Security Center: Configure alert scan scope and handling rules

Last Updated: Mar 31, 2026

Web applications deployed in non-standard paths—such as /data/wwwroot/my_project or /opt/app—are not discovered by Security Center's automatic directory detection, leaving those assets unmonitored. Alert settings let you add those custom web directories to extend scan coverage, and manage the handling rules that suppress or silence alerts. Both settings are maintained in a central panel so your security policies stay accurate over time.

Configure alert generation rules

Some alert types are generated by specific security features, not by alert settings. Manage those alert sources on their respective pages:

| Feature category | Features | Alert types generated |
| --- | --- | --- |
| Host protection | Malicious Behavior Defense, Approved Logon Management, Antivirus | Precise Defense, Unusual Logon, Account Errors, Malicious Software |
| Container protection | Proactive Defense for Containers, Container File Protection | Container Escape Prevention, Proactive Defense for Containers, Container Cluster Anomaly |
| Feature settings | Host Protection Settings, Container Protection Settings | Precise Defense, Webshell, Container Escape Prevention, Container Cluster Anomaly, Suspicious Process Behavior |

Add a custom web directory

Security Center automatically discovers standard web directories on your servers and performs dynamic detection and static scans. For web applications deployed in non-standard paths, add those directories manually so they are included in scanning and protection.

When Security Center detects a web shell connection attempt on a monitored directory, it blocks the connection and generates an alert in the alert list.

Constraints

  • Do not add root directories. Do not add a server's root directory—/ on Linux or C:\ on Windows—as a web directory. Adding root directories degrades server performance and scanning efficiency.

  • Add specific web paths only. Add only the paths where your web applications are stored. Broad or irrelevant directories can cause false positives and unnecessary performance overhead.

Procedure

  1. Log on to the Security Center console. In the upper-left corner, select the region where your assets are deployed: Chinese Mainland or Outside Chinese Mainland.

  2. In the left navigation pane, choose Detection and Response > Alert.

    If you have activated Agentic SOC, the path changes to Agentic SOC > Alert.
  3. On the Alert page, click Cloud Workload Alert Management > Alert Settings in the upper-right corner.

  4. In the Alert Settings panel, click Manage in the Custom Web Directory section.

  5. In the Custom Web Directory panel, enter the absolute path of the web directory to monitor (for example, /home/www/my_app) and select the servers on which the path takes effect.

  6. Click OK.
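
A pre-check for the path entered in step 5, as an added example that is not part of the original page or of Security Center itself: it collects document roots from nginx `root` and Apache `DocumentRoot` directives and applies the constraints above (absolute path, not `/` or `C:\`). Using the web server config as the source of candidate paths, the function names, and the sample config are assumptions of this example.

```python
import ntpath
import posixpath
import re

# nginx "root <path>;" and Apache "DocumentRoot <path>" at the start of a line.
# Commented-out lines are skipped because the pattern is anchored at line start.
DIRECTIVE = re.compile(
    r'^[ \t]*(?:root|DocumentRoot)[ \t]+("[^"\n]+"|[^\s;#]+)',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample config (not taken from any real server).
SAMPLE = """
server { listen 80;
    root /data/wwwroot/my_project;
}
server {
    root /;
    # root /old/site;
}
<VirtualHost *:80>
    DocumentRoot "/opt/app"
</VirtualHost>
server {
    root html;
}
"""

def extract_roots(config_text):
    """Return declared document roots in order of appearance, de-duplicated."""
    roots = []
    for match in DIRECTIVE.finditer(config_text):
        path = match.group(1).strip('"')
        if path not in roots:
            roots.append(path)
    return roots

def check_path(path):
    """Apply the page's constraints: absolute path, and not a server root."""
    if re.match(r"^[A-Za-z]:", path):  # Windows drive path such as C:\inetpub
        rest = ntpath.splitdrive(ntpath.normpath(path))[1]
        if not rest.startswith("\\"):
            return "reject: not absolute"
        return "reject: root directory" if rest.strip("\\") == "" else "ok"
    if not path.startswith("/"):
        return "reject: not absolute"
    # normpath collapses forms like /data/.. that resolve to the root
    return "reject: root directory" if posixpath.normpath(path).strip("/") == "" else "ok"

def review(config_text):
    """Map every declared document root to the result of the constraint check."""
    return {path: check_path(path) for path in extract_roots(config_text)}
```

Only the paths marked `ok` are candidates for the Custom Web Directory panel; a relative nginx root such as `html` has to be resolved to its absolute location first.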

Manage alert handling rules

When you handle a security alert and select Add to Whitelist or Defense Without Notification, Security Center automatically creates a handling rule. These rules are stored centrally so you can review, update, or remove them without searching individual alerts.

Edit or delete a handling rule

  1. Log on to the Security Center console. In the upper-left corner, select the region where your assets are deployed: Chinese Mainland or Outside Chinese Mainland.

  2. In the left navigation pane, choose Detection and Response > Alert.

    If you have activated Agentic SOC, the path changes to Agentic SOC > Alert.
  3. On the Alert page, click Cloud Workload Alert Management > Alert Settings in the upper-right corner.

  4. In the Alert Settings panel, click the Alert Handling Rule tab.

  5. Find the rule you want to modify and click Edit or Delete in the Actions column.

    • Edit: In the Edit Rule panel, update the servers on which the rule takes effect, then click OK.

    • Delete: Click OK to confirm.

      Important: Deleting a rule resumes the default detection and alerting behavior. For example, after you delete a whitelist rule, similar alerts that were previously ignored will be generated again. Make sure you understand the impact before deleting.