Use the threat analysis and response feature to centrally manage multiple accounts - Security Center

Security Center provides the threat analysis and response feature. You can use this feature to centrally manage alerts and logs of multiple cloud services within different accounts in a multi-cloud environment. The feature helps you improve O&M efficiency. To centrally manage multiple accounts and resources within an enterprise, you can use the Resource Directory service of Resource Management and configure the multi-account management feature. This topic describes how to configure the multi-account structure for the threat analysis and response feature.

Terms

Before you use the threat analysis and response feature to centrally manage multiple accounts and resources within an enterprise, you must understand the related terms.

Term	Description	Service
management account	A management account is an Alibaba Cloud account that has passed enterprise real-name verification. After you use this Alibaba Cloud account to enable a resource directory, the account becomes the management account of the resource directory. The management account is the super administrator of the resource directory. It has all administrative permissions on the resource directory and the folders and members in the resource directory. Each resource directory has only one management account.	Resource Management
member	A member is a resource account that is created in a resource directory. A member is used to isolate the resources of a project or an application on Alibaba Cloud from other resources. You can invite existing Alibaba Cloud accounts to join your resource directory. After the owners of the Alibaba Cloud accounts accept the invitations, the accounts become the members of the resource directory. These members are cloud accounts.
delegated administrator account	You can use the management account of a resource directory to specify a member in the resource directory as a delegated administrator account of a trusted service. After a member is specified as a delegated administrator account of a trusted service, the member can be used to access information about the resource directory in the trusted service. The information includes the structure and members of the resource directory. The member can also be used to manage business within the resource directory.
global administrator account	If you log on to the Security Center console by using the global administrator account, you can switch to the global account view to configure log access policies for Alibaba Cloud accounts that are managed by the threat analysis and response feature, configure threat detection rules, and handle security events.	Security Center

Multi-account structure

You can use the threat analysis and response feature to centrally manage multiple Alibaba Cloud accounts and establish a multi-account structure. The examples in the following scenario and flowchart show how to establish a multi-account structure:

Scenario: Account A, Account B, Account C, Account D, and Account E belong to the same resource directory. Account A is the management account of the resource directory, and the other accounts are the members of the resource directory. Account A specifies Account B as the delegated administrator account of the trusted service named Security Center - Threat Analysis to centrally manage Account B, Account C, Account D, and Account E that perform operations supported by the threat analysis and response feature. The operations include log access, threat detection configuration, and security event handling.

Step 1: Purchase the threat analysis and response feature

Before you can add logs of an Alibaba Cloud account to the threat analysis and response feature, you must purchase a volume of log data that can be added to the feature for the account. After you purchase the volume of log data for each Alibaba Cloud account, the accounts can be managed by the global administrator account in a centralized manner. For more information, see Purchase and enable the threat analysis and response feature.

Important

If your Alibaba Cloud account is used to purchase the threat analysis and response feature before the billing rules are changed, the members that belong to the same resource directory do not need to purchase the feature. For more information, see [Notice] Billing rules of the threat analysis and response feature are changed.

Step 2: Establish a multi-account structure

The Alibaba Cloud accounts that can be added to a resource directory must belong to the same enterprise and pass enterprise real-name verification. You must enable a resource directory and specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as the delegated administrator account.

Log on to the Resource Management console by using the management account of your resource directory.
The first time you use Resource Directory, choose Resource Directory > Overview in the left-side navigation pane and click Enable Resource Directory. Then, follow the on-screen instructions to enable a resource directory. For more information, see Enable a resource directory.
Create a member or invite an Alibaba Cloud account to join the resource directory.
- Create a member: In the left-side navigation pane, choose Resource Directory > Create Member Account to create a member. For more information, see Create a member.
- Invite a member: Choose Resource Directory > Invite Member to invite an Alibaba Cloud account to join the resource directory. For more information, see Invite an Alibaba Cloud account to join a resource directory.
Specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as the delegated administrator account.
In the left-side navigation pane, choose Resource Directory > Trusted Services. On the page that appears, click Manage in the Actions column of Security Center and Security Center - Threat Analysis. On the page that appears, specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as the delegated administrator account of these trusted services. For more information, see Add a delegated administrator account.

Step 3: Add accounts to the threat analysis and response feature for management

Log on to the Security Center console by using the Alibaba Cloud account that is used to purchase the threat analysis and response feature. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose System Configuration > Multi-account Management.
The first time you use the multi-account management feature, click Enable Management in Security Center.
After you enable the multi-account management feature, the system automatically creates a service-linked role named AliyunServiceRoleForSasRd for the member. The delegated administrator account of Security Center can assume this role to access the Security Center console of the members in the resource directory. This way, you can protect resources for multiple members of your enterprise in a centralized manner and monitor the security status of the members in real time.
On the Multi-account Management > Configure tab, click the Account Monitored by Threat Analysis tab.
If the Configure tab is not displayed, click the Account Monitored by Threat Analysis tab.
In the Total Monitored Accounts section, click Account Management.
In the Multi-account Management Settings panel, select your resource directory in the Resource Directory Node section and the Alibaba Cloud accounts that you want to add to the threat analysis and response feature from the member list, and click OK.
If the AliyunServiceRoleForSasRd and AliyunServiceRoleForSasCloudSiem service-linked roles are not created for the selected member, the system automatically creates the roles for the member to enable related features when you select the member. For more information, see Service-linked roles for Security Center.

Step 4: Specify the global administrator account

The global administrator account can switch between the global account view and the current account view to use the threat analysis and response feature. In the global account view, you can configure access policies for managed Alibaba Cloud accounts, configure threat detection rules, and handle security events. In the current account view, you can configure threat analysis and response policies for the current account. You can perform the following operations to specify the Alibaba Cloud account that is used to purchase the threat analysis and response feature as the global administrator account:

Important

You can specify only one account as the global administrator account for the threat analysis and response feature in each resource directory.
You cannot change the global administrator account after you specify the account. Proceed with caution.

In the Global Administrator Account section of the Account Monitored by Threat Analysis tab, click Settings.
In the Specify Global Administrator Account dialog box, select the required Alibaba Cloud account as the global administrator account and click OK.
The specified global administrator account must be a management account or a delegated administrator of the trusted service named Security Center - Threat Analysis in the Resource Management console and must be used to purchase the threat analysis and response feature.

Step 5: Add cloud service logs to the threat analysis and response feature

After you log on to the Security Center console by using the global administrator account, you can add the logs of cloud services that belong to the current logon account and managed accounts, and logs of cloud services that belong to third-party cloud accounts to the threat analysis and response feature for centralized monitoring and analysis of alerts and log data.

For more information about how to add logs of Alibaba Cloud services, see Add logs of Alibaba Cloud services.
For more information about how to add logs of third-party cloud services, see Add logs of third-party cloud services.

Step 6: Use the threat analysis and response feature

After you complete the preceding operations, you can perform operations supported by the threat analysis and response feature. For example, you can use the event analysis and Security Orchestration Automation Response (SOAR) features. The global administrator account can switch between the global account view and the current account view to manage the current account and all managed accounts.

For more information about how to use the threat analysis and response features, see the following topics:

Use detection rules: You can use predefined and custom detection rules.
Handle security events: You can handle security events to improve the security of your system.
Use SOAR: You can use SOAR to implement orchestration in different systems and services based on specific logic. SOAR supports automated orchestration and quick response during security O&M.
Manage logs: You can use the log management feature to store and query standardized logs of cloud services. The feature helps you precisely identify alerts and trace attack sources to improve the efficiency of response to potential threats and simplify log management across environments.

References

Security Center provides the multi-account management feature. For more information, see Use the multi-account management feature.
For more information about Resource Directory, see Resource Directory overview.