You can enable the following features on the Other Settings tab: global log filtering, security control, and access control. This topic describes the features and how to enable them.

Global Log Filter

Security Center provides the global log filtering feature to ensure security. The feature helps you effectively use your log storage and improves operational efficiency.

How global log filtering works

The global log filtering feature filters logs of the Security Center agent by using the following methods:
  • Filter logs within a specified period of time by using specified fields

    The specified fields, which include command lines, usernames, and the command lines of parent processes, are combined into a key in a specific order. Events that have the same key are then aggregated within a specific period of time, and the number of occurrences of events that have the same characteristics is counted. If the number of occurrences does not exceed the specified threshold, the events are reported. Otherwise, the events are filtered out.

  • Filter logs by using process chains

    The process chains of collected events are normalized, and the characteristics of the events are extracted as keys to filter logs. Within the specified filtering period, the number of occurrences of events that have the same characteristics is counted. If the number of occurrences does not exceed the specified threshold, the events are reported. Otherwise, the events are filtered out.
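
The following Python sketch is an added example, not Security Center agent code. It illustrates both filtering methods described above. The event field names, the 60-second period, the threshold of 3, and the process-chain normalization (executable name only, arguments dropped) are assumptions.

```python
import os
from collections import defaultdict

def field_key(event):
    # Method 1: combine the specified fields into one key, always in the same order.
    return (event["cmdline"], event["user"], event["parent_cmdline"])

def chain_key(event):
    # Method 2: key from the normalized process chain. The normalization used here
    # (executable basename only, arguments dropped) is an assumption.
    return tuple(os.path.basename((cmd.split() or [""])[0]) for cmd in event["chain"])

class LogFilter:
    def __init__(self, key_fn, window=60, threshold=3):  # assumed values
        self.key_fn, self.window, self.threshold = key_fn, window, threshold
        self.window_start = None
        self.counts = defaultdict(int)      # occurrences per key in the current period
        self.suppressed = defaultdict(int)  # filtered-out events per key (added for visibility)

    def offer(self, event):
        """Return True if the event is reported, False if it is filtered out."""
        if self.window_start is None or event["ts"] - self.window_start >= self.window:
            self.window_start = event["ts"]  # start a new filtering period
            self.counts.clear()
        key = self.key_fn(event)
        self.counts[key] += 1
        if self.counts[key] <= self.threshold:  # "does not exceed the threshold"
            return True
        self.suppressed[key] += 1
        return False

def run(key_fn, events):
    flt = LogFilter(key_fn)
    return [flt.offer(e) for e in events], dict(flt.suppressed)

def make(ts, cmd, user="www", parent="/bin/sh -c job"):
    # Constructed sample event; the field names are hypothetical.
    return {"ts": ts, "cmdline": cmd, "user": user, "parent_cmdline": parent,
            "chain": ["/sbin/init", "/usr/sbin/cron", parent, cmd]}

# Constructed input: five identical commands, one different, then one in the next period.
SAME = [make(t, "/usr/bin/curl http://example.invalid/health") for t in range(0, 50, 10)]
SAME += [make(55, "/usr/bin/id", user="root"), make(70, "/usr/bin/curl http://example.invalid/health")]
# Constructed input: same process chain, different arguments each time.
VARIED = [make(t, f"/usr/bin/curl http://example.invalid/item/{t}") for t in range(5)]

if __name__ == "__main__":
    for key_fn, events in ((field_key, SAME), (field_key, VARIED), (chain_key, VARIED)):
        print(key_fn.__name__, run(key_fn, events))
```

With the field key, the commands that differ only in their arguments are all reported, while the process-chain key treats them as one recurring event and filters the repeats. When you search logs after enabling the filter, keep in mind that a missing repeat of a frequent event can be the filter at work rather than the absence of activity.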

Prerequisites

The log analysis feature is enabled. For more information, see Enable log analysis.

Note: If you have not enabled the log analysis feature, the Global Log Filter section is not displayed in the console.

Enable global log filtering

  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Other Settings tab of the Settings tab, turn on Log Filter in the Global Log Filter section.

Security Control

The security control feature allows you to create a whitelist of IP addresses. After you add IP addresses to the whitelist, Security Center allows the requests that are initiated from the IP addresses. If Security Center identifies a normal IP address as malicious and blocks requests from the IP address, your business may be affected. To prevent false positives, you can add the IP address to the whitelist. Security Center no longer generates alerts for or blocks the requests that are initiated from IP addresses in a whitelist.
Important: After you add an IP address to a whitelist, requests that are initiated from the IP address are directly forwarded to the destination servers. Make sure that you add only necessary IP addresses to the whitelist.
  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Other Settings tab of the Settings tab, click Configuration in the Security Control section to go to the Security Control console.
  3. In the left-side navigation pane, choose Whitelist > Access Whitelist.
  4. On the Access Whitelist page, click Add.
  5. In the Add dialog box, enter an IP address in the Source IP field, select the Elastic Compute Service (ECS) instances on which you want the whitelist to take effect, and then click OK. Do not enter an IP address within the current Alibaba Cloud account.
    After you perform this step, the specified source IP address is added to the whitelist of the specified ECS instances. The security control feature no longer limits the access from the specified source IP address to the specified ECS instances.
  6. Optional: After the whitelist is created, view the IP addresses in the whitelist or remove an IP address from the whitelist.
    • View the IP addresses in the whitelist

      On the Access Whitelist page, you can view the IP addresses that are added to the whitelist.

    • Remove an IP address from the whitelist
      If you want the security control feature to limit the access from an IP address in the whitelist again, find the IP address and click Invalid in the Operation column. In the message that appears, click OK.
      Note: After you perform this operation, the security control feature limits the access that is initiated from the IP address.

Access control

You can use Resource Access Management (RAM) to create and manage RAM users, such as employees, systems, and applications. You can also use RAM to control the access from RAM users to resources. RAM is suitable for scenarios in which multiple users in an enterprise must collaboratively manage cloud resources. RAM allows you to grant permissions to RAM users based on the principle of least privilege. This way, you do not need to share the AccessKey pair of your Alibaba Cloud account, which minimizes security risks.
Note: If multiple users in your enterprise collaboratively use cloud resources, grant the users only the required permissions, following the principle of least privilege. This avoids threats that may be posed to your assets. We recommend that you check the permissions at regular intervals in the RAM console.
  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Other Settings tab of the Settings tab, view the service-linked role description and perform operations supported for Data Delivery of ActionTrail, Permission policy management, User Management, and Role Management in the RAM section.
    • Before you can use the check items of the Cloud Infrastructure Entitlement Management (CIEM) type provided by the configuration assessment feature, you must turn on Data Delivery of ActionTrail. After you turn on Data Delivery of ActionTrail, Security Center can access the log data of ActionTrail to check whether risks exist in the CIEM-related configurations.
    • View the description of the service-linked role AliyunServiceRoleForSas that is created for Security Center. For more information, see Service-linked roles for Security Center.
    • Click Manage for Permission policy management to go to the RAM console. In the RAM console, manage all policies within the current Alibaba Cloud account. For more information, see Policy management.
    • Click Manage for User Management to go to the RAM console. In the RAM console, manage all RAM users within the current Alibaba Cloud account. For more information, see RAM user management.
    • Click Manage for Role Management to go to the RAM console. In the RAM console, manage all RAM roles within the current Alibaba Cloud account. For more information, see RAM role management.