Security Center can send you notifications by using text messages, emails, internal messages, or DingTalk chatbots. You can configure notification settings for items such as weekly security reports, baseline risks, and web pages that are tampered with. This topic describes how to configure the notification settings of Security Center.
Background Information
By default, the contact that receives notifications is the contact of your Alibaba Cloud account. You can modify the notification contact. For more information, see How do I modify the contacts that receive alert notifications?
Only the Enterprise and Ultimate editions of Security Center support the notification method of DingTalk chatbots.
Supported notification items
Item | Notification frequency | Notification time | Notification method | Description |
Weekly security reports | Every seven days. | 08:00 to 20:00 | Security Center sends you a weekly security report of your servers every seven days. The report includes the number of baseline risks, number of unhandled vulnerabilities, suggestions to fix the vulnerabilities, and information about alerts on your assets. | |
Task execution result in anti-ransomware | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, and internal message | Security Center sends you a notification when an anti-ransomware backup task or restoration task is complete. The notification is sent based on the specified result to notify you of whether the task is successful or fails. The notification is sent in the notification period that you specify. |
Baseline risks | Every seven days. | 08:00 to 20:00 | Text message, email, internal message, and DingTalk chatbot | Security Center sends you a report on unhandled baseline risks every seven days. The report includes the number of unhandled baseline risks on your assets. |
Insufficient anti-ransomware capacity | Real-time notification. | 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you a notification when your anti-ransomware capacity is insufficient.
|
Insufficient threat analysis log capacity | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, and internal message | Security Center sends you a notification when the size of threat analysis logs exceeds 80% of the purchased storage capacity for threat analysis logs. The notification is sent in the notification period that you specify. |
Alerts | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, internal message, and DingTalk chatbot Note Security Center Basic supports only internal messages. | Security Center sends you a notification when an alert is generated. A maximum of five notifications can be sent per day. A maximum of one notification can be sent for each server per day. |
Alerts generated by the precision defense feature | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, and internal message | Security Center sends you a notification when an alert is generated based on the precise defense feature. A maximum of 2 text messages, 5 internal messages, and 20 emails can be sent per day. |
AccessKey pair leaks | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, internal message, and DingTalk chatbot | Security Center sends you a notification when an AccessKey pair leak is detected. A maximum of five notifications can be sent per day. |
Configuration risks of Alibaba Cloud services | Every seven days. | 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you a notification when configuration risks are detected. The notifications are sent every seven days. |
Urgent vulnerabilities | Real-time notification. | 08:00 to 20:00 | Text message, email, and internal message | Security Center sends you a notification when an unfixed urgent vulnerability is detected. A maximum of 10 notifications can be sent per day. |
Web pages that are tampered with | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, and internal message | Security Center sends you a notification when it detects that a web page is tampered with. A maximum of five notifications can be sent per day. |
Alerts generated by the container firewall feature | Real-time notification. | Notifications can be sent in one of the following periods:
| If you set the protection mode of the container firewall feature to Alert, Security Center sends you a notification when unauthorized network behavior is detected. A maximum of 100 notifications can be sent per day. | |
Proactive defense activities implemented by the container firewall feature | Real-time notification. | Notifications can be sent in one of the following periods:
| If you set the protection mode of the container firewall feature to Intercept, Security Center intercepts unauthorized network behavior and sends you a notification. A maximum of 100 notifications can be sent per day. | |
Blocked brute-force attacks initiated from malicious IP addresses | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, and internal message | Security Center sends you a notification when it blocks brute-force attacks initiated from malicious IP addresses. A maximum of 10 notifications can be sent per day. |
Virus scan results | The notification frequency is based on the scan cycle of viruses. | Notifications can be sent in one of the following periods:
| Text message, email, and internal message | Security Center sends you a notification for virus scan results after a virus scan is complete. Security Center scans for viruses based on the scan cycle that you specify. |
Excess logs | Every two days. | Notifications can be sent in one of the following periods:
| Text message, email, and internal message | Security Center sends you a notification when the log size exceeds the specified threshold based on the purchased log storage capacity. The notification is sent every two days. You can click the |
Alerts generated by the cloud honeypot feature | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, internal message, and DingTalk chatbot | Security Center sends you a notification when an alert is generated by the cloud honeypot feature. A maximum of five notifications can be sent per day. |
Alerts generated by the application protection feature | Real-time notification. | Notifications can be sent in one of the following periods:
| Text message, email, internal message, and DingTalk chatbot | Security Center sends you a notification when an alert is generated by the application protection feature. A maximum of 10 emails, 10 internal messages, or 5 text messages can be sent per day. |
icon in the Insufficient Anti-ransomware Capacity section to adjust the threshold. Configure notification settings on the Text Message/Email/Internal Message tab
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the Text Message/Email/Internal Message tab of the Notification Settings page, configure the following parameters for the required items based on your business requirements: Notify At, Severity, and Notify By.
You can modify the notification contact. For more information, see How do I modify the contacts that receive alert notifications?
NoteThe settings that you configure on the Text Message/Email/Internal Message tab immediately take effect.
If you select multiple notification methods, Security Center sends notifications by using all the selected methods at the same time.
Configure notification settings on the DingTalk Robot tab
After you configure the notification method of DingTalk chatbots, you can receive notifications for threats that are identified by Security Center in the specified DingTalk group in real time.
Prerequisites
DingTalk is installed, and a DingTalk group is created to receive notifications.
Procedure
Create a DingTalk chatbot in the DingTalk group.
ImportantThe operations described in this section are only for your reference. When you create a chatbot, follow the instructions that are displayed on your DingTalk.
Find the DingTalk group in which you want to create a chatbot and click Group Settings in the upper-right corner. In the Group Settings panel, click Group Assistant. Then, click Add Robot. In the ChatBot dialog box, click Custom. In the Robot details dialog box, click Add.
Configure the DingTalk chatbot.
Select Custom Keywords for Security Settings, and enter Security Center and Security in the Custom Keywords field.
Copy the URL in the Webhook field and click Finished.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose .
On the DingTalk Chatbot tab of the Notification Settings page, click Add Chatbot.
In the Add DingTalk Chatbot panel, configure the parameters and click Add.
Parameter
Description
Configuration
Chatbot Name
The name of the chatbot.
We recommend that you enter an informative name.
Webhook URL
The webhook URL of the chatbot.
Find the webhook URL of the chatbot in the DingTalk group, copy the webhook URL, and then paste the URL in the Webhook URL field.
ImportantKeep the webhook URL confidential. If the webhook URL is leaked, risks may arise.
Asset Groups
The asset group for which you want to receive notifications. You can select an asset group that is created on the Assets page. After you select the asset group, the DingTalk chatbot sends you notifications that are related to the assets in the asset group.
Select an asset group from the drop-down list.
Notify On
The items for which you want to receive notifications. The following notification items are supported:
Vulnerabilities
Baseline risks
Alerts
AccessKey pair leaks
Alerts generated by cloud honeypot
Alerts generated by application protection
Anti-ransomware
Select the alert types and risk levels from the drop-down list.
Notification Interval
The time interval at which the DingTalk chatbot sends notifications. Valid values are 1 Minute, 5 Minutes, 10 Minutes, 30 Minutes, and No Limit. If you select No Limit, a notification is sent each time an alert is generated.
NoteIf you select No Limit, a maximum of 20 notifications can be sent to the webhook URL in one minute.
Select a time interval from the drop-down list.
Language
The language of the notifications. Valid values: English and Chinese.
Select a language from the drop-down list.
By default, a newly created DingTalk chatbot is in the enabled state.
NoteAfter you create the DingTalk chatbot, click Test in the Actions column to check whether the chatbot is connected to Security Center.
You can modify or delete the DingTalk chatbot. After you delete the chatbot, you can no longer receive notifications in the DingTalk group. However, you can still receive notifications by using other methods that you specify, such as text messages, emails, or internal messages.
After you complete the preceding steps, Security Center sends you notifications based on your configurations.