creates a handling policy and runs a handling task. If the task fails, the event status changes to Failed. Otherwise, the status changes to what you specified.
Potential impacts
This operation handles malicious entities by interacting with other Alibaba Cloud products — for example, blocking an IP address.
If you set the status to Handled, all associated unhandled alerts change to Handled in the security incident and event handling information is added to the alert details. New alerts generate a new security event.
Important: Cloud Workload Protection Platform (CWPP) "Precision Defense" alerts have a default status of Handled (defend only, no notification). Updating the incident status does not affect these alerts.
If you set the status to Handling, the status of associated alerts is unchanged. New alerts can still be associated with this incident.
Security Center generates corresponding Handling Policies and Handling Tasks on the Incident Response page.
Whitelist alerts
Whitelisting prevents Security Center from repeatedly generating alerts for normal programs or behaviors — such as suspicious outbound TCP packets that are actually normal business traffic, or scanning behavior that is normal network detection.
Two whitelist options are available. Choose based on the alert type and the scope of protection you need:
| | Add to Whitelist (automated response rule) | Add Alert to Whitelist |
|---|---|---|
| Supported alerts | All alerts. | CWPP alerts only. |
| Impact on the current alert | No impact on the current alert. | The current alert status changes to Manually Add to Whitelist. If the same alert occurs again, no new alert data is generated — only the last occurrence time updates. |
| Rule mechanism | Creates an Automated Rule using Response Rules. Whitelisting conditions are required. Conditions are derived from alert feature fields and entity attribute fields. | Whitelisting conditions are optional. Conditions are derived from alert information fields such as the triggering rule, tags, and image names (visible in the More Information section of alert details). |
| Impact on subsequent alerts | Matching alerts are no longer associated with the incident. CWPP alert status updates to Automatically Add to Whitelist; Agentic SOC alert Add to Whitelist field updates to Yes. No further notifications are sent. | Matching alerts are no longer associated with the security event. When a matching alert occurs again, its status automatically changes to Automatically Add to Whitelist and no notification is sent. |
After an alert is whitelisted, notifications for the same or matching alerts stop.
Add Alert to Whitelist
Procedure
Go to the event details page. On the Alerts tab, find the alert to whitelist and click Add Alert to Whitelist in the Actions column.
(Optional) Add whitelist rules. Click Create Rule to create a rule. Each rule has four fields (configured left to right):
Alert information field: The More Information section on the alert details page lists supported fields for the current alert.
Condition type: Supported operations include Regex Match, greater than, equal to, less than, and contains.
Regular expression: Matches content with specific patterns. For example, set "Path matches regex: ^/data/app/logs/.*" to whitelist all files and processes under "/data/app/logs/" and its subdirectories.
Contains keyword: For example, set "Path contains: D:\programs\test\" to whitelist all events whose paths contain that folder.
Condition value: Supports constants and regular expressions.
Applicable assets:
All assets: Applies to all existing assets and any newly added assets.
Only for the current asset: Applies only to the asset involved in the current alert.
Important: Multiple rules have an OR relationship, so the whitelist triggers if any one condition is met. Make rules precise to avoid an overly broad scope. For example, "Path contains: /data/" might inadvertently whitelist sensitive subdirectories.
Click OK.
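To see how the rule fields above combine, and why the "Path contains: /data/" warning matters, here is an added example that is not Security Center code. It evaluates a small rule set against constructed alerts: a rule is assumed to be a dict with "field", "op", "value" and "scope" ("all" or "current"), an alert is a dict carrying its alert information fields plus "asset", and regex conditions use Python's re.search, so a pattern should start with ^ when it must match from the beginning of the value.

```python
"""Added example (not Security Center code): how whitelist rules of the kind
described above combine, and why an over-broad "contains" condition is risky.

Assumptions: a rule is a dict with "field", "op", "value" and "scope" ("all" or
"current"); an alert is a dict whose keys are the alert information fields plus
"asset". Regex conditions use re.search, so anchor with ^ when the rule should
match from the start of the value. All names and sample data are constructed.
"""
import re

# Condition types listed in the text: regex match, greater than, equal to, less than, contains.
OPS = {
    "regex": lambda actual, expected: re.search(expected, actual) is not None,
    "gt": lambda actual, expected: float(actual) > float(expected),
    "eq": lambda actual, expected: actual == expected,
    "lt": lambda actual, expected: float(actual) < float(expected),
    "contains": lambda actual, expected: expected in actual,
}


def rule_matches(rule, alert, current_asset):
    """One rule matches when the asset scope applies and the field condition holds."""
    if rule.get("scope", "all") == "current" and alert["asset"] != current_asset:
        return False
    actual = alert.get(rule["field"])
    if actual is None:  # the alert does not carry this field
        return False
    return OPS[rule["op"]](str(actual), rule["value"])


def is_whitelisted(rules, alert, current_asset):
    """Rules have an OR relationship: any single matching rule whitelists the alert."""
    return any(rule_matches(r, alert, current_asset) for r in rules)


def whitelisted_ids(rules, alerts, current_asset):
    """Dry run: which of the given alerts would a rule set suppress?"""
    return [a["id"] for a in alerts if is_whitelisted(rules, a, current_asset)]


# Constructed alerts: two log writes, one access to a sensitive key, one Windows path.
ALERTS = [
    {"id": "a1", "asset": "web-01", "path": "/data/app/logs/access.log"},
    {"id": "a2", "asset": "web-01", "path": "/data/secrets/id_rsa"},
    {"id": "a3", "asset": "web-02", "path": "/data/app/logs/error.log"},
    {"id": "a4", "asset": "win-01", "path": "D:\\programs\\test\\run.exe"},
]

# Precise rule from the text: only the log directory and its subdirectories.
PRECISE = [{"field": "path", "op": "regex", "value": r"^/data/app/logs/.*", "scope": "all"}]
# Over-broad rule the text warns about: every path under /data/, secrets included.
BROAD = [{"field": "path", "op": "contains", "value": "/data/", "scope": "all"}]
# The precise rule limited to the asset of the current alert.
CURRENT_ONLY = [{"field": "path", "op": "regex", "value": r"^/data/app/logs/.*", "scope": "current"}]
# The Windows "contains" rule from the text.
WINDOWS = [{"field": "path", "op": "contains", "value": "D:\\programs\\test\\", "scope": "all"}]

if __name__ == "__main__":
    for name, rules in (("precise", PRECISE), ("broad", BROAD),
                        ("current-only", CURRENT_ONLY), ("windows", WINDOWS)):
        print(name, whitelisted_ids(rules, ALERTS, current_asset="web-01"))
```

Running the dry run before clicking OK shows the difference: the precise regex suppresses only the two log alerts, the broad "contains" rule also suppresses the access to /data/secrets/id_rsa, and restricting scope to the current asset leaves the other host's log alert unsuppressed.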
Potential impacts
After whitelisting an alert, notifications for the same or matching alerts stop. Use this feature with caution.
Current alert: What counts as the same alert? Alerts are considered the same when they report a security threat with highly consistent features:
Virus alerts: the asset, virus file path, and virus file MD5 must match.
Abnormal logon alerts: the asset and logon IP address must match.
Subsequent alerts:
Alerts matching the whitelist rule are no longer associated with the security event.
When a matching alert occurs again, its status automatically changes to Automatically Add to Whitelist and no notification is sent.
Other alerts: The whitelist rule applies only to alerts with the specified alert name that meet the rule conditions. Other alerts are not affected.
Cancel whitelisting
Cancel an automatic whitelist rule:
Log on to the console. In the left-side navigation pane, choose Detection and Response > Alert. Note: If you have Agentic SOC, choose Agentic SOC > Alert instead.
On the CWPP tab, click Cloud Workload Alert Management in the upper-right corner and select Alert Settings.
On the Alert Settings page, in the Alert Handling Rule section, select Automatically Add to Whitelist as the handling method.
Find the target rule and click Delete in the Actions column.
Important: This affects only future alerts. Alerts that match the rule are no longer automatically whitelisted from this point on, but alerts that were already whitelisted remain unchanged.
Remove an alert from the whitelist:
Log on to the console. In the left-side navigation pane, choose Detection and Response > Alert. Note: If you have Agentic SOC, choose Agentic SOC > Alert instead.
On the CWPP tab, set the Handled or Not filter to Handled.
Find the alert and click Remove from Whitelist in the Actions column. To remove multiple alerts at once, select them and click Remove from Whitelist at the bottom of the list.
Important: After removal, the alert reappears in the Unhandled alert list and requires re-evaluation.

Add to Whitelist (automated response rule)
Procedure
In the Security Events list, find the target incident. In the Actions column, choose Response > Add to Whitelist.
Alternatively, go to the incident details page. On the Alerts tab, click Add to Whitelist in the Actions column for the alert.
Configure the rule and click OK.
Rule Name: Use a clear, descriptive name — for example, "Incident Handling Whitelist_Backdoor Shell".
Trigger: Defaults to Alert Occurrence (cannot be changed).
Rule Action: Defaults to Add Alert to Whitelist (cannot be changed).
Other configurations: See Configure trigger and execution rules.
Potential impacts
Current incident: The incident status is unchanged. To update it, use Update Incident Status separately.
Current alert: No impact.
Subsequent alerts: For alerts matching the whitelist rule:
CWPP alerts: status automatically updates to Automatically Add to Whitelist. Agentic SOC alerts: the Add to Whitelist field updates to Yes. In both cases, no more notifications are sent.
Matching alerts are no longer associated with the current incident.
Cancel a whitelisting policy
To allow subsequent alerts to associate with the incident or generate new incidents, cancel the whitelisting policy.
For the original Add Event to Whitelist, go to Agentic SOC > Security Events and use Incident Whitelist Settings in the upper-right corner.
Go to Agentic SOC > Response Rules > Automated Rules.
Find the target rule and turn off the Enabling Status switch.
Click Delete in the Actions column.
Update incident status
Procedure
On the event details page, click the Incident Response drop-down list in the upper-right corner and select Update Incident Status. Alternatively, on the Security Events page, find the event, click the Response drop-down list in the Actions column, and select Update Incident Status.
In the Update Incident Status dialog box, select Handled, Unhandled, or Handling.
(Optional) Add a remark — for example, "Handled manually", "Ignore", "Manually whitelisted", or "Re-handle".
Potential impacts
Handled:
All unhandled alerts associated with the event change to Handled in the security incident. Event handling information is added to the alert details. Important: CWPP "Precision Defense" alerts default to Handled (defend only, no notification). Updating the incident status does not affect these alerts.
Subsequent alerts generate a new security event instead of associating with this one.
Unhandled or Handling: The incident remains open for further action.
Run a playbook
Procedure
Go to the event details page. On the Entity tab, find the entity to handle.
In the Actions column, click Handle. On the Handle page, configure the playbook:
Playbook: The system automatically selects the appropriate built-in playbook based on the entity type. Important: If built-in playbooks don't meet your needs, create custom playbooks using the Response Orchestration feature of Agentic SOC.
Action validity period: The duration for which the playbook runs. The playbook stops executing after this period.
Destination account: The current account and the member accounts you manage. For more information, see Multi-account security management.
Click Resolve.
Potential impacts
The event is handled based on the playbook configuration — for example, blocking an IP address — and the event status changes to Handled.
Automatically handle security incidents
Use the response rule orchestration feature of Agentic SOC to handle security incidents automatically and in batches. Configure playbooks and automated response rules to respond to threat incidents without manual intervention. For more information, see Response rules.
Manage event properties
| Operation | When to use |
|---|---|
| Update Owner | Security incident response often involves multiple teams. Assign or transfer the event owner at different stages to maintain a clear workflow. |
| Update Incident Level | If the automatically assigned risk level is too high or too low, adjust it manually. This helps your team prioritize responses and allocate resources effectively. |
Update Owner
Procedure
On the event details page, click Incident Response > Update Owner in the upper-right corner. Alternatively, on the Security Events page, find the event, click Response in the Actions column, and select Update Owner.
In the dialog box, fill in the following and click OK:
Owner: Select the current account or a Resource Access Management (RAM) user of the account. Important: The target Owner (RAM user) must have the necessary permissions to handle security events.
Remarks: Enter handover instructions or context to help the new owner start quickly.
Potential impacts
The system creates a change record. View it in Response Activity > Activity Log on the event details page.
Update Incident Level
Procedure
On the event details page, click Incident Response > Update Incident Level in the upper-right corner. Alternatively, on the Security Events page, find the event, click Response in the Actions column, and select Update Incident Level.
Modify Incident Severity and add Remarks.
Potential impacts
The system records the level change. View it in Response Activity > Activity Log on the event details page.
Export security events
Export security event details to a local Excel file for cross-team collaboration, internal information sharing, and event tracking.
(Optional) On the Security Events page, apply filter conditions such as event risk level, status, and occurrence time.
Select the security events to export (up to 1,000 records), then click the export icon in the upper-right corner. After the export completes, click Download to save the file.
The exported file contains three tabs: security event records, assets involved in the events, and entities involved in the events.
Harden your servers against future attacks
After handling an incident, take the following steps to make it harder for attackers to compromise your systems again.
Upgrade Security Center: The Enterprise and Ultimate editions support automatic virus quarantine and provide more security check items.
Restrict access: Open only necessary service ports (80 and 443). Configure strict IP address whitelists for management ports (22 and 3389) and database ports (3306).
For Alibaba Cloud ECS servers, see Manage security groups.
Use strong passwords: Set passwords with uppercase letters, lowercase letters, digits, and special characters for servers and applications.
Keep software up to date: Update application software to the latest official version to avoid vulnerabilities in unsupported or outdated releases.
Back up data regularly: Create an automatic snapshot policy for important data and system disks.
For Alibaba Cloud ECS servers, see Create an automatic snapshot policy.
Fix vulnerabilities promptly: Use the Vulnerability Fixing feature to patch important system and application vulnerabilities regularly.
Reset the operating system (use with caution): If a virus has deeply infiltrated the system and is associated with underlying components, back up your data and reset the server's OS.
Create a snapshot to back up important data. See Create a snapshot for a disk.
Reinitialize the OS. See Re-initialize a system disk.
Create a cloud disk from the snapshot. See Create a disk from a snapshot.
Attach the cloud disk to the server after reinstalling the OS. See Attach a data disk.
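The "Restrict access" step above is easy to state and easy to regress. As an added example that is not the ECS security-group API or any Alibaba Cloud code, the following offline check compares a weak inbound rule set with a corrected one. Rules are constructed dicts with "port", "cidr" and "action"; real security-group rules carry more fields, and the allowed port sets are assumptions taken from the hardening text that you would adapt to your environment.

```python
"""Added example (not the ECS security-group API): an offline check of inbound
rules against the hardening advice above. A rule is a constructed dict with
"port", "cidr" and "action"; real security-group rules carry more fields, and
the allowed port sets below are assumptions to adapt to your environment.
"""
import ipaddress

SERVICE_PORTS = {80, 443}              # may be open to the internet
RESTRICTED_PORTS = {22, 3389, 3306}    # management and database ports: whitelist only


def is_internet_wide(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits every source address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_exposures(rules):
    """Return one finding per accept rule that violates the port policy."""
    findings = []
    for rule in rules:
        if rule.get("action", "accept") != "accept":
            continue  # drop rules never widen exposure
        port, cidr = rule["port"], rule["cidr"]
        if port in RESTRICTED_PORTS and is_internet_wide(cidr):
            findings.append(f"port {port} accepts {cidr}: restrict to an IP address whitelist")
        elif port not in SERVICE_PORTS and port not in RESTRICTED_PORTS:
            findings.append(f"port {port} accepts {cidr}: not a required service port, close it")
    return findings


# Constructed: the weak configuration, everything open to the internet.
WEAK = [
    {"port": 80, "cidr": "0.0.0.0/0"},
    {"port": 443, "cidr": "0.0.0.0/0"},
    {"port": 22, "cidr": "0.0.0.0/0"},
    {"port": 3306, "cidr": "0.0.0.0/0"},
    {"port": 8080, "cidr": "0.0.0.0/0"},
]

# Constructed: the corrected configuration; 203.0.113.0/24 stands in for an office range.
HARDENED = [
    {"port": 80, "cidr": "0.0.0.0/0"},
    {"port": 443, "cidr": "0.0.0.0/0"},
    {"port": 22, "cidr": "203.0.113.0/24"},
    {"port": 3306, "cidr": "10.0.0.0/8"},
    {"port": 3389, "cidr": "0.0.0.0/0", "action": "drop"},
]

if __name__ == "__main__":
    print("weak:", find_exposures(WEAK))
    print("hardened:", find_exposures(HARDENED))
```

The weak set produces three findings (SSH and MySQL open to every address, plus an unlisted port), while the hardened set produces none: the management and database ports are narrowed to explicit source ranges and the RDP rule is a drop rule. Running a check like this after each security-group change catches the regression before the next incident does.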
Limitations
| Constraint | Detail |
|---|---|
| Data retention | The Security Events page shows incidents from the last 180 days only. |
| Entity details | Counts of associated incidents, alerts, and handling tasks reflect the last 30 days only. |
| Export limit | Up to 1,000 security incident records per export. |
| Status synchronization | Updating a security incident's status does not affect CWPP Precision Defense alerts. These alerts default to Handled (defend only, no notification). |