Security Center sends you notifications by using text messages, emails, internal messages, or DingTalk chatbots. You can configure notification settings for items such as vulnerabilities, baseline risks, and tampered web pages. This topic describes how to configure notification settings and add DingTalk chatbots.

Background information

By default, the alert contact is the contact of your Alibaba Cloud account. To add more alert contacts, go to Message Center. Navigate to the Common Settings page. In the Product Message section, find Security Notice and click Modify in the Contact column. For more information, see How do I modify the alert contacts that receive notifications?

Only Security Center Enterprise and Ultimate support the notification method of DingTalk chatbots. If you use the Basic, Anti-virus, or Advanced edition, you must upgrade Security Center to the Enterprise or Ultimate edition before you can receive notifications from DingTalk chatbots.

Notification items

| Item | Notification frequency | Notify at | Notification method | Description |
| --- | --- | --- | --- | --- |
| Vulnerabilities | Every seven days | 08:00 to 20:00 | Email | Security Center sends you a report on unhandled vulnerabilities of your servers every seven days. The report includes the number of unhandled vulnerabilities on your assets and suggestions to fix the vulnerabilities. |
| Baseline risks | Every seven days | 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you a report on unhandled baseline risks every seven days. The report includes the number of unhandled baseline risks on your assets. |
| Alerts | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when an alert is generated. A maximum of five notifications can be sent per day. Up to one notification can be sent for each server per day. |
| Alerts of the Precision defense type | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when an alert of the Precision defense type is generated. A maximum of 2 text messages, 5 internal messages, and 20 emails can be sent per day. |
| AccessKey pair leaks | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when an AccessKey pair leak is detected. A maximum of five notifications can be sent per day. |
| Configuration risks of Alibaba Cloud services | Every seven days | 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when a risky configuration is detected. The notifications are sent every seven days. |
| Urgent vulnerabilities | Real-time notification | 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when an unfixed urgent vulnerability is detected. A maximum of 10 notifications can be sent per day. |
| Tampered web pages | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when a web page is tampered with. A maximum of five notifications can be sent per day. |
| Alerts generated by the container firewall feature | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Email | If you set the protection mode of the container firewall feature to Alert, Security Center sends you notifications when unauthorized network behavior is detected. A maximum of 100 notifications can be sent per day. |
| Proactive defense activities implemented by the container firewall feature | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Email | If you set the protection mode of the container firewall feature to Intercept, Security Center intercepts unauthorized network behavior and sends you notifications. A maximum of 100 notifications can be sent per day. |
| Blocked brute-force attacks initiated from malicious IP addresses | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when brute-force attacks initiated from malicious IP addresses are blocked. A maximum of 10 notifications can be sent per day. |
| Virus scan | The notification frequency is based on the scan cycle of viruses. | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications about virus scan results after a virus scan is complete. Security Center scans for viruses based on the scan cycle that you specify on the Virus Defense page. |
| Excess logs | Every two days | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when the log size exceeds 90% of the purchased log storage capacity. The notifications are sent every two days. |
| Alerts generated by the cloud honeypot feature | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when alerts are generated by the cloud honeypot feature. A maximum of five notifications can be sent per day. |
| Alerts generated by the application security feature | Real-time notification | One of the following periods: All day, or 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you notifications when alerts are generated by the application security feature. A maximum of 10 emails, 10 internal messages, and 5 text messages can be sent per day. |

Configure the notification methods of text messages, emails, and internal messages

  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Notification Settings.
  2. On the Text Message/Email/Internal Message tab of the Notification Settings page, configure the following parameters for the required items based on your business requirements: Notify At, Severity, and Notify By.
    Security Center allows you to modify the alert contact. For more information, see How do I modify the alert contacts that receive notifications?
    Note
    • The settings that you configure on the Notification Settings page immediately take effect.
    • If you select multiple notification methods, Security Center sends you notifications by using all the selected methods at the same time.

Configure the notification method of DingTalk chatbots

After you configure the notification method of DingTalk chatbots, you can receive notifications for threats that are identified by Security Center in the specified DingTalk group in real time.

Prerequisites

DingTalk is installed, and a DingTalk group is created to receive notifications.

Procedure

  1. Add a DingTalk chatbot in the DingTalk group.
    Important: The operations described in this section are only for your reference. When you add a chatbot, follow the instructions that are displayed on your DingTalk.
    1. Find the DingTalk group to which you want to add a chatbot and click Group Settings in the upper-right corner. In the Group Settings panel, click Group Assistant. Then, click Add Robot. In the ChatBot dialog box, click Custom. In the Robot details dialog box, click Add.
    2. Configure the DingTalk chatbot.
      Select Custom Keywords for Security Settings, and enter Security Center and Security in the Custom Keywords field.
    3. Copy the URL in the Webhook field and click Finished.
  2. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Notification Settings.
  3. On the Notification Settings page, click the DingTalk Chatbot tab and click Add Chatbot.
  4. In the Add DingTalk Chatbot panel, configure the parameters. Then, click Add.
    | Parameter | Description | Configuration |
    | --- | --- | --- |
    | Chatbot Name | The name of the chatbot. | We recommend that you enter an informative name. |
    | Webhook URL | The webhook URL of the chatbot. | Find the webhook URL of the chatbot in the required DingTalk group, copy the webhook URL, and then paste the URL in the Webhook URL field. Important: Keep the webhook URL confidential. If the webhook URL is leaked, risks may arise. |
    | Asset Groups | The asset group for which you want to send notifications. You can select an asset group that is created on the Host page. After you specify the asset group, the DingTalk chatbot sends you notifications that are related to the assets in the asset group. | Select an asset group from the drop-down list. |
    | Notify On | The types of alerts for which you want to receive notifications. The following alert types are supported: Vulnerabilities; Baseline risks; Alerts; AccessKey pair leaks; Alerts generated by cloud honeypot; Alerts generated by application security. | Select the alert types and risk levels from the drop-down list. |
    | Notification Interval | The time interval at which the DingTalk chatbot sends notifications. Valid values are 1 Minute, 5 Minutes, 10 Minutes, 30 Minutes, and No Limit. If you select No Limit, a notification is sent each time an alert is detected. Note: If you select No Limit, a maximum of 20 notifications can be sent to the webhook URL in one minute. | Select a time interval from the drop-down list. |
    | Language | The language of the notifications. Valid values: English and Chinese. | Select a language from the drop-down list. |
    By default, a newly added DingTalk chatbot is in the enabled state.
    Note
    • After you add the DingTalk chatbot, click Test in the Actions column to check whether the chatbot is associated with the DingTalk group.
    • You can modify or delete the DingTalk chatbot. After you delete the chatbot, you can no longer receive notifications in the DingTalk group. However, you can still receive notifications by using other methods that you specify, such as text messages, emails, or internal messages.
    After you complete the preceding steps, Security Center sends you notifications based on your configurations.
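
Because the webhook URL must be kept confidential, it helps to check that it has not ended up in configuration files, logs, or documentation. The following is an added example, not part of the Security Center documentation: a small scanner that finds DingTalk chatbot webhook URLs in text and reports them with the token redacted. The URL pattern, the file names, and the sample token are assumptions made for illustration.

```python
import hashlib
import re

# Assumption: a DingTalk custom chatbot webhook has this URL shape and carries
# its secret in the access_token query parameter.
WEBHOOK_RE = re.compile(
    r"(https://oapi\.dingtalk\.com/robot/send\?access_token=)([0-9A-Za-z]+)"
)

def fingerprint(token):
    """Short SHA-256 prefix: identifies which chatbot leaked without exposing it."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def redact(text):
    """Replace the token of every webhook URL in text with a placeholder."""
    return WEBHOOK_RE.sub(r"\g<1><redacted>", text)

def scan(name, text):
    """Return one finding per webhook URL found in text, with the token redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in WEBHOOK_RE.finditer(line):
            findings.append({
                "file": name,
                "line": lineno,
                "token_fp": fingerprint(match.group(2)),
                "excerpt": redact(line.strip()),
            })
    return findings

def scan_all(files):
    """Scan a mapping of file name -> content."""
    return [f for name, text in files.items() for f in scan(name, text)]

# Constructed sample input; the token is made up.
SAMPLE_TOKEN = "ab12" * 16
SAMPLE_URL = "https://oapi.dingtalk.com/robot/send?access_token=" + SAMPLE_TOKEN
SAMPLES = {
    "deploy/notify.env": "TEAM=secops\nDING_HOOK=" + SAMPLE_URL + "\n",
    "app.log": "2024-05-01T10:00:00Z POST " + SAMPLE_URL + " status=200\nheartbeat ok\n",
    "README.md": "Alerts go to the SecOps DingTalk group.\n",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(finding)
```

Matching fingerprints across findings show that the same chatbot is exposed in several places. If a URL is found where it should not be, delete the chatbot in the DingTalk group, add a new one, and update the Webhook URL field in Security Center.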