
Security Center: Observation lists

Last Updated: Mar 31, 2026

Observation lists (also called datasets) let you store reference data — IP addresses, domain names, user IDs — in a central location and reference it by name in security detection rules and SOAR playbooks. Instead of hardcoding data directly into rule logic, you update the list and all referencing rules reflect the change immediately.

Use cases

  • Whitelist exclusion: Add trusted IP address ranges to global_ip_whitelist so detection rules skip traffic from known-safe sources, reducing false positives.

  • Blocklist detection: Maintain a list of malicious IP addresses or domains and reference it in rules to flag or block matching traffic automatically.

  • Business entity tagging: Upload user ID lists — such as privileged accounts or terminated employees — and reference them in SOAR playbooks to apply different response actions based on business context.

  • Alert noise reduction: Suppress alerts from authorized IP ranges that perform actions which would otherwise trigger rules.

Limitations

Review these constraints before creating observation lists:

Constraint             | Detail
Max file size          | 3 MB per upload
Max records per file   | 5,000
Max field length       | 200 bytes per field
Primary key field      | Set at creation; cannot be changed afterward
Duplicate primary keys | The system keeps the last record and discards earlier ones; verify data uniqueness before uploading
SQL retrieval          | Only the primary key field can be retrieved in SQL; other fields are not accessible

How observation lists work

An observation list stores structured data as rows, with one field designated as the primary key. The primary key is the field that rules use to look up data at runtime — for example, an IP address in an IP whitelist or a user ID in a user list. Choose the primary key carefully: it cannot be changed after the list is created.

When a rule executes, it queries the observation list by name and matches against primary key values. The SQL syntax for referencing a list in a custom detection rule is:

SELECT key FROM common_data_set WHERE data_set_name = '<observation_list_name>'

key is a fixed keyword that maps automatically to the primary key field you specified when creating the list.

Example — IP whitelist filtering. This rule returns all log entries whose source IP is not in global_ip_whitelist:

-- Check if the source IP is not in the office network IP address whitelist
* | SELECT * FROM log
WHERE src_ip NOT IN (
    SELECT key FROM common_data_set
    WHERE data_set_name = 'global_ip_whitelist'
)

Manage the predefined observation list

Security Center includes a built-in observation list named global_ip_whitelist. It centrally manages trusted IP addresses from Alibaba Cloud services and acts as a shared whitelist across detection rules.

The following Alibaba Cloud services can contribute IP addresses to this list:

IP address source                                                 | Update method                                | Supports multi-account management
Security Center vulnerability web scanner IP addresses            | Statically built into the list               | No
Web Application Firewall (WAF) back-to-origin IP addresses        | Dynamically retrieved from the cloud product | No
Anti-DDoS back-to-origin IP addresses                             | Dynamically retrieved from the cloud product | No
Edge Security Acceleration (ESA) back-to-origin node IP addresses | Dynamically retrieved from the cloud product | No
Elastic Compute Service (ECS) public IP addresses                 | Dynamically retrieved from the cloud product | Yes
Classic Load Balancer (CLB) public IP addresses                   | Dynamically retrieved from the cloud product | Yes
Elastic IP addresses (EIPs)                                       | Dynamically retrieved from the cloud product | Yes
Content Delivery Network (CDN) back-to-origin IP addresses        | Dynamically retrieved from the cloud product | No
Global Accelerator (GA) back-to-origin IP addresses               | Dynamically retrieved from the cloud product | Yes

Supports multi-account management indicates whether the source can sync IP addresses from member accounts managed by the current account. For details, see Multi-account security management.

Enable automatic updates

  1. Log on to the Security Center console. In the left navigation pane, choose Agentic SOC > Integration Center. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. On the Observation List tab, click Edit in the Actions column for global_ip_whitelist.

  3. In the Scheduled Update List area, turn on Automatic Update for each cloud product you want to sync. After you enable automatic update, data syncs immediately. Subsequent syncs run daily between 02:00 and 06:00 (UTC+8).

  4. To include IP addresses from member accounts, turn on Manage Multi-account.

Add or edit individual entries

  1. On the Observation List tab, click Edit for global_ip_whitelist.

  2. In the Data List area, click Add to create a new entry, or click Edit in the Actions column to modify an existing one. Fill in the following fields:

    Field       | Description                       | Example
    ip          | IP address range in CIDR notation | 47.XXX.XXX.32/27 (range: 47.XXX.XXX.32 to 47.XXX.XXX.63)
    type        | IP address type (customizable)    | waf_back_source_ip
    description | Description of the IP address     | WAF back-to-origin IP of aliUid: 135******357
  3. To delete an entry, click Delete in the Actions column. You can re-add a deleted entry by clicking Add.

Update entries in bulk

  1. On the Observation List tab, click Batch Update in the Actions column for global_ip_whitelist.

  2. Download the file template and prepare your data file:

    • The first row must contain the field names: ip, type, and description.

    • The primary key is ip and cannot be changed.

    • If an IP address already exists in the list, the system updates its type and description values.

    • The file cannot exceed 3 MB or 5,000 records. Each field cannot exceed 200 bytes.

  3. Upload the file and click Next.

  4. On the verification page, click OK.

Create and manage custom observation lists

Custom observation lists let you define any data structure and reference it in rules or SOAR playbooks.

Create an observation list

  1. On the Observation List tab, click Add.

  2. On the Initialize tab, enter a name and description for the list.

  3. Download the file template and prepare your data file:

    • The first row must contain the field names, for example: userid,department,risk_level.

    • Primary key values cannot be empty or duplicated.

    • The file cannot exceed 3 MB or 5,000 records. Each field cannot exceed 200 bytes.

    Important

    If the uploaded data contains duplicate primary key values, the system keeps the last record and discards earlier ones. Verify data uniqueness before uploading to avoid data loss.

  4. Select a List Primary Key — the field that rules use to match data — and click Next.

  5. On the verification page, click OK.

Add or edit individual entries

  1. On the Observation List tab, click Edit for the target list.

  2. In the Data List area, click Add to create a new entry, or click Edit in the Actions column to modify an existing one. The form fields are populated from the list's defined schema.

  3. To delete an entry, click Delete in the Actions column.

Update entries in bulk

  1. On the Observation List tab, click Batch Update for the target list.

  2. Download the file template and prepare your data file:

    • The first row must contain the field names of the observation list.

    • The primary key field cannot be changed.

    • The file cannot exceed 3 MB or 5,000 records. Each field cannot exceed 200 bytes.

    Important

    If the uploaded data contains duplicate primary key values, the system keeps the last record and discards earlier ones. Verify data uniqueness before uploading to avoid data loss.

  3. Upload the file, click Next, then click OK on the verification page.
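Before uploading a data file for global_ip_whitelist or a custom list, it is worth checking it against the documented limits and seeing which rows the last-record-wins rule would silently discard. The following Python script is an added example, not part of Security Center or this page; the CSV data is constructed, and the CIDR check is meant for the ip field of global_ip_whitelist only:

```python
import csv
import io
import ipaddress

MAX_FILE_BYTES = 3 * 1024 * 1024   # 3 MB per upload
MAX_RECORDS = 5000                 # 5,000 records per file
MAX_FIELD_BYTES = 200              # 200 bytes per field

def check_upload(text, primary_key, cidr_fields=()):
    # Returns (rows, problems): rows is what the service would keep (last record
    # wins for a duplicate primary key); problems must be fixed before uploading.
    problems = []
    size = len(text.encode("utf-8"))
    if size > MAX_FILE_BYTES:
        problems.append(f"file is {size} bytes; limit is {MAX_FILE_BYTES}")
    reader = csv.DictReader(io.StringIO(text))
    if primary_key not in (reader.fieldnames or []):
        return [], [f"header row lacks primary key field '{primary_key}'"]
    kept = {}   # primary key -> (line number, row), in first-seen order
    count = 0
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        count += 1
        for field, value in row.items():
            if isinstance(value, str) and len(value.encode("utf-8")) > MAX_FIELD_BYTES:
                problems.append(f"line {lineno}: field '{field}' exceeds {MAX_FIELD_BYTES} bytes")
        key = (row.get(primary_key) or "").strip()
        if not key:
            problems.append(f"line {lineno}: empty primary key")
            continue
        for field in cidr_fields:  # e.g. the ip field of global_ip_whitelist
            try:
                ipaddress.ip_network(row.get(field) or "", strict=False)
            except ValueError:
                problems.append(f"line {lineno}: '{row.get(field)}' is not valid CIDR")
        if key in kept:
            problems.append(f"line {lineno}: duplicate primary key '{key}' replaces line {kept[key][0]}")
        kept[key] = (lineno, row)
    if count > MAX_RECORDS:
        problems.append(f"{count} records exceed the limit of {MAX_RECORDS}")
    return [row for _, row in kept.values()], problems

# Constructed sample upload for global_ip_whitelist (not real data)
SAMPLE = """ip,type,description
47.0.0.32/27,waf_back_source_ip,WAF back-to-origin IP (constructed)
10.0.0.0/8,office,office network
10.0.0.0/8,office_v2,office network (updated entry)
not-an-ip,custom,malformed entry
,custom,entry with no primary key
"""
```

Running check_upload(SAMPLE, "ip", cidr_fields=("ip",)) keeps three rows and reports three problems: the duplicate 10.0.0.0/8 (the later office_v2 row replaces the earlier one), the malformed CIDR, and the empty primary key.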

Delete an observation list

On the Observation List tab, click Delete in the Actions column for the target list.

Warning

Deletion is permanent and cannot be undone.

Use observation lists in rules and playbooks

Rule Management

When writing a custom threat detection rule with a SQL-based Rule Body, reference an observation list's primary key data with:

SELECT key FROM common_data_set WHERE data_set_name = '<observation_list_name>'

Replace <observation_list_name> with the exact name of your observation list.

SOAR

Automatic Response Rules: When creating an Automatic Response Rule, add filter conditions based on observation lists in the Filter Condition section. For details, see Add a custom automatic response rule.

Condition         | Description
not in ip Dataset | Source is not in the IP observation list
in ip dataset     | Source is in the IP observation list
not in dataset    | Source is not in the observation list
in dataset        | Source is in the observation list

Custom Playbooks: In the filter component of the playbook editor, add filter rules based on observation lists to redirect data streams. For details, see The filter component.

Rule name          | Description
NOT IN IP Dataset  | Source is not in the IP observation list
IN IP Dataset      | Source is in the IP observation list
NOT IN Dataset     | Source is not in the observation list
IN Dataset         | Source is in the observation list