When security teams need to coordinate incident response across multiple cloud products and accounts, response activities provide a centralized view for managing and auditing all security actions through standardized disposal policies and tasks (shown in the console as Handling Policies and Handling Tasks). From a single location, you can view and manage both manual and automated security operations.
Core concepts
Entity Object — A core object involved in alerts or incidents, such as an IP address, domain name, file hash, process, host, container, cloud resource ID (for example, an ECS instance ID), or user account.
Handling Component — An atomic tool that performs a specific security operation. Each component handles one independent task, such as blocking an IP address or isolating a file.
Playbook — An automated security workflow composed of one or more Handling Components. It defines a complete response path: trigger conditions, conditional logic, and execution actions.
Handling Policy — A security response rule that specifies which entity to respond to (What), which playbook to execute (How), and the scope to which it applies (Where).
Handling Task — The execution record of a disposal policy on a specific target, such as a cloud account or resource. Each task records the execution result (success or failure) of the associated operation.
A disposal policy has a one-to-many relationship with disposal tasks. One policy may generate multiple tasks.
Example: When a suspicious IP alert is detected, a disposal policy is created to block that IP using the Cloud Firewall component. If the policy targets three cloud accounts, three disposal tasks are generated — one for each account.
When to use
Response activities are most effective in the following scenarios:
Multi-account environments: Manage security responses across multiple cloud accounts from a single console, avoiding the need to switch between individual product consoles.
Automated SOAR workflows: Use Security Orchestration, Automation, and Response (SOAR) playbooks to automate repetitive response actions, such as IP blocking or process termination, reducing mean time to respond (MTTR).
Audit and compliance: Track all security response actions — both manual and automated — through centralized disposal policies and tasks for audit trails.
For isolated, single-account incidents with low volume, manual handling through individual cloud product consoles may be sufficient.
How it works
Data sources
The system generates disposal policies and tasks in the following scenarios. The available data sources depend on whether you have activated Agentic SOC, the Security Information and Event Management (SIEM) service.
Agentic SOC not activated
Source | Description |
Manual Handling Event | Handle security events through Use Recommended Handling Policy, Run Playbook, or Add to Whitelist (automatic response rules). For more information, see Assess and handle CWPP events. |
Alert Trigger Playbook | Handle security alerts through AI-Powered Remediation. For more information, see Automated alert handling (AI-Powered Alert Triage). |
Agentic SOC activated
Source | Description |
Manual Handling Event | Handle security events through Use Recommended Handling Policy, Run Playbook, or Add to Whitelist (automatic response rules). For more information, see Assess and handle Agentic SOC security incidents. |
Incident Trigger Playbook | Run Playbook is triggered by automatic response rules configured in Response Rules (triggered on Event Occurrence or Event Update, with Run Playbook as the action). For more information, see Automated response rules. |
Alert Trigger Playbook | |
Manual Execution Playbook | Manually run a Custom Playbook or Predefined Playbook in Response Rules. For more information, see Playbook configuration. |
Data retention
Disposal policy and task data is retained for the following periods:
Default retention: 90 days.
After SIEM expires or is unsubscribed: 15 days for data generated by SIEM-dependent features.
Back up or migrate your data before the retention period expires.
Prerequisites
Before you use the response activities feature, make sure that you have:
Activated a paid version of Security Center. Subscription users must activate any paid version. Pay-as-you-go users must activate any post-paid module.
Activated the SIEM service (required to view playbook details).
Granted the RAM role the permissions it needs on each target cloud product (such as WAF or Cloud Firewall) that the disposal components call. Missing permissions are the most common cause of failed tasks.
(For cross-account operations) Verified that both accounts belong to the same enterprise legal entity and are managed through a resource directory.
Operations guide
View disposal policies
Navigate to the Disposal Center:
Log on to the Security Center console.
In the left navigation pane, choose . In the upper-left corner of the console, select the region where the assets to be protected are located: Chinese Mainland or Outside Chinese Mainland.
Note: If you have activated Agentic SOC, the navigation path changes to .
On the Handling Policies tab, view the following information:
Column | Description |
Entity Object | Click the entity object name to view its context, Alibaba Cloud threat intelligence, related alerts, and more. |
Associated Source | Click the Associated Source column data to view the alerts, security events, or playbooks associated with the disposal policy. Source values indicate how the policy was triggered: System-generated (triggered by automatic response rules), User-initiated (triggered through manual handling), or Playbook-triggered (triggered through SOAR execution). |
View Task | Click View Task in the Actions column to go to the Handling Tasks tab and view the tasks associated with the corresponding disposal policy. |
View Playbook | Click the playbook name to view playbook details, such as run and publish history, basic descriptions, and playbook configuration process components. |
View and handle disposal tasks
On the Handling Tasks tab, view the following information:
Column | Description |
Entity Object | Same as the Handling Policies tab, but at the task level. |
Target Account | The cloud account in which the disposal task runs. In a multi-account management scenario, this column shows the name of the account that the task affects, so you can distinguish records across accounts. |
Handling Component | The cloud product or security service that the disposal task uses to execute the remediation action. |
View Playbook | Same as the Handling Policies tab. |
Task Status | If the status is Failed, hover over the icon next to the failure status to view the reason. |
The following actions are available for disposal tasks:
Retry: If a task fails, click Retry in the Actions column to re-execute it against the same target. Fix the cause first (see the FAQ): retrying a task that failed on permissions or quota without changing anything produces the same failure. If the Retry button is unavailable, the task does not support retry because its operation is irreversible or otherwise special.
Unblock: After confirming that a blocked IP no longer poses a threat, click Unblock in the Actions column to remove the block. Unblock is recorded as a task result, so verify in the target product (for example, the Cloud Firewall or WAF blocklist) that the IP is actually gone before closing the incident.
Billing
The response activities feature is not charged separately. It is included in paid versions of Security Center:
Subscription users: Activate any paid version to use this feature.
Pay-as-you-go users: Activate any post-paid module to use this feature.
Some disposal actions may involve other paid cloud products (such as WAF, CDN, or Anti-DDoS Pro) or incur additional API call fees. For billing details, see the documentation for the corresponding cloud product.
Appendix: Common security disposal components
The following table lists the common disposal components used in response activities, grouped by target product.
The component identifiers listed below are API and playbook-level identifiers. In the Security Center console, look for the corresponding descriptive names (such as "Process termination" or "IP blocking") rather than the API identifiers.
Security Center
Component ID (API) | Description |
AegisKillProcess | Process termination component |
AegisDeepCleanUp | Deep cleanup component |
AegisQuaraFile | File quarantine component |
AegisKillQuara | Process termination and file quarantine component |
SasOfflineCheck | Host offline troubleshooting component |
AegisStopContainer | Container stop component |
AliNetBlockIP | Malicious behavior defense IP blocklist component |
AliNetBlockDNS | Malicious behavior defense domain blocklist component |
AliNetWhiteIP | Malicious behavior defense IP allowlist component |
AliNetWhiteDNS | Malicious behavior defense domain allowlist component |
Cloud Firewall
Component ID (API) | Description |
AliyunFirewallProcess | Inbound IP blocking component |
CfwWhiteListBatch | Inbound IP allowlist component |
AliyunCFWBlockDNS | Outbound malicious domain blocking component |
AliyunFirewallMonitorIPin | Observe-mode inbound IP component |
AliyunFirewallMonitorIPOut | Observe-mode outbound IP component |
WAF
Component ID (API) | Description |
AliyunWafBlockIP | Inbound IP blocking component |
WafWhiteListBatch | IP allowlist component |
AliYunWafMonitorIP | Observe-mode IP component |
Anti-DDoS Pro
Component ID (API) | Description |
AliyunDDoSProxyBlockIP | IP blocking component |
AliyunDDoSProxyWhiteIP | IP allowlist component |
CDN and DCDN
Component ID (API) | Description |
CDNProcess | CDN blocking component |
DcdnWafBanIP | DCDN-WAF IP blocking component |
CLB and ALB
Component ID (API) | Description |
RegionCLBProcess | CLB blocking component |
RegionALBProcess | ALB blocking component |
Third-party cloud
Component ID (API) | Description |
TencentCFWBlockIP | Tencent Cloud CFW high-risk IP blocking component |
HuaWeiRegionCfwBlockIP | Huawei Cloud CFW high-risk IP blocking component |
TencentWafBlockIP | Tencent Cloud WAF high-risk IP blocking component |
HuaWeiWafBlockIP | Huawei Cloud WAF high-risk IP blocking component |
Security groups
Component ID (API) | Description |
SecurityPolicyBlockIP | Security group inbound IP blocking component |
FAQ
Why did the disposal task fail?
Insufficient permissions: The RAM role performing the operation lacks permissions for the target cloud product (such as WAF or Cloud Firewall). Grant the required permissions and retry the task.
Resource does not exist: The entity being disposed (such as a host or container) has been destroyed, or the rule has been manually deleted. Verify that the target resource still exists and retry.
Quota exceeded: The number of rules in the target cloud product (such as a WAF IP blocklist) has reached the upper limit. Increase the quota or clean up unused rules in the target product, then retry the task.
Cross-account operation restrictions: To operate on resources under other cloud accounts, both accounts must belong to the same enterprise legal entity and be managed through a resource directory. Accounts under different legal entities do not support this operation.
Why is the Retry button unavailable?
Some disposal tasks do not support retry due to the irreversible or special nature of their operations. If retry is unavailable, verify the task result manually or contact support.
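The following Python model, added here as an illustration and not part of Security Center or its API, ties together the policy-to-task fan-out from the Core concepts section, the Retry and Unblock actions from the operations guide, and the failure categories in this FAQ. It assumes a hypothetical blocklist backend (FakeFirewallBackend), constructed account IDs and IP addresses, and an assumed split of components into retryable, non-retryable and unblockable sets; only the component IDs come from the appendix.

```python
"""Added example: one handling policy fans out into one task per target
account, each task records Success/Failed with a classified reason, and only
some tasks can be retried or unblocked. Nothing here calls Alibaba Cloud; the
backend, account IDs and addresses are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

# Failure classes mirroring the FAQ categories (names are assumptions).
class Forbidden(Exception): ...
class NotFound(Exception): ...
class QuotaExceeded(Exception): ...
class CrossAccountDenied(Exception): ...

FAILURE_REASONS = {
    "Forbidden": "Insufficient permissions: grant the RAM role access to the target product",
    "NotFound": "Resource does not exist: target destroyed or rule deleted",
    "QuotaExceeded": "Quota exceeded: raise the quota or remove unused rules",
    "CrossAccountDenied": "Cross-account restriction: accounts must share a resource directory",
}

# Which components may be retried or unblocked is NOT stated on the page;
# these sets are assumptions: blocklist entries are reversible, process kills are not.
UNBLOCKABLE = {"AliyunFirewallProcess", "AliyunWafBlockIP", "SecurityPolicyBlockIP"}
NO_RETRY = {"AegisKillProcess", "AegisDeepCleanUp"}

@dataclass
class HandlingTask:
    entity: str
    account: str
    component: str
    status: str = "Pending"   # Pending | Success | Failed | Unblocked
    reason: str = ""

    @property
    def retryable(self) -> bool:
        return self.status == "Failed" and self.component not in NO_RETRY

    @property
    def unblockable(self) -> bool:
        return self.status == "Success" and self.component in UNBLOCKABLE

@dataclass
class HandlingPolicy:
    entity: str
    component: str
    accounts: list[str]
    tasks: list[HandlingTask] = field(default_factory=list)

    def fan_out(self) -> list[HandlingTask]:
        # One policy -> one task per target account (the one-to-many relationship).
        self.tasks = [HandlingTask(self.entity, a, self.component) for a in self.accounts]
        return self.tasks

Executor = Callable[[HandlingTask], None]   # raises one of the classes above on failure

def run_task(task: HandlingTask, execute: Executor) -> HandlingTask:
    try:
        execute(task)
        task.status, task.reason = "Success", ""
    except Exception as exc:  # classify by exception type, as the console shows a reason
        task.status = "Failed"
        task.reason = FAILURE_REASONS.get(type(exc).__name__, f"Unknown error: {exc}")
    return task

def retry_task(task: HandlingTask, execute: Executor) -> HandlingTask:
    if not task.retryable:
        raise ValueError(f"{task.component} task cannot be retried (status={task.status})")
    return run_task(task, execute)

def unblock_task(task: HandlingTask, remove_rule: Executor,
                 is_blocked: Callable[[HandlingTask], bool]) -> HandlingTask:
    if not task.unblockable:
        raise ValueError("only successful blocklist tasks can be unblocked")
    remove_rule(task)
    if is_blocked(task):  # verify removal in the target product, do not trust the click
        raise RuntimeError(f"{task.entity} still present in {task.account} blocklist")
    task.status = "Unblocked"
    return task

class FakeFirewallBackend:
    """Constructed stand-in for a per-account inbound IP blocklist with a quota."""
    def __init__(self, permitted: set[str], quota: int = 2):
        self.permitted, self.quota = set(permitted), quota
        self.rules: dict[str, set[str]] = {}

    def block(self, task: HandlingTask) -> None:
        if task.account not in self.permitted:
            raise Forbidden(task.account)
        rules = self.rules.setdefault(task.account, set())
        if task.entity not in rules and len(rules) >= self.quota:
            raise QuotaExceeded(task.account)
        rules.add(task.entity)

    def remove(self, task: HandlingTask) -> None:
        self.rules.get(task.account, set()).discard(task.entity)

    def is_blocked(self, task: HandlingTask) -> bool:
        return task.entity in self.rules.get(task.account, set())

def demo() -> tuple[HandlingPolicy, FakeFirewallBackend]:
    backend = FakeFirewallBackend(permitted={"acct-A", "acct-C"})
    backend.rules["acct-C"] = {"198.51.100.1", "198.51.100.2"}   # quota already full
    policy = HandlingPolicy("203.0.113.7", "AliyunFirewallProcess",
                            ["acct-A", "acct-B", "acct-C"])
    for t in policy.fan_out():
        run_task(t, backend.block)
    backend.permitted.add("acct-B")          # fix the RAM permission, then Retry
    retry_task(policy.tasks[1], backend.block)
    unblock_task(policy.tasks[0], backend.remove, backend.is_blocked)  # later: Unblock
    return policy, backend

if __name__ == "__main__":
    for t in demo()[0].tasks:
        print(t.account, t.status, t.reason)
```

Running demo() leaves acct-A Unblocked, acct-B Success after the permission fix and retry, and acct-C Failed with the quota reason, which is the state a responder should expect to see on the Handling Tasks tab for a three-account policy with one broken prerequisite per account.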