Security Center is a security management system that dynamically identifies and analyzes security threats, and generates alerts when threats are detected. You can use Security Center to ensure the security of your cloud resources and local servers in a centralized manner and meet regulatory compliance requirements. You can configure the alert ingestion system of Log Service as a notification method in the Security Center console. This way, Security Center alerts can be ingested into Log Service. Then, the alerting system of Log Service denoises the alerts and sends alert notifications.

Prerequisites

Configure an alert notification method in the Security Center console

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. In the DingTalk Chatbot Notification Settings section of the Notifications tab, click Add Chatbot.
  4. In the Add DingTalk Chatbot panel, set the parameters and click Add.
    Set the Webhook URL parameter to the full path of the Internet webhook URL that is generated after you create an alert ingestion application. For more information, see Obtain webhook URLs. For information about other parameters, see Add a DingTalk chatbot.

Security Center alert parsing

Security Center generates alerts when vulnerabilities, baseline risks, security events, and AccessKey pair leaks are detected. The following tables describe the fields in different types of alerts.

  • Alerts for vulnerabilities

    | Field | Description | Mapped to (Log Service alert field) |
    | --- | --- | --- |
    | instanceName | The name of the instance that is protected by Security Center, for example, the name of an Elastic Compute Service (ECS) instance. | labels |
    | instanceId | The ID of the instance that is protected by Security Center, for example, the ID of an ECS instance. | labels |
    | alias_name | The alias of the vulnerability. | labels |
    | internetIp | The public IP address. | annotations |
    | intranetIp | The internal IP address. | annotations |
    | uuid | The universally unique identifier (UUID) of the server. | labels |
    | aliUid | The ID of the associated Alibaba Cloud account. | labels |
    | time | The time when the alert is triggered. | alert_time and fire_time |
  • Alerts for baseline risks

    | Field | Description | Mapped to (Log Service alert field) |
    | --- | --- | --- |
    | instanceName | The name of the instance that is protected by Security Center, for example, the name of an ECS instance. | labels |
    | instanceId | The ID of the instance that is protected by Security Center, for example, the ID of an ECS instance. | labels |
    | type_alias | The alias of the check type in Chinese. | annotations |
    | risk_name | The name of the risk. | annotations |
    | internetIp | The public IP address. | annotations |
    | intranetIp | The internal IP address. | annotations |
    | uuid | The UUID of the server. | labels |
    | aliUid | The ID of the associated Alibaba Cloud account. | labels |
    | time | The time when the alert is triggered. | alert_time and fire_time |
  • Alerts for security events

    | Field | Description | Mapped to (Log Service alert field) |
    | --- | --- | --- |
    | instanceName | The name of the instance that is protected by Security Center, for example, the name of an ECS instance. | labels |
    | instanceId | The ID of the instance that is protected by Security Center, for example, the ID of an ECS instance. | labels |
    | machineIp | The IP address of the machine. | annotations |
    | internetIp | The public IP address. | annotations |
    | intranetIp | The internal IP address. | annotations |
    | uuid | The UUID of the server. | labels |
    | aliUid | The ID of the associated Alibaba Cloud account. | labels |
    | groupId | The ID of the asset group. | labels |
    | event_type | The type of the alert. | alert_name |
    | event_name | The name of the alert. | annotations (as title) and title |
    | op | The action that is performed on the security event. Valid values: new (a new security event is detected), fix (the security event is fixed), and verify (the security event is verified). | annotations |
    | status | The status of the security event. For more information, see Security event status. | annotations |
    | time | The time when the alert is triggered. | alert_time and fire_time |

    The following table describes the status of security events and the Log Service alert status that each value is mapped to.

    | Valid value of status | Description | Alert status in Log Service |
    | --- | --- | --- |
    | Pending | Pending | firing |
    | Handled | Confirmed | firing |
    | Dealing | Processing | firing |
    | Auto Dealing | Automatic blocking | firing |
    | Ignore | Ignored | resolved |
    | Fault | Marked as false positive | resolved |
    | Done | Processed | resolved |
    | Expire | Expired | resolved |
    | Deleted | Deleted | resolved |
    | Auto Dealing Done | Automatic blocking completed | resolved |
  • Alerts for AccessKey pair leaks

    | Field | Description | Mapped to (Log Service alert field) |
    | --- | --- | --- |
    | github_user | The GitHub account in which the leak was found. | labels |
    | github_file | The GitHub file in which the leak was found. | labels |
    | source | The source of the leak. | labels |
    | github_repo | The GitHub repository in which the leak was found. | labels |
    | accesskey_id | The AccessKey ID of the leaked AccessKey pair. | labels |
    | aliUid | The ID of the associated Alibaba Cloud account. | labels |
    | time | The time when the alert is triggered. | alert_time and fire_time |

Field mappings

The following table describes the mappings between the alert attributes of Log Service and the alert fields of Security Center.

| Log Service | Security Center | Description |
| --- | --- | --- |
| aliuid | None | The ID of the Alibaba Cloud account to which the alert ingestion application belongs. |
| alert_id | None | The ID of the alert monitoring rule. |
| alert_type | None | The type of the alert. Valid value: sls_pub. |
| alert_name | event_type | The name of the alert monitoring rule. |
| status | status | The status of the alert. Valid values: firing and resolved. The status of each security event in Security Center is mapped to the status of the corresponding alert in Log Service. For more information, see Security event status. |
| next_eval_interval | None | The interval at which the alert is evaluated. Valid value: 0. |
| alert_time | time | The time when the alert is evaluated. |
| fire_time | time | The time when the first alert is triggered. |
| resolve_time | None | The time when the alert is cleared. If the value of the status field is firing, resolve_time is set to 0. If the value of the status field is resolved, resolve_time is set to the value of the fire_time field. |
| labels | instanceName, instanceId, accountName, aliUid, and uuid | The labels of the alert. The following fields are included: instanceName, instanceId, accountName, aliUid, and uuid. If you add a label on the Enrichment tab when you create the alert ingestion application, the label is also added to the labels field. |
| annotations | status, internetIp, intranetIp, machineIp, op, and event_name | The annotations of the alert. The following fields are included: status, internetIp, intranetIp, machineIp, op, and title. The title field is mapped to the event_name field. The following fields are also added to the annotations field: __config_app__: "sls_pub_alert"; __pub_alert_service__: {The ID of the alert ingestion service}; __pub_alert_app__: {The ID of the alert ingestion application}; __pub_alert_protocol__: "sas"; __pub_alert_region__: {The region of the endpoint to which the alert is sent}. If you add an annotation on the Enrichment tab when you create the alert ingestion application, the annotation is also added to the annotations field. |
| severity | event level | The severity of the alert, derived from the event level of the Security Center alert: serious maps to critical, suspicious maps to high, and other maps to medium. |
| policy | None | The alert policy that is specified for the alert ingestion application. For more information, see Description of the policy variable. |
| project | None | The project to which Alert Center belongs. For more information, see Project. |
| drill_down_query | None | The value is a link that contains the URL of the Security Center alert. You can click the link to go to the page that shows the Security Center alert. |
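The following Python script is an added example, not part of this page and not Alibaba Cloud code. It replays the mapping described under Security Center alert parsing and in the field mappings table above, so that a team that builds detection or deduplication logic on top of the ingested alerts can check its assumptions about the shape of the Log Service alert without waiting for a live event. The alert kind names (vulnerability, baseline, security_event, accesskey_leak), the field name level for the event level, the treatment of non-security-event alerts as firing, the owner_uid, alert_id, service_id, app_id and region parameters, and every value in the sample record are constructed assumptions; the real mapping is performed by the Log Service alert ingestion application.

```python
"""Added example (not Alibaba Cloud code): replay the documented mapping from a
Security Center alert record to the Log Service alert structure.
Sample data below is constructed; the real mapping is done by Log Service."""

# Security Center security-event status -> Log Service alert status (page table).
STATUS_MAP = {
    "Pending": "firing", "Handled": "firing", "Dealing": "firing",
    "Auto Dealing": "firing",
    "Ignore": "resolved", "Fault": "resolved", "Done": "resolved",
    "Expire": "resolved", "Deleted": "resolved", "Auto Dealing Done": "resolved",
}

# Security Center event level -> Log Service severity (page list).
SEVERITY_MAP = {"serious": "critical", "suspicious": "high", "other": "medium"}

# Per alert kind: which Security Center fields land in labels / annotations.
# Kind names are assumptions; the field sets follow the page's tables.
LABEL_FIELDS = {
    "vulnerability": ("instanceName", "instanceId", "alias_name", "uuid", "aliUid"),
    "baseline": ("instanceName", "instanceId", "uuid", "aliUid"),
    "security_event": ("instanceName", "instanceId", "uuid", "aliUid", "groupId"),
    "accesskey_leak": ("github_user", "github_file", "source", "github_repo",
                       "accesskey_id", "aliUid"),
}
ANNOTATION_FIELDS = {
    "vulnerability": ("internetIp", "intranetIp"),
    "baseline": ("type_alias", "risk_name", "internetIp", "intranetIp"),
    "security_event": ("machineIp", "internetIp", "intranetIp", "op", "status"),
    "accesskey_leak": (),
}


def to_sls_alert(kind, event, *, owner_uid, alert_id, service_id, app_id, region,
                 extra_labels=None, extra_annotations=None):
    """Build the Log Service alert dict for one Security Center record.

    Assumptions not on the page: `kind` selects the field set; the event level
    arrives in a field named "level"; alerts that are not security events carry
    no status and are treated as firing; unknown levels fall back to medium.
    """
    if kind not in LABEL_FIELDS:
        raise ValueError(f"unknown alert kind: {kind}")
    if kind == "security_event":
        sas_status = event.get("status")
        if sas_status not in STATUS_MAP:
            raise ValueError(f"unknown Security Center status: {sas_status!r}")
        status = STATUS_MAP[sas_status]
    else:
        status = "firing"

    fire_time = int(event["time"])
    labels = {k: event[k] for k in LABEL_FIELDS[kind] if k in event}
    if "accountName" in event:          # listed under labels in the mapping table
        labels["accountName"] = event["accountName"]
    labels.update(extra_labels or {})    # labels added on the Enrichment tab

    annotations = {k: event[k] for k in ANNOTATION_FIELDS[kind] if k in event}
    if "event_name" in event:
        annotations["title"] = event["event_name"]   # title <- event_name
    annotations.update({
        "__config_app__": "sls_pub_alert",
        "__pub_alert_service__": service_id,
        "__pub_alert_app__": app_id,
        "__pub_alert_protocol__": "sas",
        "__pub_alert_region__": region,
    })
    annotations.update(extra_annotations or {})  # Enrichment-tab annotations

    return {
        "aliuid": owner_uid,
        "alert_id": alert_id,
        "alert_type": "sls_pub",
        "alert_name": event.get("event_type", kind),
        "status": status,
        "next_eval_interval": 0,
        "alert_time": fire_time,
        "fire_time": fire_time,
        # resolve_time is 0 while firing and equals fire_time once resolved.
        "resolve_time": fire_time if status == "resolved" else 0,
        "labels": labels,
        "annotations": annotations,
        "severity": SEVERITY_MAP.get(event.get("level", "other"), "medium"),
        # policy, project and drill_down_query come from the ingestion
        # application's own configuration, not from the event record.
    }


# Constructed sample: a security event that Security Center has processed.
SAMPLE_EVENT = {
    "instanceName": "web-01", "instanceId": "i-example0001",
    "machineIp": "192.0.2.10", "internetIp": "203.0.113.5", "intranetIp": "192.0.2.10",
    "uuid": "11111111-2222-3333-4444-555555555555", "aliUid": "1000000000000001",
    "groupId": "group-web", "event_type": "Abnormal process",
    "event_name": "Suspicious command execution", "op": "fix", "status": "Done",
    "time": 1700000000, "level": "suspicious",
}

if __name__ == "__main__":
    import json
    print(json.dumps(to_sls_alert("security_event", SAMPLE_EVENT,
          owner_uid="1000000000000001", alert_id="rule-example", service_id="svc-example",
          app_id="app-example", region="region-placeholder"), indent=2))
```

Running the script prints the Log Service alert for the sample: because the Security Center status is Done, the alert status is resolved and resolve_time equals fire_time; because the event level is suspicious, severity is high; groupId lands in labels while op and status land in annotations. Feeding the same function a Pending record yields status firing with resolve_time 0, which is the pair of cases a deduplication rule on the Log Service side has to distinguish.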