You can enable the following features on the Other Settings tab: global log filtering,
security control, and access control. This topic describes the features and how to
enable the features.
Global Log Filter
Security Center provides the global log filtering feature to ensure security. The
feature helps you effectively use your log storage and improves operational efficiency.
How global log filtering works
The global log filtering feature filters logs of the Security Center agent by using
the following methods:
- Filter logs within a specified period of time by using specified fields
The specified fields of each collected event, such as the command line, the username,
and the command line of the parent process, are combined in a fixed order into a key.
Events that share the same key are then aggregated within the specified period of time,
and the number of events that have the same characteristics is counted. If the count
does not exceed the specified threshold, the events are reported. Otherwise, the events
are filtered out.
- Filter logs by using process chains
The process chains of collected events are normalized, and the characteristics of
the events are extracted as keys to filter logs. During a specified period of time
within which logs are filtered, the occurrence of events that have the same characteristics
is counted. If the number of occurrences does not exceed the specified threshold,
the events are reported. Otherwise, the events are filtered out.
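The two filtering methods above, as an added example that is not Security Center's own code: a key is built either from the named fields in a fixed order or from a normalized process chain, occurrences per key are counted within a time window, and repeats beyond the threshold are dropped. The events, the window size, the threshold, and the per-event decision rule are assumptions for illustration.

```python
import os
from collections import defaultdict

# Constructed sample agent events (illustrative, not from the page). Each carries
# the fields the page names as key components, plus a process chain (ancestor
# command lines, root first) used by the second method.
SAMPLE_EVENTS = [
    {"ts": 0, "cmdline": "ls -la /tmp", "user": "root", "parent": "bash -l",
     "chain": ["/sbin/init", "/bin/bash -l", "/bin/ls -la /tmp"]},
    {"ts": 5, "cmdline": "ls -la /tmp", "user": "root", "parent": "bash -l",
     "chain": ["/sbin/init", "/bin/bash -l", "/bin/ls -la /tmp"]},
    {"ts": 9, "cmdline": "ls -la /tmp", "user": "root", "parent": "bash -l",
     "chain": ["/sbin/init", "/bin/bash -l", "/bin/ls -la /tmp"]},
    {"ts": 12, "cmdline": "ls -la /tmp", "user": "root", "parent": "bash -l",
     "chain": ["/sbin/init", "/bin/bash -l", "/bin/ls -la /tmp"]},
    {"ts": 20, "cmdline": "ls -la /var", "user": "root", "parent": "bash",
     "chain": ["/sbin/init", "/bin/bash", "/bin/ls -la /var"]},
    {"ts": 70, "cmdline": "ls -la /tmp", "user": "root", "parent": "bash -l",
     "chain": ["/sbin/init", "/bin/bash -l", "/bin/ls -la /tmp"]},
]

def field_key(event):
    """Method 1: combine the named fields, in a fixed order, into one key."""
    return (event["cmdline"], event["user"], event["parent"])

def chain_key(event):
    """Method 2: normalize the process chain to binary names only (arguments
    stripped) so that variants of the same ancestry map to one key."""
    return tuple(os.path.basename(c.split()[0]) for c in event["chain"])

def filter_events(events, key_fn, window, threshold):
    """Count events per (key, time window). An event is reported while the
    count for its key in the current window has not exceeded the threshold;
    further repeats in that window are filtered out. Assumed reading of the
    description: the decision is made per event as the count grows."""
    counts = defaultdict(int)
    reported = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        bucket = (key_fn(ev), ev["ts"] // window)
        counts[bucket] += 1
        if counts[bucket] <= threshold:
            reported.append(ev)
    return reported

def reported_timestamps(key_fn, window=60, threshold=3):
    """Timestamps of the events that survive filtering with the given key."""
    return [ev["ts"] for ev in filter_events(SAMPLE_EVENTS, key_fn, window, threshold)]
```

With the sample data, the field-based key drops only the fourth identical command in the first window, while the normalized chain key also collapses the `ls -la /var` run into the same group and drops it too; the event at 70 seconds falls into a new window and is reported by both.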
Prerequisites
The log analysis feature is enabled. For more information, see Enable log analysis.
Note If you have not enabled the log analysis feature, the Global Log Filter section is not displayed in the console.
Enable global log filtering
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Other Settings tab of the Settings tab, turn on Log Filter in the Global Log Filter section.
Security Control
The security control feature allows you to create a whitelist of IP addresses. After
you add IP addresses to the whitelist, Security Center allows the requests that are
initiated from the IP addresses. If Security Center identifies a normal IP address
as malicious and blocks requests from the IP address, your business may be affected.
To prevent false positives, you can add the IP address to the whitelist. Security
Center no longer generates alerts for or blocks the requests that are initiated from
IP addresses in a whitelist.
Important After you add an IP address to a whitelist, requests that are initiated from the IP
address are directly forwarded to the destination servers. Make sure that you add
only necessary IP addresses to the whitelist.
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Other Settings tab of the Settings tab, click Configuration in the Security Control section to go to the Security Control console.
- In the left-side navigation pane, choose .
- On the Access Whitelist page, click Add.
- In the Add dialog box, enter an IP address in the Source IP field, select the Elastic Compute Service (ECS) instances on which you want the whitelist
to take effect, and then click OK. Do not enter an IP address within the current Alibaba Cloud account.
After you perform this step, the specified source IP address is added to the whitelist
of the specified ECS instances. The security control feature no longer limits the
access from the specified source IP address to the specified ECS instances.
- Optional: After the whitelist is created, view the IP addresses in the whitelist or remove an
IP address from the whitelist.
Access control
You can use Resource Access Management (RAM) to create and manage RAM users, such
as employees, systems, and applications. You can also use RAM to control the access
from RAM users to resources. RAM is suitable for scenarios in which multiple users
in an enterprise must collaboratively manage cloud resources. RAM allows you to grant
permissions to RAM users based on the principle of least privilege. This way, you
do not need to share the AccessKey pair of your Alibaba Cloud account, which minimizes
security risks.
Note If multiple users in your enterprise collaboratively use cloud resources, grant the
users only the permissions that they require, following the principle of least privilege.
This reduces the threats to your assets. We recommend that you check the granted
permissions at regular intervals in the RAM console.
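One way to carry out the periodic permission check recommended above, as an added example that is not Alibaba Cloud's or Security Center's own tooling: a small audit that reads RAM policy documents and flags Allow statements whose Action or Resource is a wildcard, since those are the statements that most often violate least privilege. The two policy documents, the service name in the actions and the account ID are constructed placeholders.

```python
import json

# Constructed RAM policy documents (illustrative, not from the page). RAM policy
# documents use "Version": "1" and a Statement list with Effect, Action and
# Resource. "example-service" and the account ID are placeholders.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["example-service:DescribeAlerts", "example-service:ListEvents"],
        "Resource": "acs:example-service:*:123456789012:*",
    }],
})

def as_list(value):
    """Action and Resource may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]

def least_privilege_findings(policy_json):
    """Return one finding per wildcard Action or Resource in an Allow statement.
    Deny statements are skipped: a broad Deny narrows rather than widens access."""
    findings = []
    for index, statement in enumerate(json.loads(policy_json).get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        for action in as_list(statement.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: wildcard action {action!r}")
        for resource in as_list(statement.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {index}: wildcard resource '*'")
    return findings
```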
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Other Settings tab of the Settings tab, view the service-linked role description and perform operations supported for
Data Delivery of ActionTrail, Permission policy management, User Management, and Role
Management in the RAM section.
- Before you can use the check items of the Cloud Infrastructure Entitlement Management
(CIEM) type provided by the configuration assessment feature, you must turn on Data Delivery of ActionTrail. After you turn on Data Delivery of ActionTrail, Security Center can access the log
data of ActionTrail to check whether risks exist in the CIEM-related configurations.
- View the description of the service-linked role AliyunServiceRoleForSas that is created
for Security Center. For more information, see Service-linked roles for Security Center.
- Click Manage for Permission policy management to go to the RAM console. In the RAM console, manage all policies within the current Alibaba Cloud account.
For more information, see Policy management.
- Click Manage for User Management to go to the RAM console. In the RAM console, manage all RAM users within the current Alibaba Cloud account.
For more information, see RAM user management.
- Click Manage for Role Management to go to the RAM console. In the RAM console, manage all RAM roles within the current Alibaba Cloud account.
For more information, see RAM role management.