Security Center: Handle security incidents

Last Updated:Apr 29, 2025

The Cloud Threat Detection and Response (CTDR) feature of Security Center analyzes multiple security alerts based on predefined or custom rules, aggregating them into complete incidents. It reconstructs attack chains and identifies malicious entities to help you quickly respond to and manage cloud security risks. This topic describes how to view and handle these security incidents.

Introduction to security incidents

Incident generation mechanism

Security incidents are created by aggregating multiple related security alerts according to predefined or custom rules, allowing for quick identification and response to security threats. Security incidents are classified based on their origin as follows:

  • Network: CTDR focuses on hacker reconnaissance behaviors (such as scanning or probing) and generates incidents from network alerts using predefined rules to prevent further probing of user information.

  • Host: CTDR uses graph computing technology to aggregate correlated host-side alerts (such as the same MD5 hash or parent process ID) into incidents, helping you quickly locate attack entry points and respond.

Not all alerts generate security incidents. Only alerts that meet the following conditions trigger incident generation:

  • All host-side alerts generate security incidents. If host-side alerts lack correlations, a single alert can still generate an incident.

  • Network-side alerts only generate security incidents when they match predefined rules or custom incident aggregation policies.

  • Alerts that match any configured incident whitelist rules will not generate incidents.

  • If only predefined rules are in effect, only alerts that match the generation methods Graph Compute and Expert Rules in the predefined rules will generate incidents.

Incident aggregation rules

  • A security incident can aggregate up to 10,000 alerts.

  • For incidents in the unhandled state, newly generated alerts can be added. However, for incidents in the handling, handled, or failed states, new alerts will not be aggregated. Instead, they will generate a new incident in the unhandled state.
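As an added example that is not part of this page or of Security Center's own code, the following Python sketch reproduces the generation and aggregation rules described above: host-side alerts always form an incident, network-side alerts only when a rule matches, whitelisted alerts never, host alerts are correlated on a shared MD5 hash or parent process ID, new alerts join only an incident that is still Unhandled, and one incident holds at most 10,000 alerts. The alert fields, the rule-match flag and the alert stream in demo() are constructed assumptions, and the page only states the cap, so letting a full incident overflow into a new one is this example's own choice.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional, Tuple

# Cap stated on the page; "a full incident starts a new one" is this example's assumption.
MAX_ALERTS_PER_INCIDENT = 10_000
OPEN_STATE = "Unhandled"  # the only state that still accepts newly generated alerts


@dataclass
class Alert:
    """Constructed alert shape for the example; Security Center's real alert fields differ."""
    alert_id: str
    source: str                       # "host" or "network"
    md5: Optional[str] = None         # file hash, one host-side correlation key
    parent_pid: Optional[int] = None  # parent process ID, another correlation key
    matched_rule: bool = False        # network alerts: did a predefined/custom rule fire?
    whitelisted: bool = False         # matched an incident whitelist rule


@dataclass
class Incident:
    incident_id: int
    alert_ids: List[str] = field(default_factory=list)
    state: str = OPEN_STATE


class Aggregator:
    def __init__(self, cap: int = MAX_ALERTS_PER_INCIDENT) -> None:
        self.cap = cap
        self.incidents: Dict[int, Incident] = {}
        self._ids = count(1)
        # correlation key -> id of the most recent incident that carried that key
        self._key_index: Dict[Tuple[str, object], int] = {}

    @staticmethod
    def correlation_keys(alert: Alert) -> List[Tuple[str, object]]:
        keys: List[Tuple[str, object]] = []
        if alert.md5:
            keys.append(("md5", alert.md5))
        if alert.parent_pid is not None:
            keys.append(("ppid", alert.parent_pid))
        return keys

    @staticmethod
    def should_generate(alert: Alert) -> bool:
        """The 'not all alerts generate incidents' conditions from the page."""
        if alert.whitelisted:
            return False              # whitelisted alerts never form incidents
        if alert.source == "host":
            return True               # every host alert does, correlated or not
        return alert.matched_rule     # network alerts only on a rule match

    def ingest(self, alert: Alert) -> Optional[int]:
        """Return the id of the incident the alert landed in, or None if it was dropped."""
        if not self.should_generate(alert):
            return None
        target: Optional[Incident] = None
        for key in self.correlation_keys(alert):
            iid = self._key_index.get(key)
            if iid is None:
                continue
            inc = self.incidents[iid]
            # Only an Unhandled incident with room accepts new alerts; a Handling,
            # Handled or Failed incident (or a full one) forces a fresh incident.
            if inc.state == OPEN_STATE and len(inc.alert_ids) < self.cap:
                target = inc
                break
        if target is None:
            target = Incident(next(self._ids))
            self.incidents[target.incident_id] = target
        target.alert_ids.append(alert.alert_id)
        for key in self.correlation_keys(alert):
            self._key_index[key] = target.incident_id  # later alerts follow the newest open incident
        return target.incident_id

    def set_state(self, incident_id: int, state: str) -> None:
        self.incidents[incident_id].state = state


def demo() -> List[Optional[int]]:
    """Constructed alert stream exercising each rule; returns the incident id per alert."""
    agg = Aggregator()
    stream = [
        Alert("a1", "host", md5="hash-A", parent_pid=1000),   # new incident 1
        Alert("a2", "host", md5="hash-A"),                    # same MD5 -> incident 1
        Alert("a3", "host", parent_pid=1000),                 # same parent PID -> incident 1
        Alert("a4", "host", md5="hash-B"),                    # uncorrelated host alert -> incident 2
        Alert("n1", "network", matched_rule=False),           # no rule match -> dropped
        Alert("n2", "network", matched_rule=True),            # rule match -> incident 3
        Alert("w1", "host", md5="hash-A", whitelisted=True),  # whitelisted -> dropped
    ]
    results = [agg.ingest(a) for a in stream]
    agg.set_state(1, "Handled")                               # incident 1 no longer accepts alerts
    results.append(agg.ingest(Alert("a5", "host", md5="hash-A")))  # -> new incident 4
    results.append(agg.ingest(Alert("a6", "host", md5="hash-A")))  # -> joins incident 4
    return results
```

Running demo() yields [1, 1, 1, 2, None, 3, None, 4, 4]: the handled incident is left intact and the recurring hash opens a new Unhandled incident, which is exactly why a re-detection after you mark an incident Handled shows up as a new row rather than reviving the old one.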

Incident risk levels

  • High Risk: High-risk incidents indicate that clear malicious behavior or entities have been detected, suggesting a strong likelihood of a successful intrusion that has adversely impacted your assets, for example Suspicious Process Behavior - Reverse Shell. We recommend that you investigate and remediate these incidents immediately.

  • Medium Risk: Medium-risk incidents indicate that some suspicious behaviors or entities have been detected. These may represent successful intrusions affecting your assets or may result from unusual operations and maintenance activity, for example Unusual Logon. A medium-risk incident suggests a probability of attack. We recommend that you review the incident details and assess whether any risks are present. If risks exist, take appropriate action.

  • Low Risk: Low-risk incidents indicate a possibility of successful intrusion or of continuous probing of your assets by external attackers, for example Access from 106.11.XX.XX. If your assets have high security requirements, pay attention to low-risk incidents as well.

Incident retention period

You can view incidents only in the last 180 days on the Security Incident page.

Entity description

In security incidents, an Entity refers to a specific object or actor associated with the security incident. CTDR supports extracting and aggregating entities from security alerts. Entities are classified as malicious or non-malicious based on whether they have a malicious tag. CTDR also supports viewing entity details, running playbooks, and querying Alibaba Cloud threat intelligence. The following entities can be identified by CTDR:

Entity                        | Asset entity | Can be tagged as malicious
Host                          | Yes          | No
IP address                    | Yes          | Yes
Alibaba Cloud account         | Yes          | No
AccessKey pair                | Yes          | No
Domain name                   | Yes          | Yes
File                          | No           | Yes
Host process                  | No           | Yes
Host account                  | No           | No
URL                           | No           | No
Registry                      | No           | Yes
Container                     | Yes          | No
Cluster                       | Yes          | No
Object Storage Service (OSS)  | Yes          | No

Multi-account management

In multi-account management scenarios, if you log on to the Security Center console as a global account administrator, you must switch views on the Security Incident page before handling security incidents. The following list describes the views:

  • Current Account View: View and handle security incidents detected in the current account.

  • Global Account View: View and handle security incidents detected in Alibaba Cloud accounts within the control scope of CTDR.

For more information, see Centrally manage multiple accounts.

Prerequisites

View incident details and decide whether to handle incidents

Note

If the same security incident is detected multiple times and is in the Unhandled state, new alerts are added to the existing incident. If the incident is in Handling, Handled, or Failed state, a new security incident is created.

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.

  2. In the left-side navigation pane, choose CTDR > Security Incident.

  3. On the Security Incident page, use Occurred Within to specify the incident time range.

    You can filter security incidents by risk level (High, Medium, Low), status (Unhandled, Handling, Failed, Handled), and incident name, ID, or asset ID.

  4. In the Actions column of the target incident, click Details.

    You can determine the urgency of handling security incidents based on their risk levels.

  5. On the incident details page, view the detailed information about the incident on different tabs. The following table describes the tabs:

    Section

    Description

    Overview

    This section provides basic information about the incident and the ATT&CK stages, including the number of affected assets, generation method, associated alerts, detection rules, associated accounts, occurrence time, and alert sources.

    Timeline tab

    You can view the attack timeline and tracing diagram. Full-screen mode displays the complete timeline and diagram. Click an alert icon to view alert details.

    The tracing diagram is an incident chain representation created by CTDR, aggregating logs from multiple cloud services. This visualization helps you quickly identify the cause of the incident and develop a handling strategy.

    To view the detailed node information, click the node in the diagram. Click the download icon, the settings icon, or the legend icon in the upper-right corner of the Provenance Graph to download the incident tracing diagram, set its style, or view the node legend.

    Note

    Tracing diagrams are supported for security incidents that meet the following criteria:

    • Alerts aggregated into the incidents are reported by Security Center.

    • Context log records associated with the entities (such as IP addresses, processes, and files) involved in the alerts can reconstruct the attack path.

    Alert tab

    You can view a list of all security alerts aggregated into the incident. Multi-dimensional alert statistics (including the number of alerts, defense measures, and occurrence time) provide insights into the attack methods and stages, helping you determine the appropriate handling strategy.

    Click Details in the Actions column of the target alert to view detailed information about the alert.

    Entity tab

    This tab displays the entities extracted from the incident, including hosts, files, processes, IP addresses, and host accounts. You can manage entities based on the following dimensions:

    • All Entities: Displays all extracted entities, with only malicious entities shown by default. To view all or non-malicious entities, update the filter conditions above the entity list.

      Note

      Only malicious entities support viewing Alibaba Cloud threat intelligence and running playbooks. Non-malicious entities only support viewing related incidents and alerts from the last 30 days.

    • Affected Asset: Displays assets affected by the incident, enabling a quick assessment of the impact on your assets.

    Response Activity tab

    Response activities document the complete process of incident investigation, risk analysis, and response handling. They provide clear guidelines for key strategies and tasks, enabling team members to share information during collaboration and review incident activities afterward to build valuable experience.

  6. Follow these steps to assess whether the current incident is an attack and needs handling.

    The following steps use a network attack incident as an example and show how to determine whether a specific IP address is an attacker IP address. If it is, we recommend that you handle the incident promptly.

    1. In the Overview section, learn about the basic information about the incident.

    2. On the Timeline tab, view the tracing diagram of the incident. In some cases, you can see the specific attack entry points.

    3. On the Alert tab, view the detailed information of alerts.

    4. On the Entity tab of the incident details page, click Details in the Actions column for the corresponding IP address to view the basic information, Alibaba Cloud threat intelligence, incidents and alerts associated with the IP address in the last 30 days, and any handling tasks related to that entity.

Handle security incidents

Promptly handling security incidents from CTDR can improve system security. We recommend handling security incidents classified as High Risk without delay. You can choose between manual and automatic incident handling:

  • Manual: Review and manage security incidents based on their risk levels and business scenarios. This approach is best for complex incidents or new, unknown threats requiring professional expertise.

  • Automatic: The system automatically manages security incidents using configured playbooks and rules, such as quarantining infected hosts or blocking suspicious IP addresses. This method is effective for known, well-defined security incidents and low-complexity threats requiring quick resolution, such as large volumes of similar low-risk alerts.

Note

After handling incidents aggregated from Security Center alerts through CTDR, the status of related alerts is automatically updated on the CWPP tab. Manual updates are not required. For more information, see View and handle alerts.

Manual

  1. In the left-side navigation pane, choose CTDR > Security Incident.

  2. On the Security Incident page, in the Actions column of the target incident, click Response > Use Recommended Handling Policy.

  3. In the Use Recommended Handling Policy panel, select the malicious entities that you want to handle, and click Confirm and update the incident status.

    You can modify the entities and the action validity period for the recommended policy. In the Use Recommended Handling Policy panel, click Edit in the Actions column of the corresponding entity. In the Edit Policy panel, modify parameters such as the destination account and the action validity period for the blocking rule.

    Note

    You can also click Run Playbook in the Actions column of the corresponding entity on the Entity tab of the incident details page to manage the entity, such as blocking an IP address or terminating and isolating a high-risk process.

  4. In the Update Incident Status dialog box, set Incident Status to Handling or Handled, and click OK.

    • Handling: Select this if additional actions are required beyond the current operation, such as immediate remediation, tracing, or fixing vulnerabilities.

    • Handled: Select this if no further actions are needed after the current operation.

    Once completed, CTDR automatically creates a handling policy and executes the task. If the task fails, the incident status updates to Failed. Otherwise, it updates to the status you selected.

Automatic

The CTDR feature supports Security Orchestration Automation Response (SOAR). You can create playbooks and configure automated response rules to enable the system to handle multiple security incidents at a time.

View incident handling results

You can centrally view incident handling details in the Disposal Center, which displays incident handling policies and tasks based on the handling entity, allowing for effective management of these policies and tasks.

  • Handling policy: This includes incident handling details for each scenario (playbook) related to the handling entity. It provides insights into the handling entity, scenario, scope, and other relevant information about the security incident. Data sources for handling policies include:

    • Results from manually handling incidents on the Security Incident page.

    • Results from automated SOAR playbook execution.

  • Handling task: This refers to incident handling details defined by the scope (the Alibaba Cloud account managing the incident).

Note

Example: If you handle 2 scenarios under 1 entity and select 3 accounts for the scope, the results would be:

  • Number of Handling Policies Generated: 1 handling entity × 2 scenarios = 2 policies.

  • Number of Handling Tasks Generated: 1 handling entity × 2 scenarios × 3 accounts = 6 tasks.

View incident handling policies

You can choose CTDR > Disposal Center and view security incident handling policy on the Handling Policies tab.

  • Click the entity in the Entity Object/Characteristic column to view the context, Alibaba Cloud threat intelligence, related alerts, and other details.

  • Click the source of the handling policy in the Associated Source column to view the alerts, security incidents, or playbooks associated with the handling policy.

  • Click View Task in the Actions column to go to the Handling Tasks page to view task information associated with the corresponding handling policy.

View incident handling tasks

You can monitor handling tasks to understand the detected malicious entities and their handling status in real time, coordinating with other cloud services. For example, you can check the status of a blocked malicious attack IP address through Cloud Firewall, determining whether it is in the status of blocking, failed, successful, or unblocking failed.

You can choose CTDR > Disposal Center and view handling task information on the Handling Tasks tab.

  • If the handling policy associated with a handling task is updated or the task handling fails, you can click Retry in the Actions column to re-execute the task.

  • After a task is executed, if a cloud service has blocked an IP address for the handling entity, and you confirm that the IP address does not need to be blocked, click Unblock in the Actions column.

More operations

Whitelist an alert

To prevent certain alerts from being aggregated into a security incident, configure a whitelist rule for those alerts. New alerts matching the whitelist will not be aggregated.

  1. In the left-side navigation pane, choose CTDR > Security Incident.

  2. Configure an alert whitelist rule by using the following methods:

    • Global rule: In the upper-right corner of the Security Incident page, click Incident Whitelist Settings, select the scenario type of Incident Whitelist Rule, and click Edit in the Actions column.

    • Rule for a single incident: On the Security Incident page, locate the target incident, and in the Actions column, click Response > Add to Whitelist. In the Incident Whitelist Settings, click Create Policy Group in the upper-right corner.

  3. Configure a whitelist rule.

    Note

    You can configure multiple whitelist rules within a policy group, where the rules operate with a logical "AND." Additionally, you can create multiple policy groups, which operate with a logical "OR."

    The following parameters are available:

    • Scenario: The alert scenario to which the whitelist rule applies. CTDR provides the list of scenarios that you can select.

      Note

      Click Create Policy to add multiple matching rules under the current policy group.

    • Object: The alert attribute that the rule matches on. CTDR provides the objects that you can select based on the value of the Scenario parameter.

    • Condition and Condition Value: The comparison to apply to the object (for example, Equal to or Contains) and the value to compare against.

    Example:

    • Policy group 1

      • Scenario: Rootkit

      • Object 1: host UUID

        • Condition: Equal to

        • Condition Value: f6170c02-d55f-4c42-b73f-a394d7a2****

      • Object 2: File path

        • Condition: Contains

        • Condition Value: /root/md5/4ff73477a06a3412145d1a7e6d9c****

    • Policy group 2

      • Scenario: Contaminated basic software

      • Object: host UUID

        • Condition: Equal to

        • Condition Value: f6170c02-d55f-4c42-b73f-a394d7a2****
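As an added example (not code from this page or from Security Center), the following Python evaluator applies the documented whitelist semantics to constructed alerts: within a policy group every rule must hold (logical AND), and an alert is whitelisted if any policy group matches (logical OR). The policy groups mirror the two shown above; the alert field names (scenario, host_uuid, file_path), the placeholder host UUIDs and file paths, and the restriction to the Equal to and Contains conditions are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Alert field names here are constructed for the example, not CTDR's schema.
Alert = Dict[str, str]


@dataclass(frozen=True)
class Rule:
    obj: str        # Object: the alert attribute the rule inspects, e.g. "host_uuid"
    condition: str  # Condition: "Equal to" or "Contains" (the two shown on the page)
    value: str      # Condition Value


@dataclass(frozen=True)
class PolicyGroup:
    scenario: str            # Scenario the group applies to
    rules: Tuple[Rule, ...]  # all rules must hold (logical AND)


def rule_matches(rule: Rule, alert: Alert) -> bool:
    actual = alert.get(rule.obj)
    if actual is None:
        return False  # an absent attribute must never satisfy a whitelist rule
    if rule.condition == "Equal to":
        return actual == rule.value
    if rule.condition == "Contains":
        return rule.value in actual
    raise ValueError(f"unsupported condition: {rule.condition!r}")


def group_matches(group: PolicyGroup, alert: Alert) -> bool:
    if alert.get("scenario") != group.scenario:
        return False
    return all(rule_matches(r, alert) for r in group.rules)


def matching_group(groups: List[PolicyGroup], alert: Alert) -> Optional[int]:
    """Index of the first policy group that whitelists the alert (logical OR), else None."""
    for i, group in enumerate(groups):
        if group_matches(group, alert):
            return i
    return None


# The two policy groups from the page, with constructed placeholder values.
HOST = "host-uuid-placeholder-1"
POLICY_GROUPS = [
    PolicyGroup("Rootkit", (
        Rule("host_uuid", "Equal to", HOST),
        Rule("file_path", "Contains", "/root/md5/"),
    )),
    PolicyGroup("Contaminated basic software", (
        Rule("host_uuid", "Equal to", HOST),
    )),
]

# Constructed alerts: same scenario on another host, or a different path, must not be whitelisted.
SAMPLE_ALERTS: List[Alert] = [
    {"id": "r1", "scenario": "Rootkit", "host_uuid": HOST, "file_path": "/root/md5/tool.bin"},
    {"id": "r2", "scenario": "Rootkit", "host_uuid": HOST, "file_path": "/tmp/tool.bin"},
    {"id": "r3", "scenario": "Rootkit", "host_uuid": "host-uuid-placeholder-2",
     "file_path": "/root/md5/tool.bin"},
    {"id": "c1", "scenario": "Contaminated basic software", "host_uuid": HOST},
    {"id": "c2", "scenario": "Contaminated basic software", "host_uuid": "host-uuid-placeholder-2"},
]


def evaluate(groups: List[PolicyGroup] = POLICY_GROUPS,
             alerts: List[Alert] = SAMPLE_ALERTS) -> Dict[str, Optional[int]]:
    """Map each alert id to the index of the policy group that whitelists it, or None."""
    return {a["id"]: matching_group(groups, a) for a in alerts}
```

evaluate() returns {"r1": 0, "r2": None, "r3": None, "c1": 1, "c2": None}. Note how both groups on the page pin the rule to a host UUID (and group 1 additionally to a path): a whitelist rule keyed on Scenario alone would suppress every Rootkit alert in the account, so keep rules as narrow as the example shows.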

Export security incident details

You can export security incident details as an Excel file to your computer for improved cross-department collaboration, information sharing, and incident tracing.

You can export the details of up to 1,000 security incidents in a file, which consists of the Incident, Asset, and Entity tabs.

  1. In the left-side navigation pane, choose CTDR > Security Incident.

  2. Optional: Configure filter conditions such as the risk level, status, and occurrence time of security incidents.

  3. In the upper-right corner of the incident list, click the export icon.

  4. After the file is exported, click Download.

References

  • For well-defined security incidents or simple threats requiring quick action, use the SOAR feature of CTDR to automatically execute security response measures. This is achieved through predefined playbooks and rules in coordination with related cloud services.

  • You can call security incident handling APIs to query and manage security incidents.