
Security Center: Manage logs

Last Updated: Sep 14, 2024

The threat analysis and response feature provides a log management feature that allows you to store and query the logs of cloud services that are added to threat analysis and response. Log management helps you precisely identify alerts and trace attack sources to improve the efficiency of response to potential threats, simplify log management across environments, and strengthen the overall defense system. The feature is compliant with the Cybersecurity Law and Multi-Level Protection Scheme (MLPS) 2.0 standards. This topic describes how to use the log management feature.

How the feature works

The threat analysis and response feature and Simple Log Service jointly launched the log management feature to provide centralized log storage and analysis capabilities for logs of different cloud platforms, accounts, and cloud services.

After you purchase the log storage capacity for the threat analysis and response feature, the feature automatically creates a project named aliyun-cloudsiem-data-<Alibaba Cloud account ID>-<Region ID> and a dedicated Logstore named cloud_siem in the Simple Log Service console to store all logs collected by the feature. The log storage region of the threat analysis and response feature varies based on the data management center that you select in the top navigation bar of the Security Center console.

  • If you select China, logs are stored in the China (Shanghai) region.

  • If you select Outside China, logs are stored in the Singapore region.

Important

You can log on to the Simple Log Service console to view the project and Logstore that are dedicated to the threat analysis and response feature. Do not delete the project or Logstore.

If you accidentally delete the Logstore, the system prompts that the cloud_siem Logstore does not exist. All log data in the Logstore is lost. In this case, submit a ticket to undo the operation. After you undo the operation, you must re-enable the threat analysis and response feature to continue using the feature. You cannot restore deleted log data.

After you enable data delivery for logs of specific types, the threat analysis and response feature automatically delivers the logs to the cloud_siem Logstore. The system retains the logs until the specified storage duration ends. When the duration ends, the system automatically deletes the logs. If the log storage capacity is exhausted, new logs are no longer delivered for storage. When the size of logs exceeds 80% of the log storage capacity that you purchased for the feature, Security Center sends a notification. For more information about how to configure notification settings, see Configure notification settings.
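The retention, 80% notification, and capacity-exhaustion behavior described above can be modeled to estimate when log delivery would stop and how long the resulting gap in stored logs would last. The following Python sketch is an added example, not part of the product or its API; it assumes a constant daily ingest, expiry evaluated once per day, and that a day's logs are stored only if they fit entirely (all simplifications that the documentation does not state).

```python
from collections import deque
from typing import NamedTuple, Optional

NOTIFY_RATIO = 0.80           # page: notification once usage exceeds 80% of capacity
DEFAULT_RETENTION_DAYS = 180  # page: default storage duration


class Forecast(NamedTuple):
    notify_day: Optional[int]  # first day usage exceeds 80% of capacity
    stop_day: Optional[int]    # first day new logs are not delivered
    dropped_days: int          # days with no logs stored (blind spot for investigations)
    peak_gb: float             # highest storage usage reached


def forecast(daily_gb, capacity_gb, retention_days=DEFAULT_RETENTION_DAYS,
             horizon_days=None):
    """Simulate the cloud_siem Logstore one day at a time.

    Assumed model (hypothetical, for planning only): constant ingest of
    daily_gb, and a whole day's logs are dropped if they do not fit.
    """
    horizon = horizon_days or 2 * retention_days
    stored = deque()  # (day_written, size_gb), oldest first
    used = peak = 0.0
    notify_day = stop_day = None
    dropped = 0
    for day in range(1, horizon + 1):
        # Logs are deleted automatically when the storage duration ends.
        while stored and day - stored[0][0] >= retention_days:
            used -= stored.popleft()[1]
        # If the capacity is exhausted, new logs are no longer delivered.
        if used + daily_gb > capacity_gb:
            stop_day = stop_day or day
            dropped += 1
            continue
        stored.append((day, daily_gb))
        used += daily_gb
        peak = max(peak, used)
        if notify_day is None and used > NOTIFY_RATIO * capacity_gb:
            notify_day = day
    return Forecast(notify_day, stop_day, dropped, peak)


if __name__ == "__main__":
    # Constructed sample: 10 GB/day into 1000 GB with the default retention.
    print(forecast(daily_gb=10, capacity_gb=1000))
```

With the constructed sample, the notification fires 20 days before delivery stops, and storage then stays full until the oldest logs reach the end of the retention period, so capacity needs to be at least the daily volume multiplied by the retention days to avoid gaps.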

Billing

The subscription billing method is supported. You are charged based on the log storage capacity and storage duration that you purchased. When you query and export logs in the Security Center console, no fees are generated.

After logs are delivered to the dedicated Logstore, you may be charged for the operations that you perform in the Simple Log Service console, such as transforming and shipping logs.

  • If the Logstore uses the pay-by-feature billing mode, you are charged when you transform or ship logs. You are also charged for read traffic over the Internet when you read logs in stream mode over the Internet. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-feature.

  • If the Logstore uses the pay-by-ingested-data billing mode, you are not charged when you transform or ship data. You are charged only for read traffic over the Internet. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-ingested-data.

Multi-account management

If you configure the multi-account management feature and use the global administrator account to log on to the Security Center console, you must select the appropriate view before you can manage logs on the Log Management page. The following list describes the supported views:

  • Current Account View: You can view and manage logs within the current account.

  • Global Account View: You can view and manage data within the Alibaba Cloud accounts that are managed by the threat analysis and response feature.

Important
  • If you enable log delivery in Current Account View and Global Account View, the log storage capacity that is purchased by using the global administrator account is used, and delivered log data is stored within the global administrator account.

  • If your Alibaba Cloud account is managed by the global administrator account and you want to manage logs by using your account, you must separately purchase the log storage capacity of the threat analysis and response feature and enable log delivery by using your account. To enable log delivery, go to the Threat Analysis and Response > Log Management page in the Security Center console.

Prerequisites

  • Simple Log Service is activated. For more information, see Getting Started.

  • Logs of cloud services are added to the threat analysis and response feature. For more information, see Add logs of cloud services.

Step 1: Enable log delivery

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Threat Analysis and Response > Service Integration.

  3. In the upper-right corner of the Service Integration page, click Log Settings.

  4. In the Log Delivery Management section of the panel that appears, find a type of log that you want to deliver for storage, and turn on the switch in the Deliver Log to Hot Data/Enabled and Disabled At column.

    You can also select multiple log types and click Batch Deliver Log To.

    You can also go to the Log Management page, find the type of log that you want to deliver for storage from the All Data Sources drop-down list, and then turn on the switch next to the log type.


  5. Optional. In the left-side navigation pane, choose Threat Analysis and Response > Log Management. On the Log Management page, turn on the switch next to Deliver All Data to enable log delivery for all types of logs that belong to added data sources.

Note

If you do not want to store a specific type of log for a cloud service, you can turn off the switch for the log type. New logs of the log type are no longer delivered for log management.

Step 2: Query logs

  1. In the left-side navigation pane, choose Threat Analysis and Response > Log Management.

  2. On the Log Management page, click All Data Sources in the upper-left corner. In the All Data Sources drop-down list, specify cloud services and log types as log data sources.

  3. Specify a query time range and use query statements to query and analyze logs.

    You can use the log management feature of threat analysis and response in the same manner as you use the log analysis feature of Security Center. For more information, see Use custom log query and analysis.

More operations

Change the log storage duration

By default, logs of cloud services that you deliver for storage are stored for 180 days. You can change the storage duration based on your business requirements.

  1. In the left-side navigation pane, choose Threat Analysis and Response > Service Integration.

  2. In the upper-right corner of the Service Integration page, click Log Settings.

  3. In the Log Management panel, click Modify in the Retention Days column to change the storage duration.

Manage the log storage capacity

You can view the log storage that is used and the total capacity that you purchased on the Threat Analysis and Response > Log Management page. You can increase the current log storage capacity or clear the log storage based on your business requirements.

  • Click Scale Out to purchase additional log storage capacity.

    Make sure that you have sufficient log storage capacity. If you do not have sufficient log storage capacity, new logs cannot be stored.

  • Click Clear to clear the log storage.

    Warning

    You cannot restore logs after you clear the log storage. Proceed with caution. We recommend that you export logs and store the logs on your on-premises computer before you clear the log storage.
