CloudGuard Dome9 Help
The Alerts tab in the Alerts page shows a near real-time dashboard view of notifications from Continuous Compliance assessments and from Log.ic queries. This can be useful for security admins or managers to see compliance or network security issues across their cloud environments in a single view. From this view, they can drill down to see more detail about the event, add remarks for the event or assign it to specific users for remedial action.
The view is searchable and can be filtered for specific events of interest, according to account, event type, entity type, compliance bundle, and other parameters. Events appear in the Findings view in near real-time.
- enterprise view across all platforms, accounts, entities
- shows only operational issues in cloud accounts
- system messages are in a separate tab
- search or filter the view for Organizational Unit, account, region, platform, source, entity, etc.
- actionable from dashboard (assign, acknowledge, modify)
- direct links to referenced entities (in Dome9)
- enterprise security manager needs a high level summary of security posture and key metrics of security findings across the organization
- security engineer needs high level summary of security posture and key metrics of security findings for specific cloud accounts, and the ability to review security findings for the relevant cloud accounts and apply remediations
Alerts in Dome9
Events that appear in the Alerts view are generated from Continuous Compliance failures for rules in assessment bundles, and from Log.ic.
Events that appear in the Findings view are generated from these sources:
- Continuous Compliance failures for rules in assessment bundles
- CloudGuard Log.ic according to the specific query defined in Log.ic
The Alerts view does not show normal system or account events (such as account sign-ins) or configuration issues, which appear in the System Alerts tab in the Alerts page.
You can configure notifications from Continuous Compliance or Log.ic events to appear in the Alerts Findings view. Do this by configuring CloudGuard Dome9 Notification Policies for Continuous Compliance events.
Continuous Compliance Notification Policy
You configure Continuous Compliance notifications to the Alerts view in Notification Policies. You must do this for each policy separately, so you can control which bundles, and which accounts, will generate alerts. To receive alerts from all bundles and accounts, configure it in each policy.
In the Notification Policy, check the box Include in the alerts console.
Alerts Dashboard View
The Alerts Dashboard shows you a graphical summary of the findings in your account, giving you an at-a-glance picture of some key indicators of your account. The Dashboard has a set of widgets, each showing a different detail for your account, such as the top entities involved in findings, with a breakdown.
You can select from different dashboards, create additional dashboards, and customize the dashboard with specific widgets. You can also click-through from the information in the dashboard to more detail in other Dome9 pages.
Select filter options in the filter pane, on the left, to select the alerts that are included in the dashboard.
- Click ADD DASHBOARD.
- Enter a name and click SAVE.
Alerts widgets show the distribution of alerts in your account according to a parameter, such as cloud entity, or region.
- Click ADD WIDGET.
- Enter a title for the widget.
- Select the type of widget (pie-chart, list, histogram).
- Select the parameter according to which the breakdown in the widget will be displayed (aggregation).
- Click SAVE.
The widget will be added to the currently open dashboard.
Click SAVE or SAVE AS to save the changes in the dashboard, either as the current dashboard, or as a new one.
Alert Findings View
The main Findings view shows a list of findings.
In the Filter pane on the left, you can filter the view of events according to Organizational Units, account, entity, ruleset, event severity, and other parameters. You can also choose to show or hide excluded findings.
You can search for specific events in the search box. You can search for specific text in the Cloud Account, Rule, Entity, and Entity Type fields.
You can sort the view of events according to any of the displayed columns.
Click on an event in the list to see more detail. This shows the specific rule that failed (for Compliance events) or query (for Log.ic).
Note: if you clone a ruleset, and run an assessment with it, you will see findings for it that may appear to be duplicates of the findings for the original ruleset (same rule, entity). You can use exclusions to hide the duplicate findings (see below).
From the Alerts view, you can perform these actions on events:
- add comments to an event (these are visible to all viewers).
- assign an event to a (Dome9) user, for further action (such as remedial actions)
- change the severity of the event (this will affect the view, if the severity is one of the filter settings).
- acknowledge a finding (this marks the event as 'read')
- create an exclusion for the finding
- create a remediation for the finding
- export the list of events as a CSV file
You can acknowledge a finding. This marks the finding as read. This does not close the finding, or indicate that it is resolved.
You can update a finding with the following attributes:
Assignee - assign the finding to a Dome9 user.
Severity - set a severity for the finding, from a list (High, Medium, Low)
Comments - add a text comment to the finding.
These attributes are visible to any user who can view the finding in the Alerts page (according to their permissions). They can also be used to filter the list of findings.
Click anywhere on the finding to be updated. This will expand the finding to show additional detail, including an action panel on the right.
- To assign the finding, select an assignee from the drop-down list. Possible assignees are all users of the Dome9 account.
- To change the finding severity, select the Severity of the finding, from the drop-down list. Initially, the severity is the severity of the rule that uncovered it.
- To add a comment for the finding, click , and then enter text in the Comment field. Press Add to save the comment. You can add more than one comment to a finding.
- To create an exclusion for the finding, click EXCLUDE.
You can create a remediation to be associated with the rules underlying findings. These remediations are applied to cloud resources to correct the issues that caused the finding. Dome9 Cloudbots are an example of remedies that can be used.
- Select the finding in the list.
- Click opposite the finding.
- Complete the details for the remediation (see Add a remediation step), and then click SAVE.
You can create an exclusion from a finding, to exclude additional findings similar to it. You can exclude the specific ruleset, rule, and entity, or widen the exclusion to cover all entities in the rule, all accounts, or all rules in the bundle.
- Select the finding in the list.
- Click Exclude.
- Create an exclusion based on the finding. In the dialog box, the specific rule, account, and entity are selected (excluding only this specific combination). Uncheck any of these choices to widen the exclusion to cover all rules, accounts, or entities.
- Click Exclude to create the exclusion. You can manage the exclusion on the Exclusions page in the Compliance & Governance menu.
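The effect of unchecking boxes in the exclusion dialog can be previewed offline before an exclusion is created. The following is an added example, not Dome9 code or its API: the `Finding` and `Exclusion` classes, their field names, and the sample findings are constructed for illustration, and the model assumes an exclusion always stays within its own ruleset.

```python
# Illustrative model only: not Dome9 code, API, or export format.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    ruleset: str
    rule: str
    account: str
    entity: str
    severity: str  # High, Medium or Low

@dataclass(frozen=True)
class Exclusion:
    ruleset: str                   # assumed: exclusion is scoped to one ruleset
    rule: Optional[str] = None     # None models an unchecked box (all rules)
    account: Optional[str] = None  # None = all accounts
    entity: Optional[str] = None   # None = all entities

    def hides(self, f: Finding) -> bool:
        if f.ruleset != self.ruleset:
            return False
        pairs = ((self.rule, f.rule), (self.account, f.account),
                 (self.entity, f.entity))
        return all(want is None or want == got for want, got in pairs)

def preview(exclusion, findings):
    """Return the findings the exclusion would hide, highest severity first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    hidden = [f for f in findings if exclusion.hides(f)]
    return sorted(hidden, key=lambda f: order[f.severity])

# Constructed sample findings, including one from a cloned ruleset.
FINDINGS = [
    Finding("Baseline", "S3 bucket is public", "prod", "bucket-a", "High"),
    Finding("Baseline", "S3 bucket is public", "prod", "bucket-b", "High"),
    Finding("Baseline", "S3 bucket is public", "dev", "bucket-c", "Medium"),
    Finding("Baseline", "MFA not enabled", "prod", "user-x", "High"),
    Finding("Baseline (clone)", "S3 bucket is public", "prod", "bucket-a", "High"),
]

narrow = Exclusion("Baseline", "S3 bucket is public", "prod", "bucket-a")
all_entities = Exclusion("Baseline", "S3 bucket is public", "prod")
whole_ruleset = Exclusion("Baseline")

if __name__ == "__main__":
    for name, ex in [("narrow", narrow), ("all entities", all_entities),
                     ("whole ruleset", whole_ruleset)]:
        hidden = preview(ex, FINDINGS)
        print(f"{name}: hides {len(hidden)} of {len(FINDINGS)} findings")
        for f in hidden:
            print("   ", f.severity, f.rule, f.account, f.entity)
```

In this model each unchecked box increases the number of hidden findings, including unrelated High-severity ones, so a widened exclusion should be reviewed against the current findings list first.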
You can export selected findings to a CSV file. You can export all findings, or those shown in a filtered view on the Alerts page.
In the Alerts page, select a time interval, and filter the view to show the findings you want to export (or skip this step to show all findings for the time interval).
- Click , in the upper right.
- Select the findings to export - all findings, or the filtered list.
- Browse to a location to save the file, and click Save.