When Agentic SOC is enabled, Security Center analyzes ingested logs and generates alerts. This page describes how alerts are sourced, what limits apply, and how to view alert details.
After you enable Agentic SOC, Cloud Workload Protection Platform (CWPP) security alert information is migrated to the security alert directory of Agentic SOC. View and handle those alerts on the CWPP tab. For details, see Evaluate and handle security alerts.
Prerequisites
Before you begin, make sure that you have:
Purchased and enabled the Agentic SOC service. For details, see Purchase and enable Agentic SOC.
Added logs from the required products. For details, see Product access.
Alert sources
The Alerts page is organized into tabs by alert source. Each tab shows alerts from a distinct data source.
| Tab | Data source |
|---|---|
| Aggregate and Analyze Alerts | Alerts generated by Agentic SOC from your ingested logs, based on predefined rules. |
| Custom Alert Analysis | Alerts generated by Agentic SOC from your ingested logs, based on your custom rules. |
| CWPP | Security Center intrusion detection and defense alerts for hosts and containers. See Security alerts - CWPP (Cloud Workload). |
| Cloud Firewall | Alert logs from Alibaba Cloud Firewall and third-party firewalls (such as Tencent Cloud, Huawei Cloud, and Fortinet) added to Agentic SOC. |
| WAF | Alert logs from Alibaba Cloud Web Application Firewall (WAF) and third-party WAF products (such as Tencent Cloud, Huawei Cloud, and Fortinet) added to Agentic SOC. |
| EDR | Alert logs from third-party Endpoint Detection and Response (EDR) services added to Agentic SOC, such as Sangfor aES. |
| Others | All other alert logs added to Agentic SOC, excluding Security Center, Cloud Firewall, WAF, and EDR logs. |
Agentic SOC alerts vs. CWPP alerts
Alerts on the CWPP tab behave differently from alerts on all other tabs. The key differences are detection method and handling options.
| Dimension | Agentic SOC alerts (all tabs except CWPP) | CWPP alerts (CWPP tab only) |
|---|---|---|
| Detection method | Agentic SOC analyzes ingested logs against predefined and custom rules. | Security Center detects intrusions using threat detection models on host and container activity. |
| Individual handling | Cannot be handled individually — alerts are view-only. | Can be handled individually. Supported actions include trojan scan, fencing, blocking, and adding to the whitelist. |
| Incident handling | Handle security incidents — aggregated collections of Agentic SOC alerts — to address threats. | Handle both individual alerts and aggregated security incidents. |
Alert retention
Agentic SOC alerts (all tabs except CWPP) are retained as follows:
30 days by default.
180 days if the alert triggers an event generation rule and generates an event.
Alerts are deleted automatically when their retention period expires.
Why Agentic SOC alerts cannot be handled individually
Agentic SOC alerts are stateless: each alert is generated fresh from the ingested log data, without referencing earlier alerts or their handling state. Agentic SOC analyzes and makes judgments only on the added log data and does not rely on historical data to generate new alerts, so there is no persistent per-alert state to update, which is why individual handling is not offered.
To respond to security threats identified by Agentic SOC alerts, use the security incident handling feature. Security incidents aggregate related alerts into complete attack chains, and you can apply response actions at the incident level. For details, see Handle security incidents and Response orchestration.
View alerts
The following steps use the Aggregate and Analyze Alerts tab as an example.
Log on to the Security Center console. In the upper-left corner, select the region where your asset is located: China or Outside China.
In the left navigation pane, choose Agentic SOC > Alert.
On the Aggregate and Analyze Alerts tab, review the list of alerts generated by predefined rules. For each alert, you can:
Click the link in the Affected Asset column to see details about the asset involved.
Click the link in the Malicious Entity column to see the elements or behaviors parsed by Agentic SOC — such as IP addresses, processes, or files — that pose a threat.
Click the ID in the Associated Event ID column to open the associated security event.
In the Actions column, click Details to open the alert detail panel. The panel shows the alert's basic information, affected asset, occurrence time, and description.
Tutorials on handling common virus alerts
Security hardening
If you detect threats in your alerts, apply the following hardening measures to reduce exposure:
Upgrade Security Center: The Enterprise and Ultimate editions support automatic virus isolation, providing more precise defense and a broader set of security checks.
Restrict access: Open only necessary ports (such as 80 and 443). Apply strict IP address whitelists to management ports (22 and 3389) and database ports (3306).
For Alibaba Cloud ECS servers, see Manage security groups.
Use strong passwords: Set passwords containing uppercase letters, lowercase letters, digits, and special characters for all servers and applications.
Keep software up to date: Update applications to the latest official versions. Avoid versions that are no longer maintained or have known vulnerabilities.
Back up regularly: Create an automatic snapshot policy for important data and system disks.
For Alibaba Cloud ECS servers, see Create an automatic snapshot policy.
Fix vulnerabilities promptly: Use the Vulnerability Fix feature in Security Center to address important system and application vulnerabilities.
Reset the server system (use with caution): If a virus has deeply compromised underlying system components, back up your data and reinitialize the server. Follow these steps:
Create a snapshot to back up important data. See Create a snapshot.
Reinitialize the operating system. See Reinitialize a system disk.
Create a disk from the snapshot. See Create a data disk from a snapshot.
Attach the disk to the reinstalled server. See Attach a data disk.
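As an added example (not code from the Security Center documentation or product), the following Python function checks a set of security group rules against the Restrict access guidance above: it flags inbound accept rules that expose 22, 3389 or 3306 to any source, and rules that open ports other than 80 and 443 to the whole Internet. The rule dict keys and the "low/high" port-range format are assumptions, and the sample rules are constructed.

```python
from ipaddress import ip_network

# Policy from the hardening guidance above: 80/443 may be world-reachable,
# while 22, 3389 and 3306 need an explicit source IP whitelist.
PUBLIC_OK_PORTS = {80, 443}
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}
ANY_SOURCE = {ip_network("0.0.0.0/0"), ip_network("::/0")}

def parse_port_range(port_range):
    """Parse a 'low/high' range; '-1/-1' means all ports (assumed format)."""
    low, high = (int(p) for p in port_range.split("/"))
    return (1, 65535) if (low, high) == (-1, -1) else (low, high)

def audit_rules(rules):
    """Flag inbound accept rules open to the whole Internet (rule keys are an assumed shape)."""
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "accept":
            continue
        if rule.get("IpProtocol", "").lower() not in ("tcp", "all"):
            continue  # the sensitive services listed here are all TCP
        source = ip_network(rule["SourceCidrIp"], strict=False)
        if source not in ANY_SOURCE:
            continue  # source already limited to a whitelist
        low, high = parse_port_range(rule["PortRange"])
        exposed = [p for p in sorted(SENSITIVE_PORTS) if low <= p <= high]
        for port in exposed:
            findings.append({"severity": "high", "port": port,
                             "service": SENSITIVE_PORTS[port], "source": str(source)})
        # No sensitive port hit, but still not one of the necessary ports (80/443).
        if not exposed and not (low == high and low in PUBLIC_OK_PORTS):
            findings.append({"severity": "medium", "port": f"{low}-{high}",
                             "service": "unlisted", "source": str(source)})
    return findings

SAMPLE_RULES = [  # constructed sample rules, not from any real account
    {"Direction": "ingress", "Policy": "accept", "IpProtocol": "tcp",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "accept", "IpProtocol": "tcp",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "accept", "IpProtocol": "tcp",
     "PortRange": "3306/3306", "SourceCidrIp": "10.0.1.0/24"},
    {"Direction": "ingress", "Policy": "accept", "IpProtocol": "all",
     "PortRange": "-1/-1", "SourceCidrIp": "::/0"},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['service']} port {f['port']} open to {f['source']}")
```

The whitelisted 3306 rule produces no finding, while the "all ports" IPv6 rule yields one high finding per sensitive port.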
What's next
Configure alert detection rules to aggregate related alerts into security incidents that show complete attack chains, reducing alert volume and improving response efficiency. See Configure threat detection rules.
Query security alert data using the API. See Security alerts API reference.