Security Center collects asset fingerprint data from your servers — accounts, open ports, running processes, middleware, databases, web services, and more — giving you a detailed inventory of your IT environment. Use this data to spot configuration drift, identify exposed services, and accelerate threat investigation.
Automatic collection is disabled for all fingerprint types by default. No data is collected until you configure a collection schedule or trigger a manual collection.
Limitations
Subscription: Enterprise or Ultimate edition. To upgrade, see Upgrade Security Center.
The protection edition assigned to each server must match the edition you purchased. See Attach a protection edition to a server.
Pay-as-you-go: The pay-as-you-go billing method must be enabled for Host and Container Security. See Purchase Security Center.
The server protection level must be Host Protection or Host and Container Protection. See Attach a protection level to a server.
How data collection works
Security Center supports three collection methods:
| Method | When to use |
|---|---|
| Automatic periodic collection (recommended) | Set a collection frequency per fingerprint type. Security Center collects data on the configured schedule and keeps fingerprint tabs up to date. Start here if you want ongoing visibility. |
| Collect latest data for all assets | Trigger an immediate collection across all servers when you need a fresh snapshot before the next scheduled run. |
| Collect data for a single asset | Trigger an immediate collection for one specific server. |
The AI Component tab has three subtabs — AI Application, AI Tools, and AI Service — with different data sources:
AI Application data is collected by the Security Center client installed on your servers.
AI Tools and AI Service data comes from the agentless scanning feature. If you don't use agentless scanning or have no AI-related assets, these subtabs show no data.
Prerequisites
Before you begin, ensure that you have:
The Security Center client installed and online on the servers you want to collect data from. See Install the Security Center client
Configure automatic periodic collection
Log on to the Security Center consoleSecurity Center console. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
In the left navigation pane, choose Assets > Host.
On the Assets > Host > Account tab, click Configuration Management.
In the Configuration Management dialog box, set a collection frequency for each fingerprint type, then click OK.
The default refresh rate for all fingerprint types is Disabled. Set different frequencies for different types based on how often that data changes.
The collection frequency you set for Middleware also applies to Database, Web Service, and AI Component.
After you save the configuration, Security Center automatically collects fingerprint data at the specified frequency and updates the corresponding tabs.
Collect the latest data for all assets
On the Assets > Host > Account tab, click Collect Latest Data.
In the Collect Latest Data dialog box, select the fingerprint types to collect, then click OK.
Collection takes 1–5 minutes.
Collect data for a single asset
On the Assets > Host > Servers tab, find the server and click View in the Actions column.
On the asset details page, click the Asset Fingerprints tab, then click the tab for the fingerprint type you want.
ImportantThe Asset Fingerprint Investigation tab appears only for servers protected by Security Center Enterprise or Ultimate edition.
In the upper-right corner, click Collect Data Now. In the Data Collection Task Submitted dialog box, click OK.
Collection takes 1–5 minutes.
View asset fingerprint data
View fingerprints across all assets
Log on to the Security Center consoleSecurity Center console. In the upper-left corner, select your region.
In the left navigation pane, choose Assets > Host.
Click the tab for the fingerprint type you want to view, such as Account.
The page has three areas:
Fingerprint list — All fingerprints of the selected type, with a count of servers where each fingerprint appears.
Detail list — Click a fingerprint in the left list (for example, an account name) to see which servers have that fingerprint and its full details.
Search — Enter a value to filter fingerprints. Fuzzy match is supported. For example, search for an account name to find all servers where that account exists.
View fingerprints for a single asset
On the Servers tab, find the server and click View in the Actions column.
On the asset details page, click the Asset Fingerprint Investigation tab, then select the fingerprint type you want to view.
ImportantThe Asset Fingerprint Investigation tab appears only for servers protected by Security Center Enterprise or Ultimate edition.
Asset fingerprint reference
Account
Information about OS accounts on the server:
| Field | Description |
|---|---|
| Server information | The server the account belongs to. |
| Account | The account name. |
| ROOT permission | Whether the account has root permissions. |
| User group | The user group the account belongs to. |
| Expiration time | When the account password expires. |
| Password expired | Whether the account password has expired. |
| Password locked | Whether the account password is locked. |
| Account expired | Whether the account has expired. |
| Sudo account | Whether the account has sudo permissions. |
| Interactive logon account | Whether the account has logon permissions. |
| Last logon | The last time the account was used to log on to the server. |
| Last scan time | The last time Security Center collected this data. |
Port
Information about listening ports on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Port | The listener port number. |
| Network protocol | The protocol used by the listener port. |
| PID | The ID of the process bound to the listener port. |
| Associated process | The process bound to the listener port. |
| IP | The IP address of the network interface card (NIC) the listener port is attached to. |
| Last scan time | The last time Security Center collected this data. |
Process
Information about running processes on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Process name | The process name. |
| Process path | The startup path of the process. |
| Startup parameter | The startup parameters of the process. |
| Start time | When the process started. |
| Running user | The user who started the process. |
| Running permission | The permissions of the user who started the process. |
| PID | The process ID. |
| Parent process PID | The ID of the parent process. |
| File MD5 | The MD5 hash of the process binary. |
| Package process | Whether the process comes from an installation package. |
| Process status | The current status of the process. |
| Last scan time | The last time Security Center collected this data. |
Middleware
Information about middleware running on the server. Middleware refers to independently runnable system components, such as MySQL and Docker.
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Middleware | The middleware name. |
| Type | The middleware type. |
| Runtime environment version | The version of the middleware runtime environment. |
| Version | The middleware version number. |
| PID | The ID of the middleware startup process. |
| Startup path | The startup path of the middleware. |
| Version authentication information | The method used to determine the middleware version. |
| Parent process PID | The ID of the parent process. |
| Running user | The user who started the middleware. |
| Listener IP | The IP address the middleware listens on. |
| Listener port | The port the middleware listens on. |
| Listener status | The current listener status. |
| Listener port protocol | The network protocol of the listener port. |
| Start time | When the middleware started. |
| Process command line | The command and parameters used to start the middleware. |
| Container name | The container where the middleware is running (if applicable). |
| Image name | The image the container is based on (if applicable). |
| Configuration path | The absolute path to the middleware startup configuration. |
| Last scan time | The last time Security Center collected this data. |
AI components
The AI Component tab has three subtabs.
AI Application — Information about AI applications collected by the Security Center client. AI components are functional modules that make up an AI system, such as data modules, model modules, and inference modules.
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| AI component | The component name. |
| Type | The component type. |
| Version | The component version. |
| PID | The process ID. |
| Startup path | The startup path. |
| Version authentication information | The method and path used to determine the component version. |
| Parent process PID | The ID of the parent process. |
| Running user | The system user account the component process runs under. |
| Listener IP | The network address the component listens on. 0.0.0.0 means all IPv4 interfaces; :: means all IPv6 interfaces. |
| Listener port | The port the component listens on. |
| Listener status | The current listener status. |
| Listener port protocol | The network protocol of the listener port. |
| Start time | When the component started. |
| Startup command line | The full startup command and parameters. |
| Container name | The container instance where the component runs (if applicable). |
| Image name | The full image path in the image repository (if applicable). |
| Configuration path | Absolute paths to the component's key configuration files. |
| Last scan time | The last time Security Center collected this data. |
AI Tools — Information about AI tools detected by agentless scanning in ECS instances and images. AI tools are software libraries and frameworks used to develop, train, deploy, or run AI models — typically Python packages that underpin large model applications.
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| AI tool | The tool name. |
| Version | The tool version number. |
| Installation path | Where the tool is installed. |
| Last scan time | The last time agentless scanning collected this data. |
AI Services — Information about AI services detected by agentless scanning in ECS instances and images. AI services are large language model (LLM) interfaces provided by external platforms, callable over the network for AI chat, code generation, image understanding, and similar features.
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| AI service | The service name. |
| Endpoint | The interface address used to access the service. |
| File location | The configuration file path. |
| Last scan time | The last time agentless scanning collected this data. |
Database
Information about databases running on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Database name | The database name. |
| Type | The database type. |
| Version | The database version number. |
| PID | The ID of the database startup process. |
| Startup path | The startup path. |
| Version authentication information | The method used to determine the database version. |
| Parent process PID | The ID of the parent process. |
| Running user | The user who started the database. |
| Listener IP | The IP address the database listens on. |
| Listener port | The port the database listens on. |
| Listener status | The current listener status. |
| Listener port protocol | The network protocol of the listener port. |
| Start time | When the database started. |
| Startup command line | The command and parameters used to start the database. |
| Container name | The container where the database runs (if applicable). |
| Image name | The image the container is based on (if applicable). |
| Configuration path | The absolute path to the database startup configuration. |
| Last scan time | The last time Security Center collected this data. |
Web service
Information about web services running on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Web service name | The web service name. |
| Type | The web service type. |
| Runtime environment version | The JDK runtime environment version. |
| Version | The web service version number. |
| PID | The ID of the web service startup process. |
| Startup path | The startup path. |
| Version authentication information | The method used to determine the version. |
| Parent process PID | The ID of the parent process. |
| Running user | The user who started the web service. |
| Listener IP | The IP address the web service listens on. |
| Listener port | The port the web service listens on. |
| Listener status | The current listener status. |
| Listener port protocol | The network protocol of the listener port. |
| Start time | When the web service started. |
| Startup command line | The command and parameters used to start the web service. |
| Container name | The container where the web service runs (if applicable). |
| Image name | The image the container is based on (if applicable). |
| Configuration path | The absolute path to the web service startup configuration. |
| Web directory | The path to the web configuration page. |
| Last scan time | The last time Security Center collected this data. |
Software
Information about software installed on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Software name | The software name. |
| Version | The software version number. |
| Software startup path | The startup path. |
| Software update time | When the software version was last updated. |
| Last scan time | The last time Security Center collected this data. |
Scheduled task
Information about scheduled tasks configured on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Command | The command line the scheduled task runs. |
| Task schedule | The task schedule. |
| MD5 | The MD5 hash of the scheduled task process. |
| Account name | The account that starts the task. |
| Last scan time | The last time Security Center collected this data. |
Startup item
Information about services and programs configured to start automatically:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Startup item path | The path to the startup service. |
| Last scan time | The last time Security Center collected this data. |
Kernel module
Information about kernel modules loaded on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Module name | The kernel module name. |
| Module size | The size of the kernel module file. |
| Module file path | The path to the kernel module. |
| Number of dependent modules | The number of other modules this module depends on. |
| Last scan time | The last time Security Center collected this data. |
Website
Information about websites hosted on the server:
| Field | Description |
|---|---|
| Server information | The server name and IP address. |
| Domain name | The domain name configured for the website. |
| Site type | The web server software type. |
| Port | The listener port. |
| Web path | The path to the WebHome directory. |
| Web root path | The root directory path in the web configuration. |
| User | The user who started the web service. |
| Directory permission | The permissions on the web directory. |
| Listener protocol | The listener protocol. |
| PID | The process ID. |
| Start time | When the web service started. |
| Image name | The image the container is based on (if applicable). |
| Container name | The container where the website runs (if applicable). |
| Last scan time | The last time Security Center collected this data. |
What's next
To view the full security status of a server, see Manage servers.
To discover assets in an on-premises data center using network probes, see Connect to IDC assets.