Abstract: Building on domestic and foreign research into threat tracing methods, this paper addresses the problem of network security threat defense in power monitoring systems. Combining the security protection requirements of the power monitoring system with the characteristics of power secondary system security protection, it establishes a method for tracing the source of an attack through event location chains. The method first models the alarm log as a tree and constructs an event generation tree, then aggregates the occurrence tree to obtain an initial set of event generation chains. Finally, a chain-breaking process yields the final set of event generation chains. The method can automatically analyze the alarm data of the power monitoring system, extract attack events, and process the original alarms into an attack map that can be displayed visually, thereby effectively capturing the associated hosts and helping the network manager monitor network security status in real time, so that timely safety measures can be taken to ensure the safety of the network, data and equipment.