Cloud Threat Detection and Response (CTDR) in Security Center analyzes the context of multiple security alerts based on predefined or custom rules. CTDR aggregates the alerts into complete events, reconstructs attack chains, and extracts malicious entities to help you quickly respond to and handle security risks in the cloud. This topic describes how to handle security events that CTDR generates.
Notes
After you activate the Cloud Threat Detection and Response (CTDR) service, security events that are generated from Cloud Workload Protection Platform (CWPP) security alerts are migrated to CTDR for handling. The handling process is the same as that for security events generated by CTDR. For more information about CWPP security events, see Overview of CWPP security events.
Concepts of CTDR security events
Source of CTDR security events
Cloud Threat Detection and Response (CTDR) in Security Center generates multiple security alerts based on predefined or custom rules. CTDR then analyzes the context of these security alerts and aggregates them into complete events.
To view CTDR alert information, go to and click the Aggregate and Analyze Alerts or Custom Alert Analysis tab.
For more information about how to configure predefined and custom rules, see Configure threat detection rules.
Generation mechanism of CTDR security events
CTDR security events are generated by aggregating multiple related security alerts based on predefined or custom rules. This lets you quickly detect and respond to security threats. Security events are classified into the following two types based on the device that generates the alerts:
Network-side: CTDR focuses on hacker reconnaissance activities, such as scans or probes. It generates events from network-side alerts based on predefined rules to prevent attackers from probing your information further.
Host-side: CTDR uses graph computing to aggregate related host-side alerts, such as alerts that have the same MD5 hash or parent process ID. This helps you quickly locate the attack entry point and respond.
Not all alerts generate security events. An alert triggers event generation only if it meets the following conditions:
All host-side alerts generate security events: a host-side alert that has no correlation with other alerts generates an event on its own. Network-side alerts generate security events only if they hit an event aggregation policy in a predefined or custom rule.
If you configure a whitelist rule for events, alerts that hit the rule do not generate events.
If only predefined rules are enabled, events are generated only from alerts that hit the Graph Computing or Expert Rule event generation method in a predefined rule.
Event retention period
The Security Incident page displays events from the last 180 days only.
Security event risk levels and handling instructions
Risk level | Description | Handling instructions |
Serious | | Review and handle this event immediately. |
High Risk | | Review and handle this event immediately. |
Medium Risk | The behavior indicates a suspected malicious behavior or entity. The event might be a successful intrusion that has affected your assets. The event could also be caused by unusual O&M activities, such as an abnormal logon. | This risk level indicates a probability that your assets are under attack. Review the event details to determine if a risk exists and handle it accordingly. |
Low Risk | The behavior indicates a possibility of a successful intrusion. The behavior could also indicate that your assets are undergoing continuous external attack probes, such as access from 106.11.XX.XX. | If you have high security requirements for your assets, you can follow security events at this level. |
Reminder | These are alerts from job automation software. The alerts indicate only that certain jobs have run or reached specific milestones. | These events can be ignored. |
Objects for handling CTDR security events
Handling a security event involves addressing the aggregated alerts and the extracted alert entities.
CTDR security alerts
CTDR generates multiple security alerts based on predefined or custom rules. CTDR then analyzes the context of these alerts and aggregates them into security events.
The alert aggregation rules are as follows:
For security events generated by graph computing, the maximum number of alerts is 2,000. For other event generation methods, such as aggregation of similar items, the maximum is 10,000.
For events in the Unhandled state, new alerts can be continuously aggregated into the event.
For events in the Handling, Handled, or Handling Failed state, new alerts are not aggregated into the existing event. Instead, a new event is generated in the Unhandled state.
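The generation mechanism above (host-side alerts correlated by shared MD5 or parent process ID, network-side alerts only on a policy hit, whitelisted alerts dropped) and the aggregation rules just listed (per-method alert caps, only Unhandled events absorb new alerts, a new Unhandled event otherwise) can be walked through in a small model. The following is an added example written for this page; it is not Security Center's implementation. The alert fields, the whitelist keyed on source IP, the "similar items" grouping on the policy name, and opening a fresh event once a cap is reached are assumptions of the model; the caps (2,000 and 10,000) and the 180-day retention window come from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Caps stated on the page. Opening a fresh event once a cap is reached is an
# assumption of this model, not documented behaviour.
MAX_ALERTS = {"graph_computing": 2000, "similar_items": 10000}
RETENTION = timedelta(days=180)   # Security Incident page shows the last 180 days


@dataclass
class Alert:
    alert_id: str
    side: str                          # "host" or "network"
    md5: Optional[str] = None          # file hash: host-side correlation key
    parent_pid: Optional[int] = None   # parent process ID: host-side correlation key
    src_ip: Optional[str] = None
    rule_hit: Optional[str] = None     # aggregation policy a network alert matched (assumed field)


@dataclass
class Event:
    event_id: int
    method: str                        # "graph_computing" or "similar_items"
    created_at: datetime
    status: str = "Unhandled"          # Unhandled / Handling / Handled / Handling Failed
    alerts: list = field(default_factory=list)

    def correlates(self, alert: Alert) -> bool:
        """Graph computing joins host-side alerts that share an MD5 or parent PID."""
        for a in self.alerts:
            if alert.md5 is not None and alert.md5 == a.md5:
                return True
            if alert.parent_pid is not None and alert.parent_pid == a.parent_pid:
                return True
        return False

    def accepts(self) -> bool:
        """Only Unhandled events keep absorbing alerts, and only up to the cap."""
        return self.status == "Unhandled" and len(self.alerts) < MAX_ALERTS[self.method]


class Aggregator:
    def __init__(self, whitelisted_ips=()):
        self.events: list = []
        self.whitelisted_ips = set(whitelisted_ips)   # assumed whitelist rule: source IP

    def _open_event(self, method: str, alert: Alert, now: datetime) -> Event:
        ev = Event(len(self.events) + 1, method, now, alerts=[alert])
        self.events.append(ev)
        return ev

    def ingest(self, alert: Alert, now: datetime) -> Optional[Event]:
        """Return the event the alert joined or opened, or None if it generated none."""
        if alert.src_ip in self.whitelisted_ips:      # whitelisted: no event at all
            return None
        if alert.side == "host":
            # Every host-side alert yields an event: join a correlated Unhandled one,
            # otherwise become a single-alert event.
            for ev in self.events:
                if ev.method == "graph_computing" and ev.accepts() and ev.correlates(alert):
                    ev.alerts.append(alert)
                    return ev
            return self._open_event("graph_computing", alert, now)
        if alert.rule_hit is None:                     # network-side: needs a policy hit
            return None
        for ev in self.events:
            if (ev.method == "similar_items" and ev.accepts()
                    and ev.alerts[0].rule_hit == alert.rule_hit):
                ev.alerts.append(alert)
                return ev
        return self._open_event("similar_items", alert, now)

    def set_status(self, event_id: int, status: str) -> None:
        self.events[event_id - 1].status = status

    def visible(self, now: datetime) -> list:
        return [ev for ev in self.events if now - ev.created_at <= RETENTION]


def demo() -> dict:
    """Constructed alerts that walk through each rule on the page."""
    now = datetime(2024, 1, 1)
    agg = Aggregator(whitelisted_ips={"198.51.100.7"})       # constructed whitelist
    agg.ingest(Alert("a0", "host", md5="aaaa"), now - timedelta(days=200))   # aged out of view
    agg.ingest(Alert("a1", "host", md5="bbbb", parent_pid=1200), now)
    agg.ingest(Alert("a2", "host", parent_pid=1200), now)     # same parent PID as a1
    agg.ingest(Alert("a3", "host", md5="cccc"), now)          # uncorrelated: event on its own
    agg.ingest(Alert("n1", "network", src_ip="203.0.113.5", rule_hit="port_scan"), now)
    agg.ingest(Alert("n2", "network", src_ip="203.0.113.5"), now)            # no policy hit
    agg.ingest(Alert("n3", "network", src_ip="198.51.100.7", rule_hit="port_scan"), now)
    agg.set_status(2, "Handled")                              # close the a1/a2 event
    agg.ingest(Alert("a4", "host", parent_pid=1200), now)     # correlates, but event is Handled
    agg.ingest(Alert("n4", "network", src_ip="203.0.113.9", rule_hit="port_scan"), now)
    return {
        "event_count": len(agg.events),
        "alerts_per_event": [[a.alert_id for a in ev.alerts] for ev in agg.events],
        "statuses": [ev.status for ev in agg.events],
        "visible_count": len(agg.visible(now)),
    }
```

Running `demo()` shows the rules in order: `a1` and `a2` land in one event through the shared parent PID, `a3` becomes a single-alert event, `n2` and `n3` generate nothing (no policy hit, whitelisted), and `a4`, although it correlates with the closed `a1`/`a2` event, opens a new Unhandled event instead of reopening the Handled one. The 200-day-old event is still stored but no longer within the 180-day window the page displays.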
Entities
In a security event, an entity is a specific object or actor that is associated with the event. Security Center can extract and aggregate entities from security alerts. An entity is classified as malicious or non-malicious based on whether it has a malicious tag. You can view entity details, run playbooks, and query Alibaba Cloud Threat Intelligence. Security Center can identify the following types of entities:
Entity name | Is asset entity | Can be marked as malicious |
Host | Yes | No |
IP address | Yes | Yes |
Alibaba Cloud account | Yes | No |
AccessKey pair | Yes | No |
Domain name | Yes | Yes |
File | No | Yes |
Host process | No | Yes |
Host account | No | No |
URL | No | No |
Registry | No | Yes |
Container | Yes | No |
Cluster | Yes | No |
Object Storage Service | Yes | No |
Event handling
Difference | With the CTDR value-added service | Without the CTDR value-added service |
Supported event types | | Security events are generated by aggregating Cloud Workload Protection Platform (CWPP) security alerts, such as intrusion detection and defense alerts for Security Center hosts and containers, using graph computing. For more information, see Overview of CWPP (Cloud Workload) security events. |
Event handling methods | | |