Security Center can monitor the security status of your servers and trigger alarms when it detects any network intrusions. This allows you to manage potential security risks and quickly respond to the risks.

Function Description

Security Center detects network intrusion behaviors such as:

  • Unusual logon: After you specify valid logon IP addresses, logon times, and accounts, Security Center monitors your logon behavior against these conditions and triggers an alarm when any unusual logon behavior is detected. Usual logon locations can also be added. Security Center then triggers alarms when logons to a specified asset from an unfamiliar location are detected.
  • Webshell: Security Center detects common Webshells using an autonomous detection engine that supports both scheduled detection and real-time protection. You can then quarantine any detected Webshell with one click.
    • Modifications made to scan targets will trigger a dynamic Webshell analysis. A static Webshell analysis is performed daily at 12:00 am.
    • You can customize scan targets for Trojan horse scanning and removal.
    • You can quarantine, restore, or ignore detected Trojan horse files.
  • Suspicious host: You can view suspicious processes, sensitive file tampering, and unusual network connections that are detected on your servers.
  • Virus: Security Center and the control center on the cloud collaborate to provide a virus scanning and removal mechanism. Security Center records information generated by running processes and reports the information to the control center on the cloud for virus scanning. When a virus is detected, Security Center determines the method to remove the virus, for example, by terminating the process and quarantining the file.

View and process security events

To view and process network intrusions that occur on your servers, follow these steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Events.
  3. In the event list, view all the network intrusions that are detected.
  4. You can quickly locate a specific event by searching for it or by filtering on its event type, severity level, and processing status. For example, you can search for an event by using the IP address or name of the server on which the event occurred, or by using the event name.
  5. Process events using applicable methods.
    • View: View event details.
    • Handle Offline: Remove the record from the list after the event has been confirmed and processed offline.
    • Ignore Once: Ignore the event and remove the record from the list.
    • Label as False Positive: Label the event as a false positive and remove it from the list.
    • (Webshell only) Handle Online: Quarantine the webshell file. The quarantined files can be viewed by clicking Quarantine in the upper-right corner of the page.
      Note The system only keeps a quarantined file for 30 days. You can restore any quarantined file before the system deletes the file.

Settings

You can customize your usual logon locations and scan targets. You can also set alarm severity levels and configure advanced logon detection.
Note Advanced logon detection is provided only in Security Center Enterprise Edition. With Security Center Enterprise Edition, you can specify more precise conditions of unusual logons, such as specifying valid logon IP addresses, logon times, and accounts.

To set security events, follow these steps:

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Events.
  3. In the upper-right corner, click Settings and then configure the settings.
    • Add usual logon locations
      1. Click Add next to Usual Logon Locations.
      2. Select a usual logon location and its associated servers or server groups.
      3. Click OK.

      You can Edit or Delete an added usual logon location.

      • Click Edit next to a usual logon location to change its associated servers.
      • Click Delete next to a usual logon location to delete the configurations for this usual logon location.
    • Configure advanced logon alarming
      Note You can specify valid logon IP addresses, logon times, and accounts. Security Center triggers alarms when logon attempts that do not match these conditions are detected. The following functions are configured in the same way as usual logon locations: you can perform the Add, Edit, and Delete operations by referring to the preceding section.
      • Click the switch next to Valid Logon IPs to enable or disable the IP address check. If the IP address check is enabled, alarms are triggered when logons are performed from IP addresses that are not specified.
      • Click the switch next to Valid Logon Time to enable or disable the logon time check. If the logon time check is enabled, alarms are triggered when logons are performed outside the specified times.
      • Click the switch next to Valid Logon Accounts to enable or disable the account check. If the account check is enabled, alarms are triggered when logons are performed using accounts that are not specified.
    • Customize scan targets

      Security Center automatically detects the scan targets that are on your servers. It then performs dynamic and static scans. You can also customize your scan targets.

      1. Click Add next to Add Scan Targets.
      2. Specify a valid scan target and select the server on which the scan target is stored.
        Note Adding the root directory is not supported.
      3. Click OK.
    • Set alarm severity levels

      At the bottom of the Settings sidebar, select the severity levels of the events to be detected.

      The alarm severity levels are as follows:
      • Reminder: An event of this severity level requires you to verify whether it is legitimate, for example, account creation.
      • Warning: An event of this severity level indicates a possible intrusion, for example, a logon to your ECS instance from an unfamiliar location.
      • Urgency: An event of this severity level indicates a successful attack, for example, a virus infection or a denial-of-service attack.
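The advanced logon checks and usual logon locations described above can be modeled as a small allowlist policy evaluated against each logon record. The following is an added example written for this page, not Security Center's own code; the policy values, server names, and logon events are constructed, and the field names (server, ip, account, location, time) are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class LogonPolicy:
    """Mirrors the four logon checks: an empty or None setting disables that check."""
    valid_ips: list = field(default_factory=list)        # CIDR strings (Valid Logon IPs)
    valid_time: Optional[tuple] = None                   # (start, end) datetime.time (Valid Logon Time)
    valid_accounts: set = field(default_factory=set)     # account names (Valid Logon Accounts)
    usual_locations: dict = field(default_factory=dict)  # server -> set of usual logon locations

def in_window(t, start, end):
    """True if clock time t falls inside [start, end]; the window may wrap past midnight."""
    return start <= t <= end if start <= end else (t >= start or t <= end)

def evaluate_logon(policy, event):
    """Return the reasons a single logon event would raise an alarm (empty list = normal)."""
    reasons = []
    if policy.valid_ips and not any(ip_address(event["ip"]) in ip_network(c) for c in policy.valid_ips):
        reasons.append("ip")
    if policy.valid_time and not in_window(event["time"].time(), *policy.valid_time):
        reasons.append("time")
    if policy.valid_accounts and event["account"] not in policy.valid_accounts:
        reasons.append("account")
    usual = policy.usual_locations.get(event["server"])  # servers without a usual location are not checked
    if usual and event["location"] not in usual:
        reasons.append("location")
    return reasons

# Constructed sample settings and logon records; not real data or product defaults.
POLICY = LogonPolicy(
    valid_ips=["10.0.0.0/8"],
    valid_time=(time(8, 0), time(20, 0)),
    valid_accounts={"admin", "deploy"},
    usual_locations={"web-01": {"Hangzhou"}},
)
EVENTS = [
    {"server": "web-01", "ip": "10.1.2.3", "account": "admin", "location": "Hangzhou", "time": datetime(2024, 1, 8, 9, 30)},
    {"server": "web-01", "ip": "203.0.113.7", "account": "root", "location": "Frankfurt", "time": datetime(2024, 1, 8, 3, 15)},
    {"server": "db-01", "ip": "10.9.9.9", "account": "deploy", "location": "Frankfurt", "time": datetime(2024, 1, 8, 12, 0)},
]

def alarms(policy=POLICY, events=EVENTS):
    """Evaluate every event and keep only those that fail at least one check."""
    return [(e["server"], e["account"], evaluate_logon(policy, e)) for e in events if evaluate_logon(policy, e)]

if __name__ == "__main__":
    for server, account, reasons in alarms():
        print(f"{server}: logon by {account} flagged for {', '.join(reasons)}")
```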