Security Center alerts you to security findings — including security alerts, vulnerability reports, and baseline risks — through three delivery channels. Use the channel that fits your team's workflow:
| Channel | Best for | Edition requirement |
|---|---|---|
| Detailed reports, audit trails | All editions | |
| Internal message | In-console notifications | All editions |
| DingTalk Chatbot | Real-time team alerts without logging in to the console | Enterprise or Ultimate |
Set up email and internal message notifications
Step 1: Manage notification recipients
Before configuring alert rules, confirm that the right person receives them. By default, Security Center sends alerts to the Account Contact from account registration — often not the security team.
Go to the Message Center. On the Security message tab, find Security Notice and click Modify in the Actions column. The Modify Message Receiving Configurations page opens.
On the Contact tab, manage the recipient list:
Select an existing contact: In the dialog box, select the checkbox next to each contact.
Add a new contact: Click Manage Contacts, then click Add Receiver in the upper-right corner. Enter a name and email address, then click OK. > Important: A newly added email address must be verified before it can receive alerts. Check your inbox for a verification email and follow the instructions. For more information, see Manage basic message notifications.
Modify a contact: Click Manage Contacts. On the Manage Contacts page, click Modify in the Actions column. Edit the name or email address, then click OK.On the Manage Message Recipients page, click Edit in the Actions column of the target contact.On the Manage Message Recipients page, click Add Receiver in the upper-right corner.
Click OK. The changes take effect immediately.
Step 2: Configure notification rules
Log on to the Security Center consoleSecurity Center console.Log on to the Security Center console.
In the left-side navigation pane, choose System Settings > Notification Settings. In the upper-left corner, select the region where your assets are located: China or Outside China.
On the Email/Internal Message tab, find the notification item to configure. Set the following fields: Notification Time — When alerts are sent: Concerned Level — Select the severity levels to receive alerts for, such as Critical or High Risk. Notification Method — Choose Email, Internal Message, or both.
ImportantAlerts triggered outside the 08:00–20:00 window may be delayed. The sending frequency is fixed and cannot be adjusted. See Quotas and limits for details.
Not all alert types support all notification methods. Only supported options appear in the console. If you select multiple methods, the same alert is sent to all selected channels simultaneously.
Option Behavior Use when 24 hours Immediate alerts, around the clock Critical or emergency events 08:00–20:00 Alerts only during this window Non-urgent events
Set up DingTalk Chatbot notifications
Get Security Center alerts in a DingTalk group chat so your team can respond to threats without logging in to the console.
Prerequisites
Before you begin, make sure you have:
A Security Center Enterprise or Ultimate edition subscription. Upgrade if needed.
At least one pay-as-you-go feature enabled.
Step 1: Get the webhook URL from DingTalk
If you haven't created a chatbot yet:
In the DingTalk client, select the target group chat and click Group Settings in the upper-right corner.
In the Group Management section, click Bot. On the robot management page, click Add Robot and select Custom.
In the Security Settings area, set Custom Keywords to Security Center or Security based on the notification language you plan to use.
Select the I Acknowledge and Accept *DingTalk Custom Robot Service Terms of Service* checkbox.
Click Finished. Copy the webhook URL displayed on the page.
If you already have a chatbot:
In the DingTalk client, select the target group chat and click Group Settings in the upper-right corner.
In the Group Management section, click Bot. Click the target robot to view its webhook URL on the details page.
Step 2: Add the chatbot in Security Center
Log on to the Security Center consoleSecurity Center console.Log on to the Security Center console.
In the left-side navigation pane, choose System Settings > Notification Settings. Select the region where your assets are located: China or Outside China.
On the DingTalk Chatbot tab, click Add Chatbot. In the Add DingTalk Chatbot panel, configure the following parameters and click Add.
A newly created DingTalk Chatbot is Enabled by default.
Parameter Description Webhook URL Paste the webhook URL from Step 1. Keep it confidential — exposing it on public websites creates security risks. Asset Groups Select asset groups from the Assets page. Alerts are sent only for assets in the selected groups. See Manage server groups. Notify On Select alert types and risk levels. A notification is sent if any selected condition is met (OR logic). For example, selecting both "Security alert" type and "Suspicious" level means either condition independently triggers a notification. To avoid unexpected alerts, review both type and level selections together. Notification Interval How often the chatbot sends batched notifications: 1 minute, 5 minutes, 10 minutes, 30 minutes, or No Limit. Each webhook URL can receive up to 20 notifications per minute. See DingTalk Chatbot rate limits. Language The language of notifications: Chinese or English.
Step 3: Test the connection
In the DingTalk Chatbot list, find the newly created chatbot and click Test in the Actions column. A test message is sent to the DingTalk group to verify the connection.
Editing or deleting a chatbot configuration only affects DingTalk notifications and does not change your email or internal message settings.
Disable notifications
Disable email and internal message notifications
Log on to the Security Center consoleSecurity Center console.
In the left-side navigation pane, choose System Settings > Notification Settings. Select the region where your assets are located: China or Outside China.
On the Email/Internal Message tab, find the target notification item and deselect the channels in the Notification Method column.Email/Internal Message
Disable or adjust a DingTalk Chatbot
Log on to the Security Center consoleSecurity Center console.
In the left-side navigation pane, choose System Settings > Notification Settings. Select the region where your assets are located: China or Outside China.
On the DingTalk Chatbot tab, find the target chatbot and take one of the following actions:
Goal How Notes Temporarily disable Turn off the switch in the Enabling Status column. The configuration is saved and can be re-enabled at any time. Permanently delete Click Delete in the Actions column. This action is irreversible. Reconfigure the chatbot to use it again. Filter notifications Click Edit in the Actions column, then update the Notify On section. Remove alert types or levels you no longer want to receive.
Quotas and limits
Security Center limits notification frequency and volume to prevent alert fatigue.
Email and internal message limits
Defense alerts
| Type | Trigger | Daily limit |
|---|---|---|
| Precision defense | Real-time | Max 5 internal messages and 20 emails |
| Web tamper-proofing | — | Max 5 notifications |
| Cloud honeypot alert | — | Max 5 notifications |
| Application protection alert | — | Max 10 emails and 10 internal messages |
| Malicious IP blocking alert | — | Max 10 notifications |
Detection alerts
| Type | Trigger | Daily limit (Email/Internal Message) |
|---|---|---|
| Security alert | Real-time | Max 5 per account; max 1 per server |
| New security events | When a new event is detected | Max 1 per event; max 5 total per day |
| Updated security events | When a pending event gets a new alert | Max 1 per event; max 5 total per day |
Container security alerts
| Type | Trigger | Daily limit (Email/Internal Message) |
|---|---|---|
| Container microsegmentation alert | Real-time | Max 100 emails (excess notifications delayed) |
| Container microsegmentation proactive defense notification | Real-time | Max 100 emails (excess notifications delayed) |
| Container image scan malicious alert | After scan completes | Max 24 emails and 24 internal messages |
| Container image scan baseline risk notification | After scan completes | Max 1 notification |
| Container image scan vulnerability risk notification | After scan completes | Max 24 emails and 1 internal message |
| Container image scan sensitive file alert | After scan completes | Max 24 internal messages |
Agentless detection alerts
| Type | Trigger | Daily limit (Email/Internal Message) |
|---|---|---|
| Agentless detection malicious sample notification | After scan completes | Max 1 email and 1 internal message |
| Agentless detection vulnerability risk notification | After scan completes | Max 1 email and 1 internal message |
| Agentless detection baseline risk notification | After scan completes | Max 1 email and 1 internal message |
| Agentless detection sensitive file alert | After scan completes | Max 1 email and 1 internal message |
Periodic and threshold-triggered notifications
| Type | Trigger | Daily limit |
|---|---|---|
| Security weekly report | Once every 7 days | None |
| Baseline check | — | None |
| Anti-ransomware task execution results | After the task completes | — |
| Anti-ransomware storage capacity exceeded | Immediately at 100% usage; checked every 7 days if a threshold is configured | — |
| Threat analysis hot data log storage exceeded alert | Real-time | — |
| Threat analysis log ingestion traffic exceeded alert | When ingested traffic exceeds 80% of the subscribed limit | — |
| Log storage exceeded | Once every 2 days | — |
| Virus scan notification | Per the configured scan cycle | — |
DingTalk Chatbot rate limits
Notification Interval options: 1 minute, 5 minutes, 10 minutes, 30 minutes, or No Limit.
Rate limit for "No Limit": A single webhook URL can receive up to 20 notifications per minute.
FAQ
Contact and recipient management
How do I update the email address or phone number that receives alerts?
Update it in the Alibaba Cloud Message Center. Follow the steps in Step 1: Manage notification recipients.Alibaba Cloud Message Center
I updated a contact, but alerts are still going to the old address. What's wrong?
Check two things. First, confirm the new contact completed email verification — unverified addresses don't receive alerts. Second, check whether other cloud products (such as CloudMonitor) have separate alert rules that still reference the old contact.
Can I assign different alert recipients by role, such as O&M or developers?
Batch assignment by role isn't supported. As a workaround, add a position tag when creating or editing contacts to identify them by role.
Troubleshooting alert delivery
I configured notifications but I'm not receiving any alerts. What should I check?
Work through these checks in order:
Verify the recipient: Confirm the email address or phone number is added and verified in Step 1.
Check notification settings: Make sure the notification item is enabled, the Concerned Level matches the actual alert severity, and Notification Time is set to 24 hours if you need around-the-clock coverage.
Check spam: Look in your email spam or junk folder.
Check rate limits: See Quotas and limits to confirm you haven't reached the daily sending limit.
Check the region: The region you selected in Notification Settings (China or Outside China) must match the region where the alerting asset is located.
My DingTalk Chatbot received an "Unusual Logon" alert even though I disabled that alert type. Why?
The Notify On field uses OR logic — a notification is sent if the alert matches either the selected type or the selected level. If you set the level to Suspicious, any alert at that severity level triggers a notification regardless of type. To stop receiving this alert, go to Notification Settings and deselect Suspicious from the level settings for Security alert.
Appendix: Notification descriptions
Periodic reports
| Type | Description |
|---|---|
| Security weekly report | Sends a notification with the subject Alibaba Cloud Security Center Weekly Report. Includes the number of unhandled vulnerabilities, fix suggestions, baseline risks, and alert summaries. Note Not sent if your account has no running ECS instances. |
| Baseline check | Sends a notification with the subject Security Center - Weekly Report on Unhandled Baseline Risks. Includes the number of unhandled baseline risks on your assets. |
Resources and capacity
| Type | Description |
|---|---|
| Anti-ransomware storage capacity exceeded | Sent immediately when used anti-ransomware capacity reaches 100%. Also sent on a 7-day check cycle if usage exceeds the configured threshold. Click the settings icon in the Insufficient Anti-ransomware Capacity area to adjust the threshold. |
| Notification for excessive threat analysis hot data logs | A notification about threat analysis log storage usage. |
| Notification for excessive threat analysis access log traffic | Sent when ingested log traffic exceeds 80% of the subscribed ingested log traffic. |
| The log quota has been exceeded | Sent when log storage volume exceeds the purchased log analysis capacity. Click the settings icon in the Excess Logs area to adjust the threshold. |
Feature alerts
| Type | Description |
|---|---|
| Anti-ransomware task execution results | Sent when a data backup or recovery task completes, if the result (success or failure) matches your notification preference. |
| New security events | Sent when new, unhandled security events are detected. |
| Updated security events | Sent when a security event with a "Pending" status receives a new associated security alert. |
| Security alert | Sent when a security alert is detected. |
| Precision defense | Sent when a precision defense alert is detected. |
| Web tamper-proofing | Sent when a web tamper-proofing alert is detected. |
| Malicious IP blocking alert | Sent when a brute-force attack from a malicious IP is blocked. |
| Virus scan notification | Sent when a virus scan completes, based on your configured scan cycle. |
| Cloud honeypot alert | Sent when a cloud honeypot alert is detected. Maximum 5 notifications per day. |
| Application protection alert | Sent when an application protection alert is detected. |
Container security
| Type | Description |
|---|---|
| Container microsegmentation abnormal alert | Sent when unauthorized network activity is detected. |
| Container microsegmentation proactive defense notification | Sent when unauthorized network activity is detected and proactively blocked. |
| Container image scan malicious alert | Sent after an image scan completes, for any malicious sample alerts found. |
| Container image scan baseline risk notification | Sent after an image scan completes, for any baseline risk alerts found. |
| Container image scan vulnerability risk notification | Sent after an image scan completes, for any vulnerability risk alerts found. |
| Container image scan sensitive file alert | Sent after an image scan completes, for any sensitive file alerts found. |
Agentless detection
| Type | Description |
|---|---|
| Agentless detection of malicious samples notification | Sent after a security scan completes, for any malicious samples found. |
| Agentless detection of vulnerability risks notification | Sent after a security scan completes, for any vulnerability risks found. |
| Agentless detection of baseline risks notification | Sent after a security scan completes, for any baseline risks found. |
| Agentless detection of sensitive files alert | Sent after a security scan completes, for any sensitive files found. |