Alibaba Cloud Security Center’s Threat Detection and Response (CTDR) is a cloud-native SIEM solution that addresses the security operations challenges of complex IT environments—fragmented security data, slow response times, difficulty detecting sophisticated attacks, and compliance requirements. CTDR aggregates alerts and log data from multicloud environments, multiple Alibaba Cloud accounts, and multiple services, and provides log standardization, alert generation, aggregation and analysis, and incident response orchestration.
Feature Overview
Core Processing Workflow
CTDR ingests logs from multicloud platforms, multiple Alibaba Cloud accounts, multiple Alibaba Cloud services, and third-party security vendors. Using predefined and custom detection rules, it analyzes collected logs to identify threats, reconstruct attack chains, and generate security incidents. When a threat is detected, CTDR triggers automated response orchestration and integrates with related cloud services to perform security actions—such as blocking malicious IP addresses or fencing malicious files.
Usage Flow
1. Purchase and activate CTDR
You can activate CTDR using either the subscription or pay-as-you-go billing method. This topic uses the subscription method as an example. For pay-as-you-go activation, see Step 1: Activate Agentic SOC on a pay-as-you-go basis. For CTDR billing details, see Billing Details.
Log on to the Security Center console.
In the navigation pane on the left, choose .
On the Agentic SOC page, click Subscription.
On the purchase page, configure the parameters as described below. Then click Order Now and complete payment.
The following items are required. You may select or configure other items as needed. For more information, see Purchase Security Center.
Purchase method: Subscription
Version: Value-added Plan
Threat Detection and Response:
Purchase: Select Yes.
Log ingestion traffic: Set to 100 GB/day.
Log storage capacity: Set to 1000 GB.
Service-linked role: Click Create Service-linked Role.
Ingestion policy: Select the option "After you enable the recommended log collection policy, the Agentic SOC service automatically collects logs and bills you the next day based on actual log volume."
2. Ingest cloud service logs
If you enable the recommended log ingestion policy, CTDR automatically ingests logs from Security Center, Web Application Firewall (WAF), Cloud Firewall, and ActionTrail in your current Alibaba Cloud account. The following table lists the supported data sources and security capabilities.
ActionTrail event logs are automatically ingested only if you have purchased Security Center Anti-virus Edition, Premium Edition, Enterprise Edition, or Ultimate Edition. If you have not purchased a paid version of Security Center, ActionTrail event logs are not ingested automatically.
If you do not enable the recommended log ingestion policy—or if you want to ingest logs from third-party cloud services—see Ingest Cloud Service Logs.
Ordinal number | Alibaba Cloud service | Data source | Standardized log category | Supported security capabilities |
1 | Security Center | Security alert logs | Security logs – Alert logs | |
2 | Security Center | Vulnerability logs | Security logs – Vulnerability logs | Incident investigation and traceability |
3 | Security Center | Baseline logs | Security logs – Host baseline logs | Incident investigation and traceability |
4 | Security Center | Login audit logs | Login logs – Host login logs | Incident investigation and traceability |
6 | Security Center | File read/write logs | Host logs – Process file read/write logs | Incident investigation and traceability |
7 | Security Center | Process startup logs | Host logs – Process startup logs | |
8 | Security Center | DNS request logs | Host logs – Process DNS request logs | |
9 | Security Center | Network connection logs | Host logs – Process outbound network connection logs | |
10 | Web Application Firewall | WAF alert logs | Security logs – Web Application Firewall alert logs | |
11 | Web Application Firewall | WAF 2.0 full/intercept/intercept-and-monitor logs | Network logs – HTTP logs | Predefined analysis rules |
12 | Web Application Firewall | WAF 3.0 full/intercept/intercept-and-monitor logs | Network logs – HTTP logs | Predefined analysis rules |
13 | Cloud Firewall | Cloud Firewall real-time alert logs | Security logs – Firewall alert logs | |
14 | ActionTrail | ActionTrail event logs | Audit logs – Platform operation audit logs | Incident investigation and traceability |
3. Enable log delivery (Optional)
Logs ingested into CTDR can be stored using the Log Management feature. To use log analysis, traceability, or classified protection compliance, enable log delivery for the required log types. You must enable log delivery before you can use CTDR Log Management, Rule Management (custom rules), and Dashboard features. For more information, see Log Management.
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your protected assets reside: Chinese Mainland or Outside Chinese Mainland.
On the Service Integration page, click Log Settings in the upper-right corner.
Enable delivery in any of the following ways:
In the Log Delivery Management section, turn on the toggle in the Deliver Log to Hot Data/Enabled and Disabled At column for each log type you want to deliver.
Select multiple log types, then click Batch Deliver Log To to enable delivery for all of them at once.
On the Log Management page, turn on the toggle next to a target log type to deliver that log type directly to a bucket.
4. Manage threat detection rules
CTDR uses built-in predefined detection rules and custom detection rules to analyze ingested logs, identify threat attack chains and timelines, and generate security incident reports.
Predefined rules
CTDR enables all predefined rules by default. Predefined rules detect threats only within the specified Log Scope. You can view and adjust the enabled status of predefined rules on the page.
Custom rules
If you enabled log delivery in Step 3, you can create custom threat detection rules based on your business needs. For instructions, see Create a Custom Rule.
5. Generate security alerts
When a threat or attack matches an enabled predefined or custom rule, CTDR generates a security alert. You can view alerts generated by predefined and custom rules on the page, under the Aggregate and Analyze Alerts and Custom Alert Analysis tabs.
6. Generate and handle security incidents
How security incidents are generated
A security incident is generated when predefined or custom rules aggregate multiple related security alerts, so that one attack can be identified and handled as a unit instead of alert by alert. Security incidents fall into two categories based on the source of the alerts:
Network side: CTDR detects attacker reconnaissance activity, such as scanning or probing, and uses predefined rules to generate incidents from network-side alerts so that further information gathering can be stopped early.
Host side: CTDR uses graph computing to aggregate host-side alerts that share relationships, such as the same MD5 hash or a parent/child process ID, into one incident, which helps you locate the attack entry point.
Not all alerts generate security incidents. The following rules apply:
Host-side alerts always generate security incidents. Network-side alerts generate security incidents only if they match the event aggregation policy of a predefined or custom rule.
Alerts that match a whitelist rule you configured do not generate incidents.
If only predefined rules are enabled, only alerts matching the Graph Compute or Expert Rules among the predefined rules generate incidents.
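To make these aggregation rules concrete, the following Python example (added here; it is not CTDR code and calls no Alibaba Cloud API) aggregates a constructed set of alerts into incidents the same way the text describes: host-side alerts are linked when they share an MD5 hash or a parent/child process relationship on the same host and every connected group becomes an incident; network-side alerts become an incident only when an aggregation policy is met (at least N alerts from one source IP within a time window); whitelisted alerts are dropped first. The alert schema, the whitelist format and the policy thresholds are assumptions made for the illustration.

```python
"""Added illustration of alert-to-incident aggregation (not CTDR code).

Host-side alerts are linked when they share an MD5 hash or a parent/child
process relationship on the same host; each connected group is an incident.
Network-side alerts form an incident only when min_alerts alerts from one
source IP fall within window seconds. Whitelisted alerts are dropped first.
All data below is constructed; the schema is a hypothetical normalized form.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample alerts (hypothetical schema, not CTDR's standardized log fields).
ALERTS = [
    {"id": "a1", "side": "host", "ts": 100, "host": "ecs-01", "pid": 2001, "ppid": 1,    "md5": "aaa111"},
    {"id": "a2", "side": "host", "ts": 110, "host": "ecs-01", "pid": 2002, "ppid": 2001, "md5": "bbb222"},
    {"id": "a3", "side": "host", "ts": 120, "host": "ecs-02", "pid": 3005, "ppid": 1,    "md5": "bbb222"},
    {"id": "a4", "side": "host", "ts": 130, "host": "ecs-03", "pid": 4100, "ppid": 1,    "md5": "ccc333"},
    {"id": "a5", "side": "host", "ts": 140, "host": "ecs-01", "pid": 2009, "ppid": 1,    "md5": "eee555"},
    {"id": "n1", "side": "network", "ts": 200, "src_ip": "203.0.113.7", "rule": "port scan"},
    {"id": "n2", "side": "network", "ts": 201, "src_ip": "203.0.113.7", "rule": "port scan"},
    {"id": "n3", "side": "network", "ts": 202, "src_ip": "203.0.113.7", "rule": "web probe"},
    {"id": "n4", "side": "network", "ts": 300, "src_ip": "198.51.100.9", "rule": "port scan"},
]

# Constructed whitelist: a known-good tool hash that must never raise an incident.
WHITELIST = {"md5": {"eee555"}, "src_ip": set()}


def is_whitelisted(alert, whitelist):
    return alert.get("md5") in whitelist["md5"] or alert.get("src_ip") in whitelist["src_ip"]


def related(a, b):
    """Host-side edge: same file hash, or parent/child processes on one host."""
    if a["md5"] == b["md5"]:
        return True
    return a["host"] == b["host"] and (a["ppid"] == b["pid"] or b["ppid"] == a["pid"])


class DisjointSet:
    """Union-find over alert IDs; each root is one connected group (incident)."""
    def __init__(self, ids):
        self.parent = {i: i for i in ids}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def aggregate_host_alerts(alerts):
    """Every connected component of related host alerts becomes an incident."""
    ds = DisjointSet([a["id"] for a in alerts])
    for a, b in combinations(alerts, 2):
        if related(a, b):
            ds.union(a["id"], b["id"])
    groups = defaultdict(list)
    for a in alerts:
        groups[ds.find(a["id"])].append(a)
    return list(groups.values())


def aggregate_network_alerts(alerts, min_alerts, window):
    """One incident per source IP that produced min_alerts alerts within window seconds."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a["src_ip"]].append(a)
    incidents = []
    for group in by_ip.values():
        group.sort(key=lambda a: a["ts"])
        ts = [a["ts"] for a in group]
        if any(ts[i + min_alerts - 1] - ts[i] <= window
               for i in range(len(ts) - min_alerts + 1)):
            incidents.append(group)
    return incidents


def build_incidents(alerts, whitelist, min_alerts=3, window=60):
    """Drop whitelisted alerts, aggregate both sides, order incidents by first alert."""
    kept = [a for a in alerts if not is_whitelisted(a, whitelist)]
    host = [a for a in kept if a["side"] == "host"]
    net = [a for a in kept if a["side"] == "network"]
    incidents = []
    for group in aggregate_host_alerts(host) + aggregate_network_alerts(net, min_alerts, window):
        group = sorted(group, key=lambda a: a["ts"])
        entry = group[0]  # earliest alert approximates the attack entry point
        incidents.append({
            "side": entry["side"],
            "alerts": [a["id"] for a in group],
            "entry": entry["id"],
            "entity": entry.get("src_ip") or entry["host"],
            "first_ts": entry["ts"],
        })
    return sorted(incidents, key=lambda i: i["first_ts"])


if __name__ == "__main__":
    for inc in build_incidents(ALERTS, WHITELIST):
        print(inc["side"], inc["entity"], inc["alerts"], "entry:", inc["entry"])
```

With the constructed data, a1, a2 and a3 collapse into one incident (a2 is a child of a1's process, and a3 shares a2's hash on a different host), a4 stands alone because host-side alerts always become incidents, a5 is discarded by the whitelist, and only 203.0.113.7 reaches the network-side threshold.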
View security incidents
On the page, click Details in the Actions column for a target incident. View incident details, timeline, security alerts, associated entities, and AI assistant explanations to determine whether the incident requires handling. For more information, see Security Incidents.
Region | Description |
Overview section | Displays basic incident information and the MITRE ATT&CK phase. You can view the number of affected assets, how the incident was generated, the number of associated alerts, detection rules, linked accounts, occurrence time, and alert sources. |
Timeline tab | View the alert timeline and traceability graph for this security incident. Click Full Screen to view the timeline and traceability graph in full screen. In full-screen mode, click an alert icon to view its details. In some cases, you can see the specific attack entry point in the traceability graph. |
Alert tab | View the list of security alerts aggregated into this incident. Use multi-dimensional alert statistics—including alert count, defense measures, and occurrence time—to understand the attack method, stage, and appropriate response. |
Entity tab | Lists entities involved in the incident. Supported entity types include hosts, files, processes, IP addresses, and host accounts. By reviewing all entities, you can view basic information about an IP address, Alibaba Cloud threat intelligence, related incidents from the last 30 days, related alerts from the last 30 days, and associated response tasks. This helps you identify malicious entities and affected assets. |
Response Activity tab | Shows a detailed record of responses and actions taken for this incident. |
Security AI Assistant section | A chat interface backed by Security Center's large language model (LLM). It summarizes the security incident, provides threat intelligence for the related IP addresses, and describes the affected assets. |
Handle security incidents
Security Center supports manual handling using recommended response policies or automatic handling using automated response orchestration.
Manually handle security incidents: Review incidents and apply security measures based on severity and context. Use this approach for high-complexity incidents requiring expert judgment or for unknown threats.
Automatically handle security incidents: Run preconfigured playbooks and rules to execute responses—such as fencing infected hosts or blocking suspicious IP addresses. Use this approach for known, well-defined incidents or low-complexity threats requiring rapid response.
Manually handle security incidents
For identified malicious entities, CTDR provides one-click creation of recommended response policies that automatically generate response tasks and run playbooks. By integrating with multiple Alibaba Cloud security services, CTDR can block high-risk inbound IP addresses through WAF or fence high-risk files through Security Center.
The following table lists the entities supported by recommended response policies and the integrated cloud service modules.
Entity type | Recommended response playbook | Integrated Products | Integrated service module |
IP address | Block high-risk inbound IPs using built-in Alibaba Cloud WAF | Alibaba Cloud Web Application Firewall | |
IP address | Block high-risk outbound IPs using built-in Alibaba Cloud Cloud Firewall | Alibaba Cloud Cloud Firewall | |
IP address | Block high-risk inbound IPs using built-in Alibaba Cloud Cloud Firewall | Alibaba Cloud Cloud Firewall | |
File | Fence high-risk files using built-in Alibaba Cloud Security Center | Alibaba Cloud Security Center | |
Process | Terminate high-risk processes using built-in Alibaba Cloud Security Center | Alibaba Cloud Security Center | |
Process | Terminate high-risk processes using CMD via built-in Alibaba Cloud Security Center | Alibaba Cloud Security Center | |
Process | Terminate and fence high-risk processes using built-in Alibaba Cloud Security Center | Alibaba Cloud Security Center | |
Process | Terminate high-risk processes by MD5 hash using built-in Alibaba Cloud Security Center | Alibaba Cloud Security Center | |
Container | Stop high-risk containers using built-in Alibaba Cloud Security Center | Alibaba Cloud Security Center | |
Host | Block high-risk inbound IPs using built-in Alibaba Cloud ECS security group | Alibaba Cloud Elastic Compute Service (ECS) security group | |
Host | Block all outbound traffic from the host using built-in Alibaba Cloud ECS security group | Alibaba Cloud Elastic Compute Service (ECS) security group | |
Domain name | Block malicious domain names using built-in Alibaba Cloud Security Center Malicious Behavior Defense | Alibaba Cloud Security Center | |
Procedure
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your protected assets reside: Chinese Mainland or Outside Chinese Mainland.
On the Security Incidents page, click in the Actions column for a target incident.
In the panel, select the malicious entities to handle, then click Confirm and update the incident status.
To modify parameters such as the destination account and action duration, click Edit in the Actions column for a target entity in the Use Recommended Handling Policy panel, and then update them in the Edit Policy panel.
In the Update Incident Status dialog box, set Event Status to Handling or Handled, then click OK.
Handling: Select this option if additional incident response actions remain—such as immediate remediation, traceability, or vulnerability patching.
Handled: Select this option if no further incident response actions are needed beyond the current action.
After completing this step, CTDR automatically creates and executes the response policy. If execution fails, the incident status updates to Failed. Otherwise, the status updates to the value you selected.
On the tab of the incident details page, view the recommended response policy automatically generated by CTDR.
Automatically handle security incidents
Automated response rules execute predefined actions when triggered by alerts or incidents—for example, fencing malicious files or terminating network connections in response to malware infection or intrusion attempts. After you create a rule, the system matches new security incidents against your configured policy. On a match, CTDR runs the predefined playbook to accelerate threat response. For more information, see Response Rules.
If you need professional guidance from security experts while configuring automated response rules, consider purchasing Managed Security Service Enterprise Edition. For more information, see Managed Security Service.
The following example uses an automated response rule to handle an incident generated by a WAF network attack alert and deploy an IP block rule in WAF.
Prerequisites
You have ingested Alibaba Cloud WAF alert logs into CTDR. For instructions, see Ingest Alibaba Cloud Service Logs.
You have configured a whitelist for business-related requests to prevent them from being blocked. For instructions, see Security Incidents.
Procedure
In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your protected assets reside: Chinese Mainland or Outside Chinese Mainland.
On the Response Rules page, click the Automated Rules tab. Then click Add Rule.
In the Create Automation Rule panel, configure the rule so that it matches incidents generated by WAF network attack alerts and runs the playbook that blocks the attacking IP address in WAF. Then click OK.
On the Response Rules page, in the Automated Rules tab, toggle the switch in the Enabled Status column to enable the created rule.
Wait for an attack to occur on a domain name already ingested into WAF. After an attack, view the corresponding incident on the Security Incidents page.
On the Incident Response tab, view the response policy and task deployed by the playbook after the incident matches the automated response rule.
(Figure: Response policy created by the automated response rule)
(Figure: Response task created by the automated response rule)
In the Web Application Firewall console, view the IP block rule automatically added by CTDR. The following steps use the WAF 3.0 console as an example.
Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
In the navigation pane on the left, choose .
On the Core Web Protection page, go to the Custom Rule section. View the IP block rule automatically deployed by CTDR.
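The matching and whitelist logic behind such an automated response rule, as an added Python example (this is not CTDR's implementation and calls no Alibaba Cloud API; the incident schema, the 1 to 4 severity scale, the business whitelist ranges and the stand-in WAF executor are assumptions): a rule matches incidents from the WAF source at or above a chosen severity, plans one block action per attacker IP while skipping addresses in the business whitelist, runs the actions, and records the incident as Handled or, if any action fails, Failed, mirroring the status behaviour described for response policies above.

```python
"""Added illustration of an automated response rule (not CTDR code).

Incidents from the WAF source at or above min_severity trigger one IP block
action per attacker address; addresses inside the business whitelist are
never blocked. The executor is a stand-in for the WAF API call. All data and
the schema are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AutomationRule:
    name: str
    source: str          # alert source the rule listens on, e.g. "waf"
    min_severity: int    # hypothetical scale: 1 = low ... 4 = critical
    playbook: str        # playbook to run for each matched entity
    block_seconds: int   # how long the block rule stays active


# Constructed business whitelist: requests from these ranges must not be blocked.
BUSINESS_WHITELIST = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]

# Constructed incidents in a simplified hypothetical schema.
INCIDENTS = [
    {"id": "inc-1", "source": "waf", "severity": 3,
     "entities": [{"type": "ip", "value": "203.0.113.7"},
                  {"type": "ip", "value": "192.0.2.15"},
                  {"type": "domain", "value": "shop.example.com"}]},
    {"id": "inc-2", "source": "host", "severity": 4,
     "entities": [{"type": "ip", "value": "203.0.113.8"}]},
    {"id": "inc-3", "source": "waf", "severity": 1,
     "entities": [{"type": "ip", "value": "203.0.113.9"}]},
    {"id": "inc-4", "source": "waf", "severity": 4,
     "entities": [{"type": "ip", "value": "203.0.113.99"}]},
]

WAF_BLOCK_RULE = AutomationRule("waf-attacker-block", "waf", 3, "waf_block_inbound_ip", 3600)


def is_business_ip(value):
    """True if the address falls inside any whitelisted business range."""
    addr = ipaddress.ip_address(value)
    return any(addr in net for net in BUSINESS_WHITELIST)


def rule_matches(rule, incident):
    return incident["source"] == rule.source and incident["severity"] >= rule.min_severity


def plan_actions(rule, incident):
    """One block action per attacker IP; non-IP entities and business IPs are skipped."""
    actions = []
    for ent in incident["entities"]:
        if ent["type"] != "ip" or is_business_ip(ent["value"]):
            continue
        actions.append({"playbook": rule.playbook, "target": ent["value"],
                        "seconds": rule.block_seconds})
    return actions


def run_rule(rule, incidents, execute):
    """Return {incident_id: (status, actions)}; execute(action) -> bool."""
    results = {}
    for inc in incidents:
        if not rule_matches(rule, inc):
            continue
        actions = plan_actions(rule, inc)
        ok = all(execute(a) for a in actions)  # stops at the first failed action
        results[inc["id"]] = ("Handled" if ok else "Failed", actions)
    return results


def fake_waf_executor(action):
    """Stand-in for the WAF block-rule API; pretends the API rejects one address."""
    return action["target"] != "203.0.113.99"


if __name__ == "__main__":
    for inc_id, (status, actions) in run_rule(WAF_BLOCK_RULE, INCIDENTS, fake_waf_executor).items():
        print(inc_id, status, [a["target"] for a in actions])
```

With the constructed data, inc-1 produces a single block for 203.0.113.7 because 192.0.2.15 is a business address and the domain entity is not an IP; inc-2 (host source) and inc-3 (severity below the threshold) are ignored; inc-4 ends as Failed because the stand-in executor rejects its action, which is the point at which a real deployment needs an alert to an operator rather than silent retry.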
References
To manage data across multiple Alibaba Cloud accounts using CTDR, use the multi-account management feature. For more information, see Multi-account Management.
In addition to Alibaba Cloud, Tencent Cloud, and Huawei Cloud logs, CTDR also supports logs from third-party security vendors. For more information, see Ingest Security Vendor Logs.