All Products
Search
Document Center

Security Center:Customize Security Center alert notifications

Last Updated:Jun 04, 2026

Security Center sends alert notifications through DingTalk by default. To forward alerts to Lark or WeChat Work, use CloudMonitor event subscriptions.

Overview

Security Center pushes alerts to CloudMonitor, which forwards them to Lark or WeChat Work through event subscriptions. Follow these steps:

  1. Enable CloudMonitor push: Turn on the CloudMonitor push switch in Security Center notification settings and select alert types.

  2. Create a chatbot: Create a custom chatbot in Lark or WeChat Work and copy its webhook URL.

  3. Create a CloudMonitor alert contact group:

    1. Create an alert contact in CloudMonitor and bind the webhook URL.

    2. Add the alert contact to an alert contact group.

  4. Create a CloudMonitor notification policy: Create a notification policy and associate it with the alert contact group.

  5. Configure a CloudMonitor event subscription: Subscribe to Security Center system events and associate the subscription with the notification policy.

Step 1: Enable CloudMonitor push in Security Center

Enable CloudMonitor push so it can receive and forward Security Center alerts.

Important

CloudMonitor does not receive Security Center alerts until you enable this feature.

  1. Go to the Security Center console > System Settings > Notification Settings page. In the upper-left corner of the page, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  2. On the Cloud Monitor Push tab, select the notification items to push. The following table describes these notification items.

    Notification item

    Push frequency

    Description

    Security Incident

    Push ResultDetails: No limit

    Notifications for detected security attacks, such as DDoS attacks and brute-force attacks.

    Alert

    Push ResultDetails: No limit

    Notifications for threats detected on hosts or in containers, such as suspicious logon activity and malicious processes.

    Baseline Check

    Push ResultOverview: Sent once a week every Thursday.

    Notifications for summary reports of security baseline checks.

    CSPM

    Push ResultOverview: Sent once a week every Thursday.

    Notifications for summary reports of cloud platform configuration risk checks.

    Agentless Detection

    Push ResultDetails: Customizable

    Notifications for security scan results that do not require an agent to be installed.

    Malicious file

    Push ResultDetails: Customizable

    Notifications for malicious files detected by the malicious file detection SDK.

    Vulnerability

    Push ResultOverview: Sent once a week every Thursday.

    Push ResultDetails: Customizable

    Notifications for detection results and summaries of system and application vulnerabilities.

    Application Protection

    Push ResultDetails: Customizable

    Alert notifications for Runtime Application Self-Protection (RASP).

Step 2: Create a chatbot

Create a custom chatbot in Lark or WeChat Work and copy its webhook URL for use in Step 3.

Lark chatbot

Create a custom chatbot from the Lark desktop client.

  1. Open the Lark desktop client and log on. In a group, click the Settings icon icon in the upper-right corner, then click Group Robot.

  2. In the Group Robot panel, click Add Robot and select Custom Robot.

  3. On the chatbot configuration page, enter a Robot Name, such as CloudMonitor Alert, and click Add.

  4. Copy the webhook URL. Then, select Custom Keywords and enter keywords such as alert, CloudMonitor, or Security Center.

    Important
    • Lark blocks messages without a matching keyword. Add multiple general keywords to ensure delivery.

    • Save the webhook URL securely. You need it to configure the CloudMonitor alert contact.

    Lark webhook URL

Create a WeChat Work bot

Create a custom chatbot from the WeChat Work mobile app.

  1. Open and log on to the WeChat Work app.

  2. In a WeChat Work group, tap the More icon icon in the upper-right corner, then tap Group Robot.

  3. On the Group Robot page, tap Add Robot.

  4. On the Add Robot page, enter a Custom Robot Name, such as CloudMonitor Alert, then tap Add.

  5. On the confirmation page, tap Copy to save the webhook URL.

    Important

    Save the webhook URL securely. You need it to configure the CloudMonitor alert contact.

Step 3: Configure alert contacts and policies

Create an alert contact in CloudMonitor, bind the webhook URL from Step 2, and add the contact to a contact group.

  1. Create an alert contact

    1. Log on to the CloudMonitor console. In the left-side navigation pane, choose Alerts > Alert Contacts.

    2. On the Alert Contacts tab, click Create Alert Contact.

    3. In the Set Alert Contact panel, configure the following parameters:

      • Name: Enter a name, such as Lark chatbot or WeChat Work chatbot.

      • DingTalk|Lark|WeCom|Slack Webhook(http|https): Paste the webhook URL from Step 2. This universal webhook field accepts URLs for both Lark and WeChat Work.

    4. (Optional) Test webhook connectivity: Click Test next to the webhook field. A 200 status code confirms a successful connection.

    5. After you verify the information, click Confirm.

  2. Create an alert contact group

    1. Click the Alert Contact Group tab, and then click Create Alert Contact Group.

    2. In the Create Alert Contact Group panel, configure the following parameters and click Confirm.

      1. Group Name: Enter a name for the group, such as Lark chatbot group or WeChat Work chatbot group.

      2. Select contacts: Select the alert contact you created in the previous step.

  3. Create a notification policy

    1. In the left-side navigation pane, choose Event Center > Notification Configuration.

    2. Click Create policy. Configure the following parameters and click OK.

      • Name: Enter a name for the policy. For example, Security Center Alert Notification.

      • Notification Settings: Select Set Notification Group Directly.

      • Contact Group: Select the alert contact group you created in the previous step.

Step 4: Configure an event subscription

Subscribe to Security Center system events and associate the subscription with the notification policy from Step 3.

  1. Log on to the CloudMonitor console. In the left-side navigation pane, choose Event Center > Event Subscription.

  2. On the Subscription Policy tab, click Create Subscription Policy and configure the following parameters.

    • Name: Enter a descriptive name, such as Security Center Alerts to Lark.

    • Subscription Type: Select System Events.

    • Subscription Scope:

      • Products: Select Security Center.

      • Event Type: Select the event type that maps to the Notification Item and Push Content you enabled in Step 1. Mappings:

        Security Center

        CloudMonitor

        Security Incident

        Incident

        Alert

        Suspicious

        Baseline Check

        System-Baseline-cnt

        CSPM

        Cspm-cnt

        Agentless Detection

        Agentless

        Malicious file

        mfd SDK

        Vulnerability

        Push Result Overview: Vulnerability-cnt

        Push Result Details: Vulnerability

        Application Protection

        Rasp

      • Event name and Event Level: Select the events you want notifications for.

        • Leave these fields empty to receive notifications for all events.

        • If you select Set as blacklist, the rule inverts: you receive notifications for all events except those matching the specified Event name or Event Level.

      • Application grouping, Event Content, and Event Resources: Keep the defaults.

    • Combined Noise Reduction: Keep the defaults.

    • Notification Configuration: Select the notification policy from Step 3.

    • Custom Notification Method and Push and Integration: Keep the defaults.

  3. Click Submit.

FAQ

  • Why am I not receiving alerts after completing the configuration?

    Check the following:

    1. Security Center push switch: Verify that the Cloud Monitor Push switch is on for the expected alert types in Step 1.

    2. Event subscription rule: In Step 4, confirm that the filter conditions (Event Type, event level) match the expected alerts.

    3. Lark keywords (most common issue): Ensure the custom keywords match alert message content. Use general keywords like alert or event.

    4. Webhook URL: In CloudMonitor Alert Contacts, use Test to verify the webhook is reachable. Check for incorrect URLs or firewall blocking.

    5. CloudMonitor event history: Check Event Center > Event History for received events. Failed pushes show a failure reason.

  • How can I avoid alert fatigue?

    • Enable Merge and Reduce Noise: In the event subscription, configure Merge and Reduce Noise to consolidate repeated events within a time window (for example, 1 minute).

    • Filter precisely: Set the event level (for example, high-risk only) or specify particular event name values to reduce noise.

  • What should I do if the webhook test returns a non-200 status code?

    A non-200 status code means CloudMonitor cannot reach your chatbot. Common causes:

    • Incorrect URL: The webhook URL is incomplete or incorrect.

    • IP whitelist restrictions: Some tools like Lark use IP whitelists. Add CloudMonitor server IPs to the whitelist.

    • Keyword mismatch (Lark): The message lacks a matching keyword, so Lark blocks delivery.

    • Frequency limit exceeded: The bot hit its rate limit. WeChat Work, for example, allows only 15 messages per minute.