Use notification settings to configure alert policies for security events such as security alerts, vulnerabilities, and baseline risks. The system sends notifications via SMS, email, internal message, and DingTalk robot to help you respond promptly to security risks.
Configure notifications
Configure SMS, email, and internal message notifications
Step 1: Configure notification recipients
Before you configure notifications, you must specify the recipients. By default, notifications are sent to your account contact, the person specified during account registration.
Log on to Alibaba Cloud Message Center and go to the page.
On the Contact tab, manage notification recipients.
Select existing contacts: In the dialog box that appears, select the check boxes next to the contacts you want to receive notifications.
Add a new contact: Click Manage Contacts. This action redirects you to the Address and Contact page. On the Address and Contact page, click Add Contact. Enter the name, mobile number, and email address, and then click Save.
Note: A new mobile number or email address must be verified before it can receive alerts. Check the verification SMS or email sent by the system and follow the instructions. For more information, see Manage basic message recipients and Modify an address and contact.
Modify a contact: Click Manage Contacts. This action redirects you to the Address and Contact page. On the Address and Contact page, enter the name, mobile number, and email address, and then click Save.
After you configure the settings, click Save. The changes take effect immediately.
Step 2: Configure notification policies
Security Center provides three notification channels: SMS, email, and Internal Message. You can configure each notification item as needed. The settings take effect immediately.
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your protected assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Text Message/Email/Internal Message tab, find the notification item that you want to configure. Use the following information to configure Notification Time, Concerned Level, and Notification Method.
Notification Time:
24 hours: Send real-time notifications around the clock. This option is recommended for urgent, high-severity events.
08:00–20:00: Send notifications only within the specified time range.
Important: If a notification is triggered outside the selected time window, its delivery might be delayed. Actual delivery times may vary.
The system sets the sending frequency, which you cannot change. For more information, see Quotas and limits.
Concerned Level: Filter notifications by event severity. For example, you can choose to receive only critical and high alerts.
Notification Method:
You can select multiple methods, such as SMS, email, and Internal Message.
Some notification items support only specific methods. The available methods are displayed in the console.
If you select multiple notification methods, the notification is sent to all selected channels simultaneously.
Configure DingTalk chatbot notifications
After you configure DingTalk chatbot notifications, you can receive real-time threat alerts from Security Center in your DingTalk groups.
Usage notes
Procedure
Obtain the webhook address
If you have not created a chatbot
In the DingTalk client, select the target group chat and click the Group Settings icon in the upper-right corner.
In the Group Management section, click Chatbot. On the Chatbot Management page, click Add Chatbot and select Custom.
In the Security Settings section, set Custom Keywords based on the configured notification language.
For Chinese notifications: 云安全中心
For English notifications: Security
Select the I have read and agree to the "Custom Robot Service and Disclaimer" check box and click Finish. After the chatbot is added, its webhook address is displayed.
Note: For more information, see Create a custom chatbot.
If you have created a chatbot
In the DingTalk client, select the target group chat and click the Group Settings icon in the upper-right corner.
In the Group Management section, click Chatbot. On the Chatbot Management page, click the target chatbot. The webhook address is on the details page.
Note: For more information, see Obtain the webhook address of a custom chatbot.
Add the chatbot in Security Center
Log on to the Security Center console.
In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your protected assets are located: Chinese Mainland or Outside Chinese Mainland.
On the DingTalk Chatbot tab of the Notification Settings page, click Add Chatbot. In the Add DingTalk Chatbot panel, complete the configuration and click Add. The following table describes the key parameters.
Note: By default, new DingTalk chatbots are enabled.
| Parameter | Description |
| --- | --- |
| Webhook URL | Paste the webhook address that you obtained in Step 1. Important: Keep your webhook address confidential. Do not post it on external websites. A leaked webhook address poses a security risk. |
| Asset Groups | Select an asset group that you created in the Assets of Security Center. After you select an asset group, the DingTalk chatbot will send alert notifications for the assets in that group. For more information about how to configure assets, see Manage server groups. |
| Notify On | Select the alert types and severity levels for which to receive DingTalk chatbot notifications. Note: The system uses OR logic to evaluate these settings. A notification is sent if an alert matches any specified type or severity level. |
| Notification Interval | The sending interval for DingTalk chatbot notifications. Important: A single webhook for a DingTalk chatbot can receive a maximum of 20 notifications per minute. For more information, see DingTalk chatbot frequency and throttling rules. |
| Language | The language of the notifications sent by the DingTalk chatbot. You can select Chinese or English. |
Test the notification (optional)
In the DingTalk chatbot list, find the newly created chatbot and click Test in the Actions column to verify that the DingTalk chatbot is connected to the DingTalk group.
Note: You can edit or delete DingTalk chatbot notifications. If you delete a chatbot configuration, you will no longer receive the related alert notifications from that chatbot. This does not affect the SMS, email, or Internal Message notifications that you have configured.
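A check for stray copies of the webhook address in configuration files, scripts, and logs, given as an added example that is not from the original page or from Alibaba Cloud. The URL pattern of a DingTalk custom chatbot webhook, the function names, and the sample input are assumptions; the token in the sample is constructed.

```python
import hashlib
import re

# Assumed shape of a DingTalk custom chatbot webhook URL (not shown on this page).
# The token pattern is deliberately loose so truncated copies are still caught.
WEBHOOK_RE = re.compile(
    r"https://oapi\.dingtalk\.com/robot/send\?access_token=([0-9A-Za-z]{16,})"
)


def redact(token, keep=4):
    """Keep a short prefix for triage and mask the rest."""
    return token[:keep] + "*" * (len(token) - keep)


def fingerprint(token):
    """Stable short ID so identical leaked webhooks can be grouped safely."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def find_webhooks(text, source="<memory>"):
    """Return one finding per webhook URL, never including the raw token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in WEBHOOK_RE.finditer(line):
            token = match.group(1)
            findings.append({
                "source": source,
                "line": lineno,
                "token": redact(token),
                "fingerprint": fingerprint(token),
            })
    return findings


def scrub(text):
    """Mask every webhook token in text before it is shared or logged."""
    return WEBHOOK_RE.sub(
        lambda m: m.group(0)[: m.start(1) - m.start(0)] + redact(m.group(1)), text
    )


# Constructed sample input; the token is fake.
FAKE_TOKEN = "0123456789abcdef" * 4
SAMPLE = (
    "# deploy notes (constructed)\n"
    f"notify_url: https://oapi.dingtalk.com/robot/send?access_token={FAKE_TOKEN}\n"
    f"curl -s 'https://oapi.dingtalk.com/robot/send?access_token={FAKE_TOKEN}' -d @msg.json\n"
    "docs: https://oapi.dingtalk.com/robot/send?access_token=<YOUR_TOKEN>\n"
)

if __name__ == "__main__":
    for finding in find_webhooks(SAMPLE, "deploy-notes.txt"):
        print(finding)
    print(scrub(SAMPLE))
```

Findings that share a fingerprint refer to the same webhook, so one leaked address copied into several files shows up as a single item to act on.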
Configure Cloud Monitor Push
Enable Cloud Monitor Push in Security Center so that Cloud Monitor can receive alerts from Security Center. Once alerts are pushed to Cloud Monitor, you can use its event subscription feature to forward alerts from Security Center to channels like Lark groups or WeCom groups.
You must enable Cloud Monitor Push in Security Center before Cloud Monitor can receive the corresponding alert data.
Go to the Notification Settings page of the Security Center console. In the upper-left corner of the page, select the region where your protected assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Cloud Monitor Push tab, select the notification items to push. The following table describes these notification items.
| Notification item | Push frequency | Description |
| --- | --- | --- |
| Security Incident | Push ResultDetails: No limit | Notifications for detected security attacks, such as DDoS attacks and brute-force attacks. |
| Alert | Push ResultDetails: No limit | Notifications for threats detected on hosts or in containers, such as suspicious logon activity and malicious processes. |
| Baseline Check | Push ResultOverview: Sent once a week every Thursday. | Notifications for summary reports of security baseline checks. |
| CSPM | Push ResultOverview: Sent once a week every Thursday. | Notifications for summary reports of cloud platform configuration risk checks. |
| Agentless Detection | Push ResultDetails: Customizable | Notifications for security scan results that do not require an agent to be installed. |
| Malicious file | Push ResultDetails: Customizable | Notifications for malicious files detected by the malicious file detection SDK. |
| Vulnerability | Push ResultOverview: Sent once a week every Thursday.; Push ResultDetails: Customizable | Notifications for detection results and summaries of system and application vulnerabilities. |
| Application Protection | Push ResultDetails: Customizable | Alert notifications for Runtime Application Self-Protection (RASP). |
Configure custom event subscriptions in Cloud Monitor. For more information, see Customize monitoring notifications for Security Center.
Disable notifications
Disable text, email, and internal notifications
On the left-side navigation pane, choose . In the upper-left corner of the console, select the region of your protected assets: Chinese Mainland or Outside Chinese Mainland.
On the Text Message/Email/Internal Message tab, find the target notification item, and in the Notification Method column, clear the check box for any unwanted channel.
Disable DingTalk chatbot
On the left-side navigation pane, choose . In the upper-left corner of the console, select the region of your protected assets: Chinese Mainland or Outside Chinese Mainland.
On the DingTalk Chatbot tab, find the target chatbot and perform one of the following actions:
| Goal | How | Notes |
| --- | --- | --- |
| Temporarily disable (Temporarily stops all notifications) | Turn off the switch in the Enabling Status column. | The configuration is saved and you can re-enable it at any time. |
| Permanently delete (Stops using this chatbot) | In the Actions column, click Actions. | This action cannot be undone. To use the chatbot again, you must create and configure it again. |
| Filter notifications (Receive only specific alerts) | 1. In the Actions column, click Actions. 2. In the Notify On section, remove any unwanted alert types or severity levels. | This allows you to control notification granularity and avoid information overload. |
Disable CloudMonitor push notifications
On the left-side navigation pane, choose . In the upper-left corner of the console, select the region of your protected assets: Chinese Mainland or Outside Chinese Mainland.
On the Cloud Monitor Push tab, find the target notification item, and in the Push Content column, clear the check box for any unwanted notification item.
Quotas and limits
Notification frequency and rate limits
To prevent alert fatigue, Security Center limits the frequency and volume of notifications. The following tables describe the specific limits for each notification item.
Defense alerts
Item
Frequency/trigger condition
Daily rate limit (SMS/Email/internal message)
AccessKey leak intelligence
Sent in real time.
Up to 5 notifications per day.
precision defense
Up to 2 SMS messages, 20 emails, and 5 internal messages per day.
web tamper-proofing
Up to 5 notifications per day.
cloud honeypot alert
Up to 5 notifications per day.
application protection alert
Up to 5 SMS messages, 10 emails, and 10 internal messages per day.
malicious IP blocking alert
Up to 10 notifications per day.
Detection alerts
Item
Frequency/trigger condition
Daily rate limit (SMS/Email/internal message)
security alert
Sent in real time.
Up to 5 notifications per Alibaba Cloud account within 24 hours.
Up to 1 notification per server within 24 hours.
New security event
Notifications for the same security event (new or updated) are sent only once per day.
Up to 5 notifications for new and updated security events are sent per day in total.
Updated security event
emergency vulnerability intelligence
Up to 10 notifications per day.
Container security alerts
Item
Frequency/trigger condition
Daily rate limit (SMS/Email/internal message)
container microsegmentation alert
Sent in real time.
Up to 100 emails per day. Excess notifications are sent later.
container microsegmentation proactive defense notification
Up to 100 emails per day. Excess notifications are sent later.
container image scan malicious alert
Up to 1 SMS message, 24 emails, and 24 internal messages per day.
container image scan baseline risk notification
Up to 1 notification per day.
container image scan vulnerability risk notification
Up to 1 SMS message, 24 emails, and 1 internal message per day.
container image scan sensitive file alert
Up to 1 SMS message, 24 emails, and 24 internal messages per day.
Agentless detection alerts
Item
Frequency/trigger condition
Daily rate limit (SMS/Email/internal message)
agentless detection malicious sample notification
Notifications are sent after the scan task is complete.
Up to 1 SMS message, 1 email, and 1 internal message per day.
agentless detection vulnerability risk notification
agentless detection baseline risk notification
agentless detection sensitive file alert
Periodic and threshold-triggered notifications
Item
Frequency/trigger condition
Daily rate limit (SMS/Email/internal message)
security weekly report
Once every 7 days.
None
baseline check
cloud security posture management
anti-ransomware task execution result
Sent after the task is complete.
anti-ransomware storage capacity exceeded
Security Center sends an immediate notification when the anti-ransomware storage usage reaches 100% of the purchased capacity.
Security Center performs a check every 7 days and sends a notification if the used capacity exceeds the configured threshold.
threat analysis hot data log storage exceeded alert
Sent in real time.
threat analysis log ingestion traffic exceeded alert
log storage exceeded
Once every 2 days.
virus scan notification
Notifications are sent based on the virus scan cycle.
DingTalk Chatbot frequency and rate limits
Notification frequency: You can set the interval to 1 minute, 5 minutes, 10 minutes, 30 minutes, or No limit.
Rate limit for the No limit option: A single DingTalk Chatbot webhook URL can receive a maximum of 20 notifications per minute.
FAQ
Contact and recipient management
How do I modify the contact information (email address or phone number) for alert notifications?
Modify this information in Account Management. For details, see Step 1: Configure notification recipients.
Why are alerts still sent to an old contact, or not received by a new one, after I've updated the contact information?
To troubleshoot this issue, check the following:
Verify your changes: Confirm that you have correctly modified or added the contact and completed the phone or email verification. For details, see Step 1: Configure notification recipients.
Check other product configurations: Verify that other cloud products, such as CloudMonitor, do not have independent alert rules that still use the old contact.
How can I configure alert recipients in bulk by role (for example, O&M and development)?
Bulk configuration by role is not currently supported. As a workaround, use the "position" tag when adding or modifying contacts to identify them by role.
Troubleshoot alert delivery
I configured alert notifications but am not receiving them. What should I do?
To troubleshoot this issue, check the following:
Check the recipient: Verify that the phone number or email address has been added and verified in recipient management settings. For instructions, see Step 1: Configure notification recipients.
Check notification settings: Confirm that the relevant notification item is enabled, the Concerned Level matches the alert severity, and the notification schedule is set to 24 hours.
Check your spam folder: Look for the notification in your email's spam or junk folder, or in your SMS blocklist.
Check rate limits: Refer to the quotas and limits section to confirm that you have not exceeded the daily sending limit.
Check the region: Ensure the configured notification region (China or Global (excluding China)) matches the region of the asset that triggered the alert.
Why did my DingTalk Chatbot receive an "Unusual Logon" alert even though I disabled that alert type?
Cause: This occurs if you set the notification level for a security alert to Suspicious. The notification rule is triggered if either the alert type or the level matches your settings.
Solution: Go to Notification Settings and deselect Suspicious under the notification level settings for security alerts.
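The OR evaluation behind this answer, modeled as an added example that is not Security Center code. The class, its field names, and the catalogue of alert types and levels are assumptions; only "Unusual Logon" and "Suspicious" come from this page.

```python
from dataclasses import dataclass, field
from itertools import product

# Constructed catalogue: only "Unusual Logon" and "Suspicious" come from the page.
ALL_TYPES = ["Unusual Logon", "Malicious Process", "Webshell"]
ALL_LEVELS = ["Urgent", "Suspicious", "Reminder"]


@dataclass
class NotifyOn:
    """Hypothetical model of one chatbot's Notify On selection."""
    alert_types: set = field(default_factory=set)
    levels: set = field(default_factory=set)

    def matches(self, alert_type, level):
        # OR logic: a hit on either the type or the level sends the notification.
        return alert_type in self.alert_types or level in self.levels


def notified(cfg, types=ALL_TYPES, levels=ALL_LEVELS):
    """Every (type, level) pair the configuration would notify on."""
    return {(t, l) for t, l in product(types, levels) if cfg.matches(t, l)}


def unexpected(cfg, types=ALL_TYPES, levels=ALL_LEVELS):
    """Pairs that still notify although their alert type is deselected."""
    return sorted(p for p in notified(cfg, types, levels)
                  if p[0] not in cfg.alert_types)


def effect_of_clearing(cfg, level, types=ALL_TYPES, levels=ALL_LEVELS):
    """Pairs that stop notifying once `level` is deselected."""
    after = NotifyOn(set(cfg.alert_types), cfg.levels - {level})
    return sorted(notified(cfg, types, levels) - notified(after, types, levels))


if __name__ == "__main__":
    cfg = NotifyOn({"Malicious Process", "Webshell"}, {"Urgent", "Suspicious"})
    print("still notifying for deselected types:", unexpected(cfg))
    print("silenced by clearing Suspicious:", effect_of_clearing(cfg, "Suspicious"))
```

Clearing a level silences only alerts whose type is also deselected; alerts of a selected type keep notifying at every level because the type alone matches.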
Appendix: Notifications
Periodic reports
Notification item
Description
Security weekly report
You receive a notification with the subject Alibaba Cloud Security Center Weekly Report. The report includes the number of unhandled vulnerabilities, suggested vulnerability fixes, the number of baseline risks, and alerts on your assets.
Note: You do not receive the security weekly report if your account has no ECS instances, or if your ECS instances are stopped or have been released.
Baseline check
You receive a notification with the subject Security Center Weekly Report on Unhandled Baseline Configuration Risks. This report lists the number of unhandled baseline risks on your assets.
Resources and capacity
Notification item
Description
Insufficient anti-ransomware capacity
The notification mechanism for insufficient anti-ransomware capacity is as follows:
You receive a real-time notification when your used anti-ransomware capacity reaches 100% of your purchased capacity.
Security Center checks the anti-ransomware capacity usage at a scheduled time each day. If the used capacity exceeds the configured threshold, you receive a notification. You can click the icon in the Insufficient Anti-ransomware Capacity area to adjust the notification threshold.
Excessive threat analysis hot data logs
This notification reports the storage usage for threat analysis logs.
Excessive threat analysis log ingestion
You receive an upgrade reminder when ingested log traffic exceeds 80% of your subscribed log traffic.
Excess logs
You receive a notification when your log storage volume exceeds the purchased capacity threshold.
In the Excess Logs area, click the icon to adjust the log capacity threshold for notifications.
Feature alerts
Notification item
Description
Anti-ransomware task execution results
During the configured notification period, you receive a notification after an anti-ransomware data backup or recovery task completes, if the result (success or failure) matches your preference.
New security events
You receive a notification when Security Center detects new security events that require handling.
Updated security events
You receive a notification when a security event in Pending status is updated with a new associated security alert.
Security alert
You receive a notification when Security Center detects a security alert.
Precision defense
You receive a notification when Security Center detects a precision defense alert.
AccessKey leak
You receive a notification when Security Center detects a leaked AccessKey for the current Alibaba Cloud account or its RAM users and confirms that the secret key (SK) is valid.
CSPM
You receive a notification when CSPM detects a risk.
Emergency vulnerability intelligence
You receive a notification when new intelligence about a widespread emergency vulnerability becomes available and Security Center supports its detection.
Note: To receive notifications about vulnerabilities on your assets, you can create a DingTalk chatbot or use the security report feature in Security Center. For more information, see Configure DingTalk chatbot notifications and Security reports.
Web tamper-proofing
You receive a notification when Security Center detects a web tamper-proofing alert.
Malicious IP blocking alert
You receive a notification after Security Center blocks a brute-force attack from a malicious IP.
Virus scan notification
You receive a notification with the scan results after each virus scan completes, based on your configured scan cycle.
Cloud honeypot alert
You receive a notification when Security Center detects a cloud honeypot alert. You receive a maximum of five notifications per day.
Application protection alert
You receive a notification when Security Center detects an application protection alert.
Container security
Notification item
Description
Container microsegmentation anomaly alert
You receive a notification when Security Center detects unauthorized network activity.
Container microsegmentation proactive defense
You receive a notification when Security Center detects and proactively blocks unauthorized network activity.
Container image scan malicious sample alert
After a container image scan completes, you receive a notification for any generated malicious sample alerts.
Container image scan baseline risk notification
After a container image scan completes, you receive a notification for any generated baseline risk alerts.
Container image scan vulnerability risk notification
After a container image scan completes, you receive a notification for any generated vulnerability risk alerts.
Container image scan sensitive file alert
After a container image scan completes, you receive a notification for any generated sensitive file alerts.
Agentless detection
Notification item
Description
Agentless detection of malicious samples
After a security scan completes, you receive an alert notification for any malicious samples the scan finds.
Agentless detection of vulnerability risks
After a security scan completes, you receive an alert notification for any vulnerability risks the scan finds.
Agentless detection of baseline risks
After a security scan completes, you receive an alert notification for any baseline risks the scan finds.
Agentless detection of sensitive files
After a security scan completes, you receive an alert notification for any sensitive files the scan finds.