
Security Center:Overview

Last Updated: Sep 19, 2023

If you want to manage alerts and logs of multiple Alibaba Cloud services that belong to different Alibaba Cloud accounts, you can use the threat analysis feature of Security Center. The services include Cloud Firewall and Virtual Private Cloud (VPC). The threat analysis feature allows you to perform closed-loop cloud security operations in a centralized manner. For example, you can continuously monitor your assets, analyze detected risks, inspect events, and handle the risks and events.

Background information

As cloud computing develops rapidly, an increasing number of enterprises are migrating workloads to the cloud and must ensure the security and compliance of their cloud resources. They must also handle increasingly complex attacks that evolve with network attack techniques, which traditional security solutions cannot adequately protect against. These enterprises recognize that security is essential to information development and focus more on identifying and preventing security risks.

To help resolve the preceding issues, Alibaba Cloud offers the threat analysis feature in Security Center. This can help you harden the security of services and identify and respond to security events at the earliest opportunity.

How threat analysis works

Threat analysis provides a cloud-native management solution for security information and events. The feature collects security logs and alerts from different Alibaba Cloud accounts and services, aggregates and analyzes related alerts and logs based on predefined and custom detection rules, and generates security events that contain complete attack chains.

Threat analysis also supports Security Orchestration, Automation, and Response (SOAR). You can create playbooks that handle events and block or quarantine specific resources in coordination with other Alibaba Cloud services, which helps you handle security events quickly.
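As an added illustration of the association analysis described above (not Security Center code), the following Python correlates constructed logs from two accounts and two services into one event that carries an attack chain. The record fields, the brute-force threshold, the host-to-IP inventory, and the chain stage names are assumptions made for the example.

```python
"""Added example: build one security event with an attack chain from logs of
several accounts and services. Field names and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample logs from accounts A and B (log types named on the page).
LOGS = [
    {"acct": "A", "svc": "SecurityCenter", "type": "failed_host_logon", "src": "203.0.113.7", "host": "web-1", "ts": 100},
    {"acct": "A", "svc": "SecurityCenter", "type": "failed_host_logon", "src": "203.0.113.7", "host": "web-1", "ts": 104},
    {"acct": "A", "svc": "SecurityCenter", "type": "failed_host_logon", "src": "203.0.113.7", "host": "web-1", "ts": 109},
    {"acct": "A", "svc": "SecurityCenter", "type": "logon", "src": "203.0.113.7", "host": "web-1", "ts": 130},
    {"acct": "A", "svc": "SecurityCenter", "type": "process_startup", "host": "web-1", "ts": 140},
    {"acct": "B", "svc": "CloudFirewall", "type": "alert", "src": "10.0.1.4", "dst": "10.0.2.9", "ts": 151},
]
HOST_IP = {"web-1": "10.0.1.4"}  # constructed asset inventory: host -> private IP


def correlate(logs, fail_threshold=3, window=60):
    """Return events; each event lists correlated logs as (stage, detail) steps."""
    logs = sorted(logs, key=lambda r: r["ts"])
    fails = defaultdict(list)  # (src, host) -> failed host logon records
    events = []
    for r in logs:
        key = (r.get("src"), r.get("host"))
        if r["type"] == "failed_host_logon":
            fails[key].append(r)
        elif r["type"] == "logon":
            # Rule: N failed logons from the same source within the window,
            # followed by a successful logon, opens a new event.
            recent = [f for f in fails[key] if r["ts"] - f["ts"] <= window]
            if len(recent) >= fail_threshold:
                events.append({"host": r["host"], "accounts": {r["acct"]}, "chain": [
                    ("initial_access", f"{len(recent)} failed logons then logon from {r['src']} on {r['host']}")]})
        else:
            # Attach follow-on activity on the same host, including alerts
            # raised in another account, to already open events.
            for ev in events:
                if r["type"] == "process_startup" and r.get("host") == ev["host"]:
                    ev["chain"].append(("execution", f"process startup on {ev['host']}"))
                elif r["type"] == "alert" and r.get("src") == HOST_IP.get(ev["host"]):
                    ev["accounts"].add(r["acct"])
                    ev["chain"].append(("lateral_movement",
                                        f"{r['svc']} alert in account {r['acct']}: {r['src']} -> {r['dst']}"))
    return events


if __name__ == "__main__":
    for ev in correlate(LOGS):
        print(ev["host"], sorted(ev["accounts"]), [s for s, _ in ev["chain"]])
```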

Supported services and log types

| Service | Log type |
| --- | --- |
| Security Center | Alert logs, configuration assessment logs, vulnerability logs, and baseline logs of Security Center; logon logs, network connection logs, process startup logs, file read and write logs, failed host logon logs, and failed MySQL and FTP logon logs; account snapshot logs, network snapshot logs, process snapshot logs, and port snapshot logs; Internet HTTP logs, Internet session logs, Internet DNS logs, and DNS logs |
| Web Application Firewall (WAF) | Alert logs of WAF, flow logs of WAF, and flow logs of WAF 3.0 |
| Cloud Firewall | Alert logs and flow logs of Cloud Firewall |
| Anti-DDoS | Flow logs of Anti-DDoS Pro, flow logs of Anti-DDoS Pro and Anti-DDoS Premium, and logs of Anti-DDoS Origin |
| Bastionhost | Bastionhost logs |
| CDN | Flow logs of CDN and flow logs of CDN WAF |
| API Gateway | API Gateway logs |
| Container Service for Kubernetes (ACK) | Audit logs of Kubernetes resources |
| PolarDB | Audit logs of PolarDB-X 1.0 and PolarDB-X 2.0 |
| ApsaraDB for MongoDB | Operation logs and audit logs of ApsaraDB for MongoDB |
| ApsaraDB RDS | Audit logs of ApsaraDB RDS |
| Virtual Private Cloud (VPC) | Flow logs of VPC |
| Elastic IP Address (EIP) | Flow logs of elastic network interfaces (ENIs) |
| Server Load Balancer (SLB) | Layer 7 logs of Classic Load Balancer (CLB) and flow logs of Application Load Balancer (ALB) |
| Object Storage Service (OSS) | Batch deletion logs of OSS, metering logs of OSS, and flow logs of OSS |
| Apsara File Storage NAS | Operation logs of NAS NFS |
| Function Compute (FC) | Operation logs of Function Compute |
| ActionTrail | ActionTrail logs |
| Cloud Config | Cloud Config logs |

Benefits

  • Centralized management of threats in the cloud

    The feature helps you manage the alerts that are generated for multiple accounts and services, displays the overall security status in the cloud, monitors the security status of workloads in the cloud in real time, and helps improve the efficiency of security operations.

  • Various detection rules

    The feature supports various predefined rules and custom rules that draw on the experience of cloud security experts. It performs association analysis on the logs and behavior data of multiple services to identify the behavior characteristics of lateral movement, both in the early attack phase and after an intrusion. This way, the feature can detect unknown threats.

  • Rapid response to threat events

    The feature helps you rapidly respond to threat events based on built-in event handling processes and common automated orchestration.

  • AI algorithm-based capabilities

    The feature uses AI models for threat investigation and visual traceability, and uses threat intelligence to reduce false positives. The feature performs automated closed-loop operations during detection, response, and tracing, and improves O&M efficiency without affecting overall business security.

Changes in the console after threat analysis is enabled

After you enable the threat analysis feature, Security Center automatically aggregates the security logs of the Alibaba Cloud accounts and Alibaba Cloud services that are added to the feature for monitoring and analysis. As a result, some pages in the Security Center console change as described in the following table.

| Page | Type | Description |
| --- | --- | --- |
| Detection and Response in the navigation pane | Changed | The entry point in the left-side navigation pane is renamed Threat Analysis. |
| Alert Handling | Changed | The page is renamed Alerts. On the Alerts page, you can view the alerts that are generated for the added accounts and services. In the upper-right corner of the Alerts page, you can click Alerts on Host and Container or Global security alert to view the security alert data of Security Center or the security alert data that is aggregated by the threat analysis feature. |
| Incidents Management | New | On the Incidents Management page, you can view and handle threat events that are aggregated by the threat analysis feature. |
| Log analysis | Changed | On the Log analysis page, you can view the logs of the added accounts and services. In the upper-right corner of the Log analysis page, you can click Go to Log Analysis or Go to Global Log Analysis to go to the original Log Analysis page or the Log Analysis page after the threat analysis feature is enabled. |
| Rule management | New | On the Rule management page, you can view the predefined rules that generate alerts and events and configure custom rules that generate alerts and events. |
| SOAR | New | On the SOAR page, you can define event handling actions based on your business requirements and add components such as notification and event forwarding. This helps improve O&M efficiency. |
| Disposal Center | New | On the Disposal Center page, you can monitor the handling results of events in real time based on handling policies and handling tasks. |
| Multi-account Control | Changed | The Account Monitored by Threat Analysis tab is added. On the tab, you can specify the accounts that you want to monitor by using the threat analysis feature. |
| Attack Awareness | Hidden | After you enable the threat analysis feature, you can click View Attack Analysis Results Within Current Account in the upper-right corner of the Alerts page to go to the Attack Awareness page. For more information, see Attack awareness. |
| Investigation | Hidden | After you enable the threat analysis feature, you can perform the following operations to go to the Investigation page: On the Alerts page, click Alerts on Host and Container in the upper-right corner. On the Alert Handling page, click the icon in the Event column to go to the Investigation page. For more information, see View and handle alert events. |