Security Center gives you a comprehensive view of security alerts and of the defense capabilities you have enabled, so that you can quickly identify and handle risks. You can view and manage active security alerts, and archive and export historical alert data for later analysis.
Security alert statistics
Security Center provides an overview of your alert defense capabilities to help you quickly understand the overall state of your alerts, including the status of your protection features.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
  Note: If you have activated the Agentic SOC service, the navigation path changes to .
- On the Alert page, view the alert statistics above the CWPP tab.
| Statistic | Description | Actions |
| --- | --- | --- |
| Alerting Servers | The number of instances with active security alerts. | Click the value to go to the Host Assets page for details. |
| Urgent Alerts | The number of unhandled alerts with the Urgent severity level. Note: We recommend that you handle these alerts first. | Click the value to filter for all Urgent alerts. |
| Total Unhandled Alerts | The total number of unhandled alerts at all severity levels. | By default, these alerts are displayed in the alert list on the CWPP tab. For more information, see Evaluate and handle security alerts. |
| Precise Defense | The number of virus alerts automatically blocked by the Malicious Host Behavior Defense feature. Note: An automatically blocked alert means that Security Center has already defended against the threat; no manual action is required. | Click the value to filter for and view all automatically blocked virus alerts. |
| Enabled IP Address Blocking Policies/All Policies | Enabled IP address blocking policies: the number of interceptions by enabled brute-force attack protection rules. All policies: the total number of interceptions by all brute-force attack protection rules, including rules that are now disabled. | Click the value to open the IP Rule Policy Library panel and view details about IP blocking policies. For more information, see Brute-force attack protection. |
| Quarantined Files | The number of threat files quarantined during alert handling. A quarantined file no longer poses a risk to your business. | Click the value to open the File Quarantine panel and view details about the quarantined files. For more information, see View and recover quarantined files. |
| Network Defense Alert | By default, statistics from the last 7 days of Attack Analysis, including the number of basic attacks that were detected and automatically blocked. | Click the value to view the number of attacks, the attack type distribution, the top 5 attack sources, the top 5 attacked assets, and the attack details list. For more information, see Network Defense Alert (formerly Attack Analysis). |
-
AI-detected malicious file alerts
Security Center includes a large-model detection engine that identifies malicious files. Alerts triggered by this engine carry the "AI Detected" tag, and you can filter alerts by this tag. AI detection currently supports only malicious file alerts.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
  Note: If you have activated the Agentic SOC service, the navigation path changes to .
- On the Alert page, click the filter drop-down list, select AI Detected as the filter, and set the value to Yes.
Archived alert data
When the number of handled alerts exceeds 100, Security Center automatically archives any handled alert older than 30 days. Unhandled alerts are never archived. You cannot view archived alerts directly in the console, but you can download them for local analysis.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
  Note: If you have activated the Agentic SOC service, the navigation path changes to .
- In the upper-right corner of the Alert page, choose .
- In the Archive data dialog box, view the archived data.
- In the Download Link column of the archived data that you want to download, click Download to save the data to your local device.
  The archived file is in XLSX format. The download time depends on your network bandwidth and the file size, and typically takes 2 to 5 minutes.
  After the download is complete, open the file to view the details of historical alerts: the alert ID, alert name, alert details, severity level, status, affected asset, remarks for the affected asset, impact summary, and the time when the alert occurred.
  Note: An Expired status indicates that the alert was not handled within 30 days of its creation. We recommend that you promptly handle all security alerts detected by Security Center.
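Because archived alerts are only available as a downloaded XLSX file, any review of past handling has to happen offline. The following Python script is an added example (not part of Security Center or its documentation) that triages an archive using the columns listed above: it counts alerts by severity, lists the Expired alerts and the date on which each one passed the 30-day window, and flags assets that appear repeatedly. The column order, the presence of a header row, and the severity strings other than Urgent are assumptions; the sample rows are constructed data.

```python
"""Offline triage of a downloaded Security Center alert archive (XLSX)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Field order follows the archive columns described on this page; the real
# header text may differ (assumption), so rows are mapped by position.
FIELDS = ("alert_id", "alert_name", "details", "severity", "status",
          "asset", "asset_remarks", "impact", "occurred_at")


@dataclass(frozen=True)
class ArchivedAlert:
    alert_id: str
    alert_name: str
    details: str
    severity: str
    status: str
    asset: str
    asset_remarks: str
    impact: str
    occurred_at: datetime


def parse_row(row) -> ArchivedAlert:
    """Convert one spreadsheet row (tuple of cells) into an ArchivedAlert."""
    cells = list(row[:len(FIELDS)])
    ts = cells[-1]
    # openpyxl yields datetime objects for date cells and str for text cells.
    if not isinstance(ts, datetime):
        ts = datetime.strptime(str(ts), "%Y-%m-%d %H:%M:%S")
    return ArchivedAlert(*[str(c) for c in cells[:-1]], ts)


def load_xlsx(path: str) -> list[ArchivedAlert]:
    """Read a downloaded archive. Needs the third-party openpyxl package,
    imported lazily so that the sample run below works without it."""
    import openpyxl
    wb = openpyxl.load_workbook(path, read_only=True)
    rows = wb.active.iter_rows(values_only=True)
    next(rows, None)  # skip the header row (assumed present)
    return [parse_row(r) for r in rows if r and r[0] is not None]


def triage(alerts: list[ArchivedAlert], sla_days: int = 30) -> dict:
    """Summarise what the archive says about past alert handling.

    An alert with status Expired was never handled inside the 30-day window,
    so the date it lapsed is occurred_at + sla_days.
    """
    expired = [a for a in alerts if a.status == "Expired"]
    return {
        "by_severity": dict(Counter(a.severity for a in alerts)),
        "expired_count": len(expired),
        # Urgent alerts that lapsed unhandled are the ones to re-investigate first.
        "expired_urgent_assets": sorted({a.asset for a in expired if a.severity == "Urgent"}),
        "sla_breached_at": {a.alert_id: a.occurred_at + timedelta(days=sla_days) for a in expired},
        # Assets that keep appearing in the archive point at an unfixed root cause.
        "repeat_assets": sorted(asset for asset, n in Counter(a.asset for a in alerts).items() if n >= 2),
    }


# Constructed sample rows in archive column order (not real export data).
# Severity values other than "Urgent" are placeholders.
SAMPLE_ROWS = [
    ("al-1001", "Suspicious process: reverse shell", "bash opened a /dev/tcp connection",
     "Urgent", "Handled", "i-web-01", "prod web tier", "1 asset", "2024-03-02 10:12:30"),
    ("al-1002", "Webshell file", "PHP file written under /var/www/html",
     "Urgent", "Expired", "i-web-02", "prod web tier", "1 asset", "2024-03-05 08:00:00"),
    ("al-1003", "Unusual logon: new location", "SSH logon from a new country",
     "Suspicious", "Handled", "i-web-02", "prod web tier", "1 asset", "2024-03-11 22:40:15"),
    ("al-1004", "Scheduled task change", "crontab edited by the www user",
     "Reminder", "Expired", "i-db-01", "prod database", "1 asset", "2024-03-12 03:15:00"),
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage([parse_row(r) for r in SAMPLE_ROWS]))
```

For a real archive, call `triage(load_xlsx("archive.xlsx"))`; if the exported header order differs from `FIELDS`, adjust that tuple rather than the parsing code.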
Export alert data
You can filter and export security alerts by criteria such as severity, status, time range, asset group, and alert name. Only the filtered results are exported.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
  Note: If you have activated the Agentic SOC service, the navigation path changes to .
- On the Alert page, on the CWPP tab, filter the alert data that you want to export.
- In the upper-right corner of the alert list, click the export icon.
- When the export is complete, an Exported dialog box appears in the upper-right corner. Click Download to save the data locally.
View and recover quarantined files
Security Center can quarantine detected threat files and add them to the File Quarantine. Files in quarantine are automatically deleted after 30 days. During this period, if you determine that a quarantined file is safe, you can restore it with a single click.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
  Note: If you have activated the Agentic SOC service, the navigation path changes to .
- In the upper-right corner of the Agentic SOC or Alert page, click Quarantined Files.
- On the Quarantined Files panel, perform the following operations:
  - View quarantined files: The list displays the host, path, status, and quarantine time of each quarantined file.
  - Recover a file: In the Actions column of the target file, click Recover. The file is removed from quarantine, and the corresponding alert may reappear in the list of unhandled alerts.
Network Defense Alert (formerly Attack Analysis)
Background information
When you enable Network Threat Prevention rules in Malicious Host Behavior Defense and enable brute-force attack protection policies, Security Center automatically intercepts attacks and displays the related data on the Network Defense Alert page.
- For newly purchased cloud products, you must wait about 3 hours for Security Center to synchronize network attack data before you can view the related attack analysis information.
- Defensive alerts indicate that attacks were automatically blocked by Security Center. No manual action is required.
Precautions
This feature provides basic protection. For business-critical assets involved in high-risk attack events, we recommend that you build a defense-in-depth posture with the following measures:
- Use WAF to protect against complex application-layer attacks.
- Configure Cloud Firewall to implement fine-grained network access control and perimeter protection.
- For high-risk attack source IP addresses, create blocking policies in Cloud Firewall or a security group to achieve more thorough isolation.
Attack data details
| Data category | Description | Core purpose |
| --- | --- | --- |
| Number of attacks | The total count of basic network attacks on all assets under your account within a specified time range. | Helps you quickly understand the overall attack intensity and assess the network security pressure on your assets. |
| Attack type distribution | Displays the number and percentage of each attack type in charts. Common types include brute-force attacks, web attacks, vulnerability exploits, and DDoS attacks. | Identifies the primary attack methods so that you can prioritize targeted hardening. For example, if brute-force attacks are prevalent, focus on strengthening account and password policies. |
| Top 5 attack sources | Lists the top five source IP addresses of attacks. In some cases, it also provides the location and ISP of the IP address. | Quickly pinpoints major threat sources. For persistent, high-frequency attacks, you can add these IP addresses to a blocklist or use them as a starting point for threat investigation. |
| Top 5 attacked assets | Displays the top five most-attacked cloud assets, identified by asset type (such as ECS instance, SLB load balancer, or RDS database) and asset ID. | Identifies the high-priority targets of network attacks so that you can focus resources on hardening key assets, for example by upgrading protection policies or patching vulnerabilities. |
| Attack details list | Provides complete logs of all network defense events, including Attack-associated Vulnerabilities (CVE) and the Attack Payload. | Provides raw, detailed data to support in-depth security event analysis, compliance auditing, and attack forensics. |
Number of attacks
The Attacks section shows a line chart of the total number of attacks on your assets within a specified time range, along with peak and trough values. You can hover over the chart to view the date, time, and number of attacks.
Attack type distribution
The Distribution by Attack Type section displays the name of each attack type and the total number of attacks of that type.
Top 5 attack sources
The Top 5 Attack Sources section lists the top five attack source IP addresses and their corresponding attack counts.
Top 5 attacked assets
The Top 5 Attacked Assets section displays the public IP addresses of your top five most-attacked assets and their corresponding attack counts.
Attack details list
The attack details list displays detailed information about attacks on your assets, including the time of the attack, the source IP address, information about the attacked asset, the attack type, the attack method, and the attack status.
The attack details list displays a maximum of 10,000 entries per query. If more events match, narrow the Time Range and query again so that all attack data within the selected period is returned.
Parameters
| Parameter | Description |
| --- | --- |
| Last Occurred At/First Occurred At | The time when the attack last or first occurred. |
| Attack Source | The source IP address and region from which the attack was initiated. |
| Attacked Asset | The name, public IP address, and private IP address of the attacked asset. |
| Port | The port number that was attacked. This column appears only for SSH brute-force attacks. |
| Attack Type | The type of attack event, such as an SSH brute-force attack or code execution. |
| Attack Status | The current status of the attack event. For common attacks that Security Center detects and defends against by using its platform-native capabilities, the status is Defended. Security Center displays abnormal intrusion events on the CWPP tab of the Alert page. |
Supported operations
Attack source details
Click Details in the Actions column to view a detailed analysis of a specific network defense alert.
- Attack Source Intelligence: Analyzes multiple attributes of the attack source, including:
  - Basic information: Discovery time, attack source IP, last active time, country/region, and threat tags.
  - IP report details: Click Details to the right of the attack source IP address to go to the Threat Intelligence console and view the complete IP profile and all associated threat data.
- Attack-associated Vulnerabilities (CVE): Displays vulnerabilities directly related to the alert. If any exist, we recommend that you handle them promptly to mitigate the risk. For more information, see View and handle vulnerabilities.
- Attack Payload: The part of the attack traffic that contains malicious instructions or data. For example, in an HTTP request, the attack payload might be JSON or XML data carried in a POST request to trigger a vulnerability or perform a malicious action.
Attacked asset information
The attack event list displays information about the attacked asset.

Export attack events
Click the export icon in the upper-left corner of the attack event list to export all attack events detected by Security Center and save them to your local device. The exported file is in Excel format.
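The exported attack event list carries the same fields the console shows (time, attack source, attacked asset, attack type, attack status), so the top-5 views and the blocklist recommendation from the Precautions section can be reproduced offline over a longer window than a single 10,000-entry query. The following Python script is an added example, not Security Center's own tooling: it rebuilds the attack count, attack type distribution, top 5 attack sources and top 5 attacked assets from exported rows, and then proposes blocklist candidates only for sources that are both high-frequency and persistent across days, skipping RFC 1918 sources because an internal attacker is an incident on the CWPP tab, not a perimeter rule. The spreadsheet column order, the RFC 1918 assumption about your VPC address space, the thresholds, and the sample events are all constructed assumptions.

```python
"""Offline aggregation of exported Network Defense Alert events: top-N views
plus a candidate blocklist built from persistent, high-frequency sources."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# RFC 1918 space; assumption: this is what your VPCs use. A source inside it is
# an internal host that needs investigation, not a Cloud Firewall block.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class AttackEvent:
    occurred_at: datetime
    source_ip: str
    asset: str          # attacked asset name or instance ID
    attack_type: str
    status: str


def parse_event(row) -> AttackEvent:
    """Row order assumed here: time, attack source, attacked asset, attack type, status."""
    ts, src, asset, atype, status = row
    return AttackEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, asset, atype, status)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def blocklist_candidates(events, min_events=20, min_days=2):
    """Sources worth a Cloud Firewall or security-group block: at least
    `min_events` events spread over at least `min_days` distinct days.
    A one-day burst (typically a transient scanner) does not qualify."""
    hits = Counter()
    days = defaultdict(set)
    for e in events:
        hits[e.source_ip] += 1
        days[e.source_ip].add(e.occurred_at.date())
    return [f"{ip}/32" for ip, n in hits.most_common()
            if n >= min_events and len(days[ip]) >= min_days and not is_internal(ip)]


def report(events):
    """The views the console shows for a time range, computed from the export."""
    return {
        "attack_count": len(events),
        "by_type": dict(Counter(e.attack_type for e in events)),
        "top_sources": Counter(e.source_ip for e in events).most_common(5),
        "top_assets": Counter(e.asset for e in events).most_common(5),
        "blocklist": blocklist_candidates(events),
    }


def _burst(ip, asset, atype, day_hours, status="Defended"):
    """Build constructed events, one per (day of March 2024, hour) pair."""
    return [(f"2024-03-{d:02d} {h:02d}:00:00", ip, asset, atype, status) for d, h in day_hours]


# Constructed sample export (not real data); public sources use documentation ranges.
SAMPLE_ROWS = (
    _burst("203.0.113.10", "i-web-01", "SSH brute-force attack",
           [(d, h) for d in (1, 2) for h in range(10)] + [(3, h) for h in range(5)])  # 25 events, 3 days
    + _burst("198.51.100.7", "i-web-02", "RDP brute-force attack",
             [(4, h) for h in range(24)])                                              # 24 events, 1 day
    + _burst("10.0.0.5", "i-db-01", "SQL Server brute-force attack",
             [(d, h) for d in (5, 6) for h in range(15)])                              # 30 events, internal source
    + _burst("192.0.2.9", "i-web-01", "Code execution", [(7, 1), (8, 2)])              # low volume
)

if __name__ == "__main__":
    from pprint import pprint
    pprint(report([parse_event(r) for r in SAMPLE_ROWS]))
```

On the sample data the busiest source (10.0.0.5) is deliberately excluded from the blocklist because it is internal, and the one-day RDP burst is excluded because it is not persistent; only 203.0.113.10/32 is proposed. Review the candidates before turning them into Cloud Firewall or security group rules.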
Disable interception rules
- In the attack event list, an icon is displayed in the Attack Type column for events of certain attack types, such as SQL Server brute-force attack and SSH brute-force attack. Hover over the icon to open the Disable interception rule dialog box. You can disable the system interception rules for the following attack types:
  - SQL Server brute-force attack
  - SSH brute-force attack
  - RDP brute-force attack
  - AntSword WebShell communication
  - China Chopper WebShell communication
  - XISE WebShell communication
  - WebShell upload
  - PHP WebShell upload
  - JSP WebShell upload
  - ASP WebShell upload
  - WebShell upload with special suffix
  - Intelligent defense for WebShell upload
  - Adaptive web attack defense
  - Java generic RCE vulnerability blocking
- If you want to stop Security Center from automatically intercepting this type of attack, click Go to the Malicious Behavior Defense page to navigate to that page and disable the corresponding system defense rule. Disable a rule only after you have confirmed that the intercepted traffic is legitimate; while the rule is disabled, Security Center no longer blocks that attack type automatically.