After you configure notification settings in the Security Center console, Security Center sends notifications to the contacts that you specified when risks are detected. This way, you can handle security events at the earliest opportunity to ensure asset security. Security Center can send notifications of items such as weekly security reports, baseline risks, alerts, and insufficient storage capacity. Security Center can send notifications by using emails, internal messages, or DingTalk chatbots. You can specify notification items, notification time ranges, and notification methods based on your business requirements to obtain asset security information at the earliest opportunity.
Notification items
If events that can trigger notifications for specific items occur outside of the notification time ranges, the notifications of the items are delayed.
The following table describes the maximum number of notifications that can be sent to each email address or Alibaba Cloud account per day. The notifications can be sent by email or internal message.
For example, the maximum number of notifications of AccessKey pair leaks that can be sent per day is 5. If you specify two contacts, each contact can receive up to five notifications of AccessKey pair leaks per day.
Notification item | Notification frequency | Notification time range | Notification method | Description |
Weekly security reports | Every seven days | 08:00 to 20:00 | Security Center sends a weekly security report on your servers. The report includes the number of unhandled vulnerabilities, suggestions on how to fix the vulnerabilities, number of baseline risks, and information about alerts on your servers. | |
Task execution result in anti-ransomware | Real-time notification |
| Email and internal message | Security Center sends a notification of the execution result of a finished anti-ransomware backup or restoration task within the notification time range that you specified. You can check whether the task execution is successful. |
Baseline risks | Every seven days | 08:00 to 20:00 | Email, internal message, and DingTalk chatbot | Security Center sends a weekly report on unhandled baseline risks. The report includes the number of unhandled baseline risks on your servers. |
Insufficient anti-ransomware capacity | Every seven days | 08:00 to 20:00 | Email and internal message | Security Center sends a notification in the following scenarios:
|
Insufficient threat analysis log capacity | Real-time notification |
| Email and internal message | Security Center sends a notification when the size of threat analysis logs exceeds 80% of the log storage capacity purchased for the threat analysis and response feature. |
Alerts | Real-time notification |
| Email, internal message, and DingTalk chatbot | Security Center sends a notification when an alert is generated. Up to five notifications can be sent per day. Only one notification can be sent for each server per day. |
Alerts generated by the precision defense feature | Real-time notification |
| Email and internal message | Security Center sends a notification when an alert of the Precision defense type is generated. Up to 5 internal messages and 20 emails can be sent per day. |
Alerts generated by the web tamper proofing feature | Real-time notification |
| Email and internal message | Security Center sends a notification when an alert is generated by the web tamper proofing feature. Up to five notifications can be sent per day. |
Alerts generated by the container firewall feature | Real-time notification |
| If you set the protection mode of the container firewall feature to Alert, Security Center sends a notification when unauthorized network behavior is detected. Up to 100 notifications can be sent per day. | |
Proactive defense activities implemented by the container firewall feature | Real-time notification |
| If you set the protection mode of the container firewall feature to Intercept, Security Center intercepts unauthorized network behavior and sends a notification. Up to 100 notifications can be sent per day. If this limit is exceeded, subsequent notifications are delayed. | |
Alerts generated on malicious image samples | Real-time notification |
| Email and internal message | After an image scan is complete, Security Center sends a notification if malicious samples are detected. Up to 24 emails and 24 internal messages can be sent per day. |
Alerts generated on image baseline risks | Real-time notification |
| Email and internal message | After an image scan is complete, Security Center sends a notification if baseline risks are detected. Only one notification can be sent per day. |
Alerts generated on image vulnerabilities | Real-time notification |
| Email and internal message | After an image scan is complete, Security Center sends a notification if vulnerabilities are detected. Up to 24 emails and 1 internal message can be sent per day. |
Alerts generated on sensitive files | Real-time notification |
| Email and internal message | After an image scan is complete, Security Center sends a notification if sensitive files are detected. Up to 24 notifications can be sent per day. |
Blocked brute-force attacks from malicious IP addresses | Real-time notification |
| Email and internal message | Security Center sends a notification when brute-force attacks from malicious IP addresses are blocked. Up to 10 notifications can be sent per day. |
Virus scan results | Based on the virus scan cycle |
| Email and internal message | After a virus scan is complete, Security Center sends a notification of virus scan results. Security Center scans for viruses based on the scan cycle that you specified. |
Excess logs | Every two days |
| Email and internal message | Security Center sends a notification when the log size exceeds the specified threshold based on the log storage capacity purchased for the log analysis feature. You can click the |
Alerts generated by the cloud honeypot feature | Real-time notification |
| Email, internal message, and DingTalk chatbot | Security Center sends a notification when an alert is generated by the cloud honeypot feature. Up to five notifications can be sent per day. |
Alerts generated by the application protection feature | Real-time notification |
| Email, internal message, and DingTalk chatbot | Security Center sends a notification when an alert is generated by the application protection feature. Up to 10 notifications can be sent per day. |
icon in the Insufficient Anti-ransomware Capacity section to adjust the threshold. Specify notification contacts
Specify at least one notification contact. By default, the contact is the one you specified when you created your Alibaba Cloud account.
Log on to the Message Center console.
In the left-side navigation pane, choose .
Find Security Notice and click Modify in the Contact column.
In the Modify Contact dialog box, add a contact or modify an existing contact, select one or more contacts to receive notifications from Security Center, and then click Save.
Perform the following operations based on your business requirements:
To add a contact, click Add Receiver, enter the name and email address of the new contact, and then click OK.
To modify an existing contact, click Manage Contacts in the upper-right corner of the Common Settings page.
After you click Save, the new settings immediately take effect.
NoteBefore a contact can receive notifications, you must verify the email address of the contact. The system automatically sends a verification message to the specified email address. Follow the instructions in the email to complete the verification.
Configure notification settings on the Email/Internal Message tab
Security Center can send notifications by email or internal message. You can configure specific notification methods for different notification items.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Email/Internal Message tab, find the notification item for which you want to configure the notification methods, and configure the Notification Time, Concerned Level, and Notification Method parameters.
NoteThe configurations immediately take effect.
If you select multiple notification methods for an item, Security Center sends notifications by using all selected methods at the same time.
Configure notification settings on the DingTalk Chatbot tab
After you configure the notification method of DingTalk chatbots, you can receive notifications for threats that are identified by Security Center in the specified DingTalk group in real time.
Only the Enterprise and Ultimate editions of Security Center support the notification method of DingTalk chatbots.
Prerequisites
A DingTalk chatbot is created in the DingTalk group that is used to receive notifications, and the webhook URL of the chatbot is obtained. When creating the DingTalk chatbot, you should configure the keywords based on the notification language in the Security Settings.
Chinese: 云安全中心
English: Security
Procedure
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Notification Settings page, click the DingTalk Chatbot tab and click Add Chatbot.
In the Add DingTalk Chatbot panel, configure the parameters and click Add. The following table describes the parameters.
Parameter
Description
Chatbot Name
The name of the chatbot. We recommend that you enter an informative name.
Webhook URL
The webhook URL of the chatbot. You can obtain the webhook URL in the corresponding DingTalk group.
ImportantKeep the webhook URL confidential. If the webhook URL is leaked, risks may arise.
Asset Groups
The asset group for which you want to send notifications. You can select an asset group that is created on the Assets page. After you select the asset group, the DingTalk chatbot sends notifications that are related to the assets in the asset group.
Notify On
The types and the severity levels of alerts for which you want to send notifications. The types are Vulnerability, Baseline Check, Alert, AccessKey Pair Leak Detection, Cloud Honeypot, Application Protection, Anti-ransomware, Core File Protection, and Malicious File Detection.
Notification Interval
The time interval at which the DingTalk chatbot sends notifications. Valid values: 1 Minute, 5 Minutes, 10 Minutes, 30 Minutes, and No Limit. If you select No Limit, a notification is sent each time an alert is generated.
If you select No Limit, up to 20 notifications can be sent to the webhook URL within 1 minute.
Language
The language of the notifications. Valid values: English and Chinese.
By default, a new DingTalk chatbot is in the Enabled state. After you complete the preceding steps, Security Center sends notifications based on your configurations.
Optional. In the list of DingTalk chatbots, find the new DingTalk chatbot and click Test in the Actions column to check whether a notification is received in the DingTalk group.
NoteYou can modify or delete a DingTalk chatbot. After you delete a chatbot, related notifications can no longer be received in the DingTalk group. However, Security Center continues to send notifications by using other methods that you specified, such as emails or internal messages.
FAQ
Can I receive notifications if I did not specify a severity level when I configured notification settings?
References
For more information about configuring security message recipients, see Best practices for configuring security message recipients.