In the increasingly complex network security environment, organizations and enterprises face challenges on how to effectively monitor and manage large amounts of alerts and logs in distributed systems. To handle these challenges, Security Center provides the Cloud Threat Detection and Response (CTDR) feature. You can use the feature to centrally manage alerts and logs of multiple cloud services within different accounts in a multi-cloud environment. The feature helps you improve O&M efficiency and respond to potential risks.
Background
How it works
The CTDR feature provides a cloud-native management solution for security information and events. The feature provides capabilities such as log standardization, alert generation, event aggregation and analysis, and event response and orchestration.
The feature collects logs from different accounts and cloud services of multiple cloud service providers. The feature also analyzes the collected logs based on predefined and custom detection rules to identify attacks, build complete attack chains, and generate security events with detailed information. When the feature detects security threats, it enables Security Orchestration Automation Response (SOAR) and handles threat sources in collaboration with related Alibaba Cloud services. The handling operation includes blocking and quarantine. This helps improve the handling efficiency of security events.
Benefits
Standardized data collection
The feature collects various logs, such as alert logs, network logs, system logs, and application logs, across services, accounts, and cloud platforms. This way, data is standardized and context is enhanced.
Multi-dimension threat detection
The feature strengthens the single-point threat detection capabilities of southbound security devices by using threat detection methods, such as multi-source data association analysis, AI image-based computing and inference, and threat intelligence that is updated in real time. The feature provides predefined cross-data-source threat detection rules and the following types of event analysis models: expert rule, graph computing, alert transmission, and same-type aggregation.
Efficient event investigation
The feature aggregates related alerts to generate security events, and automatically reconstructs the attack timeline and path. The error rate of security events triggered by alerts is only 0.0001%. This enriches event investigation context and accelerates alerting and event handling.
Automated response and orchestration
The feature automatically handles malicious entities based on automatic response rules and playbooks in collaboration with multiple services. The malicious entities include malicious IP addresses, files, and processes. This way, the emergency response experience is streamlined, normalized, and automated.
Supported services and log types
The CTDR feature supports more than 30 cloud services and more than 60 log types. The following table describes the supported cloud services and log types.
Service provider | Service | Log type |
Alibaba Cloud | Security Center |
|
Web Application Firewall (WAF) | Alert logs, CDN flow logs (only supported in China), full/block/block and monitor logs of WAF 2.0, and full/block/block and monitor logs of WAF 3.0 | |
Cloud Firewall | Alert logs, real-time alert logs, and traffic logs of Cloud Firewall | |
Anti-DDoS | Anti-DDoS Proxy full logs, Anti-DDoS Proxy flow logs (previous version), and Anti-DDoS Origin logs | |
Bastionhost | Bastionhost logs | |
CDN | Flow logs of Alibaba Cloud CDN (CDN) and flow logs of CDN WAF | |
Edge Security Acceleration (ESA) | EdgeRoutine logs, access logs, and WAF logs of DCDN | |
API Gateway | API Gateway logs | |
Container Service for Kubernetes (ACK) | Audit logs of Kubernetes resources | |
PolarDB | PolarDB-X 1.0 SQL audit logs and PolarDB-X 2.0 SQL audit logs | |
ApsaraDB for MongoDB | Operational logs and audit logs of ApsaraDB for MongoDB | |
ApsaraDB RDS | RDS SQL audit logs | |
Virtual Private Cloud (VPC) | Flow logs of VPC | |
Elastic IP Address (EIP) | EIP logs | |
Server Load Balancer (SLB) | ALB access logs, CLB access logs | |
Object Storage Service (OSS) | OSS access logs, OSS batch deletion logs, OSS hourly metering logs | |
File Storage NAS | Operation logs of NAS NFS | |
Function Compute (FC) | Operational logs of Function Compute | |
ActionTrail | ActionTrail event logs | |
CloudConfig | Cloud Config logs | |
Tencent Cloud | WAF | Tencent Cloud WAF alert logs |
Cloud Firewall | Tencent Cloud Cloud Firewall alert logs | |
Huawei Cloud | WAF | Huawei Cloud WAF alert logs |
Cloud Firewall | Huawei Cloud Cloud Firewall alert logs |
Purchase and enable the CTDR feature
CTDR enables you to add services, detect threats, handle events, and leverage Security Orchestration Automation Response (SOAR) capabilities. It offers both subscription and pay-as-you-go billing methods. To enable the log management feature, you must purchase Log Storage Capacity, available only through subscription. Select the billing method that best suits your needs.
Subscription
Log on to the Security Center console.
In the left-side navigation pane, select .
On the CTDR page, click Subscription.
On the Quick Purchase tab, keep the Billing Method as the default option Subscription. Set Cloud Threat Detection and Response to Yes, and configure the required billable items, Log Data to Add and Log Storage Capacity.
For more information about the configuration, see Purchase Security Center.
Log Data to Add: Select the log data that needs to be added to CTDR, measured in GB per day. After purchasing this item, you can use all features of CTDR except log management, rule management (custom rules), and dashboard.
ImportantLog Data to Add is a required parameter unless you enable the pay-as-you-go billing method.
If you purchase CTDR using pay-as-you-go, Log Data to Add option will no longer be displayed.
You can use one of the following methods to evaluate the value of the Log Data to Add parameter:
Evaluate the value based on the log storage capacity that you purchased.
Value of the Log Data to Add parameter (GB-day) = Log storage capacity/TTL
The log storage capacity specifies the storage capacity used by logs that you want to add to the CTDR feature.
Time to live (TTL) specifies the log retention period.
Evaluate the value based on the Event Per Second (EPS) of logs that you want to add to the CTDR feature.
Value of the Log Data to Add parameter (GB-day) = EPS × 86,400s × SIZE/(1,024 × 1,024)
EPS specifies the number of raw logs that are added to the CTDR feature within one day.
SIZE specifies the size of each log. In most cases, the size ranges from 3 KB to 7 KB.
Log Storage Capacity: optional. Specify the amount of log data that you want to store. We recommend that you purchase 120 GB of log storage capacity for each server. If you purchased the log storage capacity for the log analysis feature, we recommend that you set the Log Storage Capacity parameter of the CTDR feature to a value that is three times the purchased log storage capacity for the log analysis feature. For more information, see Manage logs.
Read and select Security Center Terms of Service, click Buy Now, and then complete payment.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, select .
On the CTDR page, click Authorize Now.
The Enable the recommend log ingestion policies to identify cloud security events. option is selected by default. After you select this option and complete the authorization, CTDR automatically accesses the logs of Security Center, Web Application Firewall (WAF), Cloud Firewall, and ActionTrail in your current Alibaba Cloud account. For more information, see Recommended log ingestion policies. If you choose not to select this option, you must manually add logs to CTDR.
Following this step, Security Center automatically creates the service-linked role AliyunServiceRoleForSasCloudSiem, which permits CTDR to access resources in your other Alibaba Cloud services. For more details, see Service-linked roles for Security Center.
Pay-as-you-go
Log on to the Security Center console.
In the left-side navigation pane, select .
On the CTDR page, click Activate Pay-as-you-go.
In the Enabling dialog box, read the billing rules carefully, select or deselect Enable Policy, and click Activate and Authorize.
After selecting Enable Policy and completing the operation, CTDR will automatically add logs from Security Center, Web Application Firewall (WAF), Cloud Firewall, and ActionTrail within your current Alibaba Cloud account. For further information, see Recommended log ingestion policies.
Following this operation, Security Center will automatically create the service-linked role AliyunServiceRoleForSasCloudSiem, enabling CTDR to access resources across your Alibaba Cloud services. For more details, see Service-linked roles for Security Center.
Recommended log ingestion policies
Security Center offers recommended log ingestion policies to help you with configuration. When purchasing or enabling CTDR, you can select these policies to quickly add commonly used Alibaba Cloud services. The table below outlines the specific services included in these policies, the standardized log categories, and the security capabilities supported.
No. | Alibaba Cloud service | Data source | Standardized log category | Supported security capability |
1 | Security Center | Alert logs | Security log - alert log |
|
2 | Vulnerability logs | Security log - vulnerability log | Event investigation and tracing | |
3 | Baseline logs | Security log - host baseline log | Event investigation and tracing | |
4 | Logon logs | Logon log - host logon log | Event investigation and tracing | |
5 | Web access logs | Network log - HTTP log | Predefined analysis rules | |
6 | File read and write logs | Host log - process file read and write log | Event investigation and tracing | |
7 | Process startup logs | Host log - process startup log | Event investigation and tracing | |
8 | DNS query logs | Host log - process DNS query log | Event investigation and tracing | |
9 | Network connection logs | Host log - process network connection log | Event investigation and tracing | |
10 | Web Application Firewall | WAF alert logs | Security log - WAF alert log |
|
11 | Full/block/block and monitor logs of WAF 2.0 | Network log - HTTP log | Predefined analysis rules | |
12 | Full/block/block and monitor logs of WAF 3.0 | Network log - HTTP log | Predefined analysis rules | |
13 | Cloud Firewall | Real-time alert logs of Cloud Firewall | Security log - firewall alert log |
|
14 | ActionTrail | ActionTrail event logs | Audit log - cloud platform operation audit log | Event investigation and tracing |
Changes in the console after enabling CTDR
After you enable the CTDR feature, the layout of some modules in the Security Center console is changed.
Module | Description |
Detection and Response | The navigation bar directory name is changed from Detection and Response to CTDR. New module pages for CTDR are added, such as Security Event Handling and Log Management. Additionally, the following pages are changed:
|
On the Multi-account Management page, a new Account Monitored by Threat Analysis module is added to the Configure tab. The global administrator of CTDR can use this module to manage other Alibaba Cloud accounts that need to be added to the feature. |
icon to enter the Investigation page. For more information, see 
Terms
Before you use the CTDR feature, you must understand the terms that are related to the feature. The following table describes the terms.
Term | Description |
handling policy | A handling policy describes the details of scenario-specific alert handling. A handling policy is generated based on the handling result of an entity in a scenario. |
handling task | A handling task describes the details of scope-specific alert handling. The event handling process of an entity in a scenario is divided into multiple handling tasks based on scopes. |
entity | An entity is the core object of an alert, which can be an IP address, a file, or a process. |
SOAR | SOAR is a solution that provides automated tools and procedures to organize and manage event response measures. SOAR helps enterprises efficiently respond to security events, reduces manual interference, and improves the handling efficiency of events. |
playbook | A playbook provided by SOAR is an automated security management process that consists of predefined response policies. A playbook can be automatically executed after specific events are triggered. You can create a playbook in the same manner as you draw a flowchart. A playbook contains start, judgment, action, and end nodes. You can define actions for each component on a canvas in a visualized manner. For example, you can define the network disabling action for the terminal management component. |
component | A component is used to connect to an external system or service, such as WAF, Cloud Firewall, a database service, or a notification service. To serve as a connector to an external system or service, a component does not process complex logic. Complex logic is processed by the connected external system or service. After you select a component, you must select resource instances and actions for the component. Components are classified into process orchestration components, basic orchestration components, and security application components. |
resource instance | A resource instance specifies an external service to which a component is connected. For example, if you want to use a MySQL component and your enterprise has multiple MySQL databases, you must specify the database to which you want to connect the MySQL component. |
action | An action specifies the execution capability of a component. A component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications. |
References
After you enable the CTDR feature, you can add logs of cloud services to the feature to monitor and analyze alerts and logs across resources in a centralized manner. For more information, see Add logs of cloud services and Add logs of security services.
Is the number of alerts reduced after the CTDR feature is enabled?