If you want to manage alerts and logs of multiple Alibaba Cloud services that belong to different Alibaba Cloud accounts, you can use the threat analysis feature of Security Center. The services include Cloud Firewall and Virtual Private Cloud (VPC). The threat analysis feature allows you to perform closed-loop cloud security operations in a centralized manner. For example, you can continuously monitor your assets, analyze detected risks, inspect events, and handle the risks and events.
With the rapid development of cloud computing technology, an increasing number of enterprises are migrating workloads to the cloud. They must ensure the security and compliance of cloud resources. These enterprises must also handle various complex attacks that increase with the development of network attack techniques because traditional security solutions cannot provide the required protection capabilities. They are also aware that security is essential to information development. They focus more on the identification and prevention of security risks.
To help resolve the preceding issues, Alibaba Cloud offers the threat analysis feature in Security Center. This can help you harden the security of services and identify and respond to security events at the earliest opportunity.
How threat analysis works
Threat analysis provides a cloud-native solution for security information and event management. The feature collects security logs and alerts from different Alibaba Cloud accounts and services, aggregates and analyzes related alerts and logs based on predefined and custom detection rules to generate security events that contain complete attack chains.
Threat analysis also supports Security Orchestration Automation Response (SOAR). You can create playbooks to handle, block, and quarantine specific resources in coordination with Alibaba Cloud services. This helps you quickly handle security events.
Supported services and log types
Web Application Firewall (WAF)
Alert logs of WAF, flow logs of WAF, and flow logs of WAF 3.0
Alert logs and flow logs of Cloud Firewall
Flow logs of Anti-DDoS Pro, flow logs of Anti-DDoS Pro and Anti-DDoS Premium, and logs of Anti-DDoS Origin
Flow logs of Alibaba Cloud CDN (CDN) and flow logs of CDN WAF
API Gateway logs
Container Service for Kubernetes (ACK)
Audit logs of Kubernetes resources
Audit logs of PolarDB-X 1.0 and PolarDB-X 2.0
ApsaraDB for MongoDB
Operation logs and audit logs of ApsaraDB for MongoDB
Audit logs of ApsaraDB RDS
Virtual Private Cloud (VPC)
Flow logs of VPC
Elastic IP Address (EIP)
Flow logs of elastic network interfaces (ENIs)
Server Load Balancer (SLB)
Layer 7 logs of Classic Load Balancer (CLB) and flow logs of Application Load Balancer (ALB)
Object Storage Service (OSS)
Batch deletion logs of OSS, metering logs of OSS, and flow logs of OSS
Apsara File Storage NAS
Operation logs of NAS NFS
Function Compute (FC)
Operation logs of Function Compute
Cloud Config logs
Alert logs of WAF
Cloud Firewall (CFW)
Alert logs of CFW
Alert logs of WAF
Alert logs of CFW
Standardized data collection
The feature supports collection of alert logs, network logs, system logs, and application logs across services, accounts, and cloud platforms. Cloud platforms include Alibaba Cloud and third-party cloud service providers. This way, data can be standardized and context is enhanced. The feature supports more than 20 cloud services and more than 50 log types.
Multi-dimension threat detection
The feature strengthens the single-point threat detection capabilities of southbound security devices based on threat detection methods such as multi-source data association analysis, AI image-based computing and inference, and real-time updated threat intelligence. The feature provides more than 40 threat detection scenarios and 3 types of event analysis models.
Efficient event investigation
The feature aggregates related alerts to generate security events, and automatically reconstructs the attack timeline and path. The error rate of security events triggered by alerts is only 0.0001%. This enriches event investigation context and accelerates alerting and event handling.
Automated response and orchestration
The feature automatically handles malicious entities based on automatic response rules, playbooks, and collaborates with multiple services. The malicious entities include malicious IP addresses, files, and processes. This way, the emergency response experience is streamlined, normalized, and automated.
Changes in the console after threat analysis is enabled
After you enable the threat analysis feature, Security Center automatically aggregates the security logs of multiple Alibaba Cloud accounts and Alibaba Cloud services that are added to the feature for monitoring and analysis. In this case, some pages in the Security Center console are changed.
Detection and Response in the navigation pane
The entry point in the left-side navigation pane is renamed Threat Analysis.
The page is renamed Alerts. On the Alerts page, you can view the alerts that are generated for the added accounts and services.
In the upper-right corner of the Alerts page, you can click Alerts on Host and Container or Global security alert to view the security alert data of Security Center or the security alert data that is aggregated by the threat analysis feature.
On the Incidents Management page, you can view and handle threat events that are aggregated by the threat analysis feature.
On the Rule management page, you can view the predefined rules to generate alerts and events and configure custom rules to generate alerts and events.
On the SOAR page, you can define event handling actions based on your business requirements and add components such as notification and event forwarding. This helps improve O&M efficiency.
On the Disposal Center page, you can monitor the handling results of events in real time based on handling policies and handling tasks.
The Account Monitored by Threat Analysis tab is added. On the tab, you can specify the accounts that you want to monitor by using the threat analysis feature.
After you enable the threat analysis feature, you can click View Attack Analysis Results Within Current Account in the upper-right corner of the Alerts page to go to the Attack Awareness Page. For more information, see Attack awareness.
After you enable the threat analysis feature, you can perform the following operations to go to the Investigation page: On the Alerts page, click Alerts on Host and Container in the upper-right corner. On the Alert Handling page, click the icon in the Event column to go to the Investigation page. For more information, see View and handle alert events.