The Cloud Threat Detection and Response (CTDR) feature of Security Center analyzes multiple security alerts based on predefined or custom rules, aggregating them into complete incidents. It reconstructs attack chains and identifies malicious entities to help you quickly respond to and manage cloud security risks. This topic describes how to view and handle these security incidents.
Introduction to security incidents
Incident generation mechanism
Security incidents are created by aggregating multiple related security alerts according to predefined or custom rules, allowing for quick identification and response to security threats. Security incidents are classified based on their origin as follows:
Network: CTDR focuses on attacker reconnaissance (such as scanning or probing) and generates incidents from network alerts by using predefined rules, so that probing can be stopped before it escalates into an intrusion.
Host: CTDR uses graph computing to aggregate correlated host-side alerts (for example, alerts that share the same file MD5 hash or the same parent process ID) into incidents, helping you quickly locate the attack entry point and respond.
Not all alerts generate security incidents. Incident generation follows these rules:
Every host-side alert generates a security incident. A host-side alert that is not correlated with any other alert still generates an incident on its own.
Network-side alerts generate security incidents only when they match predefined rules or custom incident aggregation policies.
Alerts that match a configured incident whitelist rule do not generate incidents.
If only predefined rules are in effect, only alerts that match predefined rules whose generation method is Graph Compute or Expert Rules generate incidents.
Incident aggregation rules
A security incident can aggregate up to 10,000 alerts.
For incidents in the unhandled state, newly generated alerts can be added. However, for incidents in the handling, handled, or failed states, new alerts will not be aggregated. Instead, they will generate a new incident in the unhandled state.
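The generation and aggregation rules above can be read as a small state machine: whitelisted alerts are dropped, network alerts need a rule match, an alert joins an existing incident only if that incident is still unhandled, correlated with it and below the 10,000-alert cap, and otherwise a new unhandled incident is opened. The following Python model is an added example written for this page, not Alibaba Cloud's code. The alert fields, the ("md5", ...), ("ppid", ...) and ("rule", ...) correlation keys and the first-match strategy are assumptions; CTDR itself uses graph computing, which this simplification does not reproduce.

```python
"""Toy model of CTDR incident generation and aggregation (added example, not
Alibaba Cloud code). Alert fields, correlation keys and the first-match
strategy are assumptions; CTDR's graph computing is not reproduced."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Key = Tuple[str, str]


@dataclass
class Alert:
    alert_id: str
    source: str                          # "host" or "network"
    md5: Optional[str] = None            # file hash shared by related host alerts
    parent_pid: Optional[int] = None     # parent process ID shared by related host alerts
    matched_rule: Optional[str] = None   # predefined/custom rule a network alert matched
    whitelisted: bool = False            # alert matches an incident whitelist rule


@dataclass
class Incident:
    incident_id: int
    status: str = "unhandled"            # unhandled | handling | handled | failed
    alerts: List[Alert] = field(default_factory=list)
    keys: Set[Key] = field(default_factory=set)


def correlation_keys(alert: Alert) -> Set[Key]:
    """Attributes on which two alerts are considered correlated (assumed set)."""
    keys: Set[Key] = set()
    if alert.md5:
        keys.add(("md5", alert.md5))
    if alert.parent_pid is not None:
        keys.add(("ppid", str(alert.parent_pid)))
    if alert.matched_rule:
        keys.add(("rule", alert.matched_rule))
    return keys


class Aggregator:
    def __init__(self, max_alerts: int = 10_000):  # page: at most 10,000 alerts per incident
        self.max_alerts = max_alerts
        self.incidents: List[Incident] = []

    def ingest(self, alert: Alert) -> Optional[Incident]:
        """Return the incident the alert lands in, or None if it generates none."""
        # Whitelisted alerts never produce or join an incident.
        if alert.whitelisted:
            return None
        # Network alerts need a predefined/custom rule match; host alerts always qualify.
        if alert.source == "network" and not alert.matched_rule:
            return None
        keys = correlation_keys(alert)
        # Only *unhandled* incidents absorb new alerts, and only while below the cap.
        for inc in self.incidents:
            if inc.status != "unhandled" or len(inc.alerts) >= self.max_alerts:
                continue
            if keys & inc.keys:
                inc.alerts.append(alert)
                inc.keys |= keys
                return inc
        # No eligible incident (none correlated, or the correlated one is
        # handling/handled/failed or full): open a new unhandled incident.
        inc = Incident(incident_id=len(self.incidents) + 1, alerts=[alert], keys=keys)
        self.incidents.append(inc)
        return inc


if __name__ == "__main__":
    agg = Aggregator()
    first = agg.ingest(Alert("a1", "host", md5="deadbeef"))
    same = agg.ingest(Alert("a2", "host", md5="deadbeef", parent_pid=4242))
    print(first is same, len(first.alerts))   # True 2
    first.status = "handled"
    later = agg.ingest(Alert("a3", "host", parent_pid=4242))
    print(later is first, later.incident_id)  # False 2
```

The `max_alerts` parameter exists only so the cap can be exercised with a small number; in practice a single incident stops absorbing alerts at 10,000 and a new one opens, which is worth remembering when an incident's alert count looks suspiciously round.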
Incident risk levels
Risk level | Description |
High Risk | High-risk incidents indicate that clear malicious behavior or malicious entities have been detected, which strongly suggests a successful intrusion that has already affected your assets, such as Suspicious Process Behavior - Reverse Shell. Investigate and remediate these incidents immediately. |
Medium Risk | Medium-risk incidents indicate that suspicious behaviors or entities have been detected. These may be successful intrusions affecting your assets, or the result of unusual operations and maintenance, such as Unusual Logon. A medium-risk incident indicates a probable attack. Review the incident details and assess whether any risk exists; if it does, take appropriate action. |
Low Risk | Low-risk incidents indicate a possible successful intrusion or continuous probing of your assets by external attackers, such as Access from 106.11.XX.XX. If your assets have high security requirements, also pay attention to low-risk incidents. |
Incident retention period
You can view incidents only in the last 180 days on the Security Incident page.
Entity description
In security incidents, an Entity refers to a specific object or actor associated with the security incident. CTDR supports extracting and aggregating entities from security alerts. Entities are classified as malicious or non-malicious based on whether they have a malicious tag. CTDR also supports viewing entity details, running playbooks, and querying Alibaba Cloud threat intelligence. The following entities can be identified by CTDR:
Entity | Asset entity | Can be tagged as malicious |
Host | Yes | No |
IP address | Yes | Yes |
Alibaba Cloud account | Yes | No |
AccessKey pair | Yes | No |
Domain name | Yes | Yes |
File | No | Yes |
Host process | No | Yes |
Host account | No | No |
URL | No | No |
Registry | No | Yes |
Container | Yes | No |
Cluster | Yes | No |
Object Storage Service (OSS) | Yes | No |
Multi-account management
In multi-account management scenarios, if you log on to the Security Center console as a global account administrator, you must switch views on the Security Incident page before handling security incidents. The following list describes the views:
Current Account View: View and handle security incidents detected in the current account.
Global Account View: View and handle security incidents detected in Alibaba Cloud accounts within the control scope of CTDR.
For more information, see Centrally manage multiple accounts.
Prerequisites
You have purchased and enabled the CTDR feature.
You have added logs of cloud services.
You have configured threat detection rules.
View incident details and decide whether to handle incidents
If the same security incident is detected multiple times and is in the Unhandled state, new alerts are added to the existing incident. If the incident is in Handling, Handled, or Failed state, a new security incident is created.
Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.
In the left-side navigation pane, choose .
On the Security Incident page, use Occurred Within to specify the incident time range.
You can filter security incidents by risk level (High, Medium, Low), status (Unhandled, Handling, Failed, Handled), and incident name, ID, or asset ID.
In the Actions column of the target incident, click Details.
You can determine the urgency of handling security incidents based on their risk levels.
On the incident details page, view the detailed information about the incident on different tabs. The following table describes the tabs:
Section | Description |
Overview | Basic information about the incident and its ATT&CK stages, including the number of affected assets, the generation method, associated alerts, detection rules, associated accounts, occurrence time, and alert sources. |
Timeline tab | Shows the attack timeline and the tracing diagram (Provenance Graph). Full-screen mode displays the complete timeline and diagram. Click an alert icon to view alert details. The tracing diagram is an attack-chain representation that CTDR builds by aggregating logs from multiple cloud services; it helps you quickly identify the cause of the incident and decide on a handling strategy. Click a node in the diagram to view its details. Use the icons in the upper-right corner of the Provenance Graph to download the tracing diagram, set its style, or view the node legend. Note: Tracing diagrams are available only for incidents that meet both of the following criteria: the alerts aggregated into the incident are reported by Security Center, and the context log records associated with the entities in the alerts (such as IP addresses, processes, and files) are sufficient to reconstruct the attack path. |
Alert tab | Lists all security alerts aggregated into the incident. Multi-dimensional alert statistics (number of alerts, defense measures, and occurrence time) show the attack methods and stages and help you choose a handling strategy. Click Details in the Actions column of an alert to view its details. |
Entity tab | Displays the entities extracted from the incident, such as hosts, files, processes, IP addresses, and host accounts, in two views. All Entities: all extracted entities; only malicious entities are shown by default, so change the filter conditions above the entity list to view non-malicious or all entities. Note: Only malicious entities support viewing Alibaba Cloud threat intelligence and running playbooks; for non-malicious entities you can only view related incidents and alerts from the last 30 days. Affected Asset: the assets affected by the incident, for a quick assessment of the impact on your assets. |
Response Activity tab | Records the complete investigation, risk analysis, and response process of the incident, with clear guidance on key strategies and tasks, so that team members can share information while collaborating and review the incident afterwards to build up experience. |
Follow these steps to assess whether the current incident is an actual attack that needs handling.
This guide uses a network attack incident as an example and determines whether a specified IP address is an attack IP address. If it is, we recommend that you handle the incident promptly.
In the Overview section, learn about the basic information about the incident.
On the Timeline tab, view the tracing diagram of the incident. In some cases, you can see the specific attack entry points.
On the Alert tab, view the detailed information of alerts.
On the Entity tab of the incident details page, click Details in the Actions column for the corresponding IP address to view the basic information, Alibaba Cloud threat intelligence, incidents and alerts associated with the IP address in the last 30 days, and any handling tasks related to that entity.
Handle security incidents
Promptly handling security incidents from CTDR can improve system security. We recommend handling security incidents classified as High Risk without delay. You can choose between manual and automatic incident handling:
Manual: Review and manage security incidents based on their risk levels and business scenarios. This approach is best for complex incidents or new, unknown threats requiring professional expertise.
Automatic: The system automatically manages security incidents using configured playbooks and rules, such as quarantining infected hosts or blocking suspicious IP addresses. This method is effective for known, well-defined security incidents and low-complexity threats requiring quick resolution, such as large volumes of similar low-risk alerts.
After handling incidents aggregated from Security Center alerts through CTDR, the status of related alerts is automatically updated on the CWPP tab. Manual updates are not required. For more information, see View and handle alerts.
Manual
In the left-side navigation pane, choose .
On the Security Incident page, in the Actions column of the target incident, click the handling action. In the Use Recommended Handling Policy panel, select the malicious entities that you want to handle, and click Confirm and update the incident status. To adjust the recommended policy, click Edit in the Actions column of the corresponding entity; in the Edit Policy panel, modify parameters such as the destination account and the action validity period of the blocking rule.
Note: You can also click Run Playbook in the Actions column of an entity on the Entity tab of the incident details page to handle that entity, for example to block an IP address or to terminate and isolate a high-risk process.
In the Update Incident Status dialog box, set Incident Status to Handling or Handled, and click OK.
Handling: Select this if additional actions are required beyond the current operation, such as immediate remediation, tracing, or fixing vulnerabilities.
Handled: Select this if no further actions are needed after the current operation.
Once completed, CTDR automatically creates a handling policy and executes the task. If the task fails, the incident status updates to Failed. Otherwise, it updates to the status you selected.
Automatic
The CTDR feature supports Security Orchestration, Automation and Response (SOAR). You can create playbooks and configure automated response rules so that the system handles multiple security incidents at a time without manual intervention.
View incident handling results
You can centrally view incident handling details in the Disposal Center, which displays incident handling policies and tasks based on the handling entity, allowing for effective management of these policies and tasks.
Handling policy: This includes incident handling details for each scenario (playbook) related to the handling entity. It provides insights into the handling entity, scenario, scope, and other relevant information about the security incident. Data sources for handling policies include:
Results from manually handling incidents on the Security Incident page.
Results from automated SOAR playbook execution.
Handling task: This refers to incident handling details defined by the scope (the Alibaba Cloud account managing the incident).
Example: If you handle 2 scenarios under 1 entity and select 3 accounts for the scope, the results would be:
Number of Handling Policies Generated: 1 handling entity × 2 scenarios = 2 policies.
Number of Handling Tasks Generated: 1 handling entity × 2 scenarios × 3 accounts = 6 tasks.
View incident handling policies
In the Disposal Center, open the Handling Policies tab to view security incident handling policies. Click the entity in the Entity Object/Characteristic column to view its context, Alibaba Cloud threat intelligence, related alerts, and other details.
Click the source of the handling policy in the Associated Source column to view the alerts, security incidents, or playbooks associated with the handling policy.
Click View Task in the Actions column to go to the Handling Tasks page to view task information associated with the corresponding handling policy.
View incident handling tasks
You can monitor handling tasks to understand the detected malicious entities and their handling status in real time, coordinating with other cloud services. For example, you can check the status of a blocked malicious attack IP address through Cloud Firewall, determining whether it is in the status of blocking, failed, successful, or unblocking failed.
In the Disposal Center, open the Handling Tasks tab to view handling task information. If the handling policy associated with a task is updated or the task fails, click Retry in the Actions column to re-execute the task.
After a task is executed, if a cloud service has blocked an IP address for the handling entity, and you confirm that the IP address does not need to be blocked, click Unblock in the Actions column.
More operations
Whitelist an alert
To prevent certain alerts from being aggregated into a security incident, configure a whitelist rule for those alerts. New alerts matching the whitelist will not be aggregated.
In the left-side navigation pane, choose .
Configure an alert whitelist rule by using the following methods:
Global rule: In the upper-right corner of the Security Incident page, click Incident Whitelist Settings, select the scenario type of Incident Whitelist Rule, and click Edit in the Actions column.
Rule for a single incident: On the Security Incident page, find the target incident and click the whitelist action in its Actions column. In the Incident Whitelist Settings panel, click Create Policy Group in the upper-right corner.
Configure a whitelist rule.
Note: You can configure multiple whitelist rules within a policy group; the rules in a group are combined with a logical AND. You can also create multiple policy groups, which are combined with a logical OR.
Parameter | Description |
Scenario | The scenario in which alerts are added to the whitelist for the incident. CTDR provides the selectable scenarios. Note: Click Create Policy to add multiple matching rules under the current policy group. |
Object | The object on which the whitelist rule takes effect. CTDR provides the selectable objects based on the value of the Scenario parameter. |
Condition and Condition Value | The condition of the whitelist rule and the value that the object is compared against. |
Example (the two policy groups are combined with OR; the two rules in policy group 1 are combined with AND):
Policy group 1: Scenario: Rootkit. Object 1: host UUID, Condition: Equal to, Condition Value: f6170c02-d55f-4c42-b73f-a394d7a2****. Object 2: File path, Condition: Contains, Condition Value: /root/md5/4ff73477a06a3412145d1a7e6d9c****
Policy group 2: Scenario: Contaminated basic software. Object: host UUID, Condition: Equal to, Condition Value: f6170c02-d55f-4c42-b73f-a394d7a2****
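The AND-within-a-group, OR-across-groups semantics of whitelist policy groups decide exactly which alerts never become incidents, so it is worth being precise about them. The following Python evaluator is an added example written for this page, not Alibaba Cloud's code. It models a rule as (object, condition, value) with the Equal to and Contains operators from the example; the alert field names (`scenario`, `host_uuid`, `file_path`) and the sample UUID and path are constructed placeholders.

```python
"""Evaluator for CTDR-style incident whitelist policy groups (added example, not
Alibaba Cloud code): rules inside a policy group are ANDed, policy groups are
ORed. Alert field names and sample values are constructed placeholders."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Condition operators as they appear in the console example; extend as needed.
CONDITIONS: Dict[str, Callable[[str, str], bool]] = {
    "Equal to": lambda actual, expected: actual == expected,
    "Contains": lambda actual, expected: expected in actual,
}


@dataclass(frozen=True)
class Rule:
    obj: str         # alert attribute the rule inspects, e.g. "host_uuid" or "file_path"
    condition: str   # key of CONDITIONS
    value: str

    def matches(self, alert: dict) -> bool:
        try:
            op = CONDITIONS[self.condition]
        except KeyError:
            raise ValueError(f"unknown condition: {self.condition}") from None
        actual = alert.get(self.obj)
        # A rule on an attribute the alert does not carry cannot match.
        return actual is not None and op(str(actual), self.value)


@dataclass(frozen=True)
class PolicyGroup:
    scenario: str
    rules: Tuple[Rule, ...]

    def matches(self, alert: dict) -> bool:
        # The scenario must agree and every rule in the group must hold (logical AND).
        return alert.get("scenario") == self.scenario and all(r.matches(alert) for r in self.rules)


def is_whitelisted(alert: dict, groups: List[PolicyGroup]) -> bool:
    """True if any policy group matches the alert (logical OR across groups)."""
    return any(g.matches(alert) for g in groups)


def matching_group(alert: dict, groups: List[PolicyGroup]) -> Optional[PolicyGroup]:
    """Return the first group that whitelists the alert, for audit/explanation."""
    return next((g for g in groups if g.matches(alert)), None)


# Constructed equivalent of the page's two policy groups (UUID and path are placeholders).
HOST_A = "f6170c02-d55f-4c42-b73f-a394d7a20001"
GROUPS = [
    PolicyGroup("Rootkit", (
        Rule("host_uuid", "Equal to", HOST_A),
        Rule("file_path", "Contains", "/root/md5/sample-rootkit"),
    )),
    PolicyGroup("Contaminated basic software", (
        Rule("host_uuid", "Equal to", HOST_A),
    )),
]

if __name__ == "__main__":
    alert = {"scenario": "Rootkit", "host_uuid": HOST_A,
             "file_path": "/root/md5/sample-rootkit.ko"}
    print(is_whitelisted(alert, GROUPS))                        # True
    print(is_whitelisted(dict(alert, file_path="/tmp/x"), GROUPS))  # False
```

Because the second group keys only on the host UUID, every Contaminated basic software alert from that host is silenced regardless of file path; when you add such a group, check with `matching_group` which group is actually responsible for a suppressed alert.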
Export security incident details
You can export security incident details as an Excel file to your computer for improved cross-department collaboration, information sharing, and incident tracing.
You can export the details of up to 1,000 security incidents in a file, which consists of the Incident, Asset, and Entity tabs.
In the left-side navigation pane, choose .
Optional: Configure filter conditions such as the risk level, status, and occurrence time of security incidents.
In the upper-right corner of the incident list, click the export icon.
After the file is exported, click Download.
References
For well-defined security incidents or simple threats requiring quick action, use the SOAR feature of CTDR to automatically execute security response measures. This is achieved through predefined playbooks and rules in coordination with related cloud services.
You can call security incident handling APIs to query and manage security incidents.