Security Center generates alerts when it detects web page tampering, suspicious processes, webshells, unusual logons, and malicious processes. These alerts help you learn about potential threats to your assets and the security status of your assets in real time.

Alert statistics

Security Center provides alert statistics based on the enabled alert types. The statistics give you an overview of asset security and show which alert types are enabled and which are disabled. You can view alert statistics and types on the Alerts page in the Security Center console.

Alert statistics are displayed as follows:

  • Servers With Alerts: the number of servers on which alert events are detected.

    Click the number under Servers With Alerts to go to the Assets > Server tab to view the servers that have triggered alerts.

  • All Alerts: the total number of unhandled alerts.

    By default, the Alerts page displays all Unhandled alerts. For more information, see View and handle security events.

  • Urgent Alerts: the number of Urgent alerts.

    You can click the number under Urgent Alerts to filter and view Urgent alerts on the Alerts page.

    We recommend that you handle Urgent alert events at the earliest opportunity.

    Security Center classifies alerts into the following severity levels.
    • Urgent: high severity risks. This level of risk indicates that intrusion events have been detected on your servers, such as reverse shells. We recommend that you view the details of the alert events and handle the events in a timely manner.
    • Warning: medium severity risks. This level of risk indicates that suspicious events have been detected on your servers, such as suspicious CMD command sequences. We recommend that you view the details of the alert events, determine whether your servers are at risk, and handle the events as needed.
    • Notice: low severity risks. This level of risk indicates that low-risk events have been detected on your servers, such as suspicious port listening behaviors. We recommend that you view the details of the alert events.
  • Precise Defense: the number of viruses that are automatically quarantined by the virus scan feature.

    Click the number under Precise Defense to filter alerts detected by Precise Defense on the Alerts page and view details of quarantined viruses.

    For more information about how to configure precise defense, see Virus detection.

  • IP blocking/All: Security Center provides default policies and supports custom policies to block IP addresses. Based on the actual scenario, you can enable or disable specific anti-brute-force rules to block or unblock potentially malicious IP addresses. After you disable a rule, Security Center no longer blocks IP addresses based on this rule, and the IP addresses that the rule blocked are allowed to access your servers.
    • IP blocking: the number of blocked IP addresses after the anti-brute-force attack rule is enabled.
    • All: the total number of IP addresses blocked by all anti-brute-force attack rules.

    For more information about creating anti-brute-force attack rules, see Anti-brute-force attack rules.

  • Number Of Quarantined Files: the total number of files quarantined by Security Center based on relevant alerts.

    Click the number under Number Of Quarantined Files to go to the Quarantine page and view the quarantined files. For more information, see Quarantine.

For more information about the alert types supported by Security Center, see Alert types.

Security Center enables all defense capabilities except application whitelist and webpage anti-tampering by default.
  • Security Center Basic Edition enables only the capability of detecting unusual logons by default. To use other defense capabilities, you must upgrade Security Center to Advanced Edition or Enterprise Edition. For more information about how to upgrade Security Center, see Renewal and upgrade.
  • Webpage anti-tampering is a value-added service of Security Center. To use this service, you must purchase and activate it. Webpage anti-tampering is supported by Advanced Edition and Enterprise Edition, and is not supported by Basic Edition. For more information about webpage anti-tampering, see Activate service.
  • Security Center Enterprise Edition supports and enables cloud threat detection by default. To use cloud threat detection in Security Center, you must upgrade Advanced Edition to Enterprise Edition.

Alert types

  • Beginning December 20, 2018, the Basic edition of Security Center only generates alerts when unusual logons or DDoS attacks are detected. To enable more alert types, you must upgrade the Basic edition to the Advanced or Enterprise edition.
  • For more information about alert types supported by the Basic, Advanced, and Enterprise editions, see Features.

Alert types and descriptions:

  • Webpage Tampering: Tamper protection is a value-added service provided by Security Center. This service monitors website directories in real time and backs up and restores tampered files or directories. This service prevents drive-by downloads, hidden links, and uploads of violent or illicit content. Tamper protection can detect the following activities:
    • Adding suspicious files
    • Modifying files
    • Deleting files

    Note: Tamper protection is a value-added service provided by Security Center. To use this service, you must purchase the service and activate it. Tamper protection is supported by the Advanced and Enterprise editions. It is not supported by the Basic edition. For more information about tamper protection, see Website tamper-proofing.

  • Suspicious Process: Security Center can detect unusual process activities, including:
    • Writing configuration files for Linux cron jobs
    • Modifying files of Linux cron jobs
    • Running unusual commands in Linux
    • Reverse shells
    • Running unusual commands in Python applications
    • Downloading malicious code by using Windows system files
    • Running commands to insert JavaScript into an HTML page by using the Windows mshta utility
    • Creating unusual scheduled tasks in Windows
    • Windows regsvr32.exe running unusual commands
    • Visiting malicious download sources
    • Modifying registry configuration
    • Unusual use of system tools
    • Running malicious commands
    • Container starting in the privileged mode
    • Modifying startup programs

  • Webshell: Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and quickly quarantines webshell files.
    • Any change made to files under the web directory triggers dynamic detection. Security Center scans the entire web directory early in the morning on a daily basis.
    • You can specify the assets on which Security Center scans for webshells.
    • You can quarantine, restore, and ignore detected Trojan files.

  • Unusual Logon: Security Center can detect unusual logons to your servers. You can set approved logon IP addresses, time, and accounts. Logons from unapproved IP addresses, accounts, or time trigger alerts. You can manually add approved logon locations or set the system to automatically update approved logon locations. You can also specify assets on which alerts are triggered when unusual logon locations are detected.

    Security Center can detect the following logon events:
    • Logons to Elastic Compute Service (ECS) instances from unapproved IP addresses
    • Logons to ECS instances from unapproved locations
    • Unusual command running after logons to ECS instances based on the Secure Shell protocol
    • ECS instance passwords cracked due to brute-force attacks based on the Secure Shell protocol

    For more information, see How can I detect unusual logons and receive alerts in the Security Center console?

  • Suspicious Event: Security Center can detect suspicious process activities.

  • Sensitive File Tampering: Security Center can check whether sensitive files on your servers are maliciously modified, such as pre-loaded configuration file tampering in Linux shared libraries.

  • Malicious Process: Process information is collected by Security Center and uploaded to Alibaba Cloud. Based on the collected information, Security Center dynamically scans the assets and generates alerts in real time when malicious processes are detected. You can log on to the Security Center console to manage the detected malicious processes.

    Security Center can detect the following malicious activities and processes:
    • Visiting malicious IP addresses
    • Mining programs
    • Automatic mutating Trojans
    • Malicious programs
    • Trojans

    For more information, see Cloud threat detection.

  • Unusual Network Connection: Security Center can detect unusual network connections and disconnections.

    Security Center can detect the following unusual network activities:
    • Proactive connections to malicious download sources
    • Visiting malicious domains
    • Connections to mining pools
    • Unusual external network connections
    • External reverse shell connections
    • Unusual connections in Windows systems
    • Lateral movement attacks
    • Suspicious scan activities targeting sensitive ports such as ports 22, 80, 443, and 3389

  • Suspicious Account: Logons to your assets from unapproved accounts.

  • Cloud Threat Detection: Security Center can detect suspicious activities in the other Alibaba Cloud services you have purchased, including:
    • Deleting ECS security group rules

  • Precision Defense: The Precision Defense feature provides precise protection against major ransomware, DDoS Trojans, mining programs, Trojan programs, malicious processes, webshells, and worms. For more information, see Virus detection.

  • Application Intrusion Event: Security Center can detect intrusion activities that use system application components.

  • Persistence: Security Center can detect suspicious scheduled tasks on the servers and generate alerts when persistent threats against the servers are detected.

  • Application Whitelist: You can create a whitelist policy for servers that require reinforced protection. The policy identifies suspicious and malicious processes and generates alerts.

  • Web Application Threat: Security Center can detect intrusion activities on the servers that use web applications.

  • Malicious Script: Security Center can check whether the system services of your assets are attacked or modified by malicious scripts. Alerts are generated if potential script attacks are detected.

  • Other: Other attack types that can be detected by Security Center, such as DDoS attacks.
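
The approved IP address, account, and time checks described under Unusual Logon, together with the brute-force case from its logon event list, sketched as an added Python example (not Security Center's own detection code). The policy values, the failure threshold, and the sshd-style log lines are constructed assumptions.

```python
import re
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical policy: the three "approved" settings the page names.
POLICY = {
    "networks": [ip_network("203.0.113.0/24")],
    "accounts": {"deploy", "ops"},
    "hours": (time(8, 0), time(20, 0)),
}
FAIL_THRESHOLD = 3  # assumed: failures from one IP before a success looks "cracked"

# Constructed sample input (ISO timestamp + sshd message text).
SAMPLE_LOG = """\
2024-05-02T09:15:01 sshd[811]: Accepted password for deploy from 203.0.113.7 port 50211 ssh2
2024-05-02T23:40:12 sshd[902]: Accepted publickey for ops from 203.0.113.9 port 50300 ssh2
2024-05-03T10:01:00 sshd[950]: Failed password for root from 198.51.100.23 port 40100 ssh2
2024-05-03T10:01:02 sshd[950]: Failed password for root from 198.51.100.23 port 40101 ssh2
2024-05-03T10:01:04 sshd[950]: Failed password for root from 198.51.100.23 port 40102 ssh2
2024-05-03T10:01:06 sshd[950]: Accepted password for root from 198.51.100.23 port 40103 ssh2
"""

LINE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def evaluate(log_text, policy=POLICY):
    """Return (timestamp, user, ip, reasons) for every logon that violates policy."""
    alerts, failures = [], {}
    start, end = policy["hours"]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] = failures.get(ip, 0) + 1  # count per source IP
            continue
        reasons = []
        if not any(ip_address(ip) in net for net in policy["networks"]):
            reasons.append("unapproved IP")
        if user not in policy["accounts"]:
            reasons.append("unapproved account")
        if not start <= datetime.fromisoformat(m["ts"]).time() <= end:
            reasons.append("unapproved time")
        if failures.pop(ip, 0) >= FAIL_THRESHOLD:  # success resets the counter
            reasons.append("success after repeated failures")
        if reasons:
            alerts.append((m["ts"], user, ip, reasons))
    return alerts
```
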