After the Security Center agent is installed on your servers, it collaborates with Alibaba Cloud to protect your servers. Security Center provides a wide array of features, including security alerts, vulnerability management, antivirus, baseline checks, and attack analysis.

This topic describes the information that can be collected by Security Center.
Note: Changes to the following information will be posted on the Alibaba Cloud international site. If you do not accept the changes, you can stop using Alibaba Cloud Security Center. In this case, you can uninstall the agent from your servers. For more information, see Uninstall the Security Center agent. If you continue using Alibaba Cloud Security Center, you are deemed to have accepted these changes.

Suspicious files

Security Center detects suspicious files on your servers. After a suspicious file is detected by Security Center, information about the file is uploaded to Alibaba Cloud for further verification. The file information includes but is not limited to the file path, MD5 hash value, and creation time. If the suspicious file is determined to be a malicious file, Security Center sends you an alert.

Suspicious processes

Security Center detects suspicious processes on your servers. After a suspicious process is detected by Security Center, information about the process is uploaded to Alibaba Cloud for further verification. The process information includes but is not limited to the process name, parameters used to start the process, file path of the process, and start time of the process. If the suspicious process is determined to be a malicious process, Security Center sends you an alert.

Accounts

Security Center provides features such as logon audit, suspicious account alerting, and brute-force attack prevention. Security Center regularly analyzes and uploads account and logon information about protected servers. The account information includes but is not limited to the usernames and user permissions. The logon information includes but is not limited to the usernames and IP addresses that are used for logons. If a logon is determined to be an unusual logon, Security Center sends you an alert.

Suspicious connections

Security Center detects suspicious network connections to your servers. After a suspicious network connection is detected by Security Center, information about the connection is uploaded to Alibaba Cloud for further verification. The connection information includes but is not limited to the source IP address, source port, destination IP address, and destination port. If the suspicious network connection is determined to be malicious, Security Center sends you an alert.

Server assets

Security Center supports server asset management. Security Center regularly collects information about servers, including but not limited to the software information, port listening information, and information about the websites running on your servers. You can log on to the Security Center console and view the information on the Assets page.

Container image security

Security Center scans container images. Security Center regularly scans containers to detect whether vulnerabilities and malicious files exist. You can log on to the Security Center console, choose Image Security, and view detected vulnerabilities and malicious files.

Container security during runtime

To ensure container security during runtime, Security Center dynamically detects threats, including viruses, malicious programs, intrusions, container escapes, and high-risk operations in running containers. If risks are detected during container runtime, Security Center sends you an alert.