
Security Center:Security alerts - Agentic SOC

Last Updated: Jan 20, 2026

After you enable Agentic SOC, Security Center analyzes and processes logs in Agentic SOC to generate alerts and incidents. The security alert feature lets you centrally manage alert records from multiple security products. This topic describes the security alert feature of Agentic SOC and explains how to view alert data.

Notes

After you enable Agentic SOC, security alert information from Cloud Workload Protection Platform (CWPP) is migrated to the security alert directory of Agentic SOC. You can view and handle these alerts on the CWPP tab. For more information about how to handle alerts, see Evaluate and handle security alerts.

Prerequisites

  • You have purchased and enabled the Agentic SOC service. For more information, see Purchase and enable Agentic SOC.

  • You have added logs from the required products. For more information, see Product access.

Alert source

The following list describes the data source of the alerts on each tab of the Alerts page.

  • Aggregate and Analyze Alerts: Agentic SOC performs an in-depth analysis of the logs that you add and generates alerts based on predefined rules.

  • Custom Alert Analysis: Agentic SOC performs an in-depth analysis of the logs that you add and generates alerts based on the custom rules that you configure.

  • CWPP: Security Center alerts for intrusion detection and defense related to hosts and containers. For more information, see Security alerts - CWPP (Cloud Workload).

  • Cloud Firewall:

    • Alert logs of Alibaba Cloud Cloud Firewall that are added to Agentic SOC.

    • Alert logs of firewalls from third-party cloud and security vendors that are added to Agentic SOC, such as Tencent Cloud, Huawei Cloud, and Fortinet firewalls.

  • WAF:

    • Alert logs of Alibaba Cloud Web Application Firewall that are added to Agentic SOC.

    • Alert logs of Web Application Firewalls from third-party cloud and security vendors that are added to Agentic SOC, such as Tencent Cloud, Huawei Cloud, and Fortinet.

  • EDR: Alert logs of third-party Endpoint Detection and Response (EDR) services that are added to Agentic SOC, such as Sangfor aES alert logs.

  • Others: Other alert logs that are added to Agentic SOC, excluding Security Center alert logs, firewall logs, Web Application Firewall logs, and EDR logs.

Comparison between Agentic SOC alerts and CWPP alerts

The following list compares Agentic SOC alerts (the alerts on all tabs other than the CWPP tab) with CWPP alerts (all alerts on the CWPP tab).

  • Alert source

    • Agentic SOC alerts: Alerts are generated by analyzing and processing the logs that are added to Agentic SOC based on predefined and custom rules.

    • CWPP alerts: Alerts for intrusion detection and defense related to hosts and containers are detected by using threat detection models.

  • Can be handled

    • Agentic SOC alerts: Alerts cannot be handled individually; you can only view them. You can handle the security incidents that are generated from collections of Agentic SOC alerts.

    • CWPP alerts: Alerts can be handled individually. The handling methods include trojan scan, fencing, blocking, and adding to the whitelist. You can also handle aggregated security incidents.

  • Alert retention period

    • Agentic SOC alerts: Alerts are retained for 30 days. If an alert hits an event generation rule and generates an event, the alert is retained for 180 days. Alerts are automatically deleted after their retention period expires.

    Note

    The preceding alert retention period applies to Agentic SOC alerts. These alerts are displayed on all tabs except for the CWPP tab.

Alert handling instructions

  • Agentic SOC alerts are stateless and cannot be handled. Agentic SOC analyzes and makes judgments based only on the log data that you add; it does not rely on historical alert data to generate new alerts.

  • You can use the security incident handling feature of Agentic SOC to address security threats to your assets. For more information, see Handle security incidents and Response orchestration.
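The page states two rules for Agentic SOC alerts: an alert is retained for 30 days, or 180 days once it hits an event generation rule, and related alerts are aggregated into security incidents that you handle instead of the individual alerts. The following Python program is an added illustration of both rules and is not the product's own logic. The event generation rule it applies (alerts that name the same malicious entity, reported by at least two different products within one hour, form one incident), the alert fields, and the sample alerts are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Retention periods as stated on this page for Agentic SOC (non-CWPP) alerts.
ALERT_RETENTION_DAYS = 30         # plain alert
EVENT_ALERT_RETENTION_DAYS = 180  # alert that hit an event generation rule


@dataclass
class Alert:
    alert_id: str
    source: str               # tab the alert appears on, e.g. "WAF", "Cloud Firewall"
    affected_asset: str
    malicious_entity: str     # attacking IP address, process, or file
    occurred_at: datetime
    event_id: Optional[str] = None   # set once an event generation rule matches


@dataclass
class Incident:
    event_id: str
    malicious_entity: str
    alerts: List[Alert] = field(default_factory=list)

    @property
    def sources(self) -> set:
        return {a.source for a in self.alerts}


def expires_at(alert: Alert) -> datetime:
    """Deletion time derived from the retention rule above."""
    days = EVENT_ALERT_RETENTION_DAYS if alert.event_id else ALERT_RETENTION_DAYS
    return alert.occurred_at + timedelta(days=days)


def _finalize(entity: str, cluster: List[Alert], min_sources: int) -> List[Incident]:
    # Hypothetical rule: a cluster becomes an incident only when at least
    # `min_sources` different products reported the same malicious entity.
    if len({a.source for a in cluster}) < min_sources:
        return []
    event_id = f"evt-{entity}-{cluster[0].occurred_at:%Y%m%d%H%M}"
    for a in cluster:
        a.event_id = event_id     # the alert now falls under the 180-day retention
    return [Incident(event_id, entity, list(cluster))]


def build_incidents(alerts: List[Alert], window: timedelta = timedelta(hours=1),
                    min_sources: int = 2) -> List[Incident]:
    """Group alerts by malicious entity, then split each group into time clusters
    whose alerts all fall within `window` of the cluster's first alert."""
    by_entity: Dict[str, List[Alert]] = {}
    for a in sorted(alerts, key=lambda x: x.occurred_at):
        by_entity.setdefault(a.malicious_entity, []).append(a)
    incidents: List[Incident] = []
    for entity, group in by_entity.items():
        cluster = [group[0]]
        for a in group[1:]:
            if a.occurred_at - cluster[0].occurred_at <= window:
                cluster.append(a)
            else:
                incidents.extend(_finalize(entity, cluster, min_sources))
                cluster = [a]
        incidents.extend(_finalize(entity, cluster, min_sources))
    return incidents


def sample_alerts() -> List[Alert]:
    """Constructed sample data; the IP addresses are documentation ranges."""
    t0 = datetime(2026, 1, 10, 9, 0)
    return [
        Alert("a1", "WAF", "web-01", "203.0.113.7", t0),
        Alert("a2", "Cloud Firewall", "web-01", "203.0.113.7", t0 + timedelta(minutes=10)),
        Alert("a3", "EDR", "web-01", "203.0.113.7", t0 + timedelta(minutes=25)),
        Alert("a4", "WAF", "web-02", "198.51.100.5", t0),                         # single source: stays an alert
        Alert("a5", "Others", "web-01", "203.0.113.7", t0 + timedelta(hours=5)),  # outside the window
    ]


if __name__ == "__main__":
    alerts = sample_alerts()
    for inc in build_incidents(alerts):
        print(inc.event_id, sorted(inc.sources), [a.alert_id for a in inc.alerts])
    for a in alerts:
        print(a.alert_id, a.event_id, expires_at(a).date())
```

Running the script shows one incident built from the WAF, Cloud Firewall, and EDR alerts for 203.0.113.7, whose expiry moves out to 180 days, while the two alerts that matched no rule keep the 30-day retention.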

View alerts

The following procedure describes how to view alerts. This topic uses the alerts on the Aggregate and Analyze Alerts tab as an example.

  1. Log on to the Security Center console. In the upper-left corner of the console, select the region where your asset is located: China or Outside China.

  2. In the navigation pane on the left, choose Agentic SOC > Alert.

  3. On the Aggregate and Analyze Alerts tab, view the alerts that are generated based on predefined rules.

    • To view the details of the affected asset of an alert, click the link in the Affected Asset column.

    • To view the malicious entity that generated an alert, click the link in the Malicious Entity column. A malicious entity is an element or behavior that Agentic SOC parsed from the logs and that poses a threat to system security, such as the IP address, process, or file that initiated the attack.

    • To view the details of the event associated with an alert, click the ID in the Associated Event ID column.

  4. In the Actions column for an alert, click Details to view its details.

    You can view the basic information, affected asset, occurrence time, and description of the alert.

Tutorials on how to handle common virus alerts

Security hardening solutions

  • Upgrade Security Center: The Enterprise and Ultimate editions support automatic virus isolation, which provides precise defense and more security check items.

  • Tighten access control: Open only necessary service ports, such as 80 and 443. Configure strict IP address whitelists for management ports, such as 22 and 3389, and database ports, such as 3306.

    Note

    For Alibaba Cloud ECS servers, see Manage security groups.

  • Set complex server passwords: Create complex passwords that contain uppercase letters, lowercase letters, digits, and special characters for your servers and applications.

  • Upgrade software: Promptly update your applications to the latest official versions. Avoid using old versions that are no longer maintained or that have known security vulnerabilities.

  • Perform regular backups: Create an automatic snapshot policy for important data and system disks.

    Note

    If you use an Alibaba Cloud ECS server, see Create an automatic snapshot policy.

  • Fix vulnerabilities promptly: Regularly use the Vulnerability Fix feature in Security Center to fix important system and application vulnerabilities promptly.

  • Reset the server system (use with caution).

    If a virus deeply infects the system and compromises underlying system components, back up important data and then reset the server system. Perform the following steps:

    1. Create a snapshot to back up important data on the server. For more information, see Create a snapshot.

    2. Reinitialize the operating system of the server. For more information, see Reinitialize a system disk.

    3. Create a disk from the snapshot. For more information, see Create a data disk from a snapshot.

    4. Attach the disk to the server on which you reinstalled the operating system. For more information, see Attach a data disk.
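The "Tighten access control" item above recommends opening only the necessary service ports (80 and 443) and restricting management ports (22 and 3389) and database ports (3306) to strict IP address whitelists. The following Python program is an added example, not part of this page or of Security Center, that audits a set of inbound rules against that recommendation: any rule that exposes a management or database port to a /0 source is flagged HIGH, and any rule that exposes such a port to a source outside an assumed allow list is flagged MEDIUM. The rule structure, the allow list, and the sample rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Port classes named on this page: management ports and database ports need a
# strict source allow list; the web ports may stay open to everyone.
MANAGEMENT_PORTS = {22, 3389}
DATABASE_PORTS = {3306}
PUBLIC_OK_PORTS = {80, 443}
SENSITIVE_PORTS = MANAGEMENT_PORTS | DATABASE_PORTS


@dataclass(frozen=True)
class InboundRule:
    protocol: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    source_cidr: str   # source address range the rule admits


def exposed_sensitive_ports(rule: InboundRule) -> set:
    """Sensitive TCP ports that fall inside the rule's port range."""
    proto = rule.protocol.lower()
    if proto not in ("tcp", "all"):
        return set()
    lo, hi = (1, 65535) if proto == "all" else (rule.port_from, rule.port_to)
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def audit_rules(rules: List[InboundRule],
                allowed_source_nets: List[str]) -> List[Tuple[str, int, InboundRule]]:
    """Return (severity, port, rule) findings.
    HIGH:   a sensitive port is reachable from any address (/0 source).
    MEDIUM: a sensitive port is reachable from a source outside the allow list."""
    allowed = [ipaddress.ip_network(n) for n in allowed_source_nets]
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule.source_cidr, strict=False)
        for port in sorted(exposed_sensitive_ports(rule)):
            if src.prefixlen == 0:
                findings.append(("HIGH", port, rule))
            elif not any(src.version == a.version and src.subnet_of(a) for a in allowed):
                findings.append(("MEDIUM", port, rule))
    return findings


def sample_rules() -> List[InboundRule]:
    """Constructed rule set; address ranges are documentation/private ranges."""
    return [
        InboundRule("tcp", 80, 80, "0.0.0.0/0"),           # fine: public web port
        InboundRule("tcp", 443, 443, "0.0.0.0/0"),         # fine: public web port
        InboundRule("tcp", 22, 22, "198.51.100.0/24"),     # fine: SSH from the admin network only
        InboundRule("tcp", 3389, 3389, "0.0.0.0/0"),       # HIGH: RDP open to the world
        InboundRule("tcp", 3306, 3306, "203.0.113.0/24"),  # MEDIUM: MySQL from an unlisted network
        InboundRule("tcp", 1, 65535, "0.0.0.0/0"),         # HIGH x3: every port open to the world
    ]


ADMIN_NETS = ["198.51.100.0/24", "10.0.0.0/8"]   # assumed admin and VPC ranges


if __name__ == "__main__":
    for severity, port, rule in audit_rules(sample_rules(), ADMIN_NETS):
        print(f"{severity:6} port {port:<5} {rule.protocol} "
              f"{rule.port_from}-{rule.port_to} from {rule.source_cidr}")
```

The check deliberately ignores the web ports, so a rule opening 80 or 443 to the world produces no finding; the catch-all 1-65535 rule is reported once per sensitive port so that each exposure can be tracked and closed separately.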

References

  • After you add logs from cloud services, you can configure alert detection rules to aggregate multiple related security alerts into security incidents that show complete attack chains. This reduces the number of alerts and improves the efficiency of alert analysis and response. For more information, see Configure threat detection rules.

  • You can call API operations for security alerts to query security alert information. For a list of the API operations, see Security alerts.