CloudGuard Dome9 Help

Alerts


Introduction

The Alerts tab in the Alerts page shows a near real-time dashboard view of notifications from Continuous Compliance assessments and from Log.ic queries. This can be useful for security admins or managers to see compliance or network security issues across their cloud environments in a single view. From this view, they can drill down to see more detail about the event, add remarks for the event or assign it to specific users for remedial action.

The view is searchable and can be filtered for specific events of interest, according to account, event type, entity type, compliance bundle, and other parameters. Events appear in the Findings view in near real-time.

Benefits

  • enterprise view across all platforms, accounts, entities
  • shows only operational issues in cloud accounts
    • system messages are in a separate tab
  • search or filter the view for Organizational Unit, account, region, platform, source, entity, etc.
  • actionable from dashboard (assign, acknowledge, modify)
  • direct links to referenced entities (in Dome9)

Use cases

  • enterprise security manager needs a high level summary of security posture and key metrics of security findings across the organization
  • security engineer needs high level summary of security posture and key metrics of security findings for specific cloud accounts, and the ability to review security findings for the relevant cloud accounts and apply remediations

Alerts in Dome9

Events that appear in the Alerts view are generated from Continuous Compliance failures for rules in assessment bundles, and from Log.ic.

The Alerts view does not show normal system or account events (such as account sign-ins) or configuration issues, which appear in the System Alerts tab in the Alerts page.

Configure alerts

You can configure notifications from Continuous Compliance or Log.ic events to appear in the Alerts Findings view. Do this by configuring CloudGuard Dome9 Notification Policies; the steps below cover Continuous Compliance events.

Continuous Compliance Notification Policy

You send Continuous Compliance notifications to the Alerts view by configuring Notification Policies. You must do this for each policy separately, so you can control which bundles, and which accounts, will generate alerts. To receive alerts from all bundles and accounts, enable the option in every policy.

In the Notification Policy, check the box Include in the alerts console.

[Image: Notification Policy settings, showing the Include in the alerts console option]

Alerts Dashboard View

The Alerts Dashboard shows you a graphical summary of the findings in your account, giving you an at-a-glance picture of some key indicators of your account. The Dashboard has a set of widgets, each showing a different detail for your account, such as the top entities involved in findings, with a breakdown.

You can select from different dashboards, create additional dashboards, and customize the dashboard with specific widgets. You can also click-through from the information in the dashboard to more detail in other Dome9 pages.

Select filter options in the filter pane, on the left, to select the alerts that are included in the dashboard.

Alert Findings View

The main Findings view shows a list of findings.

In the Filter pane on the left, you can filter the view of events according to Organizational Units, account, entity, ruleset, event severity, and other parameters. You can also choose to show or hide excluded findings.

You can search for specific events in the search box. You can search for specific text in the Cloud Account, Rule, Entity, and Entity Type fields.

You can sort the view of events according to any of the displayed columns.

Click on an event in the list to see more detail. This shows the specific rule that failed (for Continuous Compliance events) or the query that matched (for Log.ic events).

Note: if you clone a ruleset, and run an assessment with it, you will see findings for it that may appear to be duplicates of the findings for the original ruleset (same rule, entity). You can use exclusions to hide the duplicate findings (see below).
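Before excluding duplicates, it is worth confirming which findings really are duplicates and making sure the exclusion hides only the cloned ruleset's copy, so the original finding stays visible. The script below is an added example, not Dome9's own code or API: it reads a constructed CSV in the shape of an exported finding list (the column names ruleset, rule, entity, entity_type, severity and cloud_account are an assumption for this example, not Dome9's export schema), reports every (rule, entity) pair that appears under more than one ruleset, and lists the rows you would exclude while keeping the ruleset you choose.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an Alerts CSV export. The column names are an
# assumption for this example, not the actual Dome9 export schema.
SAMPLE_EXPORT = """\
ruleset,rule,entity,entity_type,severity,cloud_account
CIS AWS Foundations,Ensure MFA is enabled for the root account,arn:aws:iam::111111111111:root,IamUser,High,prod
CIS AWS Foundations (copy),Ensure MFA is enabled for the root account,arn:aws:iam::111111111111:root,IamUser,High,prod
CIS AWS Foundations,Ensure S3 bucket is not publicly readable,bucket-logs-prod,S3Bucket,High,prod
CIS AWS Foundations (copy),Ensure S3 bucket is not publicly readable,bucket-logs-prod,S3Bucket,High,prod
CIS AWS Foundations,Ensure security groups do not allow ingress from 0.0.0.0/0 to port 22,sg-0abc123,SecurityGroup,High,prod
CIS AWS Foundations (copy),Ensure CloudTrail is enabled in all regions,111111111111,CloudAccount,Medium,prod
"""


def parse_findings(csv_text):
    """Parse an exported finding list into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_cross_ruleset_duplicates(findings):
    """Return {(rule, entity): [rulesets]} for pairs that appear in more than one ruleset.

    A finding is only a duplicate if the same rule fired on the same entity under a
    different ruleset; the same rule on a different entity is a separate finding.
    """
    rulesets_by_key = defaultdict(set)
    for f in findings:
        rulesets_by_key[(f["rule"], f["entity"])].add(f["ruleset"])
    return {
        key: sorted(rulesets)
        for key, rulesets in rulesets_by_key.items()
        if len(rulesets) > 1
    }


def exclusion_candidates(findings, keep_ruleset):
    """List the duplicated findings that belong to rulesets other than keep_ruleset.

    These are the rows to hide with an exclusion. The copy in keep_ruleset is left
    alone, so each real issue still shows up exactly once in the Findings view.
    """
    duplicates = find_cross_ruleset_duplicates(findings)
    candidates = []
    for f in findings:
        key = (f["rule"], f["entity"])
        if key in duplicates and f["ruleset"] != keep_ruleset:
            candidates.append({"ruleset": f["ruleset"], "rule": f["rule"], "entity": f["entity"]})
    return candidates


if __name__ == "__main__":
    rows = parse_findings(SAMPLE_EXPORT)
    for (rule, entity), rulesets in find_cross_ruleset_duplicates(rows).items():
        print(f"duplicate: {rule!r} on {entity} in {', '.join(rulesets)}")
    for c in exclusion_candidates(rows, keep_ruleset="CIS AWS Foundations"):
        print(f"exclude: ruleset={c['ruleset']} rule={c['rule']!r} entity={c['entity']}")
```

Running it on the sample reports two duplicated (rule, entity) pairs and two rows to exclude, both from the cloned ruleset; the security-group and CloudTrail findings appear under only one ruleset each and are left untouched. Scoping the exclusion to the cloned ruleset rather than to the rule or entity is what keeps the original finding visible.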

Actions

From the Alerts view, you can perform these actions on events:

  • add comments to an event (these are visible to all viewers)
  • assign an event to a (Dome9) user, for further action (such as remedial actions)
  • change the severity of the event (this will affect the view, if the severity is one of the filter settings)
  • acknowledge a finding (this marks the event as 'read')
  • create an exclusion for the finding
  • create a remediation for the finding
  • export the list of events as a CSV file