
Security Center:Overview of CWPP security incidents

Last Updated:Sep 10, 2025

The host and container protection features of Security Center generate alerts based on your asset protection rules. These alerts are displayed on the Cloud Workload Protection Platform (CWPP) tab of the Alert page. This topic describes the basic concepts of CWPP security incidents.

Overview

Source of CWPP security incidents

Alerts are generated based on the asset protection rules that you configure for host protection and container protection in Security Center. Security Center then uses graph computing technology to aggregate related CWPP alerts into security incidents. For example, it groups alerts that share the same MD5 hash or parent process ID. The overview section of the incident details page lists Security Center as the alert source.

Note

You can view CWPP alert information on the CWPP tab of the Detection and Response > Alert page.

CWPP security incident generation rules

By default, all CWPP alerts generate security incidents, except for Precision-Defense alerts. A host alert that is not related to any other alert generates an incident on its own.

Important

If you configure incident whitelisting rules, alerts that match a rule do not generate a security incident.

Incident retention period

The Security Incident page only displays incidents from the last 180 days.

Incident risk levels and handling instructions

Serious

  Description:

  • The behavior described in the incident causes a service interruption. Key features are inaccessible or the network is completely down. This severely affects service availability, and no workarounds are available.

  • Clear malicious behavior or entities and a definite intrusion were detected.

  • The impact is widespread and involves multiple servers.

  Handling instructions: Review and handle this incident immediately.

High Risk

  Description:

  • Clear malicious behavior or entities were detected. The incident is highly likely to be a successful intrusion that has already affected your assets. Example: abnormal process behavior, such as a reverse shell.

  • Such incidents usually involve only a single machine.

  Handling instructions: Review and handle this incident immediately.

Medium Risk

  Description: Suspected malicious behavior or entities were detected. The incident might be a successful intrusion that has affected your assets. It could also be caused by unusual O&M operations, such as an abnormal logon.

  Handling instructions: This risk level indicates a possibility that your assets are under attack. Review the incident details to determine whether a threat exists and take appropriate action.

Low Risk

  Description: The incident might be a successful intrusion. It could also mean that your assets are undergoing continuous attack probes from an external source, such as access from 106.11.XX.XX.

  Handling instructions: Follow security incidents at this level if your assets have high security requirements.

Reminder

  Description: These are typically alerts from job automation software. They only indicate that certain jobs have run or reached a specific milestone.

  Handling instructions: Such incidents are no cause for concern.

Objects to be handled

You can handle security incidents by addressing the aggregated alerts and extracted alert entities.

CWPP security alerts

CWPP security incidents are generated by aggregating CWPP security alerts using graph computing technology. If an incident is a false positive, you can add it and its associated alerts to a whitelist.

The alert aggregation rules are as follows:

  • A CWPP security incident can aggregate a maximum of 2,000 alerts using graph computing technology.

  • For incidents in the Unhandled state, new alerts can be aggregated into the incident.

  • For incidents in the Handling, Handled, or Handling Failed state, new alerts are not aggregated into the incident. Instead, a new incident is generated in the Unhandled state.
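The aggregation rules above can be modelled as connected components of an alert graph, where two alerts are joined by an edge when they share an indicator (the page names a common MD5 hash or parent process ID). The following is an added example written for this page, not Security Center's own code: it links alerts on those two indicators, keeps adding alerts to an incident only while it is Unhandled and below the 2,000-alert cap, and otherwise opens a fresh Unhandled incident. The class and field names, the merge policy for an alert that bridges two open incidents, the configurable cap, and the sample alerts are assumptions made for the demonstration.

```python
"""Toy model of how CWPP alerts are aggregated into security incidents.

Added example, not Security Center's own code. Two alerts are related when they
share an indicator (a file MD5 hash or a parent process ID, as the page says).
Related alerts form one incident, i.e. one connected component of the alert
graph. The 2,000-alert cap and the rule that only Unhandled incidents accept
new alerts follow the page; everything else here is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_ALERTS_PER_INCIDENT = 2000   # cap stated on the page
OPEN_STATE = "Unhandled"         # the only state that still accepts alerts


@dataclass
class Alert:
    alert_id: str
    host: str
    md5: Optional[str] = None          # hash of the file involved, if any
    parent_pid: Optional[int] = None   # parent process of the flagged process

    def link_keys(self) -> list:
        """Indicators on which this alert can be linked to another one."""
        keys = []
        if self.md5:
            keys.append(("md5", self.md5))
        if self.parent_pid is not None:
            # A PID only means something on one host, so scope the key by host.
            keys.append(("ppid", self.host, self.parent_pid))
        return keys


@dataclass
class Incident:
    incident_id: str
    state: str = OPEN_STATE
    alert_ids: list = field(default_factory=list)
    keys: set = field(default_factory=set)   # indicators seen in this incident


class Aggregator:
    def __init__(self, max_alerts: int = MAX_ALERTS_PER_INCIDENT):
        self.max_alerts = max_alerts
        self.incidents: dict = {}     # incident_id -> Incident
        self._key_owner: dict = {}    # link key -> incident that last used it
        self._counter = 0

    def _new_incident(self) -> Incident:
        self._counter += 1
        inc = Incident(f"INC-{self._counter:04d}")
        self.incidents[inc.incident_id] = inc
        return inc

    def _joinable(self, inc: Incident) -> bool:
        """Page rule: only an Unhandled incident that is under the cap grows."""
        return inc.state == OPEN_STATE and len(inc.alert_ids) + 1 <= self.max_alerts

    def ingest(self, alert: Alert) -> str:
        """Attach the alert to an incident and return that incident's ID."""
        candidates = []   # open incidents this alert links to, in key order
        for key in alert.link_keys():
            owner = self._key_owner.get(key)
            if owner in self.incidents and owner not in candidates \
                    and self._joinable(self.incidents[owner]):
                candidates.append(owner)
        if candidates:
            target = self.incidents[candidates[0]]
            # The alert bridges several open incidents: they are one component,
            # so merge them. Assumption: a merge that would exceed the cap is skipped.
            for other_id in candidates[1:]:
                other = self.incidents[other_id]
                if len(target.alert_ids) + len(other.alert_ids) + 1 <= self.max_alerts:
                    target.alert_ids.extend(other.alert_ids)
                    target.keys.update(other.keys)
                    for k in other.keys:
                        self._key_owner[k] = target.incident_id
                    del self.incidents[other_id]
        else:
            # Nothing open to join (unrelated, or the related incident is being
            # handled / handled / failed / full): a new Unhandled incident is created.
            target = self._new_incident()
        target.alert_ids.append(alert.alert_id)
        for key in alert.link_keys():
            target.keys.add(key)
            self._key_owner[key] = target.incident_id
        return target.incident_id

    def set_state(self, incident_id: str, state: str) -> None:
        self.incidents[incident_id].state = state


def run_demo() -> Aggregator:
    """Constructed scenario: linking, the closed-state rule, and a merge."""
    agg = Aggregator()
    agg.ingest(Alert("a1", "host-1", md5="aaa", parent_pid=100))   # INC-0001
    agg.ingest(Alert("a2", "host-1", md5="bbb", parent_pid=100))   # same parent PID
    agg.ingest(Alert("a3", "host-2", md5="aaa"))                   # same MD5
    agg.ingest(Alert("a4", "host-3", md5="zzz"))                   # unrelated: INC-0002
    agg.set_state("INC-0001", "Handled")
    agg.ingest(Alert("a5", "host-1", md5="aaa"))                   # INC-0001 closed: INC-0003
    agg.ingest(Alert("a6", "host-3", md5="aaa", parent_pid=7))     # joins INC-0003
    agg.ingest(Alert("a7", "host-3", md5="zzz", parent_pid=7))     # bridges 0002 and 0003: merge
    return agg
```

Running `run_demo()` leaves two incidents: INC-0001, closed with a1 to a3, and INC-0002, which absorbed INC-0003 once a7 linked the two open components. Constructing the aggregator with a smaller `max_alerts` shows the cap rule: once an incident is full, the next related alert starts a new Unhandled incident and later alerts follow it there.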

Entities

In a security incident, an entity is a specific object or actor associated with the incident. Security Center extracts and aggregates entities from security alerts. Security Center classifies entities as either malicious or non-malicious based on whether they have malicious tags. You can also view entity details, run playbooks, and query Alibaba Cloud threat intelligence. Security Center can identify the following types of entities:

The entity table has three columns: Entity Name, Is Asset Entity, and Can Be Identified as Malicious. The entity names are:

  • Host

  • IP address

  • Alibaba Cloud account

  • AccessKey pair

  • Domain name

  • File

  • Host process

  • Host account

  • URL

  • Registry

  • Container

  • Cluster

  • Object Storage Service (OSS)

Security incident handling flowchart

[Flowchart: security incident handling]

More services

If you activate the Cloud Threat Detection and Response (CTDR) service, you gain access to additional capabilities for security incident analysis and response. The following table compares the services:

Supported incident types for handling

  With CTDR:

  • Analyzes the context of multiple CTDR security alerts and aggregates them into a complete incident using predefined or custom CTDR rules.

  • Security incidents generated from CWPP security alerts are migrated to CTDR for handling.

  Without CTDR: Security incidents are generated by aggregating CWPP security alerts using graph computing. Examples include intrusion detection and defense alerts for Security Center hosts and containers.

Incident handling methods

  With CTDR:

  • Recommended handling policies

  • Update incident status

  • Add to whitelist

    Important

    • For incidents generated by predefined or custom CTDR rules, only Add Event to Whitelist is supported.

    • For CWPP incidents, both Add Event to Whitelist and Add Alert to Whitelist are supported.

  • Run playbooks

  • Use Security Orchestration and Automation Response (SOAR) for automatic handling

  Without CTDR:

  • Recommended handling policies

  • Update incident status

  • Add to whitelist

    Important

    For CWPP incidents, only Add Alert to Whitelist is supported.

  • Run playbooks