CloudGuard Dome9 User Guide
The Alerts tab in the Alerts page shows a near real-time dashboard view of notifications from Continuous Compliance assessments and from Log.ic queries. This can be useful for security admins or managers to see compliance or network security issues across their cloud environments in a single view. From this view, they can drill down to see more detail about the event, add remarks for the event or assign it to specific users for remedial action.
The view is searchable and can be filtered for specific events of interest, according to account, event type, entity type, compliance bundle, and other parameters. Events appear in the Findings view in near real-time.
- enterprise view across all platforms, accounts, entities
- shows only operational issues in cloud accounts
- system messages are in a separate tab
- search or filter the view for Organizational Unit, account, region, platform, source, entity, etc.
- actionable from dashboard (assign, acknowledge, modify)
- direct links to referenced entities (in Dome9)
- enterprise security manager needs a high level summary of security posture and key metrics of security findings across the organization
- security engineer needs high level summary of security posture and key metrics of security findings for specific cloud accounts, and the ability to review security findings for the relevant cloud accounts and apply remediations
Alerts in Dome9
Events that appear in the Alerts view are generated from these sources:
- Continuous Compliance failures for rules in assessment bundles
- CloudGuard Log.ic, according to the specific query defined in Log.ic
The Alerts view does not show normal system or account events (such as account sign-ins) or configuration issues, which appear in the System Alerts tab in the Alerts page.
You can configure notifications from Continuous Compliance or Log.ic events to appear in the Alerts Findings view. Do this by configuring a CloudGuard Dome9 Notification Policy for Continuous Compliance events.
Continuous Compliance Notification Policy
You configure Continuous Compliance notifications to the Alerts view in Notification Policies. You must do this for each policy separately, so you can control which bundles, and which accounts, will generate alerts. To receive alerts from all bundles and accounts, configure it in each policy.
In the Notification Policy, check the box Include in the alerts console.
Alert Findings View
The main Findings view shows a list of findings.
In the Filter pane on the left, you can filter the view of events according to Organizational Units, account, entity, ruleset, event severity, and other parameters. You can also choose to show or hide excluded findings.
You can search for specific events in the search box. You can search for specific text in the Cloud Account, Rule, Entity, and Entity Type fields.
You can sort the view of events according to any of the displayed columns.
Click on an event in the list to see more detail. This shows the specific rule that failed (for Compliance events) or query (for Log.ic).
Note: if you clone a ruleset, and run an assessment with it, you will see findings for it that may appear to be duplicates of the findings for the original ruleset (same rule, entity). You can use exclusions to hide the duplicate findings (see below).
From the Alerts view, you can perform these actions on events:
- add comments to an event (these are visible to all viewers).
- assign an event to a (Dome9) user, for further action (such as remedial actions)
- change the severity of the event (this will affect the view, if the severity is one of the filter settings).
- acknowledge an event (this marks the event as 'read')
- create an exclusion for the finding
- export the list of events as a CSV file
Create an exclusion
You can create an exclusion from a finding, to exclude additional findings similar to it. You can exclude the specific ruleset, rule, and entity, or widen the exclusion to cover all entities in the rule, all accounts, or all rules in the bundle.
Note: you can exclude only Compliance alerts.
- Select the finding in the list.
- Click Exclude.
- Create an exclusion based on the finding. In the dialog box, the specific rule, account, and entity are selected (excluding only this specific combination). Uncheck any of these choices to widen the exclusion to cover all rules, accounts, or entities.
- Click Exclude to create the exclusion. You can manage the exclusion on the Exclusions page in the Compliance & Governance menu.
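The way an exclusion widens as you uncheck rule, account or entity in the dialog can be modelled as a simple matcher, which also shows how an exclusion on a cloned ruleset hides the duplicate findings mentioned in the note above. The following Python is an added illustration, not Dome9's own code or API; it assumes a finding is identified by ruleset, rule, account and entity, that an exclusion always names a ruleset while the other three fields are optional (an unset field means "all"), and the sample findings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    """One Compliance finding as shown in the Alerts view (modelled, not the product's schema)."""
    ruleset: str
    rule: str
    account: str
    entity: str


@dataclass(frozen=True)
class Exclusion:
    """An exclusion created from a finding. The ruleset is always fixed;
    rule, account and entity are None when the matching checkbox is unchecked,
    which widens the exclusion to cover every value of that field."""
    ruleset: str
    rule: Optional[str] = None
    account: Optional[str] = None
    entity: Optional[str] = None

    def matches(self, f: Finding) -> bool:
        # Every field that is still "checked" must match exactly;
        # an unchecked (None) field matches anything.
        if f.ruleset != self.ruleset:
            return False
        checks = (
            (self.rule, f.rule),
            (self.account, f.account),
            (self.entity, f.entity),
        )
        return all(want is None or want == have for want, have in checks)


def visible_findings(findings: Iterable[Finding], exclusions: Iterable[Exclusion]) -> List[Finding]:
    """Findings that remain in the view once excluded findings are hidden."""
    exclusions = list(exclusions)
    return [f for f in findings if not any(e.matches(f) for e in exclusions)]


# Constructed sample findings: three S3 findings across two accounts, one
# root-MFA finding, and a duplicate produced by a cloned ruleset.
SAMPLE_FINDINGS = [
    Finding("CIS AWS", "S3 bucket public", "acct-123", "bucket-a"),
    Finding("CIS AWS", "S3 bucket public", "acct-123", "bucket-b"),
    Finding("CIS AWS", "S3 bucket public", "acct-456", "bucket-a"),
    Finding("CIS AWS", "Root MFA disabled", "acct-123", "root"),
    Finding("CIS AWS - clone", "S3 bucket public", "acct-123", "bucket-a"),
]

# The same finding excluded at four widths, from narrowest to widest.
NARROW = Exclusion("CIS AWS", "S3 bucket public", "acct-123", "bucket-a")  # all boxes checked
ALL_ENTITIES = Exclusion("CIS AWS", "S3 bucket public", "acct-123")       # entity unchecked
ALL_ACCOUNTS = Exclusion("CIS AWS", "S3 bucket public")                   # entity + account unchecked
WHOLE_BUNDLE = Exclusion("CIS AWS")                                       # only the ruleset remains
CLONE_DUPLICATES = Exclusion("CIS AWS - clone")  # hides the duplicates from the cloned ruleset


def hidden_count(exclusion: Exclusion) -> int:
    """How many of the sample findings a single exclusion hides."""
    return len(SAMPLE_FINDINGS) - len(visible_findings(SAMPLE_FINDINGS, [exclusion]))


if __name__ == "__main__":
    for name, ex in [("narrow", NARROW), ("all entities", ALL_ENTITIES),
                     ("all accounts", ALL_ACCOUNTS), ("whole bundle", WHOLE_BUNDLE),
                     ("clone duplicates", CLONE_DUPLICATES)]:
        print(f"{name:17s} hides {hidden_count(ex)} of {len(SAMPLE_FINDINGS)} findings")
```

Each unchecked box hides strictly more findings than the one before it, so when reviewing an exclusion on the Exclusions page it is worth checking which fields were left unset rather than only the ruleset it names.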