All Products
Search
Document Center

Security Center:Configure notification settings

Last Updated:Dec 10, 2024

After you configure notification settings in the Security Center console, Security Center sends notifications to the contacts that you specified when risks are detected. This way, you can handle security events at the earliest opportunity to ensure asset security. Security Center can send notifications of items such as weekly security reports, baseline risks, alerts, and insufficient storage capacity. Security Center can send notifications by using emails, internal messages, or DingTalk chatbots. You can specify notification items, notification time ranges, and notification methods based on your business requirements to obtain asset security information at the earliest opportunity.

Notification items

Email/Internal message

Note
  • If events that can trigger notifications for specific items occur outside of the notification time ranges, the notifications of the items are delayed.

  • The following table describes the maximum number of notifications that can be sent to each email address or Alibaba Cloud account per day. The notifications can be sent by email or internal message.

    For example, the maximum number of notifications of AccessKey pair leaks that can be sent per day is 5. If you specify two contacts, each contact can receive up to five notifications of AccessKey pair leaks per day.

Notification item

Notification frequency

Notification time range

Notification method

Description

Weekly security reports

Every seven days

08:00 to 20:00

Email

Security Center sends a weekly security report on your servers. The report includes the number of unhandled vulnerabilities, suggestions on how to fix the vulnerabilities, number of baseline risks, and information about alerts on your servers.

Task execution result in anti-ransomware

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

Security Center sends a notification of the execution result of a finished anti-ransomware backup or restoration task within the notification time range that you specified. You can check whether the task execution is successful.

Baseline risks

Every seven days

08:00 to 20:00

Email, internal message

Security Center sends a weekly report on unhandled baseline risks. The report includes the number of unhandled baseline risks on your servers.

Insufficient anti-ransomware capacity

Every seven days

08:00 to 20:00

Email and internal message

Security Center sends a notification in the following scenarios:

  • If the usage of your anti-ransomware capacity reaches 100%, a notification is sent in real time.

  • Security Center runs scheduled tasks on a daily basis to check the usage of the anti-ransomware capacity. If the usage of the anti-ransomware capacity reaches the specified threshold, a notification is sent. You can click the image.png icon in the Insufficient Anti-ransomware Capacity section to adjust the threshold.

Insufficient threat analysis log capacity

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

Security Center sends a notification when the size of threat analysis logs exceeds 80% of the log storage capacity purchased for the threat analysis and response feature.

Alerts

Real-time notification

  • All day

  • 08:00 to 20:00

Email, internal message

Security Center sends a notification when an alert is generated. Up to five notifications can be sent per day. Only one notification can be sent for each server per day.

Alerts generated by the precision defense feature

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

Security Center sends a notification when an alert of the Precision defense type is generated. Up to 5 internal messages and 20 emails can be sent per day.

Alerts generated by the web tamper proofing feature

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

Security Center sends a notification when an alert is generated by the web tamper proofing feature. Up to five notifications can be sent per day.

Alerts generated by the container firewall feature

Real-time notification

  • All day

  • 08:00 to 20:00

Email

If you set the protection mode of the container firewall feature to Alert, Security Center sends a notification when unauthorized network behavior is detected. Up to 100 notifications can be sent per day.

Proactive defense activities implemented by the container firewall feature

Real-time notification

  • All day

  • 08:00 to 20:00

Email

If you set the protection mode of the container firewall feature to Intercept, Security Center intercepts unauthorized network behavior and sends a notification. Up to 100 notifications can be sent per day. If this limit is exceeded, subsequent notifications are delayed.

Alerts generated on malicious image samples

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

After an image scan is complete, Security Center sends a notification if malicious samples are detected.

Up to 24 emails and 24 internal messages can be sent per day.

Alerts generated on image baseline risks

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

After an image scan is complete, Security Center sends a notification if baseline risks are detected. Only one notification can be sent per day.

Alerts generated on image vulnerabilities

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

After an image scan is complete, Security Center sends a notification if vulnerabilities are detected. Up to 24 emails and 1 internal message can be sent per day.

Alerts generated on sensitive files

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

After an image scan is complete, Security Center sends a notification if sensitive files are detected. Up to 24 notifications can be sent per day.

Blocked brute-force attacks from malicious IP addresses

Real-time notification

  • All day

  • 08:00 to 20:00

Email and internal message

Security Center sends a notification when brute-force attacks from malicious IP addresses are blocked. Up to 10 notifications can be sent per day.

Virus scan results

Based on the virus scan cycle

  • All day

  • 08:00 to 20:00

Email and internal message

After a virus scan is complete, Security Center sends a notification of virus scan results. Security Center scans for viruses based on the scan cycle that you specified.

Excess logs

Every two days

  • All day

  • 08:00 to 20:00

Email and internal message

Security Center sends a notification when the log size exceeds the specified threshold based on the log storage capacity purchased for the log analysis feature.

You can click the image.png icon in the Excess Logs section to adjust the threshold.

Alerts generated by the cloud honeypot feature

Real-time notification

  • All day

  • 08:00 to 20:00

Email, internal message

Security Center sends a notification when an alert is generated by the cloud honeypot feature. Up to five notifications can be sent per day.

Alerts generated by the application protection feature

Real-time notification

  • All day

  • 08:00 to 20:00

Email, internal message

Security Center sends a notification when an alert is generated by the application protection feature. Up to 10 notifications can be sent per day.

DingTalk chatbot

Notification item

Notification frequency

Notification method

Description

  • Vulnerability

  • Baseline check

  • Alert

  • AccessKey pair leak detection

  • Cloud honeypot

  • Application protection

  • Anti-ransomware

  • Core file monitoring

  • Malicious file detection

  • Every minute

  • Every five minutes

  • Every ten minutes

  • Every 30 minutes

  • No Limit

DingTalk chatbot

Messages are sent based on the configured notification frequency. If you select No Limit, up to 20 notifications can be sent to the webhook URL within one minute.

Specify notification contacts

Specify at least one notification contact. By default, the contact is the one you specified when you created your Alibaba Cloud account.

  1. Log on to the Message Center console.

  2. In the left-side navigation pane, choose Message Settings > Common Settings.

  3. Find Security Notice and click Modify in the Contact column.

  4. In the Modify Contact dialog box, add a contact or modify an existing contact, select one or more contacts to receive notifications from Security Center, and then click Save.

    Perform the following operations based on your business requirements:

    • To add a contact, click Add Receiver, enter the name and email address of the new contact, and then click OK.

    • To modify an existing contact, click Manage Contacts in the upper-right corner of the Common Settings page.

    After you click Save, the new settings immediately take effect.

    Note

    Before a contact can receive notifications, you must verify the email address of the contact. The system automatically sends a verification message to the specified email address. Follow the instructions in the email to complete the verification.

Configure notification settings on the Email/Internal Message tab

Security Center can send notifications by email or internal message. You can configure specific notification methods for different notification items.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Notification Settings.

  3. On the Email/Internal Message tab, find the notification item for which you want to configure the notification methods, and configure the Notification Time, Concerned Level, and Notification Method parameters.

    Note
    • The configurations immediately take effect.

    • If you select multiple notification methods for an item, Security Center sends notifications by using all selected methods at the same time.

Configure notification settings on the DingTalk Chatbot tab

After you configure the notification method of DingTalk chatbots, you can receive notifications for threats that are identified by Security Center in the specified DingTalk group in real time.

Note

Only the Enterprise and Ultimate editions of Security Center support the notification method of DingTalk chatbots.

Prerequisites

A DingTalk chatbot is created in the DingTalk group that is used to receive notifications, and the webhook URL of the chatbot is obtained. When creating the DingTalk chatbot, you should configure the keywords based on the notification language in the Security Settings.

  • Chinese: 云安全中心

  • English: Security

Procedure

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Notification Settings.

  3. On the Notification Settings page, click the DingTalk Chatbot tab and click Add Chatbot.

  4. In the Add DingTalk Chatbot panel, configure the parameters and click Add. The following table describes the parameters.

    Parameter

    Description

    Chatbot Name

    The name of the chatbot. We recommend that you enter an informative name.

    Webhook URL

    The webhook URL of the chatbot. You can obtain the webhook URL in the corresponding DingTalk group.

    Important

    Keep the webhook URL confidential. If the webhook URL is leaked, risks may arise.

    Asset Groups

    The asset group for which you want to send notifications. You can select an asset group that is created on the Assets page. After you select the asset group, the DingTalk chatbot sends notifications that are related to the assets in the asset group.

    Notify On

    The types and the severity levels of alerts for which you want to send notifications. The types are Vulnerability, Baseline Check, Alert, AccessKey Pair Leak Detection, Cloud Honeypot, Application Protection, Anti-ransomware, Core File Monitoring, and Malicious File Detection.

    Notification Interval

    The time interval at which the DingTalk chatbot sends notifications. Valid values: 1 Minute, 5 Minutes, 10 Minutes, 30 Minutes, and No Limit. If you select No Limit, a notification is sent each time an alert is generated.

    If you select No Limit, up to 20 notifications can be sent to the webhook URL within 1 minute.

    Language

    The language of the notifications. Valid values: English and Chinese.

    By default, a new DingTalk chatbot is in the Enabled state. After you complete the preceding steps, Security Center sends notifications based on your configurations.

  5. Optional. In the list of DingTalk chatbots, find the new DingTalk chatbot and click Test in the Actions column to check whether a notification is received in the DingTalk group.

    Note

    You can modify or delete a DingTalk chatbot. After you delete a chatbot, related notifications can no longer be received in the DingTalk group. However, Security Center continues to send notifications by using other methods that you specified, such as emails or internal messages.

FAQ

Can I receive notifications if I did not specify a severity level when I configured notification settings?

No,

Security Center does not send notifications for an item if you did not specify a severity level in the Concerned Level column for the item. In this case, you can go to the Alerts page to view the alerts that are generated on your assets. For more information, see View and handle alerts.

References

For more information about configuring security message recipients, see Best practices for configuring security message recipients.