Configure rules to aggregate alerts into security events - Security Center

The threat analysis and response feature provides predefined detection rules that can be used to detect security alerts, analyze collected logs, identify attack chains, and generate security events. You can enable or disable predefined detection rules. You can also create custom detection rules to ensure that generated security events meet your business requirements.

Multi-account management

If you configure the multi-account management feature and use the global administrator account to log on to the Security Center console, you must select an appropriate view before you can create custom detection rules or manage datasets on the Rule Management page. The following list describes the supported views:

Current Account View: The detection rules and datasets that are created take effect only on the log data within the current account.
Global Account View: The detection rules and datasets that are created take effect on the log data within the Alibaba Cloud accounts managed by the threat analysis and response feature.

For more information, see Centrally manage multiple accounts.

Manage detection rules

You can use detection rules to detect alerts and analyze logs of cloud services. You can specify a log range, matching fields, and aggregation fields in a rule to define the logic of automatic detection and log analysis for threat analysis and response. This helps identify security risks in your business systems in an efficient manner. The threat analysis and response feature supports predefined detection rules and custom detection rules. You can enable or disable predefined detection rules based on your business requirements. You can also create custom alert and event detection rules.

Enable or disable a predefined detection rule

Security Center provides a variety of predefined detection rules to generate alerts and events. The types of rules are Process Abnormal Behavior, Web Attack Successfully, Malicious Domain Query, Abnormal Login, Abnormal Network Flow, Malicious Network Access, and Abnormal Web Access. You can view the details of, enable, or disable a predefined detection rule. You cannot modify or delete predefined detection rules.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Threat Analysis and Response > Rule Management.
On the Predefined tab, view the predefined detection rules.
Optional. Find the required predefined detection rule and click Details in the Actions column to view the basic information, logic, and event generation settings of the rule.
Find the predefined detection rule that you want to manage and turn on or turn off the switch in the Status column.

Create a custom detection rule

If predefined detection rules cannot meet your business requirements, you can perform the following steps to create a custom detection rule:

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose Threat Analysis and Response > Rule Management.
On the Custom tab, click Create Rule.

On the Create Rule page, configure the parameters.

Parameter	Description
Basic information	Specify the basic information about the rule. Rule Name: Enter a name for the rule. Rule Description: Enter a description for the rule for easy identification. Threat Level: Select a risk level of the alerts or events that you want to generate by using the rule from the drop-down list. For more information about risk levels, see Risk levels. Threat Type: Select a type of the threats that you want to identify by using the rule from the drop-down list. For more information about alert types, see Alert types.
Rule Logic Settings	Configure aggregation settings for security alerts. Log Scope: Select the category and types of logs on which you want the rule to take effect. Security Center displays available log types based on the cloud services that are added to the threat analysis feature. Match Field: Specify the fields and field values based on which alerts and events are matched. Security Center displays available fields based on the settings that you specify in the Log Scope section. Descriptions of field operators >: greater than. Fields of the numeric type are supported. >=: greater than or equal to. Fields of the numeric type are supported. <: less than. Fields of the numeric type are supported. <=: less than or equal to. Fields of the numeric type are supported. =: equal to. Fields of the numeric and string types are supported. <>: not equal to. Fields of the numeric and string types are supported. LIKE: This operator complies with the LIKE syntax in standard SQL. Fields of the string type are supported. NOT LIKE: This operator complies with the NOT LIKE syntax in standard SQL. Fields of the string type are supported. IN: This operator is used to check whether a specified value matches any value in a set. Separate multiple field values with commas (,). Field values of the string type are supported. NOT IN: This operator is used to check whether a specified value does not match any value in a set. Separate multiple field values with commas (,). Field values of the string type are supported. REGEXP: A regular expression is used as a field operator. Fields of the string type are supported. NOT REGEXP: A regular expression is used as a field operator to identify a field that is not a match. Fields of the string type are supported. THREAT DETECT: A threat detection rule is used. The rule takes effect only on the src_ip, dst_ip, domain, url, and md5 fields. If a field matches a specific field in the threat detection database, true is returned. NOT_IN_IP_DATASET: This operator is used to identify fields that do not match the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only IP addresses and CIDR blocks. IN_IP_DATASET: This operator is used to identify a field that matches the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only IP addresses and CIDR blocks. NOT_IN_IDATASET: This operator is used to identify fields that do not match the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only string values. IN_DATASET: This operator is used to identify a field that matches the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only string values. You can add multiple fields to a field group for matching. To add another field, you can click Add Field. Multiple fields are evaluated by using a logical AND. You can create multiple field groups. To create another field group, you can click Add Field Group. Multiple field groups are evaluated by using a logical OR. Aggregation Field: Select the fields that you want to use for event aggregation. Maximum Logs: Specify the condition based on which alerts are generated. Statistical Period: Specify the time period of alerts that you want to aggregate. Security Center aggregates alerts from logs of the specified type within the specified statistical period based on the aggregation fields.
Event Generation Settings	Specify whether to aggregate the alerts that are generated based on the rule into events. If you select Yes, only the alerts that are generated based on the rule are aggregated into events. The following event aggregation methods are available: Use Built-in Event Aggregation Rule: Alerts that are generated based on the rule are aggregated into predefined events. A predefined event refers to an event that is generated based on a predefined detection rule. Aggregate Each Alert to Event: Each alert is aggregated into an event. Aggregate All Rule-triggered Alerts into Event: If you select this method, you need to configure the Execution Cycle parameter. During the time period specified by the Execution cycle parameter, alerts that are generated based on the rule are aggregated into one event. The maximum time period that you can specify is 24 hours.

Optional. Click Test and select a test method. The system tests whether the rule takes effect.
The following test methods are available:
- Simulation Data: If you select this test method, you need to write SQL statements to test whether the rule takes effect. When you write SQL statements, you can refer to the example provided in the Simulated data value section on the Test page. After you enter simulated data values, click Test.
- Business Data: If you select this test method, your actual business data is used to test whether the rule takes effect. Click Test to view the following information: the line chart of the numbers of alerts and events that are generated based on the rule, the list of alerts, and the list of events.
By default, the test is run for seven days. You can also click Publish or End Test to end the test in advance. After you click Publish, the rule immediately takes effect. After you click End Test, you need to click the icon to return to the Rule Management page. The rule is automatically created and disabled.
If you do not test the rule, confirm the rule settings on the Create Rule page and click Publish.
If you do not want the rule to immediately take effect, you can click Save as Draft to save the rule.

After the custom detection rule is created, you can view the details of, test, enable, disable, edit, and delete the rule on the Rule Management page.

Manage datasets

If you want to manage multiple data objects that are applicable to a specific scenario in a centralized manner, you can create a dataset and define the data objects in the dataset. Data objects include IP address blacklists and whitelists, lists of core assets, and indicators of compromise (IOC)-related custom threat intelligence. Datasets are two-dimensional tables that are used to maintain custom data lists. You can reference a dataset in a detection rule or Security Orchestration Automation Response (SOAR) playbook multiple times.

Create a dataset

In the left-side navigation pane, choose Threat Analysis and Response > Rule Management.
On the Dataset tab, click Add Dataset. The Add Dataset panel appears.
In the Dataset section, click Download File Template to download the dataset template file to your computer. Enter the required information in the dataset template file and save it.
Take note of the following items:
- Before you upload the dataset template file, you must specify a primary key, which is used to search for and match logs. The primary key column cannot contain NULL or duplicate values.
  If the primary key column contains duplicate values, the system automatically removes the duplicates.
- The size of the dataset template file cannot exceed 3 MB.
- The dataset template file can contain no more than 5,000 rows.
- Each value in the dataset template file cannot exceed 200 bytes in length.
Return to the Add Dataset panel, configure the Dataset Name and Dataset Description parameters, upload the dataset template file, configure the Dataset Primary Key parameter, and then click Next.
The system automatically checks the validity of the values in the uploaded file. If a value is invalid, modify the value as prompted.
On the Verify and Create tab, confirm the information in the uploaded file and click OK.

What to do next

You can directly reference a dataset when you create a custom detection rule and SOAR playbook. For more information, see Handle security events and Step 1: Create a playbook.

You can view reference information about a dataset in the Referenced column of the dataset on the Dataset tab.

More operations

To add data to a dataset or remove data from a dataset, find the dataset and click Edit in the Actions column.
To update multiple rows in a dataset at a time, open and edit the dataset template file that is saved on your computer, find the dataset on the Dataset tab, and then click Batch Update in the Actions column to upload the file.
To delete a dataset that you no longer use, find the dataset and click Delete in the Actions column.
Note
You cannot delete a dataset that is referenced in a detection rule or playbook.

Configuration examples on custom detection rules

This section provides examples that you can refer to when you create custom detection rules in typical scenarios.

Union SQL injection

Parameter	Sample configuration
Basic information
Rule Name	sql_injection
Rule Description	Union SQL injection
Threat Level	High Risk
Threat Type	Abnormal network traffic
Rule Logic Settings
Log Scope	Select `HTTP Activity` from the log category drop-down list. Select `ALB Layer 7 Log`, `CLB Layer 7 Log`, `Internet HTTP Log`, `Anti-DDoS Pro Log`, `WAF Flow Log`, `CDN Flow Log`, and `Anti-DDoS Log` from the log type drop-down list.
Match Field	In the Match Field Group 1 section, select `request_parameters`, select `REGEXP`, and then enter `union\b[\s\S]+select\b`.
Aggregation Field	Skip this parameter.
Maximum Logs	Skip this parameter.
Statistical Period	Skip this parameter.
Event Generation Settings
Aggregate Rule-triggered Alerts into Event	Yes
Event Generation Method	Aggregate All Rule-triggered Alerts into Event
Execution Cycle	24 Hours

IP address of the scanner that attacks WAF

Parameter	Sample configuration
Basic information
Rule Name	web_scanner_ip
Rule Description	IP address of the scanner that attacks WAF
Threat Level	High Risk
Threat Type	Malicious Network Activity
Rule Logic Settings
Log Scope	Select `HTTP Activity` from the log category drop-down list. Select `WAF Flow Log` from the log type drop-down list.
Match Field	Specify the following fields in the Match Field Group 1 section: Field 1: `status`, `=`, and `405` Field 2: `final_plugin`, `=`, and `waf`
Aggregation Field	domain
Maximum Logs	Perform the following operations in sequence: Select `Count`, select `final_rule_type`, select `>=`, and then enter `2`.
Statistical Period	2 Minutes
Event Generation Settings
Aggregate Rule-triggered Alerts into Event	No

Suspicious sensitive command executed by a Java process

Parameter	Sample configuration
Basic information
Rule Name	java_exec_suspicious_command
Rule Description	Suspicious sensitive command executed by a Java process
Threat Level	High Risk
Threat Type	Suspicious Process
Rule Logic Settings
Log Scope	Select `Process Activity` from the log category drop-down list. Select `Process Startup Log` from the log type drop-down list.
Match Field	Match Field Group 1 Field 1: `parent_proc_path`, `LIKE`, and `%/java%` Field 2: `proc_path`, `LIKE`, and `%/id%` Match Field Group 2 Field 1: `parent_proc_path`, `LIKE`, and `%/java%` Field 2: `proc_path`, `LIKE`, and `%/ifconfig%` Match Field Group 3 Field 1: `parent_proc_path`, `LIKE`, and `%/java%` Field 2: `proc_path`, `LIKE`, and `%/whoami%` Match Field Group 4 Field 1: `parent_proc_path`, `LIKE`, and `%/java%` Field 2: `proc_path`, `LIKE`, and `%/curl%` Match Field Group 5 Field 1: `parent_proc_path`, `LIKE`, and `%/java%` Field 2: `proc_path`, `LIKE`, and `%/wget%`
Aggregation Field	Skip this parameter.
Maximum Logs	Skip this parameter.
Statistical Period	Skip this parameter.
Event Generation Settings
Aggregate Rule-triggered Alerts into Event	No

Host brute-force attack

Parameter	Sample configuration
Basic information
Rule Name	host_crack
Rule Description	Host brute-force attack
Threat Level	High Risk
Threat Type	Unusual Logon
Rule Logic Settings
Log Scope	Select `Logon Activity` from the log category drop-down list. Select `Failed Host Logon Logs` from the log type drop-down list.
Match Field	Specify the following fields in the Match Field Group 1 section: Field 1: `src_ip`, `NOT LIKE`, and `10.%` Field 2: `src_ip`, `NOT LIKE`, and `192.168.%` Field 3: `src_ip`, `NOT REGEXP`, and `172\.1[6-9]\.` Field 4: `src_ip`, `NOT REGEXP`, and `172\.2[0-9]\.` Field 5: `src_ip`, `NOT REGEXP`, and `172\.3[0-1]\.`
Aggregation Field	Select `host_uuid` and `src_ip`.
Maximum Logs	Perform the following operations in sequence: Select `Sum`, select `connect_count`, select`>=`, and then enter `5`.
Statistical Period	3 Minutes
Event Generation Settings
Aggregate Rule-triggered Alerts into Event	No

Host connected to mining domain names

Parameter	Sample configuration
Basic information
Rule Name	minner_domain
Rule Description	Host connected to mining domain names
Threat Level	High Risk
Threat Type	Unusual Network Connection
Rule Logic Settings
Log Scope	Select `DNS Activity` from the log category drop-down list. Select `Internet DNS Log` and `DNS Log` from the log type drop-down list.
Match Field	Specify the following fields in the Match Field Group 1 section: Field 1: `dns_query_name`, `LIKE`, and `%cryptonight.net%` Field 2: `dns_query_name`, `LIKE`, and `%minexmr.org%` Field 3: `dns_query_name`, `LIKE`, and `%xmrpool.com%`
Aggregation Field	Skip this parameter.
Maximum Logs	Skip this parameter.
Statistical Period	Skip this parameter.
Event Generation Settings
Aggregate Rule-triggered Alerts into Event	No

HTTP request burst

Parameter	Sample configuration
Basic information
Rule Name	web_access_overload
Rule Description	HTTP request burst
Threat Level	High Risk
Threat Type	Abnormal network traffic
Rule Logic Settings
Log Scope	Select `HTTP Activity` from the log category drop-down list. Select `ALB Layer 7 Log`, `CLB Layer 7 Log`, `Internet HTTP Log`, `Anti-DDoS Pro Log`, `WAF Flow Log`, `CDN Flow Log`, and `Anti-DDoS Log` from the log type drop-down list.
Match Field	In the Match Field Group 1 section, select `responseparameterKE` and enter `2%`.
Aggregation Field	domain
Maximum Logs	Perform the following operations in sequence: Select `count`, select `request_url`, select `>=`, and then enter `60000`.
Statistical Period	1 Minute
Event Generation Settings
Aggregate Rule-triggered Alerts into Event	No

References

To ensure system security, we recommend that you view and handle security events that are generated by the threat analysis and response feature at the earliest opportunity. For more information, see Handle security events.
You can use the log management feature of threat analysis and response to quickly query logs and view information about logs. This helps reduce the difficulty of log management in a multi-resource environment. For more information, see Manage logs.
You can call rule management-related API operations to query rules, update the status of custom detection rules, and delete custom detection rules. For more information, see Rule Management.