Enable Security Center Notifications

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: AlibabaCloud-SecurityCenter-003

Enable Security Center notifications for all high risk items to ensure that designated security operators are notified as soon as security events happen within your Alibaba Cloud account.

Security

Enabling Security Center notifications provides real-time alerts about potential threats, vulnerabilities, and suspicious activities in your cloud environment, so that designated operators can respond and take mitigation measures in time to safeguard your cloud resources and data.


Audit

To determine if the Security Center notifications are enabled for all high risk items, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers reside (China or Outside China).

04 In the left navigation panel, under System Configuration, choose Notification Settings.

05 Choose the Email/Internal Message tab and check the Notification Method column for each event detection category. If neither the Email nor the Internal Message checkbox is selected for one or more of the high risk categories identified by Security Center, Security Center notifications are not enabled for all high risk items.

Using Alibaba Cloud CLI

01 Run the DescribeNoticeConfig command (OSX/Linux/UNIX) to list the notification configuration for each Security Center event detection category:

aliyun sas DescribeNoticeConfig

02 The command output should return the configuration information available for each event detection category:

{
	"NoticeConfigList": [
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_security_Weekreport",
					"Route": 0,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "sas_suspicious",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "health",
					"Route": 0,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "remotelogin",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "virusScheduleTask",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "patch",
					"Route": 0,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "suspicious",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "webshell",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "bruteforcesuccess",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_IP_Blocking",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_anti_Virus",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "agent",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "weeklyreport",
					"Route": 7,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "sas_vulnerability",
					"Route": 0,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "sas_healthcheck",
					"Route": 7,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_ak_leakage",
					"Route": 0,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_config_alert",
					"Route": 0,
					"TimeLimit": 1
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_webguard_event",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_vul_Emergency",
					"Route": 2,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_aegis_AV_true",
					"Route": 7,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_cloud_native_firewall",
					"Route": 7,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_cloud_native_firewall_Defense",
					"Route": 7,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_anti_virus_config",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"CustomThreshold": 90,
					"Project": "yundun_sas_log",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_honeypot_alarm",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "aliyun_rasp_alarm",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_image_scan_vulnerability",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_image_scan_suspicious",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_image_scan_base_line",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_image_scan_sensitive_file",
					"Route": 0,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"AllFocusLevel": "Success,Failed",
					"CurrentPage": 1,
					"FocusLevel": "Failed",
					"Project": "yundun_sas_antiransomware_task",
					"Route": 6,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"Project": "yundun_sas_cloudsiem_log",
					"Route": 7,
					"TimeLimit": 0
			},
			{
					"AliUid": 1234567890123456,
					"CurrentPage": 1,
					"CustomThreshold": 80,
					"Project": "yundun_defennce_antiRansomware_overflow",
					"Route": 7,
					"TimeLimit": 1
			}
	],
	"RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"
}

Check the "Route" attribute of each event detection category to determine the notification method(s) configured: 1 is text message, 2 is email, 3 is internal message, 4 is text message and email, 5 is text message and internal message, 6 is email and internal message, and 7 is text message, email, and internal message. A "Route" value of 0 (zero) means that no notification method is configured, therefore Security Center notifications are not enabled for that event category. Also check the "TimeLimit" attribute: 0 sends notifications at any time of day, while 1 restricts delivery to 08:00 to 20:00, so high risk categories should normally use 0 to avoid delaying alerts that occur outside business hours.

Remediation / Resolution

To enable Security Center notifications for all high risk items, perform the following operations:

Using Alibaba Cloud Console

01 Sign in to your Alibaba Cloud account.

02 Navigate to Security Center console available at https://yundun.console.aliyun.com/?p=sas#/overview/home.

03 In the top navigation bar, select the region where your servers are located (China or Outside China).

04 In the left navigation panel, under System Configuration, choose Notification Settings.

05 Choose the Email/Internal Message tab, and check the Email and/or Internal Message checkboxes from the Notification Method column, for all the high risk items identified by Security Center.

Using Alibaba Cloud CLI

01 Run the ModifyNoticeConfig command (OSX/Linux/UNIX) with the name of the event detection category that you want to configure as the identifier parameter, to enable Security Center notifications for the selected event category. The following command example enables notifications via email and internal message (i.e. notification method 6) for the Weekly Security Report event detection category. The Weekly Security Report summarizes unhandled items such as vulnerabilities, baseline risks, and alerts:

aliyun sas ModifyNoticeConfig \
  --Project yundun_security_Weekreport \
  --Route 6

02 If successful, the output should return the command request ID:

{"RequestId":"ABCDABCD-1234-ABCD-1234-ABCD1234ABCD"}
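The audit and remediation steps above can be scripted against the DescribeNoticeConfig output. The following script is an added example, not part of this page or of the Alibaba Cloud CLI: it reads the JSON returned by aliyun sas DescribeNoticeConfig (from stdin, or a constructed sample embedded in the script), reports every high risk category whose "Route" is 0 or that is missing from the list, flags categories whose "TimeLimit" is 1 (business-hours delivery only, as documented in the Security Center API reference rather than on this page), and prints the ModifyNoticeConfig commands that would enable email and internal message (Route 6) for each finding. The HIGH_RISK_PROJECTS set is an assumption: the page does not enumerate the high risk categories, so the list is an illustrative choice from the Project names in the sample output.

```python
"""Audit Security Center notification routes from `aliyun sas DescribeNoticeConfig`.

Added example (not part of the original page or the Alibaba Cloud CLI).
Usage: aliyun sas DescribeNoticeConfig | python3 audit_notice_config.py
With no piped input the constructed SAMPLE_OUTPUT below is used instead.
"""
import json
import sys

# Route codes as documented on the page for DescribeNoticeConfig/ModifyNoticeConfig.
ROUTES = {
    0: (),
    1: ("text message",),
    2: ("email",),
    3: ("internal message",),
    4: ("text message", "email"),
    5: ("text message", "internal message"),
    6: ("email", "internal message"),
    7: ("text message", "email", "internal message"),
}

# ASSUMPTION: the categories your team treats as high risk. The page does not
# enumerate them; this list is an illustrative choice drawn from the Project
# names in the sample output and should be adapted to your own policy.
HIGH_RISK_PROJECTS = frozenset({
    "sas_suspicious", "suspicious", "webshell", "bruteforcesuccess",
    "remotelogin", "yundun_sas_ak_leakage", "yundun_sas_vul_Emergency",
    "yundun_honeypot_alarm", "aliyun_rasp_alarm", "yundun_aegis_AV_true",
})

# Constructed sample: a trimmed DescribeNoticeConfig response with the same
# shape as the page's output (not a real account; AliUid is a placeholder).
SAMPLE_OUTPUT = json.dumps({
    "NoticeConfigList": [
        {"AliUid": 1234567890123456, "CurrentPage": 1, "Project": "sas_suspicious", "Route": 0, "TimeLimit": 0},
        {"AliUid": 1234567890123456, "CurrentPage": 1, "Project": "webshell", "Route": 6, "TimeLimit": 0},
        {"AliUid": 1234567890123456, "CurrentPage": 1, "Project": "bruteforcesuccess", "Route": 7, "TimeLimit": 1},
        {"AliUid": 1234567890123456, "CurrentPage": 1, "Project": "yundun_sas_vul_Emergency", "Route": 2, "TimeLimit": 0},
        {"AliUid": 1234567890123456, "CurrentPage": 1, "Project": "weeklyreport", "Route": 0, "TimeLimit": 1},
    ],
    "RequestId": "ABCDABCD-1234-ABCD-1234-ABCD1234ABCD",
})


def decode_route(route):
    """Return the human-readable notification methods for a Route code."""
    if route not in ROUTES:
        raise ValueError(f"unknown Route value {route!r}")
    return ROUTES[route]


def audit(output_json, required=HIGH_RISK_PROJECTS):
    """Return {project: route} for every required category with no notification method.

    A required category absent from NoticeConfigList is reported with route
    None: no configuration entry is just as silent as Route 0.
    """
    data = json.loads(output_json)
    routes = {entry["Project"]: entry.get("Route", 0)
              for entry in data.get("NoticeConfigList", [])}
    return {project: routes.get(project) for project in required
            if routes.get(project) in (None, 0)}


def business_hours_only(output_json, required=HIGH_RISK_PROJECTS):
    """Return required categories whose TimeLimit is 1, sorted by name.

    ASSUMPTION (from the Security Center API reference, not stated on the
    page): TimeLimit 0 delivers notifications all day, TimeLimit 1 only
    between 08:00 and 20:00. High-risk alerts normally need all-day delivery.
    """
    data = json.loads(output_json)
    return sorted(entry["Project"] for entry in data.get("NoticeConfigList", [])
                  if entry["Project"] in required and entry.get("TimeLimit") == 1)


def remediation_commands(findings, route=6):
    """Build the ModifyNoticeConfig invocations enabling `route` for each finding.

    Route 6 (email + internal message) matches the page's remediation example.
    """
    decode_route(route)  # fail early on a bogus route code
    return [f"aliyun sas ModifyNoticeConfig --Project {project} --Route {route}"
            for project in sorted(findings)]


if __name__ == "__main__":
    raw = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    findings = audit(raw)
    for project, route in sorted(findings.items()):
        state = "no configuration entry" if route is None else "Route 0 (no notification method)"
        print(f"FAIL {project}: {state}")
    for project in business_hours_only(raw):
        print(f"WARN {project}: TimeLimit 1, delivery limited to 08:00-20:00")
    print("\n".join(remediation_commands(findings)))
```

Review the generated commands before running them: the script assumes Route 6 is the desired method for every finding, and a category that is missing from NoticeConfigList may simply not be available for your Security Center edition.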

Publication date Feb 27, 2024