CWPP (cloud workload protection platform) security incidents

更新时间:
复制 MD 格式

Security Center generates alerts from its host protection and container protection features based on your configured rules. Security Center then displays these alerts on the cloud workload protection platform (CWPP) page. Using graph computing technology, Security Center correlates related alerts—such as those sharing the same MD5 hash or parent process ID—and aggregates them into a single security incident. This topic explains the fundamental concepts of CWPP security incidents.

Key concepts of CWPP security incidents

Source of CWPP security incidents

Security Center generates alerts based on the asset protection rules that you configure for its host protection and container protection features. It then uses graph computing technology to aggregate related CWPP alerts, such as those with the same MD5 hash or parent process ID, into a security incident. In the overview section of the incident details page, the alert source appears as "Security Center".

Note

You can view CWPP alerts on the CWPP tab of the Detection and Response > Alert page.

CWPP security incident generation rules

By default, Security Center generates a security incident for each CWPP alert, except for precision defense alerts. If a host alert is not correlated with any others, it will form a security incident on its own.

Important

If you configure incident whitelisting rules, alerts that match a rule do not generate a security incident.

Incident retention period

The Security Events page displays only incidents from the last 180 days.

Security incident risk levels and handling

Risk level

Description

Handling

Serious

  • The activity described in the incident causes a service interruption, making critical functions inaccessible or causing a complete network outage. This severely impacts service availability, and no workarounds are available.

  • The activity indicates a definite intrusion involving confirmed malicious behavior or entities.

  • The impact is widespread, affecting multiple servers.

We recommend that you investigate and handle this incident immediately.

High Risk

  • The activity indicates the discovery of confirmed malicious behavior or entities. The incident is highly likely a successful intrusion that has already compromised your assets, such as abnormal process behavior like a reverse shell.

  • The impact is typically limited to a single machine.

We recommend that you investigate and handle this incident immediately.

Medium Risk

The activity indicates suspected malicious behavior or entities. The incident may be a successful intrusion that has affected your assets. It could also result from unusual operations and maintenance (O&M) activities, such as an abnormal logon.

This risk level suggests a possibility that your assets are under attack. We recommend that you review the incident details to assess the risk and take appropriate action.

Low Risk

The activity suggests a possible intrusion or that an external source is continuously probing your assets, such as access from an IP address like 106.11.XX.XX.

You should pay attention to incidents at this risk level if your assets have high security requirements.

Reminder

These are typically high-volume alerts from workflow automation software, indicating that certain jobs have completed or reached a specific milestone.

No action is typically required.

Incident components

You can respond to security incidents by handling the aggregated alerts and their associated entities.

CWPP security alerts

Security Center generates CWPP security incidents by aggregating CWPP security alerts with graph computing technology. If you determine an incident is a false positive, you can add the entire incident or its underlying alerts to a whitelist.

The alert aggregation rules are as follows:

  • A single CWPP security incident can aggregate a maximum of 2,000 alerts.

  • For incidents in the Unhandled state, Security Center can aggregate new, related alerts into the existing incident.

  • For incidents in the Handling, Handled, or Handling Failed state, Security Center does not aggregate new alerts. Instead, it creates a new incident for them in the Unhandled state.

Entities

In a security incident, an entity is a specific object or actor associated with the event. Security Center extracts and aggregates entities from security alerts. Based on whether an entity has a malicious tag, Security Center classifies it as either malicious or non-malicious. For each entity, you can view its details, run playbooks, and query Alibaba Cloud threat intelligence. Security Center can identify the following types of entities:

Entity name

Asset entity

Malicious

Host

Yes

No

IP address

Yes

Yes

Alibaba Cloud account

Yes

No

AccessKey pair

Yes

No

Domain name

Yes

Yes

File

No

Yes

Host process

No

Yes

Host account

No

No

URL

No

No

Registry

No

Yes

Container

Yes

No

Cluster

Yes

No

Object Storage Service (OSS)

Yes

No

Security incident handling process

image

Additional services

Activating the Agentic SOC service provides more advanced features for security incident analysis and response. The following table compares the features with and without Agentic SOC.

Feature

With Agentic SOC

Without Agentic SOC

Supported incident types

  • Analyzes the context of multiple Agentic SOC security alerts and aggregates them into a comprehensive incident by using predefined or custom rules.

  • Security incidents from cloud workload protection platform (CWPP) alerts are migrated to Agentic SOC for handling.

Aggregates security alerts from the cloud workload protection platform (CWPP), such as intrusion detection and defense alerts for hosts and containers in Security Center, using graph computing. For more information, see Overview of CWPP (cloud workload protection platform) security incidents.

Incident investigation reports and AI analysis

Supported.

Not supported.

Incident handling methods

  • Recommended response policies (Agent Recommended Policy or System Recommended Policy)

  • Update incident status

  • Add to whitelist

    Important
  • Run playbooks

  • Automated response (SOAR)

  • Recommended response policies (System Recommended Policy)

  • Update incident status

  • Add to whitelist

    Important

    For CWPP incidents, you can only Add Alert to Whitelist.

  • Run playbooks