Security Center: Use detection rules

Last Updated: Nov 20, 2024

The threat analysis and response feature provides predefined detection rules that can be used to detect security alerts, analyze collected logs, identify attack chains, and generate security events. You can enable or disable predefined detection rules. You can also create custom detection rules to ensure that generated security events meet your business requirements.

Multi-account management

If you configure the multi-account management feature and use the global administrator account to log on to the Security Center console, you must select an appropriate view before you can create custom detection rules or manage datasets on the Rule Management page. The following list describes the supported views:

  • Current Account View: The detection rules and datasets that are created take effect only on the log data within the current account.

  • Global Account View: The detection rules and datasets that are created take effect on the log data within the Alibaba Cloud accounts managed by the threat analysis and response feature.

For more information, see Centrally manage multiple accounts.

Manage detection rules

You can use detection rules to detect alerts and analyze logs of cloud services. You can specify a log range, matching fields, and aggregation fields in a rule to define the logic of automatic detection and log analysis for threat analysis and response. This helps identify security risks in your business systems in an efficient manner. The threat analysis and response feature supports predefined detection rules and custom detection rules. You can enable or disable predefined detection rules based on your business requirements. You can also create custom alert and event detection rules.

Enable or disable a predefined detection rule

Security Center provides a variety of predefined detection rules to generate alerts and events. The types of rules are Process Abnormal Behavior, Web Attack Successfully, Malicious Domain Query, Abnormal Login, Abnormal Network Flow, Malicious Network Access, and Abnormal Web Access. You can view the details of, enable, or disable a predefined detection rule. You cannot modify or delete predefined detection rules.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose CTDR > Rule Management.

  3. On the Predefined tab, view the predefined detection rules.

  4. Optional. Find the required predefined detection rule and click Details in the Actions column to view the basic information, logic, and event generation settings of the rule.

  5. Find the predefined detection rule that you want to manage and turn on or turn off the switch in the Rule Status column.

Create a custom detection rule

If predefined detection rules cannot meet your business requirements, you can perform the following steps to create a custom detection rule:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose CTDR > Rule Management.

  3. On the Custom tab, click Create Rule.

  4. On the Create Rule page, configure the parameters.

    The parameters are grouped into the following sections:

    Basic information

    Specify the basic information about the rule.

    • Rule Name: Enter a name for the rule.

    • Rule Description: Enter a description for the rule for easy identification.

    • Threat Level: Select a risk level of the alerts or events that you want to generate by using the rule from the drop-down list. For more information about risk levels, see Risk levels.

    • Threat Type: Select a type of the threats that you want to identify by using the rule from the drop-down list. For more information about alert types, see Alert types.

    Rule Logic Settings

    Configure aggregation settings for security alerts.

    • Log Scope: Select the category and types of logs on which you want the rule to take effect.

      Security Center displays available log types based on the cloud services that are added to the threat analysis feature.

    • Match Field: Specify the fields and field values based on which alerts and events are matched. Security Center displays available fields based on the settings that you specify in the Log Scope section.

      Descriptions of field operators

      • >: greater than. Fields of the numeric type are supported.

      • >=: greater than or equal to. Fields of the numeric type are supported.

      • <: less than. Fields of the numeric type are supported.

      • <=: less than or equal to. Fields of the numeric type are supported.

      • =: equal to. Fields of the numeric and string types are supported.

      • <>: not equal to. Fields of the numeric and string types are supported.

      • LIKE: This operator complies with the LIKE syntax in standard SQL. Fields of the string type are supported.

      • NOT LIKE: This operator complies with the NOT LIKE syntax in standard SQL. Fields of the string type are supported.

      • IN: This operator is used to check whether a specified value matches any value in a set. Separate multiple field values with commas (,). Field values of the string type are supported.

      • NOT IN: This operator is used to check whether a specified value does not match any value in a set. Separate multiple field values with commas (,). Field values of the string type are supported.

      • REGEXP: A regular expression is used as a field operator. Fields of the string type are supported.

      • NOT REGEXP: A regular expression is used as a field operator to identify a field that is not a match. Fields of the string type are supported.

      • THREAT DETECT: A threat detection rule is used. The rule takes effect only on the src_ip, dst_ip, domain, url, and md5 fields. If a field matches a specific field in the threat detection database, true is returned.

      • NOT_IN_IP_DATASET: This operator is used to identify fields that do not match the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only IP addresses and CIDR blocks.

      • IN_IP_DATASET: This operator is used to identify a field that matches the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only IP addresses and CIDR blocks.

      • NOT_IN_DATASET: This operator is used to identify fields that do not match the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only string values.

      • IN_DATASET: This operator is used to identify a field that matches the primary key values in a specified dataset. Make sure that the primary key column in the dataset contains only string values.

      • You can add multiple fields to a field group for matching. To add another field, you can click Add Field. Multiple fields are evaluated by using a logical AND.

      • You can create multiple field groups. To create another field group, you can click Add Field Group. Multiple field groups are evaluated by using a logical OR.

    • Aggregation Field: Select the fields that you want to use for event aggregation.

    • Maximum Logs: Specify the threshold condition that triggers an alert: a statistic (such as Count or Sum) over a field of the aggregated logs, a comparison operator, and a value. An alert is generated when the statistic computed within the statistical period satisfies the condition.

    • Statistical Period: Specify the time period of alerts that you want to aggregate.

      Security Center aggregates alerts from logs of the specified type within the specified statistical period based on the aggregation fields.

    Event Generation Settings

    Specify whether to aggregate the alerts that are generated based on the rule into events.

    If you select Yes, only the alerts that are generated based on the rule are aggregated into events. The following event aggregation methods are available:

    • Use Built-in Event Aggregation Rule: Alerts that are generated based on the rule are aggregated into predefined events. A predefined event refers to an event that is generated based on a predefined detection rule.

    • Aggregate Each Alert to Event: Each alert is aggregated into an event.

    • Aggregate All Rule-triggered Alerts into Event:

      If you select this method, you need to configure the Execution Cycle parameter. During the time period specified by the Execution cycle parameter, alerts that are generated based on the rule are aggregated into one event. The maximum time period that you can specify is 24 hours.

  5. Optional. Click Test and select a test method. The system tests whether the rule takes effect.

    The following test methods are available:

    • Simulation Data: If you select this test method, you need to write SQL statements to test whether the rule takes effect. When you write SQL statements, you can refer to the example provided in the Simulated data value section on the Test page. After you enter simulated data values, click Test.

    • Business Data: If you select this test method, your actual business data is used to test whether the rule takes effect. Click Test to view the following information: the line chart of the numbers of alerts and events that are generated based on the rule, the list of alerts, and the list of events.

    By default, the test is run for seven days. You can also click Publish or End Test to end the test in advance. After you click Publish, the rule immediately takes effect. After you click End Test, click the Return icon to return to the Rule Management page. The rule is automatically created and disabled.

  6. If you do not test the rule, confirm the rule settings on the Create Rule page and click Publish.

    If you do not want the rule to immediately take effect, you can click Save as Draft to save the rule.

After the custom detection rule is created, you can view the details of, test, enable, disable, edit, and delete the rule on the Rule Management page.
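To make the operator semantics and the AND-within-group, OR-across-groups evaluation concrete, here is an added Python example; it is not Security Center code, and the product's own evaluation engine is not described on this page. It implements the match-field operators listed above over log records represented as dicts, evaluates the five field groups of the java_exec_suspicious_command configuration example that appears later on this page, and matches IP fields against a dataset of IP addresses and CIDR blocks. The dataset names `core_assets` and `blocked_user_agents`, the sample records, and the use of Python `re.search` (unanchored, case-sensitive) for REGEXP are assumptions.

```python
import re
import ipaddress

# Added example, not Security Center code: a small evaluator that mirrors the
# match-field semantics described above. A rule's match logic is a list of
# field groups; each group is a list of (field, operator, value) conditions.
# Conditions inside a group are ANDed, and the groups are ORed.

def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (% = any run, _ = one character) into a regex."""
    parts = [".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts), re.DOTALL)

def like_match(pattern, s):
    """SQL LIKE: the pattern must cover the whole string."""
    return like_to_regex(pattern).fullmatch(s) is not None

def in_ip_dataset(value, entries):
    """True if value is an IP address inside any IP or CIDR entry of the dataset."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def eval_condition(log, field, op, value, datasets=None):
    """Evaluate one (field, operator, value) condition against a log record (a dict).
    A record that lacks the field never matches, whatever the operator."""
    datasets = datasets or {}
    if field not in log or log[field] is None:
        return False
    actual = log[field]
    if op in (">", ">=", "<", "<="):
        try:
            a, v = float(actual), float(value)
        except ValueError:
            return False                      # numeric operators need numeric fields
        return {">": a > v, ">=": a >= v, "<": a < v, "<=": a <= v}[op]
    s = str(actual)
    if op == "=":
        return s == str(value)
    if op == "<>":
        return s != str(value)
    if op == "LIKE":
        return like_match(value, s)
    if op == "NOT LIKE":
        return not like_match(value, s)
    if op == "IN":
        return s in [v.strip() for v in value.split(",")]
    if op == "NOT IN":
        return s not in [v.strip() for v in value.split(",")]
    if op == "REGEXP":
        return re.search(value, s) is not None
    if op == "NOT REGEXP":
        return re.search(value, s) is None
    if op == "IN_IP_DATASET":
        return in_ip_dataset(s, datasets[value])
    if op == "NOT_IN_IP_DATASET":
        return not in_ip_dataset(s, datasets[value])
    if op == "IN_DATASET":
        return s in datasets[value]
    if op == "NOT_IN_DATASET":
        return s not in datasets[value]
    raise ValueError("unsupported operator: " + op)

def rule_matches(log, field_groups, datasets=None):
    """AND within a field group, OR across field groups."""
    return any(all(eval_condition(log, f, op, v, datasets) for f, op, v in group)
               for group in field_groups)

# The five field groups of the java_exec_suspicious_command example, built in a loop.
JAVA_RULE = [
    [("parent_proc_path", "LIKE", "%/java%"), ("proc_path", "LIKE", "%/" + cmd + "%")]
    for cmd in ("id", "ifconfig", "whoami", "curl", "wget")
]

# Constructed datasets keyed by name (names are assumptions): an IP dataset whose
# primary keys are IP addresses and CIDR blocks, and a plain string dataset.
DATASETS = {
    "core_assets": ["10.0.0.0/8", "203.0.113.7"],
    "blocked_user_agents": {"scanner-bot/1.0"},
}

# Constructed process startup records.
SAMPLE_PROCESS_LOGS = [
    {"parent_proc_path": "/usr/lib/jvm/java-17/bin/java", "proc_path": "/usr/bin/whoami"},
    {"parent_proc_path": "/bin/bash", "proc_path": "/usr/bin/whoami"},
    {"parent_proc_path": "/usr/lib/jvm/java-17/bin/java", "proc_path": "/usr/bin/ls"},
]

def matching_process_logs():
    """Records on which the java_exec_suspicious_command rule would raise an alert."""
    return [log for log in SAMPLE_PROCESS_LOGS if rule_matches(log, JAVA_RULE)]

if __name__ == "__main__":
    for log in matching_process_logs():
        print("ALERT: java child process", log["proc_path"])
```

One tuning point the evaluator makes visible: a LIKE pattern such as `%/id%` is a substring match, so it also covers paths like `/usr/bin/identify`. When a custom rule of this shape produces noisy alerts, an `=` comparison on the full path or an anchored REGEXP (for example `/id$`) narrows the match without changing the rule's intent.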

Manage datasets

If you want to manage multiple data objects that are applicable to a specific scenario in a centralized manner, you can create a dataset and define the data objects in the dataset. Data objects include IP address blacklists and whitelists, lists of core assets, and indicators of compromise (IOC)-related custom threat intelligence. Datasets are two-dimensional tables that are used to maintain custom data lists. You can reference a dataset in a detection rule or Security Orchestration Automation Response (SOAR) playbook multiple times.

Create a dataset

  1. In the left-side navigation pane, choose CTDR > Rule Management.

  2. On the Dataset tab, click Add Dataset. The Add Dataset panel appears.

  3. In the Dataset section, click Download File Template to download the dataset template file to your computer. Enter the required information in the dataset template file and save it.

    Take note of the following items:

    • Before you upload the dataset template file, you must specify a primary key, which is used to search for and match logs. The primary key column cannot contain NULL or duplicate values.

      If the primary key column contains duplicate values, the system automatically removes the duplicates.

    • The size of the dataset template file cannot exceed 3 MB.

    • The dataset template file can contain no more than 5,000 rows.

    • Each value in the dataset template file cannot exceed 200 bytes in length.

  4. Return to the Add Dataset panel, configure the Dataset Name and Dataset Description parameters, upload the dataset template file, configure the Dataset Primary Key parameter, and then click Next.

    The system automatically checks the validity of the values in the uploaded file. If a value is invalid, modify the value as prompted.

  5. On the Verify and Create tab, confirm the information in the uploaded file and click OK.
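Checking a dataset file before uploading it avoids a round trip through the validity prompts in step 4. The following Python is an added example, not Security Center code: it applies the limits listed above (primary key present and non-NULL, duplicate primary keys removed, file no larger than 3 MB, no more than 5,000 rows, no value longer than 200 bytes) and, for a dataset meant for IN_IP_DATASET / NOT_IN_IP_DATASET, checks that every primary key is an IP address or CIDR block. The CSV layout (a header row followed by data rows) and the sample content are assumptions about the template file.

```python
import csv
import io
import ipaddress

# Added example, not Security Center code: offline checks that mirror the dataset
# limits documented above. The header-plus-rows CSV layout is an assumption.
MAX_FILE_BYTES = 3 * 1024 * 1024
MAX_ROWS = 5000
MAX_VALUE_BYTES = 200

# Constructed dataset file content; "ip" is the intended primary key column.
SAMPLE_DATASET_CSV = """ip,owner,note
203.0.113.7,web-tier,core asset
198.51.100.0/24,vpn,office egress block
203.0.113.7,web-tier,duplicate primary key (dropped)
,unknown,missing primary key (rejected)
not-an-ip,unknown,primary key is not an IP or CIDR (rejected)
"""

def validate_dataset(csv_text, primary_key, ip_dataset=False):
    """Return (rows, errors): rows are the accepted, de-duplicated records as dicts;
    errors describe rejected rows and violated limits."""
    errors, rows, seen = [], [], set()
    if len(csv_text.encode("utf-8")) > MAX_FILE_BYTES:
        errors.append(f"file exceeds {MAX_FILE_BYTES} bytes")
    reader = csv.DictReader(io.StringIO(csv_text))
    if primary_key not in (reader.fieldnames or []):
        errors.append(f"primary key column {primary_key!r} not found in header")
        return rows, errors
    total = 0
    for lineno, row in enumerate(reader, start=2):     # line 1 is the header
        total += 1
        key = (row.get(primary_key) or "").strip()
        for col, val in row.items():
            if isinstance(val, str) and len(val.encode("utf-8")) > MAX_VALUE_BYTES:
                errors.append(f"line {lineno}: value in column {col!r} exceeds {MAX_VALUE_BYTES} bytes")
        if not key:
            errors.append(f"line {lineno}: primary key is NULL")
            continue
        if ip_dataset:
            try:
                ipaddress.ip_network(key, strict=False)
            except ValueError:
                errors.append(f"line {lineno}: primary key {key!r} is not an IP address or CIDR block")
                continue
        if key in seen:           # duplicates are removed, not reported, as documented
            continue
        seen.add(key)
        rows.append(row)
    if total > MAX_ROWS:
        errors.append(f"file has {total} rows, more than the {MAX_ROWS} allowed")
    return rows, errors

if __name__ == "__main__":
    accepted, problems = validate_dataset(SAMPLE_DATASET_CSV, "ip", ip_dataset=True)
    print("accepted primary keys:", [r["ip"] for r in accepted])
    for p in problems:
        print("problem:", p)
```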

What to do next

You can directly reference a dataset when you create a custom detection rule and SOAR playbook. For more information, see Handle security events and Step 1: Create a playbook.

You can view reference information about a dataset in the Referenced column of the dataset on the Dataset tab.

More operations

  • To add data to a dataset or remove data from a dataset, find the dataset and click Edit in the Actions column.

  • To update multiple rows in a dataset at a time, open and edit the dataset template file that is saved on your computer, find the dataset on the Dataset tab, and then click Batch Update in the Actions column to upload the file.

  • To delete a dataset that you no longer use, find the dataset and click Delete in the Actions column.

    Note

    You cannot delete a dataset that is referenced in a detection rule or playbook.

Configuration examples on custom detection rules

This section provides examples that you can refer to when you create custom detection rules in typical scenarios.

Union SQL injection

  • Basic information

    • Rule Name: sql_injection

    • Rule Description: Union SQL injection

    • Threat Level: High Risk

    • Threat Type: Abnormal network traffic

  • Rule Logic Settings

    • Log Scope:

      • Select HTTP Activity from the log category drop-down list.

      • Select ALB Layer 7 Log, CLB Layer 7 Log, Internet HTTP Log, Anti-DDoS Pro Log, WAF Flow Log, CDN Flow Log, and Anti-DDoS Log from the log type drop-down list.

    • Match Field: In the Match Field Group 1 section, select request_parameters, select REGEXP, and then enter union\b[\s\S]+select\b.

    • Aggregation Field: Skip this parameter.

    • Maximum Logs: Skip this parameter.

    • Statistical Period: Skip this parameter.

  • Event Generation Settings

    • Aggregate Rule-triggered Alerts into Event: Yes

    • Event Generation Method: Aggregate All Rule-triggered Alerts into Event

    • Execution Cycle: 24 Hours

IP address of the scanner that attacks WAF

  • Basic information

    • Rule Name: web_scanner_ip

    • Rule Description: IP address of the scanner that attacks WAF

    • Threat Level: High Risk

    • Threat Type: Malicious Network Activity

  • Rule Logic Settings

    • Log Scope:

      • Select HTTP Activity from the log category drop-down list.

      • Select WAF Flow Log from the log type drop-down list.

    • Match Field: Specify the following fields in the Match Field Group 1 section:

      • Field 1: status, =, and 405

      • Field 2: final_plugin, =, and waf

    • Aggregation Field: domain

    • Maximum Logs: Perform the following operations in sequence: Select Count, select final_rule_type, select >=, and then enter 2.

    • Statistical Period: 2 Minutes

  • Event Generation Settings

    • Aggregate Rule-triggered Alerts into Event: No

Suspicious sensitive command executed by a Java process

  • Basic information

    • Rule Name: java_exec_suspicious_command

    • Rule Description: Suspicious sensitive command executed by a Java process

    • Threat Level: High Risk

    • Threat Type: Suspicious Process

  • Rule Logic Settings

    • Log Scope:

      • Select Process Activity from the log category drop-down list.

      • Select Process Startup Log from the log type drop-down list.

    • Match Field:

      • Match Field Group 1

        • Field 1: parent_proc_path, LIKE, and %/java%

        • Field 2: proc_path, LIKE, and %/id%

      • Match Field Group 2

        • Field 1: parent_proc_path, LIKE, and %/java%

        • Field 2: proc_path, LIKE, and %/ifconfig%

      • Match Field Group 3

        • Field 1: parent_proc_path, LIKE, and %/java%

        • Field 2: proc_path, LIKE, and %/whoami%

      • Match Field Group 4

        • Field 1: parent_proc_path, LIKE, and %/java%

        • Field 2: proc_path, LIKE, and %/curl%

      • Match Field Group 5

        • Field 1: parent_proc_path, LIKE, and %/java%

        • Field 2: proc_path, LIKE, and %/wget%

    • Aggregation Field: Skip this parameter.

    • Maximum Logs: Skip this parameter.

    • Statistical Period: Skip this parameter.

  • Event Generation Settings

    • Aggregate Rule-triggered Alerts into Event: No

Host brute-force attack

  • Basic information

    • Rule Name: host_crack

    • Rule Description: Host brute-force attack

    • Threat Level: High Risk

    • Threat Type: Unusual Logon

  • Rule Logic Settings

    • Log Scope:

      • Select Logon Activity from the log category drop-down list.

      • Select Failed Host Logon Logs from the log type drop-down list.

    • Match Field: Specify the following fields in the Match Field Group 1 section:

      • Field 1: src_ip, NOT LIKE, and 10.%

      • Field 2: src_ip, NOT LIKE, and 192.168.%

      • Field 3: src_ip, NOT REGEXP, and 172\.1[6-9]\.

      • Field 4: src_ip, NOT REGEXP, and 172\.2[0-9]\.

      • Field 5: src_ip, NOT REGEXP, and 172\.3[0-1]\.

    • Aggregation Field: Select host_uuid and src_ip.

    • Maximum Logs: Perform the following operations in sequence: Select Sum, select connect_count, select >=, and then enter 5.

    • Statistical Period: 3 Minutes

  • Event Generation Settings

    • Aggregate Rule-triggered Alerts into Event: No
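The web_scanner_ip and host_crack examples are the two on this page that use aggregation. The following Python, an added example and not Security Center code, models how the Aggregation Field, Maximum Logs and Statistical Period settings combine: records that pass the match fields are grouped by the aggregation fields, a Count or Sum is kept over a sliding window of the statistical period, and an alert is raised when the threshold is reached. The timestamps, host identifiers and log records are constructed, and the sliding window that resets after firing is an assumption; the page does not describe how the product aligns its windows.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not Security Center code: the aggregation settings of the
# web_scanner_ip and host_crack examples as a sliding window over constructed logs.

# The five src_ip exclusions of host_crack (NOT LIKE 10.%, NOT LIKE 192.168.%,
# NOT REGEXP 172\.1[6-9]\., 172\.2[0-9]\., 172\.3[0-1]\.) folded into one regex.
PRIVATE_SRC = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)")

def aggregate(logs, agg_fields, stat, stat_field, threshold, period):
    """Group logs by agg_fields and alert when Count(stat_field) or Sum(stat_field)
    over the last `period` reaches `threshold`. One alert per burst: the group's
    window is cleared after it fires (an assumption, to avoid repeated alerts)."""
    windows = defaultdict(deque)          # aggregation key -> deque of (timestamp, value)
    alerts = []
    for log in sorted(logs, key=lambda l: l["ts"]):   # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(log["ts"])
        key = tuple(log[f] for f in agg_fields)
        if stat == "Sum":
            value = float(log[stat_field])
        elif stat == "Count":
            value = 1 if log.get(stat_field) is not None else 0
        else:
            raise ValueError("unsupported statistic: " + stat)
        win = windows[key]
        win.append((ts, value))
        while win and ts - win[0][0] > period:        # drop entries older than the period
            win.popleft()
        total = sum(v for _, v in win)
        if total >= threshold:
            alerts.append({"key": dict(zip(agg_fields, key)), stat: total, "window_end": log["ts"]})
            win.clear()
    return alerts

# Constructed failed host logon records (connect_count = failures in that record).
FAILED_LOGON_LOGS = [
    {"ts": "2024-11-20T12:00:00", "host_uuid": "host-a", "src_ip": "198.51.100.5", "connect_count": 2},
    {"ts": "2024-11-20T12:00:00", "host_uuid": "host-b", "src_ip": "198.51.100.5", "connect_count": 3},
    {"ts": "2024-11-20T12:00:10", "host_uuid": "host-a", "src_ip": "10.0.0.9", "connect_count": 9},
    {"ts": "2024-11-20T12:01:00", "host_uuid": "host-a", "src_ip": "198.51.100.5", "connect_count": 2},
    {"ts": "2024-11-20T12:02:30", "host_uuid": "host-a", "src_ip": "198.51.100.5", "connect_count": 1},
    {"ts": "2024-11-20T12:05:00", "host_uuid": "host-b", "src_ip": "198.51.100.5", "connect_count": 3},
]

def host_crack_alerts():
    """host_crack: non-private src_ip, Sum(connect_count) >= 5 per (host_uuid, src_ip) in 3 minutes."""
    candidates = [l for l in FAILED_LOGON_LOGS if not PRIVATE_SRC.match(l["src_ip"])]
    return aggregate(candidates, ["host_uuid", "src_ip"], "Sum", "connect_count", 5, timedelta(minutes=3))

# Constructed WAF flow records.
WAF_LOGS = [
    {"ts": "2024-11-20T12:00:00", "domain": "www.example.com", "status": 405, "final_plugin": "waf", "final_rule_type": "scanner"},
    {"ts": "2024-11-20T12:00:00", "domain": "api.example.com", "status": 405, "final_plugin": "waf", "final_rule_type": "scanner"},
    {"ts": "2024-11-20T12:00:30", "domain": "www.example.com", "status": 200, "final_plugin": "waf", "final_rule_type": None},
    {"ts": "2024-11-20T12:01:00", "domain": "www.example.com", "status": 405, "final_plugin": "waf", "final_rule_type": "scanner"},
    {"ts": "2024-11-20T12:03:00", "domain": "api.example.com", "status": 405, "final_plugin": "waf", "final_rule_type": "scanner"},
]

def scanner_alerts():
    """web_scanner_ip: status = 405 and final_plugin = waf, Count(final_rule_type) >= 2 per domain in 2 minutes."""
    candidates = [l for l in WAF_LOGS if l["status"] == 405 and l["final_plugin"] == "waf"]
    return aggregate(candidates, ["domain"], "Count", "final_rule_type", 2, timedelta(minutes=2))

if __name__ == "__main__":
    for a in host_crack_alerts() + scanner_alerts():
        print("ALERT", a)
```

In the constructed data, host-b sees two bursts of three failures five minutes apart, so the Sum never reaches 5 inside one 3-minute window and no alert is raised; host-a reaches a Sum of 5 at 12:02:30 and alerts once. The 10.0.0.9 record is dropped by the private-range exclusion before aggregation, which is why the host_crack match fields only matter for logs that reach the window.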

Host connected to mining domain names

  • Basic information

    • Rule Name: minner_domain

    • Rule Description: Host connected to mining domain names

    • Threat Level: High Risk

    • Threat Type: Unusual Network Connection

  • Rule Logic Settings

    • Log Scope:

      • Select DNS Activity from the log category drop-down list.

      • Select Internet DNS Log and DNS Log from the log type drop-down list.

    • Match Field: Specify the following fields in the Match Field Group 1 section:

      • Field 1: dns_query_name, LIKE, and %cryptonight.net%

      • Field 2: dns_query_name, LIKE, and %minexmr.org%

      • Field 3: dns_query_name, LIKE, and %xmrpool.com%

    • Aggregation Field: Skip this parameter.

    • Maximum Logs: Skip this parameter.

    • Statistical Period: Skip this parameter.

  • Event Generation Settings

    • Aggregate Rule-triggered Alerts into Event: No

HTTP request burst

  • Basic information

    • Rule Name: web_access_overload

    • Rule Description: HTTP request burst

    • Threat Level: High Risk

    • Threat Type: Abnormal network traffic

  • Rule Logic Settings

    • Log Scope:

      • Select HTTP Activity from the log category drop-down list.

      • Select ALB Layer 7 Log, CLB Layer 7 Log, Internet HTTP Log, Anti-DDoS Pro Log, WAF Flow Log, CDN Flow Log, and Anti-DDoS Log from the log type drop-down list.

    • Match Field: In the Match Field Group 1 section, select status, select LIKE, and enter 2%.

    • Aggregation Field: domain

    • Maximum Logs: Perform the following operations in sequence: Select Count, select request_url, select >=, and then enter 60000.

    • Statistical Period: 1 Minute

  • Event Generation Settings

    • Aggregate Rule-triggered Alerts into Event: No

References

  • To ensure system security, we recommend that you view and handle security events that are generated by the threat analysis and response feature at the earliest opportunity. For more information, see Handle security events.

  • You can use the log management feature of threat analysis and response to quickly query logs and view information about logs. This helps reduce the difficulty of log management in a multi-resource environment. For more information, see Manage logs.

  • You can call rule management-related API operations to query rules, update the status of custom detection rules, and delete custom detection rules. For more information, see Rule Management.