
Security Center: Features

Last Updated: Jan 20, 2026

Security Center is a cloud-native security platform that provides unified management for multicloud assets, security risk prevention, threat detection, response, and attack source tracing. It uses a lightweight agent and agentless detection technology to provide comprehensive security protection for your servers, containers, and cloud products. This helps you meet classified protection compliance requirements. This document outlines its core features and billing models.

Core concepts

| Concept | Explanation |
| --- | --- |
| Edition | In the subscription (prepaid) model, editions represent the protection capabilities set for a server. Higher editions include more comprehensive features. |
| Protection Level | After you enable the pay-as-you-go Host and Container Security feature, protection levels represent the protection capabilities set for a server. Higher protection levels include more comprehensive features. |
| Value-added Service | In the subscription (prepaid) model, these are features that you must purchase separately, such as Vulnerability Fixing, Agentic SOC, and Container Image Security Scan. |

Function Overview

Billing items

| Criteria | Subscription (upfront) | Pay-as-you-go |
| --- | --- | --- |
| Billing characteristics | Pay a fixed cost monthly or yearly. This makes budget management easier. | Pay for what you use. This method is flexible and requires no upfront investment. |
| Billable items | Fee = Edition fee + Value-added service fee (optional). | Fee = Basic service fee + Feature usage fee. |

Subscription billable items:

  • Edition fee: Security Center provides the Anti-virus, Advanced, Enterprise, and Ultimate editions and the Value-added Plan. Higher-tier editions include more comprehensive features.

  • Value-added service fee: The fee for extra services, such as anti-ransomware or threat analysis and response.

Pay-as-you-go billable items:

  • Basic service fee: A fixed monthly fee that is charged when you enable any pay-as-you-go feature. By default, this includes DingTalk Robot, security reports, and Task Hub (requires you to first enable or purchase the vulnerability fixing feature).

  • Feature usage fee: You are charged for the specific features you enable, such as host and container security or Simple Log Service. You can enable and be billed for each feature separately.

Feature menu

| Feature Module | Function Overview |
| --- | --- |
| Overview | Calculates an overall security score to quantify your asset security posture and identify weaknesses. Provides a dashboard for visualizing your network security posture. |
| Asset Center | Provides a unified inventory and panoramic view of your cloud assets, containers, and servers. It collects asset fingerprints, such as accounts, ports, and processes, for fine-grained inventory and visual management. |
| Risk Governance | Scans and analyzes the Internet exposure risks of your assets. Provides vulnerability detection and management for systems, applications, and Web-CMS. It also performs baseline compliance checks and sends risk alerts based on classified protection schemes and best practices. |
| Detection and Response | Monitors and sends alerts for various security threats in real time, including abnormal processes, web shells, malware, and unusual logons and network connections. Supports attack tracing, threat analysis, and event handling to improve event response efficiency. |
| Agentic SOC | Centrally collects and analyzes security logs and alerts from multicloud environments and multiple accounts. It uses built-in detection rules and AI models to automatically discover threats and uses automated response playbooks for rapid handling. |
| Host Protection | Integrates a virus scanning engine and malicious behavior defense rules to secure hosts with features such as brute-force attack protection and core file monitoring. Provides advanced protection capabilities like anti-ransomware and web tamper proofing. |
| Container Protection | Provides proactive defense for container runtimes, including risky image blocking, container escape prevention, and file tamper proofing. It uses policies such as network microsegmentation and image signing to fully secure container clusters. |
| Application Protection | Uses runtime application self-protection (RASP) technology to detect and block attacks from within applications. This provides built-in, proactive security for your business applications. |
| System Settings | Provides configuration features such as Task Hub, Security Report, client management, access control, alert notifications, and multi-account management. Supports global custom settings for security policies and O&M. |

Feature details

Overview

  • Security Score

    • Feature description: This feature uses a comprehensive evaluation mechanism for dual global data centers (China and global) to dynamically calculate a health index on a scale of 0 to 100. The score is calculated by deducting points based on the real-time security status of cloud assets, such as alert events and configuration defects. A higher score indicates a better security posture for your assets, reflecting both current security risks and the degree of remediation.

    • Edition support: Supported by default. No edition limits apply.

Assets

  • Cloud Asset Overview

    • Feature description: Provides a panoramic view and a unified entry point for managing the security of your cloud assets. It includes a complete overview of your cloud assets, network topology, security scores, and asset security risks.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Enterprise and Ultimate |
      | Pay-as-you-go | Enable the Host and Container Security pay-as-you-go feature, and set the protection level for your servers to Host Protection or Hosts and Container Protection. |

  • Container Asset Overview

    • Feature description: Provides visualized security management and a network topology of your cloud container assets. This feature helps you efficiently manage the security of your container assets across clusters, containers, images, and applications.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Only supported by Ultimate. |
      | Pay-as-you-go | Enable the Host and Container Security pay-as-you-go feature, and set the protection level for your servers to Hosts and Container Protection. |

  • Server List

    • Feature description: Provides security status information for all servers, including protection status, group, region, and virtual private cloud (VPC) statistics.

    • Edition support: Supported by default. No edition limits apply.

  • Asset Fingerprint Investigation

    • Feature description: Collects the following fingerprint data:

      • Account: Collects server account and permission information to inventory privileged accounts and detect privilege escalation.

      • Port: Collects and displays port listener information to help you inventory open ports.

      • Process: Collects and displays process snapshots to help you inventory legitimate processes and detect abnormal ones.

      • Middleware: Collects middleware information to help you understand the middleware present on your assets.

      • Database: Collects database information to help you understand the databases present on your assets.

      • Web Service: Collects web service information to help you understand the web services present on your assets.

      • Software: Inventories installed software information to quickly locate affected assets when a high-risk vulnerability is discovered.

      • Scheduled Task: Collects scheduled task information to help you inventory the task paths on your assets.

      • Startup Item: Collects startup item information to quickly locate the corresponding startup item when handling vulnerabilities.

      • Kernel Module: Collects kernel module information to quickly locate the corresponding kernel module when handling vulnerabilities.

      • Website: Collects web site information from servers to help you understand the details of web sites on your assets.

      • IDC Probe Finding: If an IDC probe is configured on an IDC server, this feature displays information about other IDC servers detected within the data center. This helps you understand the basic status of servers in your IDC.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Only supported by Enterprise and Ultimate. |
      | Pay-as-you-go | Enable the Host and Container Security pay-as-you-go feature, and set the protection level for your servers to Host Protection or Hosts and Container Protection. |

  • Security Check

    • Feature description: After you perform a one-click check, Security Center runs checks on the specified servers based on your configurations. These checks include vulnerability detection and baseline checks.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Only supported by Advanced, Enterprise, and Ultimate. |
      | Pay-as-you-go | Enable the Host and Container Security pay-as-you-go feature, and set the protection level for your servers to Host Protection or Hosts and Container Protection. |

  • Container Assets

    • Feature description: Provides security status statistics and risk information for all clusters, pods, containers, and images.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Only supported by Ultimate. |
      | Pay-as-you-go | Enable the Host and Container Security pay-as-you-go feature, and set the protection level for your servers to Hosts and Container Protection. |

  • Cloud Products

    • Feature description: Provides security status information for cloud products. This includes information about at-risk cloud products and statistics by cloud product category, such as Server Load Balancer and ApsaraDB RDS.

    • Edition support: Supported by default. No edition limits apply.

  • Websites

    • Feature description: Provides security status information for all websites, including root domain names, subdomains, and statistics on their risk status and alert counts.

    • Edition support: Supported by default. No edition limits apply.

  • Serverless Assets

    • Feature description: Supports runtime security risk detection for instances of serverless architecture cloud products on Alibaba Cloud. This includes assets such as Serverless App Engine (SAE) and serverless instances of Container Compute Service (ACS). The feature provides malicious file detection, vulnerability scanning, and compliance baseline checks.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Not supported |
      | Pay-as-you-go | Enable the Serverless Asset Protection pay-as-you-go feature. |

Risk Governance

  • Asset Exposure Analysis

    • Feature description: Scans and analyzes Alibaba Cloud resources, such as ECS instances, gateway assets, system components, and ports. It identifies security risks and vulnerabilities that may be exposed to the internet, helping you promptly discover and resolve issues to improve the security of your cloud resources.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Only supported by Enterprise and Ultimate. |
      | Pay-as-you-go | Enable the Host and Container Security pay-as-you-go feature, and set the protection level for your servers to Host Protection or Hosts and Container Protection. |

  • Vulnerability Management

    • Feature description: Automatically discovers, assesses, and remediates security vulnerabilities on your servers. It provides automated vulnerability scanning and remediation solutions, replacing traditional manual patching for large-scale server cluster security maintenance.

      Scanning methods

      Vulnerability scanning supports two methods: manual scanning and automatic (periodic) scanning.

      • Manual scanning: Immediately assesses the vulnerability status of your servers.

      • Automatic scanning (periodic): Sets up periodic tasks for automated, continuous vulnerability monitoring.

      Vulnerability fixing

      Vulnerability scanning supports the following three remediation methods:

      • One-click remediation: Security Center provides a one-click remediation feature in the console to help you automate vulnerability remediation without logging on to servers for manual operations.

        Important

        The one-click remediation feature is not supported for Application Vulnerability or Urgent Vulnerability.

      • Automatic remediation: You can turn on the Automatic Vulnerability Remediation switch to configure automatic remediation tasks. This lets you periodically fix newly discovered vulnerabilities at a specified time.

        Important

        • Automatic remediation tasks depend on the one-click remediation feature. If the current edition and vulnerability type do not support one-click remediation, automatic remediation is also not supported.

        • Automatic remediation only supports non-kernel Linux system vulnerabilities. Other vulnerabilities are not supported.

      • Manual remediation: If the current edition or vulnerability does not support one-click remediation, or if the Vulnerability Fix feature is not enabled, you must log on to the server and fix the vulnerability manually based on the suggestions in the vulnerability details.

      Vulnerability types and fixing solutions

      • Linux Software Vulnerability:

        • Detection method: Compares software versions against the official CVE vulnerability database using an OVAL matching engine to alert on vulnerabilities in the currently used software versions.

        • Remediation solution: Supports one-click remediation and one-click rollback through automated snapshot capabilities for safer vulnerability remediation.

      • Windows System Vulnerability:

        • Detection method: Syncs with Microsoft's official patch source to detect and alert on high-risk and impactful vulnerabilities.

        • Remediation solution: Supports one-click remediation. It automatically identifies prerequisite patch packages required for vulnerability remediation, resolving issues where servers cannot be patched due to missing prerequisites. It also provides reminders for vulnerabilities that require a system restart, improving the efficiency of remediating Windows system vulnerabilities.

      • Web-CMS Vulnerability:

        • Detection method: Monitors website directories, identifies common website building software, and detects vulnerabilities in the software by comparing vulnerability files.

        • Remediation solution: Uses self-developed vulnerability patches and supports one-click remediation. It fixes vulnerabilities at the source code level by replacing or modifying files.

      • Urgent Vulnerability:

        • Detection method: Provides detection services for newly emerging emergency vulnerabilities on the network.

        • Remediation solution: Does not support one-click remediation. You can log on to the server and fix the vulnerability manually based on the provided suggestions.

      • Application Vulnerability:

        • Detection method: Provides detection for weak passwords in system services, system service vulnerabilities, and application service vulnerabilities.

        • Remediation solution: Does not support one-click remediation. You can log on to the server and fix the vulnerability manually based on the provided suggestions.

    • Edition support:

      | Service Model | Service Edition / Protection Level | Manual Scan Scope | Periodic Automatic Scan Scope | Vulnerability Fixing Capability |
      | --- | --- | --- | --- | --- |
      | Subscription | Enterprise Edition, Ultimate Edition | All | All | Supports fixing Linux, Windows, and Web-CMS vulnerabilities. |
      | Subscription | Advanced Edition | All vulnerabilities except Application Vulnerability. | All vulnerabilities except Application Vulnerability. | Supports fixing Linux and Windows vulnerabilities. |
      | Subscription | Basic Edition, Value-added Edition, Anti-virus Edition | Urgent Vulnerability only. | Linux Software Vulnerability, Windows System Vulnerability, Web-CMS Vulnerability. | See the Important note below the table. |
      | Pay-as-you-go | Host Protection, Host and Container Protection | All | All | See the Important note below the table. |
      | Pay-as-you-go | Unprotected, Anti-Virus | Urgent Vulnerability only. | Linux Software Vulnerability, Windows System Vulnerability, Web-CMS Vulnerability. | See the Important note below the table. |

      Important

      To enable One-click Fix, you must purchase the separate Vulnerability Fix value-added service. For instructions, see Purchase Vulnerability Fixing (Subscription) and Activate Vulnerability Fixing (Pay-as-you-go). After purchase, supports fixing Linux and Windows vulnerabilities.

  • Cloud Security Posture Management

    • Feature description: Cloud Security Posture Management (CSPM) discovers and manages security risks in cloud assets through automated risk checks, baseline scans, and attack path analysis. This feature identifies security vulnerabilities, such as cloud product configuration errors and server configuration defects, and provides remediation suggestions to resolve these security risks.

      • Cloud Product Configuration Risk Check: Scans the configurations of your cloud assets to identify configuration risks in multicloud environments across three scenarios: identity and permission management, cloud product security best practices, and compliance checks.

      • Baseline Risk Check: Dives deep into the host (server) operating system level to discover and remediate issues such as weak passwords, insecure configurations, or missing important patches based on industry standards and security specifications to meet compliance requirements.

        Server baseline checks

        • Check description:

          • Performs security configuration scans on servers through a task-based model and sends alerts for items that do not meet the standards.

          • Supports custom detection policies to set check items, check cycles, and applied server groups. Custom detection scripts are not currently supported.

          • Supports custom weak password rules. It periodically checks your cloud product baselines for these weak passwords based on your configured baseline policies and sends an alert if a match is found.

        • Detection scope:

          • High-risk exploit

            Detects risks of unauthorized access vulnerabilities in services such as CouchDB and Docker.

          • Container security

            Detects risks in Docker, Kubernetes master nodes, and Kubernetes nodes.

          • Classified protection compliance

            Checks for compliance with security baseline requirements for MLPS Level 3, MLPS Level 2, and international general security best practices.

          • Security best practices

            Checks for compliance with security baseline requirements for Linux, Windows, Redis, and more.

          • Weak password

            Detects weak passwords used for logging on to MongoDB, FTP, Linux systems, and more.

        Container baseline checks

        • Check description: Provides security detection and alerts for container configurations. It performs risk checks on container baseline configurations for Kubernetes master nodes and worker nodes based on Alibaba Cloud's container security best practices.

        • Detection scope:

          • Alibaba Cloud Standard - Docker Security Baseline Check

            Based on Alibaba Cloud's best security practices for Docker baselines, it performs risk investigation and timely warnings from aspects such as Docker's security audit, service configuration, and file permissions.

          • Alibaba Cloud Standard - Kubernetes Master Security Baseline Check

            Baseline checks for Kubernetes master nodes based on Alibaba Cloud's container security best practices.

          • Alibaba Cloud Standard - Kubernetes Node Security Baseline Check

            Baseline checks for Kubernetes worker nodes based on Alibaba Cloud's container security best practices.

      • Attack Path Analysis: Analyzes risks such as vulnerabilities, exposed assets, and misconfigurations to identify attack paths and potential risk points in the cloud. It also supports posture analysis and management of cloud product configurations and potential attack paths in a unified console.

    • Edition support:

      Subscription

      • Purchase the Advanced, Enterprise, or Ultimate Edition

        Important

        If your current edition is Anti-virus or the value-added plan and you have not purchased the CSPM value-added service, you can detect and verify the free check items of Cloud service configuration check. However, risk remediation, baseline check, and attack path analysis are not supported.

        | Feature | Feature details | Quota consumption |
        | --- | --- | --- |
        | Cloud service configuration check | Check items: Free check items (Note: the Ultimate Edition additionally supports KSMP check items). Operations: Detection and verification are supported. Remediation is not supported. | Does not consume Quota. |
        | Baseline check | Check items: Advanced Edition supports only weak password check items; Enterprise Edition supports all check items except those for container security; Ultimate Edition supports all check items. Operations: Scanning, verification, and remediation are supported. | Included in the edition fee; does not consume Quota. |
        | Attack path analysis | Not supported | N/A |

      • Purchase the CSPM value-added service

        Important

        If you purchase a service edition at the same time, feature support is as follows:

        • For Advanced, Enterprise, or Ultimate Edition: Your current edition determines the supported check items and operations for Baseline check (see the description of Advanced, Enterprise, or Ultimate Editions). Cloud service configuration check and Attack path analysis are not affected by the edition and are detailed in the table below.

        • For Anti-virus Edition and value-added plan: Baseline check, Cloud service configuration check, and Attack path analysis are not affected by the edition and are detailed in the table below.

        | Feature | Feature details | Quota consumption |
        | --- | --- | --- |
        | Cloud service configuration check | Check items: All check items (free + paid). Operations: Detection, verification, and remediation are supported. | Free check items: Successful remediation consumes Quota. Paid check items: Scanning, verification, or successful remediation consumes Quota. |
        | Baseline check | Check items: All check items. Operations: Detection, verification, and remediation are supported. | Scanning, verification, or successful remediation consumes Quota. |
        | Attack path analysis | Supported | This feature is included with the paid CSPM service and does not consume Quota. |

      Pay-as-you-go

      You must enable the CSPM pay-as-you-go feature.

      Important

      If you only purchase the Host and Container Security pay-as-you-go feature, you can detect and verify free check items for Cloud Service Configuration Risk. However, risk remediation, System Baseline Risks, and Attack Path features are not supported.

      | Feature | Feature details | Quota consumption |
      | --- | --- | --- |
      | Cloud service configuration check | Check items: All check items (free + paid). Operations: Detection, verification, and remediation are supported. | Free check items: Successful remediation consumes Quota. Paid check items: Scanning, verification, or successful remediation consumes Quota. |
      | Baseline check | Check items: All check items. Operations: Detection, verification, and remediation are supported. | Scanning, verification, or successful remediation consumes Quota. |
      | Attack path analysis | Supported | This feature is included with the paid CSPM service and does not consume Quota. |

  • AccessKey Leak Detection

    • Feature description: Monitors the code hosting site GitHub in real time to detect if publicly available source code contains AccessKey information for your Alibaba Cloud account.

    • Edition support: Supported by default. No edition limits apply.

  • Cloud Honeypot

    • Feature description: Provides ready-to-use proactive defense capabilities for both cloud and on-premises environments. It deploys honeypots on critical paths of a potential intrusion to lure attackers into decoy applications. This lets you obtain fake data, prolong the attack, record the complete attack behavior for tracing, capture advanced unknown attacks, and even launch counter-attacks. It provides security operators and defenders with a proactive defense approach.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Requires the purchase of the Cloud Honeypot value-added service. |
      | Pay-as-you-go | Not supported. |

  • Malicious File Detection SDK

    • Feature description:

      • File Detection SDK: Leverages the Security Center multi-engine detection platform to provide an easy-to-use malicious file detection service. You only need to write a small amount of code to identify malicious files using the SDK.

      • OSS File Detection: Combines cloud-native advantages to support the detection of files in Alibaba Cloud Object Storage Service (OSS) buckets and accurately identify malicious files.

      • Malicious File Handling: When a risky file, such as a web shell, mining program, or virus/Trojan, is detected in an ECS instance or OSS bucket, an alert is generated. The Malicious File Detection SDK provides methods to handle the detected malicious file, such as adding it to a whitelist, ignoring it, or blocking access.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Requires the purchase of the Malicious File Detection value-added service. |
      | Pay-as-you-go | Requires enabling the Malicious File Detection pay-as-you-go feature. |

  • Log Analysis

    • Feature description: Centrally stores and manages security-related logs, providing a unified entry point for querying and analysis. This helps you quickly locate issues and meet compliance audit requirements.

      • Host Logs: Records logs such as logon history, process startups, account snapshots, and DNS requests. This helps you monitor user activity, system events, and application operations on hosts to discover potential threats and optimize performance.

      • Security Logs: Records security logs such as vulnerabilities, baselines, security alerts, and cloud security posture management. This helps you observe security trends, improve security policies and defense mechanisms, and identify system weaknesses.

    • Edition support:

      | Billing Model | Support Information |
      | --- | --- |
      | Subscription | Anti-virus, Advanced, Enterprise, and Ultimate: Requires the purchase of the Log Analysis value-added service. Note: For the specific log categories supported by different editions, see Log categories and field descriptions. |
      | Pay-as-you-go | Enable the Log Management pay-as-you-go service. |

      Note

      The Log Analysis feature has been integrated into Log Management. For more information, see Migration guide from Log Analysis to Log Management and Log Management.

Detection and Response

Note

When the Agentic SOC service is enabled, the Detection and Response feature menu will be moved under Agentic SOC.

  • Security Alert

    • Feature description:

      • CWPP (Cloud Workload) Security Alerts:

        • Provides real-time detection of security alerts for hosts, containers, and cloud products. The detection scope covers activities on hosts and containers, such as processes, files, and network behavior. Using threat detection models, it provides detection capabilities for abnormal process behavior, web shells, malware, vulnerability exploits, container escapes, and more. This helps you promptly discover security threats in your assets and maintain a real-time understanding of your security posture.

        • In addition to various detection models, the precision defense model provides defense and interception capabilities for high-risk attack behaviors, such as ransomware attacks, reverse shells, malicious command execution, loading of high-risk drivers, and planting of malicious files.

        • It also provides methods for threat removal, such as Virus Detection and Removal, Deep Cleanup, and Quarantine, and alert noise reduction, such as Add to Whitelist and Ignore, to handle security threats promptly.

      • Network Defense Alert (formerly Attack Analysis): If you enable the Network Threat Prevention rules in Host Rules - Malicious Behavior Defense and the Host Rules - Brute-force Attacks Protection policy, Security Center provides defense and interception capabilities for high-risk network attack behaviors, such as malicious DNS requests, web shell uploads, adaptive web attack defense, and brute-force attacks. The Network Defense Alert page displays more information about the intercepted network attacks.

    • Edition support:

      Subscription

      | Service Edition | Detection Scope | Alert Handling Capability |
      | --- | --- | --- |
      | Basic, Value-added Plan | Common simple attacks in the cloud, including traditional one-line web shells, logons from unusual locations, self-mutating Trojans, DDoS Trojans, and mining programs (does not include container assets). | Alert noise reduction: Add to Whitelist, Ignore, etc. |
      | Anti-virus | Basic capabilities + detection and precision defense models for suspicious and malicious files (including binaries) (does not include container assets). | Threat removal: Virus Detection and Removal, Deep Cleanup, Quarantine, etc. Alert noise reduction: Add to Whitelist, Ignore, etc. |
      | Advanced | Anti-virus capabilities + detection and precision defense models for suspicious and malicious process activities and file operations (does not include container assets). | Same as Anti-virus. |
      | Enterprise | Advanced capabilities + over 380 detection and precision defense models for all malicious behaviors such as process activities, file operations, and network connections (does not include container assets). | Same as Anti-virus. |
      | Ultimate | Enterprise capabilities (covering container assets) + detection and proactive defense models for container-specific attack behaviors such as container escapes, running risky images, and starting non-image programs. | Same as Anti-virus. |

      Pay-as-you-go

      | Protection Level | Detection Scope | Alert Handling Capability |
      | --- | --- | --- |
      | Unprotected | Common simple attacks in the cloud, including traditional one-line web shells, logons from unusual locations, self-mutating Trojans, DDoS Trojans, and mining programs (does not include container assets). | Alert noise reduction: Add to Whitelist, Ignore, etc. |
      | Antivirus | Unprotected level capabilities + detection and precision defense models for suspicious and malicious files (including binaries) (does not include container assets). | Threat removal: Virus Detection and Removal, Deep Cleanup, Quarantine, etc. Alert noise reduction: Add to Whitelist, Ignore, etc. |
      | Host Protection | Antivirus level capabilities + over 380 detection and precision defense models for all malicious behaviors such as process activities, file operations, and network connections (does not include container assets). | Same as Antivirus. |
      | Hosts and Container Protection | Host Protection capabilities (covering container assets) + detection and proactive defense models for container-specific attack behaviors such as container escapes, running risky images, and starting non-image programs. | Same as Antivirus. |

  • Security Event Handling

    • Feature description:

      • Security Center uses graph computing technology to aggregate related CWPP alerts into events, such as alerts with the same MD5 hash or parent process ID. By assessing the impact of an event, performing handling actions to contain the threat, and hardening the system, you can prevent similar events from recurring.

      • Handling methods include the following: Use Recommended Handling Policy, Add to Whitelist, Update Incident Status, and Run Playbook.

    • Edition support: Supported by default. No edition limits apply. However, the alert data that generates events and the types of alerts detected vary by edition.

  • Log Management

    • Feature description: Supports storing and viewing Security Center logs, such as vulnerability logs, security alert logs, and client event logs. This helps you accurately locate alerts, trace the source of attacks, and improve response speed.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Purchase the Log Storage Capacity of the Agentic SOC value-added service.

      Important

      If you only purchase log ingestion traffic, storing and querying Security Center logs is not supported.

      Pay-as-you-go

      Enable the Log Management pay-as-you-go service.

Agentic SOC

When the Agentic SOC service is enabled, Detection and Response related services are migrated under the Agentic SOC service. It also supports ingesting logs from third-party cloud products (such as Tencent Cloud and Huawei Cloud) and local IDCs.

  • Feature description:

    • Product Integration: Provides a unified log integration center to collect, standardize, and analyze log data from various sources, including third-party security products and clouds (such as Fortinet, Chaitin, Microsoft, Sangfor, Tencent Cloud, HUAWEI CLOUD, Hillstone Networks, and Knownsec) and on-premises data centers (DCs).

    • Rule Management: Analyzes ingested alerts and logs, reconstructs threat attack chains and timelines, and generates correlated alerts and detailed security events. It also supports custom detection rules to build a threat detection system tailored to your business.

    • Security Alert

      • Analyzes and processes logs ingested into Agentic SOC to generate alerts and events.

      • The CWPP Security Alert feature is migrated into the Agentic SOC Security Alert feature.

    • Security Event Handling

      • Uses predefined or custom detection rules in Agentic SOC to analyze the context of multiple security alerts and aggregate them into complete events. It reconstructs the attack chain and extracts malicious entities to help you quickly respond to and handle cloud security risks.

      • The feature for aggregating CWPP alerts, such as those with the same MD5 hash or parent process ID, into security events is migrated into Agentic SOC Security Event Handling.

      • Handling methods include the following: Use Recommended Handling Policy, Update Incident Status, Run Playbook, Add to Whitelist, and Automatically handle security events (response orchestration).

    • Response Orchestration: Response Orchestration (SOAR) is a comprehensive security solution. It orchestrates and connects different systems or services to automate the operations and maintenance (O&M) for security alerts and events. It aims to strengthen enterprise security defense and improve security event response efficiency.

    • Log Management:

      • Standardized Logs: Stores standardized alert logs generated by custom rules and standardized logs generated for Real-time Consumption through the standardized ingestion policy.

      • Security Center Logs: The Log Management feature of Detection and Response is migrated into the Agentic SOC Log Management feature.

  • Edition support:

    Billing Model

    Support Information

    Subscription

    Purchase the Agentic SOC value-added service.

    Important

    To support Security Center logs, you must purchase the Log Storage Capacity for Agentic SOC.

    Pay-as-you-go

    Enable the Agentic SOC pay-as-you-go service.
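The alert-to-event aggregation described under Security Event Handling above and again under Agentic SOC Security Event Handling (linking alerts that share an MD5 hash or a parent process ID) is shown here as an added Python example; it is not Security Center's code, and the field names, severity scale, union-find approach and sample alerts are assumptions constructed for illustration.

```python
"""Added example (not Security Center code): link alerts that share a file
MD5 hash or a parent process ID into one security event, then rank events by
impact. Field names and the sample alerts at the bottom are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    severity: str
    md5: Optional[str] = None         # hash of the file involved, if any
    parent_pid: Optional[int] = None  # parent process ID, if process-related

@dataclass
class Event:
    event_id: int
    alert_ids: List[str]
    hosts: Set[str]
    severity: str  # highest severity among the member alerts

def entity_keys(alert: Alert) -> List[str]:
    """Entities an alert can share. A parent PID is host-local, so it is
    namespaced by host; a file hash is global, so one dropper on two hosts
    produces a single event spanning both hosts."""
    keys = []
    if alert.md5:
        keys.append(f"md5:{alert.md5}")
    if alert.parent_pid is not None:
        keys.append(f"ppid:{alert.host}:{alert.parent_pid}")
    return keys

def aggregate_alerts(alerts: List[Alert]) -> List[Event]:
    """Connected components of the alert/entity graph, highest impact first."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:  # union-find root lookup with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for alert in alerts:
        node = f"alert:{alert.alert_id}"
        find(node)  # register the alert even if it shares no entity
        for key in entity_keys(alert):
            parent[find(node)] = find(key)  # union alert with entity

    groups: Dict[str, List[Alert]] = defaultdict(list)
    for alert in alerts:
        groups[find(f"alert:{alert.alert_id}")].append(alert)

    events = []
    for members in groups.values():
        top = max(SEVERITY_RANK[a.severity] for a in members)
        severity = next(s for s, r in SEVERITY_RANK.items() if r == top)
        events.append(Event(0, [a.alert_id for a in members],
                            {a.host for a in members}, severity))
    # Impact order: severity, then number of affected hosts, then alert count
    events.sort(key=lambda e: (SEVERITY_RANK[e.severity], len(e.hosts),
                               len(e.alert_ids)), reverse=True)
    for n, event in enumerate(events, start=1):
        event.event_id = n
    return events

DROPPER_MD5 = "deadbeef" * 4  # constructed placeholder hash, not a real IoC
SAMPLE_ALERTS = [  # constructed: one dropper chain on web-01/02, two loners
    Alert("a1", "web-01", "high", md5=DROPPER_MD5),
    Alert("a2", "web-01", "medium", md5=DROPPER_MD5, parent_pid=4242),
    Alert("a3", "web-01", "high", parent_pid=4242),
    Alert("a4", "web-02", "high", md5=DROPPER_MD5),
    Alert("a5", "db-01", "medium"),
    Alert("a6", "db-01", "low", parent_pid=4242),  # same PID, other host
]
```

Running `aggregate_alerts(SAMPLE_ALERTS)` yields one high-severity event spanning web-01 and web-02 (a1 to a4) and two single-alert events; a6 is not merged with the web-01 chain because its parent PID belongs to a different host.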

Host Protection

  • Virus Scanning

    • Feature description: The Security Center expert team has launched a virus scanning engine based on Alibaba Cloud's machine learning technology. This engine provides one-click virus scanning by automatically analyzing massive virus samples, persistence methods, and attack techniques.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Anti-virus, Advanced, Enterprise, and Ultimate

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and set the server's protection level to Antivirus, Host Protection, or Host and Container Protection.

  • Host Rule Management

    • Feature description:

      • Malicious Behavior Defense: Supports built-in and custom malicious behavior defense rules to harden server system security.

      • Defense Against Brute-force Attacks: Sets policies to prevent brute-force cracking of host resource account passwords.

      • Common Logon Management: Sets common logon locations, IP addresses, times, and accounts to generate alerts for logons from outside the specified scope.

    • Edition support:

      Service Model

      Feature Support Description

      Subscription

      • Anti-virus

        • Only supports whitelisting process hashes using custom rules in Malicious Behavior Defense.

        • Only supports Common Logon Location management in Common Logon Management.

      • Advanced

        • Only supports Process Protection in System Defense Rule under Malicious Behavior Defense. Network defense is not supported.

        • Supports all features of Defense Against Brute-force Attacks and Common Logon Management.

      • Enterprise and Ultimate

        Supports all features of Malicious Behavior Defense, Defense Against Brute-force Attacks, and Common Logon Management.

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and bind a protection level to the server.

      • Antivirus

        • Supports whitelisting process hashes using custom rules in Malicious Behavior Defense.

        • Supports Common Logon Location management in Common Logon Management.

      • Host Protection and Host and Container Protection

        Supports all features of Malicious Behavior Defense, Defense Against Brute-force Attacks, and Common Logon Management.

  • Core File Monitoring

    • Feature description: Provides real-time monitoring and alerts for file operations such as access, modification, deletion, and renaming to reduce the risk of core files being stolen or tampered with.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Enterprise and Ultimate

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and set the server's protection level to Host Protection or Host and Container Protection.

  • Agentless Detection

    • Feature description: Uses agentless technology to scan and discover security risks such as ECS vulnerabilities, malicious files, and baseline configuration issues without installing a client.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Not supported

      Pay-as-you-go

      Enable the Host Protection Agentless Detection pay-as-you-go feature.

  • Anti-ransomware

    • Feature description: Supports backup and recovery of server and database files to mitigate the impact of ransomware attacks.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Purchase the Anti-ransomware value-added service.

      Pay-as-you-go

      Enable the Host Protection Anti-ransomware pay-as-you-go feature.

  • Web Tamper Proofing

    • Feature description: Provides real-time monitoring of website directories and restores tampered files or directories from backups. This ensures that important website information is not maliciously altered and prevents the injection of Trojans, black links, or illegal content, such as content related to terrorism or pornography.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Purchase the Web Tamper Proofing value-added service.

      Pay-as-you-go

      Enable the Web Tamper Proofing pay-as-you-go feature.

Container Protection

  • Proactive Container Defense

    • Feature description:

      • Risk Image Blocking

        This feature performs security risk checks on images and takes actions such as blocking, alerting, or allowing based on proactive container defense rules. This ensures that only images that meet your security requirements are started in the cluster.

      • Non-image Program Defense

        This feature detects and blocks the startup of programs that are not part of the image during container runtime, proactively defending against malware intrusion.

      • Container Escape Prevention

        This feature detects high-risk behaviors from multiple dimensions such as processes, files, and system calls. It establishes a protective barrier between the container and the host, effectively blocking escape attempts and ensuring container runtime security.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Ultimate

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and set the server's protection level to Host and Container Protection.

  • Container File Protection

    • Feature description: The container file defense feature provides real-time monitoring of directories or files within a container. It generates alerts or blocks tampering attempts when directories or files are maliciously altered, preventing the injection of illegal information or malicious code files into applications.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Ultimate

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and set the server's protection level to Host and Container Protection.

  • Container Firewall

    • Feature description: The container firewall is a firewall service provided by Security Center for container environments. If an attacker intrudes into a container cluster by exploiting vulnerabilities or using malicious images, the container firewall generates an alert or blocks the abnormal behavior.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Ultimate

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and set the server's protection level to Host and Container Protection.

  • Container Image Signing

    • Feature description: Supports trusted signing of container images to ensure that only approved container images are deployed. This prevents the startup of unauthorized, unsigned images and helps improve asset security.

      Note

      Currently, only Kubernetes clusters deployed in the China (Hong Kong) region support container image signing.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Ultimate

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and set the server's protection level to Host and Container Protection.

  • Image Security Scan

    • Feature description: Scans container images for security risks such as vulnerabilities, malicious files, configuration risks, and sensitive data, and provides remediation suggestions.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Requires the purchase of the Container Image Scan value-added service.

      Important

      When purchasing, you can only buy the Container Image Scan value-added service if you select Advanced, Enterprise, Ultimate, or Value-added Plan.

      Pay-as-you-go

      Not supported.

  • CI/CD Integration Settings

    • Feature description: Detects and identifies high-risk system vulnerabilities, application vulnerabilities, malicious viruses, web shells, malicious execution scripts, configuration risks, and sensitive data in images during the build stage of Jenkins or GitHub projects. It also provides vulnerability remediation suggestions.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Requires the purchase of the Container Image Scan value-added service.

      Important

      When purchasing, you can only buy the Container Image Scan value-added service if you select Advanced, Enterprise, Ultimate, or Value-added Plan.

      Pay-as-you-go

      Not supported.

Application Protection

  • Feature description: Based on runtime application self-protection (RASP) technology, it provides security defense for applications by detecting attacks at runtime and generating alerts or blocking them. For more information, see What is Application Protection.

  • Edition support:

    Billing Model

    Support Information

    Subscription

    Purchase the Application Protection value-added service.

    Pay-as-you-go

    Enable the Application Protection pay-as-you-go service.

System Settings

  • Task Hub

    • Feature description: Provides task management features. By executing tasks, you can automate and batch-remediate vulnerabilities on multiple servers.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Enterprise and Ultimate

      Pay-as-you-go

      Enable pay-as-you-go for Vulnerability Fixing.

  • Security Report

    • Feature description: You can customize the security data you want to follow and have it sent periodically to the mailboxes of relevant security personnel. This allows for more effective real-time monitoring of your assets' security status.

    • Edition support:

      Billing Model

      Support Information

      Subscription

      Advanced, Enterprise, and Ultimate

      Pay-as-you-go

      Enable any pay-as-you-go service.

  • Feature Settings - Settings - Host Protection Settings

    • Feature description:

      • Proactive Defense

        • Malicious Host Behavior Prevention: Helps you automatically block and kill common network viruses, including mainstream ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, backdoors, and worms.

        • Anti-ransomware (Bait Capture): Provides a honeypot to capture new ransomware viruses and automatically initiates defense against new ransomware based on virus behavior analysis.

        • Webshell Prevention: Helps you automatically block abnormal connection behaviors from hackers through known web shells. You can also view alerts and quarantine samples in Security Alert, and view the quarantined samples in the quarantine box.

        • User Experience Optimization in Proactive Defense: If a server shuts down abnormally or its security defense capabilities are compromised, Security Center will collect the server's Kdump data for security analysis to continuously improve the security defense experience.

      • Webshell Detection and Removal: Periodically detects web shells and Trojan programs in website servers and web directories.

      • Adaptive Threat Detection Capability: After you enable adaptive threat detection, if a high-risk intrusion event occurs on a server, Security Center automatically switches the server's client to strict alert mode to detect intrusions more quickly.

      • Alert Settings: Provides different alert modes for server alerts to meet your security needs in various application scenarios.

        • Balanced Mode: Alibaba Cloud aims to minimize false positives while detecting more potential risks.

          Note

          By default, Security Center enables Balanced Mode for all connected servers.

        • Strict Mode: Provides a wider range of suspicious behavior alerts but comes with a higher risk of false positives. It is suitable for use during major events. Enable with caution.

    • Edition support:

      Service Model

      Feature Support Description

      Subscription

      • Anti-virus:

        • Proactive Defense: Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture)

        • Webshell Detection and Removal

        • Alert Settings

      • Advanced:

        • Proactive Defense: Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), Webshell Prevention

        • Webshell Detection and Removal

        • Alert Settings

      • Enterprise and Ultimate: All features.

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and bind a protection level to the server.

      • Antivirus:

        • Proactive Defense: Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture)

        • Webshell Detection and Removal

        • Alert Settings

      • Host Protection, Host and Container Protection: All features.

  • Feature settings - Settings - Container protection settings

    • Feature description:

      • Threat Detection on Kubernetes Containers: Detects the security status of running container clusters in real time. This helps you promptly find security risks and intrusions in your clusters. The feature supports the following check items:

        • Abnormal instructions executed by the K8s API server

        • Abnormal folder mounts in pods

        • Lateral movement of K8s service accounts

        • Pods started from malicious images

      • Container Escape Prevention: Detects high-risk behaviors from multiple dimensions, such as processes, files, and system calls. It builds a protective barrier between containers and hosts to block escape attempts and secure the container runtime.

    • Supported editions:

      Service model

      Feature support

      Subscription

      Ultimate

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and set the server's protection level to Host and Container Protection.

  • Feature settings - Settings - Client configuration

    • Feature description:

      • Agent Protection: When enabled, Security Center blocks any attempt to uninstall the client that does not originate from the Security Center console. This prevents attackers from maliciously uninstalling the client after they intrude into your server. It also prevents other programs from accidentally shutting down the client process.

      • Client Resource Management: Allows you to manually adjust the client's running mode to limit its resource usage. This helps meet the protection needs of servers in different business scenarios. The modes include Low Consumption Mode, Smooth Mode, and Custom Mode.

      • Local File Detection Engine: The local file detection engine scans new script files and binary files on your server for security threats. If a threat is detected, an alert is reported.

      • In-depth Detection Engine: The deep detection engine helps you discover advanced security risks such as rootkits, tunnels, and backdoors.

    • Supported editions:

      Service model

      Feature support

      Subscription

      • Anti-virus and Advanced: Support only Agent Protection and Client Resource Management (Low Consumption Mode and Smooth Mode).

      • Enterprise and Ultimate: All features.

      Pay-as-you-go

      Enable the Host and Container Security pay-as-you-go service, and bind a protection level to the server.

      • Antivirus: Supports only Agent Protection and Client Resource Management (Low Consumption Mode and Smooth Mode).

      • Host Protection and Host and Container Protection: All features.

  • Features - Settings - Other configurations

    • Feature description:

      • Data Delivery of ActionTrail: Uses the service-linked role of Security Center to ship ActionTrail data to the Logstore of Security Center. This data is used for threat detection and alert analysis, such as abnormal AccessKey pair calls, abnormal logon to RAM accounts, and execution of important commands.

      • Global Log Filter: Filters and deduplicates client logs before they are reported. This reduces log storage costs and improves the efficiency of security operations without compromising security.

    • Supported editions:

      Billing method

      Usage notes

      Subscription

      Anti-virus, Advanced, Enterprise, and Ultimate:

      • All editions support Data Delivery of ActionTrail by default.

      • After you purchase the Log Analysis value-added service, the Global Log Filter feature is available.

      Note

      For more information about the log types and fields that are supported by different editions, see Log types and fields.

      Pay-as-you-go

      Data Delivery of ActionTrail is supported after you enable any feature.


  • Feature settings - client

    • Description: Centrally view servers on which the security client is not installed, obtain the client installation command, and uninstall the client. This feature also supports the agent-based access client solution.

    • Supported editions: Supported by default. No edition restrictions apply.

  • Feature settings - Multicloud configuration management

    • Feature description:

      • Onboarding multicloud assets: Connect non-Alibaba Cloud servers, such as third-party cloud servers and IDC servers, to Security Center for protection and management.

      • Onboarding IDC assets: Create an IDC probe to detect and discover IDC server assets. The discovered servers are synchronized to the Asset Center module in Security Center for unified management.

      • Asset management rules: Set conditions for asset management rules to group or tag servers that meet the same criteria. This improves the efficiency of asset management.

    • Supported editions: Supported by default. No edition restrictions apply.

  • Notification settings

    • Feature description: You can configure alert policies for security events, such as security alerts, vulnerability information, and baseline risks. You can receive notifications through the following methods.

      • Email/Internal Message

      • DingTalk Chatbot

      • Cloud Monitor Push

    • Supported editions:

      Service model

      Feature support description

      Subscription

      • Anti-virus: Email/Internal Message, Cloud Monitor Push

      • Advanced, Enterprise, and Ultimate: All features are supported.

      Pay-as-you-go

      Activate any pay-as-you-go service.

  • Multi-account security management

    • Description: This feature lets you centrally manage the security of assets across multiple member accounts. It delivers prompt security risk information for all member accounts in your organization.

    • Supported editions: Supported by default. No edition restrictions apply.

  • Compliance checks

    • Feature description:

      • Security Compliance Check: Performs classified protection compliance checks for communication networks, area borders, computing environments, and management centers. This feature also generates classified protection compliance reports.

      • ISO 27001 Compliance Check: Checks if your system meets the requirements for ISO 27001 Certification, such as asset management, access control, cryptography, and operational security. This helps you achieve ISO 27001 Certification.

    • Supported editions: This feature is supported by default and has no edition restrictions.