Security Center generates alerts when it detects web page tampering, suspicious processes, webshells, unusual logons, and malicious processes. These alerts help you learn about potential threats to your assets and the security status of your assets in real time.
Security Center provides alert statistics based on enabled alert types. This allows you to learn about asset security overview, enabled alert types, and disabled alert types. You can view alert statistics and types on the Alerts page in the Security Center console.
Alert statistics are displayed as follows:
- Servers With Alerts: the number of servers on which alert events are detected.
Click the number under Servers With Alerts to go to the tab to view the servers that have triggered alerts.
- All Alerts: the total number of unhandled alerts.
By default, the Alerts page displays all Unhandled alerts. For more information, see View and handle security events.
- Urgent Alerts: the number of Urgent alerts.
You can click the number under Urgent Alerts to filter and view Urgent alerts on the Alerts page.
We recommend that you handle Urgent alert events at the earliest opportunity. Security Center classifies alerts into the following severity levels:
- Urgent: high severity risks. This level of risk indicates that intrusion events have been detected on your servers, such as reverse shells. We recommend that you view the details of the alert events and handle the events in a timely manner.
- Warning: medium severity risks. This level of risk indicates that suspicious events have been detected on your servers, such as suspicious CMD command sequences. We recommend that you view the details of the alert events, determine whether your servers are at risk, and handle the events as needed.
- Notice: low severity risks. This level of risk indicates that low-risk events have been detected on your servers, such as suspicious port listening behaviors. We recommend that you view the details of the alert events.
- Precise Defense: the number of viruses that are automatically quarantined by the virus scan feature.
Click the number under Precise Defense to filter alerts detected by Precise Defense on the Alerts page and view details of quarantined viruses.
For more information about how to configure precise defense, see Virus detection.
- IP blocking/All: Security Center provides default policies and supports custom policies to block IP addresses. Based on the actual scenario, you can enable or disable specific anti-brute-force rules to block or unblock potentially malicious IP addresses. After you disable a rule, Security Center no longer blocks IP addresses based on this rule, and the IP addresses that the rule would have blocked are allowed to access your servers.
  - IP blocking: the number of IP addresses blocked by a specific anti-brute-force attack rule after that rule is enabled.
  - All: the total number of IP addresses blocked by all anti-brute-force attack rules.
For more information about creating anti-brute-force attack rules, see Anti-brute-force attack rules.
- Number Of Quarantined Files: the total number of files quarantined by Security Center based on relevant alerts.
Click the number under Number Of Quarantined Files to go to the Quarantine page and view the quarantined files. For more information, see Quarantine.
For more information about the alert types supported by Security Center, see Alert types.
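The following is an added example, not code from Security Center or Alibaba Cloud, that models how the IP blocking and All counters above relate to anti-brute-force rules. The rule names, thresholds, windows, and the log format are assumptions constructed for the example; Security Center's real rule parameters are documented in Anti-brute-force attack rules. The example evaluates failed-logon records per rule with a sliding window, reports the per-rule count (IP blocking) and the union across rules (All), and shows that disabling a rule removes its blocks.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

# Constructed sample failed-logon records (time, service, source IP).
# Illustrative only; not output of any real system.
SAMPLE_LOG = """\
2024-01-15T10:00:01 ssh 203.0.113.7
2024-01-15T10:00:03 ssh 203.0.113.7
2024-01-15T10:00:05 ssh 203.0.113.7
2024-01-15T10:00:07 ssh 203.0.113.7
2024-01-15T10:00:09 ssh 203.0.113.7
2024-01-15T10:00:02 rdp 198.51.100.23
2024-01-15T10:00:04 rdp 198.51.100.23
2024-01-15T10:00:06 rdp 198.51.100.23
2024-01-15T10:00:10 ssh 192.0.2.44
2024-01-15T10:30:00 ssh 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


@dataclass
class BruteForceRule:
    """Hypothetical anti-brute-force rule: block a source IP once it accumulates
    max_failures failed logons to `service` within `window`. Disabled rules block nothing."""
    name: str
    service: str
    max_failures: int
    window: timedelta
    enabled: bool = True


# Assumed default rules; thresholds are illustrative, not Security Center's.
DEFAULT_RULES = [
    BruteForceRule("ssh-default", "ssh", 5, timedelta(minutes=1)),
    BruteForceRule("rdp-default", "rdp", 3, timedelta(minutes=1)),
]


def parse_failures(log_text):
    """Parse the constructed log format into (timestamp, service, ip), sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected shape
        ts, service, ip = m.groups()
        events.append((datetime.fromisoformat(ts), service, ip))
    events.sort(key=lambda e: e[0])
    return events


def blocked_by_rule(events, rule):
    """Return the set of IPs the rule would block, using a sliding window per IP."""
    if not rule.enabled:
        return set()  # a disabled rule never blocks (the page's unblock behaviour)
    recent = defaultdict(deque)
    blocked = set()
    for ts, service, ip in events:
        if service != rule.service:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > rule.window:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= rule.max_failures:
            blocked.add(ip)
    return blocked


def alert_statistics(log_text, rules):
    """Per-rule 'IP blocking' counts and the 'All' union across enabled rules."""
    events = parse_failures(log_text)
    per_rule = {r.name: blocked_by_rule(events, r) for r in rules}
    all_blocked = set().union(*per_rule.values()) if per_rule else set()
    return {
        "per_rule": {name: sorted(ips) for name, ips in per_rule.items()},
        "all": sorted(all_blocked),
    }


def disable_rule(rules, name):
    """Return a copy of the rule list with the named rule disabled."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]


if __name__ == "__main__":
    print(alert_statistics(SAMPLE_LOG, DEFAULT_RULES))
    print(alert_statistics(SAMPLE_LOG, disable_rule(DEFAULT_RULES, "rdp-default")))
```

With the sample data, the SSH rule blocks 203.0.113.7 (five failures within a minute), the RDP rule blocks 198.51.100.23, and 192.0.2.44 is never blocked because its two failures are 30 minutes apart. Disabling the RDP rule drops 198.51.100.23 from both that rule's count and the All total, which is the behaviour the page describes for a disabled rule.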
- Security Center Basic Edition enables only the capability of detecting unusual logons by default. To use other defense capabilities, you must upgrade Security Center to Advanced Edition or Enterprise Edition. For more information about how to upgrade Security Center, see Renewal and upgrade.
- Webpage anti-tampering is a value-added service of Security Center. To use this service, you must purchase and activate it. Webpage anti-tampering is supported by Advanced Edition and Enterprise Edition, and is not supported by Basic Edition. For more information about webpage anti-tampering, see Activate service.
- Security Center Enterprise Edition supports and enables cloud threat detection by default. To use cloud threat detection in Security Center, you must upgrade Advanced Edition to Enterprise Edition.
- Beginning December 20, 2018, Security Center Basic Edition only generates alerts when unusual logons or DDoS attacks are detected. To enable more alert types, you must upgrade Basic Edition to Advanced Edition or Enterprise Edition.
- For more information about alert types supported by the Basic, Advanced, and Enterprise editions, see Features.
| Alert type | Description |
| --- | --- |
| Webpage Tampering | Tamper protection is a value-added service provided by Security Center. This service monitors website directories in real time and backs up and restores tampered files or directories. This service prevents drive-by downloads, hidden links, and uploads of violent or illicit content. Tamper protection can detect the following activities: Note: Tamper protection is a value-added service provided by Security Center. To use this service, you must purchase the service and activate it. Tamper protection is supported by Advanced Edition and Enterprise Edition. It is not supported by Basic Edition. For more information about tamper protection, see Website tamper-proofing. |
| Suspicious Process | Security Center can detect unusual process activities, including: |
| Webshell | Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and quickly quarantines webshell files. |
| Unusual Logon | Security Center can detect unusual logons to your servers. You can set approved logon IP addresses, time, and accounts. Logons from unapproved IP addresses, accounts, or time trigger alerts. You can manually add approved logon locations or set the system to automatically update approved logon locations. You can also specify assets on which alerts are triggered when unusual logon locations are detected. Security Center can detect the following logon events: |
| Suspicious Event | Security Center can detect suspicious process activities. |
| Sensitive File Tampering | Security Center can check whether sensitive files on your servers are maliciously modified, such as pre-loaded configuration file tampering in Linux shared libraries. |
| Malicious Process | Process information is collected by Security Center and uploaded to Alibaba Cloud. Based on the collected information, Security Center dynamically scans the assets and generates alerts in real time when malicious processes are detected. You can log on to the Security Center console to manage the detected malicious processes. Security Center can detect the following malicious activities and processes: |
| Unusual Network Connection | Security Center can detect unusual network connections and disconnections. Security Center can detect the following unusual network activities: |
| Suspicious Account | Logons to your assets from unapproved accounts. |
| Cloud Threat Detection | Security Center can detect suspicious activities in the other Alibaba Cloud services you have purchased, including activities such as deleting ECS security group rules. |
| Precision Defense | The Precision Defense feature provides precise protection against major ransomware, DDoS Trojans, mining programs, Trojan programs, malicious processes, webshells, and worms. For more information, see Virus detection. |
| Application Intrusion Event | Security Center can detect intrusion activities that use system application components. |
| Persistence | Security Center can detect suspicious scheduled tasks on the servers and generates alerts when persistent threats against the servers are detected. |
| Application Whitelist | You can create a whitelist policy for servers that require reinforced protection. The policy identifies suspicious and malicious processes and generates alerts. |
| Web Application Threat | Security Center can detect intrusion activities on the servers that use web applications. |
| Malicious Script | Security Center can check whether the system services of your assets are attacked or modified by malicious scripts. Alerts are generated if potential script attacks are detected. |
| Other | Other attack types that can be detected by Security Center, such as DDoS attacks. |
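The Unusual Logon and Suspicious Account rows above describe alerts driven by approved logon IP addresses, times, and accounts. The following added example, which is not Security Center's code, shows that evaluation over constructed logon records: each successful logon is checked against an assumed policy (approved IPs standing in for approved logon locations, an approved account list, and an approved time-of-day window), and every unapproved attribute becomes a reason on the alert. The log format, policy values, and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample logon records (time, account, source IP, result).
# Illustrative only; not output of any real system.
SAMPLE_LOGONS = """\
2024-01-15T09:15:00 admin 203.0.113.10 success
2024-01-15T02:40:00 admin 203.0.113.10 success
2024-01-15T10:05:00 admin 198.51.100.99 success
2024-01-15T11:20:00 backup 203.0.113.11 success
2024-01-15T12:00:00 admin 203.0.113.10 failure
"""


@dataclass(frozen=True)
class LogonPolicy:
    """Hypothetical approved-logon policy: IPs (standing in for locations),
    accounts, and an inclusive time-of-day window."""
    approved_ips: frozenset
    approved_accounts: frozenset
    approved_start: time
    approved_end: time


# Assumed policy for the example; values are illustrative.
EXAMPLE_POLICY = LogonPolicy(
    approved_ips=frozenset({"203.0.113.10", "203.0.113.11"}),
    approved_accounts=frozenset({"admin"}),
    approved_start=time(8, 0),
    approved_end=time(18, 0),
)


def check_logon(ts, account, ip, policy):
    """Return the list of policy attributes this logon violates (empty if approved)."""
    reasons = []
    if ip not in policy.approved_ips:
        reasons.append("unapproved IP")
    if account not in policy.approved_accounts:
        reasons.append("unapproved account")
    if not (policy.approved_start <= ts.time() <= policy.approved_end):
        reasons.append("unapproved time")
    return reasons


def unusual_logons(log_text, policy):
    """Evaluate successful logons against the policy and return alert records.
    Failed attempts are skipped here; they belong to brute-force detection instead."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        ts_text, account, ip, result = parts
        if result != "success":
            continue
        ts = datetime.fromisoformat(ts_text)
        reasons = check_logon(ts, account, ip, policy)
        if reasons:
            alerts.append({"time": ts_text, "account": account, "ip": ip, "reasons": reasons})
    return alerts


def approve_location(policy, ip):
    """Model 'manually add an approved logon location': return a policy with the IP added."""
    return LogonPolicy(
        approved_ips=policy.approved_ips | {ip},
        approved_accounts=policy.approved_accounts,
        approved_start=policy.approved_start,
        approved_end=policy.approved_end,
    )


if __name__ == "__main__":
    for alert in unusual_logons(SAMPLE_LOGONS, EXAMPLE_POLICY):
        print(alert)
```

With the sample records, three alerts are produced: the 02:40 logon is outside the approved window, the logon from 198.51.100.99 comes from an unapproved IP, and the backup account is unapproved. The failed attempt at 12:00 produces nothing here. Adding 198.51.100.99 as an approved location with approve_location removes the second alert, which mirrors manually extending the approved logon locations described on the page.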