Handle and manage security events generated by threat analysis after aggregation - Security Center

The threat analysis feature uses predefined or custom detection rules to aggregate multiple related alerts into a security event. This helps you identify and respond to the alerts generated for cloud services in an efficient manner. To improve the security of cloud services and ensure the integrity of your system, we recommend that you check and handle security events on a regular basis.

Prerequisites

The threat analysis feature is purchased and enabled. For more information, see Overview.
Logs of cloud services are added to the threat analysis feature. For more information, see Add logs of cloud services.
A detection rule used to detect alerts and analyze logs is created. For more information, see Create detection rules.

View the details of a security event

Note

If the status of an existing security event is Unhandled and the security event is detected several times, the system adds an alert to the event and does not generate a new security event. If the status of an existing security event is Handling, Handled, or Failed, and the security event is detected several times, the system generates a new security event.

Log on to the Security Center console. In the top navigation bar, select the region in which your asset resides. You can select China or Outside China.
In the left-side navigation pane, choose Threat Analysis and Response > Security Event Handling.

On the Security Event Handling page, find the security event whose details you want to view and click Details in the Actions column.

You can determine the priority of handling a security event based on its risk level. The following table describes the risk levels of security events.

Risk levels of security events

Risk level	Description
High Risk	If a high-risk event is generated, malicious behavior or objects are detected on your assets. A high-risk event is probably a successful intrusion event. We recommend that you check and handle the event at the earliest opportunity. Example: Suspicious process - Reverse shell.
Medium Risk	If a medium-risk event is generated, suspected malicious behavior or objects are detected on your assets. A medium-risk event may be a successful intrusion event. The event may also be triggered by unusual O&M behavior. Example: Unusual logon. A medium-risk event indicates that your assets have a certain probability of being attacked. We recommend that you view the details of the event and check whether risks exist. If risks exist, handle the risks.
Low Risk	If a low-risk event is generated, a successful intrusion may have been performed, or your assets are under continuous external scans and attacks. Example: Access from 106.11.XX.XX. If you have high security requirements for your assets, pay attention to low-risk events.

On the Details page, view the information about the security event on different tabs. The following table describes the tabs.

Tab	Description
Incident Information	This tab displays information such as the Alibaba Cloud account to which the security event belongs, the risk level, description, and occurrence time of the event, and the assets that are affected by the event. To view information about an affected asset, find the asset in the Affected Assets section and move the pointer over Details in the Actions column. In the tooltip that appears, view the asset information such as the asset name, the public and private IP addresses, and the operating system.
Attack Timeline	This tab displays the timeline of alerts that are aggregated into the event. You can view the development process of the event on this tab. This helps you handle and prevent such events. You can click an alert icon to view information about the alert.
Alert	This tab displays the alerts that are aggregated into the event. To view information about an alert and the associated exceptions of the alert, find the alert and click Details in the Actions column.
Incident Source Tracing	This tab displays the event tracing diagram and the preview of original data. The event source tracing feature processes, aggregates, and visualizes logs from various cloud services by using a big data analytics engine. Then, the feature generates an event tracing diagram based on the analysis result. This helps you identify the causes of events and configure event handling policies at the earliest opportunity. To view information about a node, click the node in the diagram. To download the event tracing diagram displayed on the current page, specify the tracing image style, and view the node legend, click the , , and Legend icons in the upper-right corner of the Incident Source Tracing tab. Note The event source tracing feature supports security events that meet all the following conditions: The alerts that are aggregated into the events are reported by Security Center. The event tracing diagrams can be reproduced from the contextual logs of entities involved in the alerts that are aggregated into the events. Entities include IP addresses, processes, files, file paths, logon events, and attack payloads.

Handle security events

To reinforce the security of your system, we recommend that you handle security events that are detected by the threat analysis feature at the earliest opportunity. We also recommend that you handle High Risk security events at the earliest opportunity. You can manually handle security events or initiate automatic event handling.

Manually handle security events: You can review and handle security events based on the risk levels of the events and business scenarios. This method is suitable for complex security events and new types of unknown threats that you need to identify and handle by using professional knowledge.
Initiate automatic event handling: The system automatically handles security events based on the configured playbooks and rules. For example, the system quarantines infected hosts or blocks suspicious IP addresses. This method is suitable for security events that are known and well-defined, and low-complexity threats that you need to handle quickly. For example, the system can automatically handle large amounts of similar low-risk alerts.

Manually handle a security event

In the left-side navigation pane, choose Threat Analysis and Response > Security Event Handling.
On the Security Event Handling page, find the event that you want to handle and click Handle in the Actions column.

In the panel that appears, configure the parameters and click OK. The following table describes the parameters.

Parameter	Description
Event Status	Configure the status of the event and specify a description for the event. You cannot manually set the Event Status parameter to Failed. If the threat analysis feature fails to take the specified event handling action for an event, the feature changes the status of the event to Failed. If you already handled the event or you confirm that the event does not need to be handled, you can set the Event Status parameter to Handled. In this case, you do not need to specify an event handling action or notification policy.
Action Settings	The threat analysis feature provides built-in scenarios for different entities that you want to handle. A scenario defines the cloud service whose event you want to handle and the action for the event. You can select a scenario based on the entities that you want to handle. Use recommended handling policies: Click the IP, File, or Process tab and click Use Recommended Handling Policy. If no scenarios are selected for an entity after you click Use Recommended Handling Policy, no policies are recommended for the entity. You must manually configure a handling policy. Manually configure a handling policy: Click the IP, File, or Process tab, select the entity that you want to handle, click the icon to the left of the entity, and then specify a scenario, a scope, and an action validity period. Scenario: Select a scenario for the entity. Scope: Select the Alibaba Cloud account for which the scenario is used. Action Validity Period: Specify a validity period for the handling action. You can configure this parameter only for specific scenarios.
Event Handling Notification	Configure the notification policy after the event is handled. After you configure the notification policy, you can preview the notification content in the Message Preview section on the right side.

Initiate automatic event handling

Threat analysis supports Security Orchestration Automation Response (SOAR). You can create playbooks and configure automated response rules to enable the system to handle multiple security events at the same time. For more information, see Use SOAR.

What to do next

Configure an alert whitelist rule

If you confirm that some alerts do not need to be handled and you do not want the alerts to be aggregated into a security event, you can configure a whitelist rule for the alerts. If new alerts match the whitelist rule, the alerts are not aggregated into a security event.

In the left-side navigation pane, choose Threat Analysis and Response > Security Event Handling.
Configure an alert whitelist rule by using the following methods:
- Configure a global whitelist rule: On the Security Event Handling page, click Incident Whitelist Settings in the upper-right corner. In the Event Whitelist Rule panel, select a scenario from the drop-down list below Event Whitelist Rule. Click Edit in the Actions column of the required scenario.
- Configure a whitelist rule for a single event: On the Security Event Handling page, find the event that you want to manage and click Add to Whitelist in the Actions column. In the panel that appears, click Create Policy Group in the upper-right corner.

Configure the parameters.

Note

You can configure multiple whitelist rules in a scenario. Multiple whitelist rules in a scenario are evaluated by using a logical AND.
You can create multiple scenarios. Multiple scenarios are evaluated by using a logical OR.

Parameter	Description	Sample configuration
Scenario	The threat analysis feature provides scenarios in which you can add alerts to the whitelist for the event. Note Click Create Policy to create multiple rules in the current scenario.	Whitelist rule group 1 Scenario: Rootkit Object 1: host uuid Condition: Equal to Condition Value: f6170c02-d55f-4c42-b73f-a394d7a2** Object 2: File path Condition: Include Condition Value: /root/md5/4ff73477a06a3412145d1a7e6d9c Whitelist rule group 2 Scenario: compromised basic software Object: host uuid Condition: Equal to Condition Value: f6170c02-d55f-4c42-b73f-a394d7a2**
Object	Select an object on which you want the whitelist rule to take effect. The threat analysis feature provides the objects that you can select based on the value of the Scenario parameter.
Condition Condition Value	Select a condition of the whitelist rule and enter a condition value.

Export the details of security events

You can export the details of security events as an Excel file to your computer. This facilitates cross-department collaboration on handling security events and improves the efficiency of internal information sharing and event tracing.

You can export the details of up to 1,000 security events in a file. The file consists of the Incident, Asset, and Entity tabs.

In the left-side navigation pane, choose Threat Analysis and Response > Security Event Handling.
Optional. Configure filter conditions such as the risk level, status, and occurrence time of security events.
In the upper-right corner of the security event list, click the icon.
Wait until the file is exported and click Download to save the file to your computer.

View the disposal center

You can centrally view event handling details in the disposal center supported by threat analysis. The disposal center displays event handling policies and tasks from the handling entity dimension, and allows you to manage the policies and tasks.

A handling policy describes the details of scenario-specific event handling for a handling entity. A handling task describes the details of scope-specific event handling. A scenario is a playbook, and a scope is a cloud account to which the handled event belongs.

Note

For example, if you handle an event for an entity in two scenarios and specify three accounts as scopes, the number of handling policies that are generated after the event is handled is 2, and the number of handling tasks is 6. The number of handling policies is calculated based on the following formula: 1 × 2 = 2. The number of handling tasks is calculated based on the following formula: 1 × 2 × 3 = 6.

Handling policies

A handling policy describes the event handling details of an entity for which an alert is generated. The entity can be an IP address, file, or process. You can view a handling policy to obtain the entity, scenario, and scope of a security event.

Data sources for handling policies:

The result when you manually handle an event on the Security Event Handling page. For more information, see Handle security events.
The result of an automated execution of an SOAR playbook. For more information, see Use SOAR.

To view the information about handling policies, you can choose Threat Analysis and Response > Disposal Center in the left-side navigation pane. Then, click the Handling Policies tab.

In the Entity Object/Characteristic column, you can click an entity to view the context, Alibaba Cloud threat intelligence, and related alerts of the entity.
In the Associated Source column, you can click the source of a handling policy to view the alerts, events, or playbooks that are related to the handling policy.
In the Actions column, you can click View Task. On the Handling Tasks page, you can view the information about the tasks that are related to the handling policy.

Handling tasks

You can view a handling task to obtain the malicious entities that are detected and the event handling status of related cloud services. For example, you can view the status of malicious IP addresses that are blocked by Cloud Firewall. You can check whether the IP addresses are being blocked, fail to be blocked, fail to be unblocked, or are blocked.

To view the information about handling tasks, you can choose Threat Analysis and Response > Disposal Center in the left-side navigation pane. Then, click the Handling Tasks tab.

If the handling policy that is associated with a handling task is updated or the handling task fails to be run, you can click Retry in the Actions column to run the task again.
After a task is run, if a cloud service blocks the IP address of the entity and you confirm that the block action is not required, you can click Unblock in the Actions column to unblock the IP address.

View security alerts

After the alert logs of Security Center, Web Application Firewall (WAF), and Cloud Firewall are added to the threat analysis feature, you can view the raw data of the alerts in real time. This way, you can manage cross-platform alerts in a centralized manner. This simplifies the monitoring process of security logs and improves the efficiency of security O&M. This also improves security and optimizes the response mechanism.

In the left-side navigation pane, choose Threat Analysis and Response > Alert.
Note
If the Alerts page of Security Center is displayed, you can click Global security alert in the upper-right corner to switch to the Alert page of threat analysis.
Optional. On the Alert page, configure filter conditions.
You can select data sources of alerts from the Cloud Service drop-down list, such as Aliyun Cloud Firewall, Aliyun Security Center, Aliyun Siem, and Aliyun Web Application Firewall.
Note
If you select Aliyun Siem, you can view the alerts that are generated based on the predefined and custom detection rules.
Find the alert whose information you want to view and click Details in the Actions column.
The information includes Affected assets, Occurred At, Data source, Account Receiving Alert, and Association exception.

References

For well-defined security events or threats that require quick handling, you can use SOAR of threat analysis to enable the system to automatically handle security events by collaborating with cloud services by using the configured playbooks and rules. For more information, see Use SOAR.
You can call API operations to query information about security event handling and handle security events. For more information about the supported API operations, see Event Response.