In this paper, we attempt to base on CIDS framework and initiate a Data Driven Detection Strategy Engine (3DSE), a new thinking on identifying suspected users by adopting Decision Tree and Logistic Regression techniques to mine the usage patterns (from audit log and alert log) of different cloud member. Moreover, according to the analytical mining results, we also propose a danger-coefficient ranking model, which allows system to adopt different security strategies to monitoring users of different security levels. Deploying this engine, cloud system can be automatically trained up and become more efficient and effective on intrusion detection.