Features

With SA, you can manage security posture of all your cloud assets in one place. SA provides many functional modules, including Security Overview, Resource Manager, Threat Alarms, Baseline Inspection, Events, Logs, and Integrations.

Security Overview

The Security Overview page gives you a comprehensive overview of your asset security posture together with other linked cloud security services to collectively display security assessment findings.

**Table 1** Security Overview Functions
Function Module	Description
Security Score	SA evaluates and scores your cloud asset security. You can quickly learn of unhandled risks and their threats to your assets. The lower the security score, the greater the overall asset security risk.
Security Monitoring	You can view how many threats, vulnerabilities, and compliance violations that are not handled and view their details.
Your Security Score over Time	You can view your security scores for the last 7 days.

Resource Manager

SA displays the real-time security status of assets on the cloud.

**Table 2** Resources functions
Function Module	Description
Resource Manager	SA synchronizes the security status statistics of all resources in the current account. You can quickly locate unhealthy resources and find the solutions by viewing the resource name and security status as well as cloud services involved.

Threat Alarms

In this module, SA reports alarms based on real-time monitoring, displays details of alarms for the last 180 days, and defends against typical threats by using varied preset protection policies.

SA can detect and display varied types of threats, including distributed denial of service (DDoS) attacks, brute-force attacks, web attacks, Trojans, zombie computers, Command-and-Control (C&C) attacks, abnormal behavior, and exploits.

**Table 3** Function modules in Threat Alarms
Function Module	Description
Alarms	SA lists statistics on threat alarms. You can view details of threat alarms and details of threatened assets. You can also export all alarms.
Threat Analysis	SA allows you to query threats or attacks by Attack source or Attacked asset.
Alarm Monitoring	SA allows you to customize the threat list, alarm type, and risk severity to view only concerned threat alarms.
Alarm Notifications	SA allows you to customize alarm notifications. You can set scheduled daily alarm notifications and real-time alarm notifications to learn about threat risks in a timely manner.

Threat Alarm Events

SA monitors your network in rea time and reports alarms when threats are detected. SA can detect varied types of threats, including DDoS attacks, brute-force attacks, web attacks, backdoor Trojans, zombies, abnormal behavior, exploits, and C&C attacks.

**Table 4** Threat alarm event description
Alarm Name	Alarm Description
DDoS	SA detects DDoS attacks on any of your protected hosts in real time. More than 100 types of DDoS threats can be detected, including: Network layer attacks NTP flood and CC attacks Transport layer DDoS attacks SYN and ACK flood attacks Session layer attacks SSL DDoS attacks Application layer attacks HTTP-GET DDoS flood attacks and HTTP-POST DDoS flood attacks
Brute-force attacks	SA detects intrusions and internal risks on your hosts in real time, including brute force attacks on accounts, such as SSH, RDP, FTP, SQL Server and MySQL accounts, as well as abnormal logins. The following 22 types of brute-force attacks can be reported, including: Brute-force attacks that can be detected by SA SSH (2 types), RDP, Microsoft SQL, MySQL, FTP, SMB (3 types), HTTP (4 types), and Telnet brute force attacks Alarms reported by HSS SSH, RDP, FTP, MySQL, IRC, and Webmin brute force attacks, brute force attacks on other ports, and brute force attacks on OSs
Web attacks	SA detects web threats such as malicious web scanners, malicious IP addresses, and web Trojans in real time. The following 38 types of web threats can be detected: Web attacks Web shell attacks (3 types), cross-site scripting (XSS) attacks, code injection attacks (7 types), SQL injection attacks (9 types), and command injection attacks. Alarms reported by HSS Web shells, Linux web page tampering, and Windows web page tampering. Alarms reported by WAF Cross-site scripting (XSS) attacks, command injection attacks, SQL injection attacks, directory traversal attacks, local file inclusion, remote file inclusion, remote code execution, back doors, website information leakage, exploits, IP reputation databases exploits, malicious web crawlers, web page tampering, and web page crawlers
Trojan	SA detects Trojans and malicious requests to compromised hosts in real time. The following 5 types of Trojans can be detected: Trojan files, such as PHP and JSP files, in the web directory on hosts Characteristics of Trojans on compromised hosts Trojan: Win32/Ramnit Checkin, WannaCry ransomware request resolution, Trojan downloading, and access to HTTP File Server (HFS) download servers
Zombie	SA detects threats initiated by zombies in real time. The following 7 types of attacks initiated by zombie hosts can be detected: SSH brute-force attacks RDP brute-force attacks Web brute-force attacks MySQL brute-force attacks SQL Server brute-force attacks DDoS attacks Mining software
Abnormal behavior	SA detects abnormal changes and operations to the operating systems (OSs) on assets in real time. The following 21 types of abnormal behavior can be detected: Abnormal behavior that can be detected by SA Unauthorized file system scans, CMS V1.0 vulnerabilities, and unauthorized sensitive file access Alarms reported by HSS Alarms generated by abnormal logins, critical file changes, network interface cards (NICs) in promiscuous mode, unsafe accounts, reverse shells, abnormal shells, high-risk command execution, abnormal automatic startups, file privilege escalation, process privilege escalation, and rootkits Alarms reported by WAF Alarms generated against custom rules, whitelist, blacklist, geographical access control rules, malicious scanners & crawlers, IP blacklist or whitelist rules, and unauthorized access blocking
Exploit	SA detects in real time the potential compromised assets that may be used to initiate attacks. The following 2 types of vulnerabilities can be detected: Web-CMS exploits
CommandControl	SA detects command and control (C&C) servers in real time. A C&C server may remotely control host assets to access or establish links with malware. The following 3 types of C&C threats can be detected: Access to Domain Generation Algorithm (DGA) domain names Access to malicious C&C domain names Malicious communication channels between C&C servers and host assets

Baseline Inspection

SA can scan cloud baseline configurations to find out unsafe settings, report alarms for events, and offer hardening suggestions to you.

**Table 5** Baseline inspection description
Function Module	Description
Cloud Service Baseline	You can start a one-time scan or configure scheduled scans to let SA display results by category and provide hardening suggestions for you to fix unsafe settings.

Events

SA aggregates detection data from a variety of related services so that you can monitor all events in one place.

**Table 6** Description of events
Function Module	Description
Events	Multiple event types are included. You can mark and export events, and customize the event list. Event types include: Threat alarms, vulnerabilities, risks, compliance checks, violations, public opinions, and security notices

Logs

You can authorize Object Storage Service (OBS) to store SA logs in OBS buckets. This makes it easier for you to store and export SA logs securely and meet audit requirements for storing logs for 180 days.

**Table 7** Log management description
Function Module	Description
Logs	You can store SA logs in OBS to meet log audit and disaster recovery requirements.

Integrations

SA integrates a variety of security products to aggregate their detection data and manage the data sources of events.

**Table 8** Product integration function descriptions
Function Module	Description
Integrations	By integrating other security services, SA makes it easy for you to aggregate detection results or events reported by different products, manage the sources of events, view the transmitted data volume, and manage the health status of reporting detection data to SA.